找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>. x/ a; W( R' k) }. A% o0 V. ]* R
<TBODY>! q0 y3 `3 B& K! M9 m- T) e2 e
<TR>
' K+ n$ b! ^0 T( V) b) o' n" V<TD><PRE>Method 01
* W* N, {1 v3 B$ b  L8 G. O=========
, a+ Y$ S4 K, y: r* t6 M$ n: Y( L$ b
This method of detection of SoftICE (as well as the following one) is
5 r* k, Y  l( H' O* Q: xused by the majority of packers/encryptors found on Internet.
: D" f. V3 F% X! n+ p, [It seeks the signature of BoundsChecker in SoftICE2 k' R1 J8 ~( S1 x
% Q0 `: w0 i: H; U' Y4 E+ K/ i
    mov     ebp, 04243484Bh        ; 'BCHK'! S# \# H: i" g% x7 _( |; k5 a
    mov     ax, 04h" W8 S0 _3 ^% K- m& D
    int     3       . q) t1 v$ x$ r6 T* U  U9 k1 v
    cmp     al,4
& q8 n" }& }2 Q8 B7 Y    jnz     SoftICE_Detected
$ n- ]4 I  Y+ _/ q  d* u( ~
+ f* \4 t, N( z& d8 [* B___________________________________________________________________________- Y; [3 I  w( B/ q. V
$ A9 N8 H( z+ D) r" M; Z1 P
Method 02* y5 Z8 ?4 C! C% ]/ N3 F& {
=========
' e- I  E) V% ?+ s
, H# }: v: v. _Still a method very much used (perhaps the most frequent one).  It is used: n; V1 A" M1 y3 E( G1 C; }
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,, M. u6 F  W& p* ^+ J+ Z
or execute SoftICE commands...
9 Q) G- r& _* y- v2 n* ?" nIt is also used to crash SoftICE and to force it to execute any commands
. i7 N. b+ b: E9 z8 U  b(HBOOT...) :-((  
, X, x7 l$ Z( F' m; v1 B/ f% p2 l9 {' P3 y6 a& j- p
Here is a quick description:
7 C5 T9 O  T3 Z6 u& k9 Z-AX = 0910h   (Display string in SIce windows)% T& `: d  Z9 m% f" a6 l* z
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)2 }* ^$ n# k/ m8 L& y0 G' j0 }
-AX = 0912h   (Get breakpoint infos)
! Z1 H& ^4 o; b. V$ m-AX = 0913h   (Set Sice breakpoints)& }& I0 K) C" f, |
-AX = 0914h   (Remove SIce breakoints)
5 U! t% l# r1 @- |
* a& k; d) G- m$ z  H( vEach time you'll meet this trick, you'll see:1 Q6 S4 O+ ~* o, g$ j9 A6 o' q8 I
-SI = 4647h" x' Z) o: _4 c9 \" F( O& Q( T, \+ N
-DI = 4A4Dh
2 f. f8 x5 l, C9 p6 j+ Q$ a. sWhich are the 'magic values' used by SoftIce.
  L/ d  ^3 E6 C: F9 dFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' z! d& d. [* p! {8 Q" T) L8 L1 ^4 B' y9 k! X
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ q: o) ^. e3 c: U8 REnvelope utility use to protect DOS applications:6 X% F5 o* `# ]  A* y3 U" s% s, H

+ \) ~: a9 C( ^6 p9 q2 t: F, [2 V/ u9 r5 r  v! ]( T& r; \
4C19:0095   MOV    AX,0911  ; execute command.
/ k, F: a" A$ M* @8 O# x4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
# c) |4 `/ z. w2 O4 n1 F% e4 |4C19:009A   MOV    SI,4647  ; 1st magic value.
# n8 t) i- ~: |: A/ m4C19:009D   MOV    DI,4A4D  ; 2nd magic value.0 [' {1 l/ f) S  J
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
9 g9 G; ]/ Z& G4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute* U! h0 |5 I6 t
4C19:00A4   INC    CX
' m/ U  }' }; n9 f( S2 F4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute  W, u( ?* u- P) q8 b
4C19:00A8   JB     0095     ; 6 different commands.& v6 C1 e/ e8 o5 e# L+ x' E
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
; i) v/ q& D! [' h6 \8 `* }- ~3 F4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
9 \- D+ T! s  a( J
& w$ @: W, q; r6 _; T; dThe program will execute 6 different SIce commands located at ds:dx, which
& B4 N8 b, q# u8 f$ n0 \are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.3 t5 y0 t3 t* Z9 m4 B

