About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
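As an added example (not part of the original post), here is a small static triage scanner in Python that looks for the byte encodings of the checks listed above in a raw code image: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, int 2Fh/1684h with the SICE/SIWVID VxD IDs (Methods 03/04), int 41h/4Fh (Method 05), int 68h/43h (Method 07), the MeltICE device names (Method 11), the 2A002Ah VxDCall service (Method 12) and the NuMega registry key (Method 13). The x86 encodings and the sample image are my own construction; an analyst would run this over unpacked code sections, since a packer hides these bytes until runtime.

```python
import re

# x86 byte encodings of the checks listed in the post (derived for this example).
# "\x66?" allows the operand-size prefix that 32-bit code needs for 16-bit moves.
SIGNATURES = {
    "Method 01": (rb"\xBD\x4B\x48\x43\x42",                  # mov ebp,4243484Bh ('BCHK')
                  "BoundsChecker 'BCHK' int 3 check"),
    "Method 02": (rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A",    # mov si,4647h / mov di,4A4Dh
                  "SoftICE back door magic values"),
    "Method 03/04": (rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
                     "int 2Fh/1684h with SICE or SIWVID VxD ID"),
    "Method 05": (rb"\x66?\xB8\x4F\x00\xCD\x41",              # mov ax,4Fh / int 41h
                  "int 41h function 4Fh debugger check"),
    "Method 07": (rb"\xB4\x43\xCD\x68",                      # mov ah,43h / int 68h
                  "int 68h function 43h V86 check"),
    "Method 11": (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",          # "\\.\SICE" style device name
                  "MeltICE driver handle name"),
    "Method 12": (rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
                  "VxDCall VWIN32_Int41Dispatch (2A002Ah) with function 4Fh"),
    "Method 13": (rb"NuMega\\SoftICE",                       # registry key path fragment
                  "SoftICE registry key lookup"),
}


def scan_anti_softice(data: bytes):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, (pattern, desc) in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample image: the Method 02 stub from the Haspinst listing, then a
# Method 01 check as 32-bit code, then a MeltICE device name, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h       <- Method 02 hit at offset 9
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 3
    + b"\xBD\x4B\x48\x43\x42"    # mov ebp,4243484Bh  <- Method 01 hit at offset 19
    + b"\x66\xB8\x04\x00\xCC"    # mov ax,4 / int 3
    + b"\x90" * 2
    + rb"\\.\SICE" + b"\x00"     # device name        <- Method 11 hit at offset 31
)

if __name__ == "__main__":
    for off, method, desc in scan_anti_softice(SAMPLE):
        print(f"0x{off:04X}  {method:<12} {desc}")
```

Byte signatures like these are a triage aid only: a hit tells you where to put a breakpoint or start reading, and the BPX/BPINT conditions given in the post remain the way to confirm the check actually fires.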