0 L( }3 X8 f: H5 j: S3 S* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 `* v/ r* ~8 V( o* m___________________________________________________________________________" z7 C+ {6 m* B. b6 E; A2 g

( W$ K  [% y0 i4 \2 J! ^) `* R5 K3 M1 R5 P' X
Method 03  L; L2 ]) X* a. b6 P4 X3 [1 _
=========
" G. Z  t3 V# ~9 Z9 H7 i
, ?& i+ i1 S+ D9 t  KLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h; {9 t+ ?' Q( i0 L' ^* R7 u
(API Get entry point)
  T& N' h8 g# k- ?8 R0 `. v        . P% y! i3 I' }$ h
/ B$ y7 H* C; |# f( h
    xor     di,di1 D. Q+ q4 W% U
    mov     es,di# a. r  k* ~$ i
    mov     ax, 1684h       8 i7 i! d; i+ v6 o3 _
    mov     bx, 0202h       ; VxD ID of winice4 _8 G) ~8 n9 q$ ]; Y
    int     2Fh
" K9 v: q, o0 a1 w  G. g3 B; b    mov     ax, es          ; ES:DI -&gt; VxD API entry point
6 D# {' ]6 k2 ~9 Y    add     ax, di
9 G" n0 s: I1 u$ g    test    ax,ax; U( o9 w. W( j* W, r
    jnz     SoftICE_Detected  M. F, r( k) s! @4 c5 u/ N
8 Z* X' B) K  s
___________________________________________________________________________+ k# y8 O/ p0 j; G  x

$ n8 o, Y* T/ w6 b4 j& QMethod 048 i/ k8 R# j; a: B* b  E* u+ l
=========
: V/ \  p3 w- n, ~0 y  u2 N$ b' I
Method identical to the preceding one except that it seeks the ID of SoftICE
  d# F9 ^: w; bGFX VxD.
, @5 f. G* m+ K- y5 u, C# k1 Z5 t2 }+ O3 A+ t9 N0 ^7 H
    xor     di,di
4 n% E6 r& N2 }  b5 `/ d; S    mov     es,di) H; P1 O0 Z$ K- |
    mov     ax, 1684h       2 B% N$ B( @2 o; C+ P2 b+ J1 ?3 q
    mov     bx, 7a5Fh       ; VxD ID of SIWVID4 D! {, q0 K# k& \7 |  V3 @
    int     2fh% Y$ y- t( }6 f1 ]& E
    mov     ax, es          ; ES:DI -&gt; VxD API entry point0 Y; o4 @7 s3 }( Z
    add     ax, di
. ]4 W% m7 H2 {) a    test    ax,ax
6 u! c' ]2 [2 U    jnz     SoftICE_Detected
9 c% s* \* |2 C' ^8 R7 I& V
' P, J2 {5 W: w. ?/ [& _. O+ v__________________________________________________________________________- N2 J  @) y, G: `+ N7 j! N% Z% I
3 q( a/ _& h, a0 z. Z

7 w; h. |& a, SMethod 05
- }% q3 c' M3 R' `: v=========
& w( G8 s7 T4 n8 O* T) y+ a1 u( A! Z3 i( m' b+ U1 F( Y- S/ o& r
Method seeking the 'magic number' 0F386h returned (in ax) by all system
2 }& a' T6 Z# S6 x& @9 ldebugger. It calls the int 41h, function 4Fh.# C  r3 D* {1 T. ]
There are several alternatives.  0 _  j" |. o6 N$ E  N2 M  O

( B( h  }; ^, c- w" Y: o/ ^+ @The following one is the simplest:
  B  @1 s% r4 S3 ?$ W2 F7 @! U
4 z  G" I+ @$ V! F    mov     ax,4fh
5 i: o( l3 c5 ~+ i8 N    int     41h
7 v$ z5 y2 r/ B    cmp     ax, 0F386( p- d& [% A5 ~( K: d" u0 i1 A
    jz      SoftICE_detected
0 V( i) E8 i# c' ?- W' S. R, [7 L. C1 [) d- h4 [. |) @
  ?5 G& q& ]* C: ~$ y
Next method as well as the following one are 2 examples from Stone's
% M8 e7 u/ d2 O"stn-wid.zip" (www.cracking.net):
& }& k  x4 Y( a
$ o( |6 \' l8 f" x0 {3 a6 u: m3 K    mov     bx, cs
: T- B# A/ y$ v7 u    lea     dx, int41handler2
4 A" t' l* P" ?1 b6 a. u2 F, W    xchg    dx, es:[41h*4]7 a& ^9 l8 t3 p5 g
    xchg    bx, es:[41h*4+2]$ [! b6 ?* S6 l6 n
    mov     ax,4fh
: N6 l# e3 U' N  J+ n    int     41h
. x: a( y- ~, M4 O7 V" m  ?    xchg    dx, es:[41h*4]
; M2 A4 y( s1 ^0 ]    xchg    bx, es:[41h*4+2]
9 e5 H" ~- B" y    cmp     ax, 0f386h; n" ~/ \0 Z2 ]
    jz      SoftICE_detected  d* \  M" d' @( v$ f3 q4 h1 Z

# o3 W3 I' a4 ^7 M1 ]int41handler2 PROC$ a) R1 W$ o! S' v7 K
    iret
6 w5 S; J9 v0 J4 J  jint41handler2 ENDP
) n" T  k5 P8 U% o# r) _& e0 E% l( ]! K7 @0 c  w+ K; x- r* p
- A* O1 m. o* K- b  U/ p# {
_________________________________________________________________________
, Q" u% n/ w0 c7 w) K" ?6 U
0 |3 {+ Z  W$ Q- o8 p
% m! Z0 n& h  b0 D1 g  v" {: aMethod 06
- A" ~( l" [) q7 t2 f0 I  K7 r$ z3 o=========0 L3 O- W/ d$ Z8 L
0 |: m3 E* h" h, a

; D# k8 M# b( ~8 L8 w3 j1 _2nd method similar to the preceding one but more difficult to detect:1 k1 q+ |  f0 r, `4 X) ^* N

# f0 e" A. A! i0 S; ]7 c% V/ {! \! R8 K0 j, L; K
int41handler PROC, m! K) ?! V& {4 K
    mov     cl,al. g( U) L, c! @
    iret
0 D2 p. ~+ A$ M; R2 H$ h6 o$ O8 wint41handler ENDP* d# p4 G7 T. @  I

8 |% R/ D; ?' R5 ^+ q+ H. V% i0 f; E. K5 e' \
    xor     ax,ax
0 m8 b! i0 G9 T5 R8 I# u    mov     es,ax) h" Q2 X; d6 [+ G: D7 }
    mov     bx, cs
( Z+ L* e* ^( y    lea     dx, int41handler$ d# w, @5 }9 c( E/ y/ S
    xchg    dx, es:[41h*4]! o% m) @% Z/ T- B$ L/ i7 ]: o, h
    xchg    bx, es:[41h*4+2]) F$ y- n$ i9 h% h6 a3 `, ]
    in      al, 40h# H! j0 v6 y* ]; c$ p9 e
    xor     cx,cx
' Y! Z  c" l  H, }% u* M    int     41h2 {1 D" e' u% C1 N  P9 z
    xchg    dx, es:[41h*4]* @- j. {, t! W
    xchg    bx, es:[41h*4+2]/ }% d3 j* `$ Y& B6 V9 G' V
    cmp     cl,al
2 P+ u% D% L$ w: R1 t$ P) Q    jnz     SoftICE_detected% j2 r: ]$ m8 V& L/ g
3 h8 S& n# E4 w' n$ ]9 i) P3 y! e
_________________________________________________________________________& [  O+ e$ D# T- \. i4 R
! j% D2 P. h6 T5 E4 |" `3 N* s
Method 07
( b: x& s9 ^$ C. Y2 e) T% [=========
6 L9 \6 V- o& A& u) p
( [) H, u- r! C! MMethod of detection of the WinICE handler in the int68h (V86)1 L5 g% Q+ ^. D$ y$ J% U
5 `& F$ p# e; v; s# @5 F
    mov     ah,43h$ W; A+ @* _3 B
    int     68h: x' ?% ~5 {) O, l2 @. ?
    cmp     ax,0F386h
" _/ l  m3 c" S0 s7 q5 L6 O2 J" x    jz      SoftICE_Detected
4 W; P; v% u: f# H! x7 O2 Y: ?3 m8 A# [5 O' }- R, ~3 P5 E, V8 ~

; y3 H0 @6 z8 J+ z9 d: b=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit" h2 }. k) X$ k" T  c+ j
   app like this:5 ]- ~  h2 C0 R5 I8 j

; O! d( |- y2 M- I8 @- b, U   BPX exec_int if ax==68
- O8 ]0 T& {! D; F, `! ~; }/ y: F3 B% D   (function called is located at byte ptr [ebp+1Dh] and client eip is
+ Q: m) g8 A7 ]   located at [ebp+48h] for 32Bit apps)9 ]7 ?* E& W2 k5 k
__________________________________________________________________________
+ e# K: J) ?! e/ b1 u1 Q7 `
+ S0 m$ h" O* i- c! A
" {: ]# C& }* W- v. m3 wMethod 08
6 x6 Z$ t( i9 ]9 L4 Y0 f=========- s4 S; {5 Q# ?- Y4 O
- z# ?, E" d, B2 G( a6 h3 o
It is not a method of detection of SoftICE but a possibility to crash the
  U, a0 ~) W$ k6 |# jsystem by intercepting int 01h and int 03h and redirecting them to another
8 ]" m  {' b5 a! D  `routine.9 f% \; a1 K) Y) D1 \7 O: @
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
. E$ M; I( O8 @) i3 \4 v7 ^to the new routine to execute (hangs computer...)
% f5 W: ^- f/ h+ j( Z
% O' a7 ]7 e7 |, V    mov     ah, 25h
* {# f8 Y+ v  Y0 D    mov     al, Int_Number (01h or 03h)
' w2 u6 [4 g0 i: D    mov     dx, offset New_Int_Routine
3 E1 w: ]1 g7 _0 {    int     21h  c" [9 H& D1 F" v( b; G/ l9 y

/ |; n3 G6 L. a( A__________________________________________________________________________4 n: Y" h" T2 ~% a$ i

7 Q; I7 r! L2 V0 Z8 W7 RMethod 09
7 t- c/ E7 M4 A# w4 a=========
2 T0 l' {' K+ m" z" z% S) B; G! p" d) R2 R( h  I* }# A, _* i
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only/ ^5 a: S, @1 w9 X; x6 ^
performed in ring0 (VxD or a ring3 app using the VxdCall).
# o' W/ k. u+ v" W& E3 {+ [The Get_DDB service is used to determine whether or not a VxD is installed
2 Y8 v5 q' B6 K. E$ T9 ffor the specified device and returns a Device Description Block (in ecx) for
, [! r7 M& Q5 H2 v% Jthat device if it is installed.
0 _0 ~% i/ c( T% k8 I0 v& [6 K- ~4 h; O, s
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
2 j+ s- v5 f8 ^4 ~: ]; V0 Y   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)* e& O( \. k/ }* ?7 [1 G, f
   VMMCall Get_DDB
6 A, G! I1 u4 K$ S4 V   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
2 n4 S$ C9 v& `+ k" V: X/ R. V5 v  K7 y/ |' I5 A
Note as well that you can easily detect this method with SoftICE:
3 ~6 w- S- p( e$ w7 S   bpx Get_DDB if ax==0202 || ax==7a5fh
2 D/ h- Z2 ^1 Z4 \9 k9 k" g# y3 B3 K2 P4 o4 A
__________________________________________________________________________. v$ j- R, Y0 [' R7 u8 o
0 H# ]4 l! p, m6 l
Method 107 n5 p) i  [( U  B+ N: D
=========
5 s: E: j, A# ^) G3 k# F% f
# j$ i$ C% D2 F9 K4 z=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
" L+ A6 e; d$ h! w8 Q  SoftICE while the option is enable!!; @, ]& C- G9 [; J

' z3 \  x! V$ rThis trick is very efficient:
9 U$ t# v2 N  z* J0 mby checking the Debug Registers, you can detect if SoftICE is loaded
6 X$ O+ ]+ M+ P# t- r+ B9 K9 D% P(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 U* J8 k, S8 U9 K
there are some memory breakpoints set (dr0 to dr3) simply by reading their* P" [$ {0 _4 C6 O5 `4 F
value (in ring0 only). Values can be manipulated and or changed as well
# t( {3 y* l; M7 d(clearing BPMs for instance)" M+ Z, p; ~- l6 b/ W, J. ~+ G
  b2 s, j) h4 ^6 }3 _5 X
__________________________________________________________________________
8 z( a' J* }; i. _& }
5 D4 r% a- J. }; U# c4 ]* x, m5 |Method 11
9 m/ Y; {4 ?. y- s* ~# H3 A/ X: X=========' T( Q1 g( ^) w! \

& {9 b6 q) u% V: p: j6 W4 A3 NThis method is most known as 'MeltICE' because it has been freely distributed
, ^9 V  r6 m5 ]0 ~/ Yvia www.winfiles.com. However it was first used by NuMega people to allow
" c, H/ g& e& z3 LSymbol Loader to check if SoftICE was active or not (the code is located
  V" c/ R- {$ I0 h8 Binside nmtrans.dll).
9 z9 }+ ~) s# a9 W; L
- ^# e* Y- K  C  m" hThe way it works is very simple:% H" s8 V, Z+ }) I; [0 t
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. b* Z2 ^: Z- Q$ O1 r$ aWinNT) with the CreateFileA API.( L! u4 j; ^  Y# z
  X0 A4 R1 t6 Q  W! r
Here is a sample (checking for 'SICE'):3 q; U0 Q0 H1 g( @

, M" x1 c7 f, ^6 g; d! OBOOL IsSoftIce95Loaded()+ e  z# v* w" }
{
% U( A9 z7 F; L9 z   HANDLE hFile;  8 H. P# F) i* H: \$ L7 e! @
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 G' z( V' D, }; y
                      FILE_SHARE_READ | FILE_SHARE_WRITE,8 w; ~# F$ @$ R5 ]" i  }5 A2 R# q( z
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);& o, t- I; Y+ n3 \4 c
   if( hFile != INVALID_HANDLE_VALUE )' R+ ^1 `5 D/ y0 A. z  r6 C8 M) w
   {
( q. R/ w/ Q3 \1 c: K      CloseHandle(hFile);
/ w# U1 u" D. S  A+ X; C( A" M      return TRUE;
4 S, A( s2 d/ x   }( h  `4 E" }: U$ b1 \+ t1 E2 b3 f
   return FALSE;
6 v) v+ ^! ^1 \4 ?  E" `. |7 `2 \$ i! {}' N2 I2 _1 ^# Y: @

  ?% u5 o% w, d  ]7 M4 D, z8 pAlthough this trick calls the CreateFileA function, don't even expect to be
! p2 u" F# V4 B# w. F. mable to intercept it by installing a IFS hook: it will not work, no way!# D  F7 Z; N2 X" J" p3 e6 |
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
; ^- F9 k0 q& U8 ^* Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
' W6 p4 i2 l1 I* S) \( ]/ s9 |and then browse the DDB list until it find the VxD and its DDB_Control_Proc; I- S9 V, E' K
field.
& {0 {# A4 N* x  IIn fact, its purpose is not to load/unload VxDs but only to send a
2 a# ?* x$ k# K* uW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). G) q" {) O- u4 U. J$ M: f
to the VxD Control_Dispatch proc (how the hell a shareware soft could try/ r3 E: y2 w6 b  ?; y4 G7 |1 j
to load/unload a non-dynamically loadable driver such as SoftICE ;-).6 A8 Z+ l6 _# w' f
If the VxD is loaded, it will always clear eax and the Carry flag to allow
9 X0 [7 w9 a: Gits handle to be opened and then, will be detected.9 [+ {, z( n5 l$ |  l: D; i3 f  x
You can check that simply by hooking Winice.exe control proc entry point
8 N5 [- K0 C# J) L) p/ pwhile running MeltICE.1 v$ n# C  D$ b2 j$ T# R- @7 \
! x2 \) h' q/ a0 X0 X
* n. H, b" `2 L9 e( j1 q+ x" E
  00401067:  push      00402025    ; \\.\SICE
% K7 ^5 Q/ F) u0 X5 Q4 E# ]& r  0040106C:  call      CreateFileA4 Q, Y9 G, E0 O7 u* X8 |( m: R0 _" D( v
  00401071:  cmp       eax,-001
: b1 |5 k, a9 P  00401074:  je        00401091
8 P: @3 d9 T/ B& c) r  h  Q) o4 o& W# e/ _

* Q5 C" s3 _2 s) H. }There could be hundreds of BPX you could use to detect this trick.- Z  n. q& Z) Q& q, M
-The most classical one is:9 I$ c9 Q0 g+ A/ C; l
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||! }0 \/ `: l' G" x# x: x6 b: x
    *(esp-&gt;4+4)=='NTIC': c( ~  M  W; F6 J
, i. U5 a2 v1 u& n1 ?0 t
-The most exotic ones (could be very slooooow :-(
$ ]7 J8 a- a- d   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  4 l4 d0 F9 l4 ]: L  K
     ;will break 3 times :-(
2 }3 c* n) _% H: U
( ^7 O2 V4 `! b2 _* ^2 P! {# z-or (a bit) faster: : {( L, R8 y7 V- |8 c4 a4 _# o
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')  w, p6 u+ h8 U

; C& c# c0 I. b  x# H   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
) I; U7 l4 ?$ L! ^     ;will break 3 times :-(
9 x% m; ^' I5 z' V- @
+ R  D4 p* m  J+ j- }5 N-Much faster:
' Q& ~; J' i- k" b8 \4 j   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'; ^, `0 Y4 H7 q0 {. u3 s% F
4 M' A) L8 a6 Q7 t
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ Y& D& u! y, B5 Nfunction to do the same job:0 @0 p+ q9 g+ K1 X
. P1 `7 @" H& b2 g* J/ Y& H& {
   push    00                        ; OF_READ
* ~2 ?! M7 M# u  y' b' j# K# Q0 M   mov     eax,[00656634]            ; '\\.\SICE',08 {' c$ ]/ O4 h( |& C/ q
   push    eax+ C0 H3 B6 d$ O, {
   call    KERNEL32!_lopen' c- p( L, M# J% t
   inc     eax' V9 S' s8 \4 Q0 e* ^6 J7 i  K! r9 B" C
   jnz     00650589                  ; detected
) o! R% ?/ e4 m& B! P1 l   push    00                        ; OF_READ
8 w2 k3 u! ~" X0 I, p/ m% m  V  X  H* d   mov     eax,[00656638]            ; '\\.\SICE'8 A: M6 G, `% `) e( f6 H, D
   push    eax
7 f* J1 B+ E5 _9 V0 [   call    KERNEL32!_lopen" i! U; F" a0 R8 W$ F& C" D1 L
   inc     eax- r4 J: A! x$ T8 ~  z
   jz      006505ae                  ; not detected: u1 O. N) W& E
; }6 f& m0 u- Z2 c# W6 K, v5 u
2 i8 W' G/ K/ l8 L
__________________________________________________________________________
( H  }/ M8 C% j  O
* D6 |: A) W: f0 T6 a: r+ C/ JMethod 12
. [: V/ R( j* m( ^=========
- X, W; d! B/ f. o+ x8 m) z6 E: I
$ ]7 p* a& T+ W  [, }This trick is similar to int41h/4fh Debugger installation check (code 05
- h2 d4 v& L3 z0 s&amp; 06) but very limited because it's only available for Win95/98 (not NT)
- P; o, C  g+ s/ M4 Das it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 k9 E' ]9 n6 y# h% ]" J8 {  f

( O" k) R8 C2 @* V& C- J   push  0000004fh         ; function 4fh
8 @) W9 A8 O# K! i" y% g   push  002a002ah         ; high word specifies which VxD (VWIN32)
9 a6 i# P; I/ B                           ; low word specifies which service
. l: j: [$ d" _5 ]  }; E9 ^                             (VWIN32_Int41Dispatch)
( E' q' m# `% {/ r9 g2 I0 Y   call  Kernel32!ORD_001  ; VxdCall
" K! K0 a  u; s% m- ?5 e   cmp   ax, 0f386h        ; magic number returned by system debuggers
7 j7 b! p' X! L   jz    SoftICE_detected
1 L4 P3 J3 u" ^9 o: c
! v* h" R) w: n1 J# u- c/ o5 \' tHere again, several ways to detect it:
" z4 J, w0 l$ i) N4 O0 s, g$ V8 O5 b
    BPINT 41 if ax==4f
9 S0 d! q) x) x% M# X
) c! k3 c, M1 g- ~    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one8 M6 _5 K) ^( R, [
! a6 d$ P& ~! L! g, s
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A0 I9 p6 i; f- s& f3 v
- R. z3 J+ E) }. M
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
  t* f, E$ `, l& K! c; ]& q4 J
4 f9 q# m4 Y: h__________________________________________________________________________
% p# I: N/ g6 H: H7 b5 E. C' Y6 Z. J, v4 f
Method 13
+ C% ~( [# ]' r$ L% x. T=========
, X# R8 Z+ Q$ [; o+ M6 z4 b5 F: G2 v5 s. u$ N( a5 `4 L9 `
Not a real method of detection, but a good way to know if SoftICE is- m1 H0 x$ ]" M: j* \: q
installed on a computer and to locate its installation directory.& q4 K- L7 Y# b4 }; w
It is used by few softs which access the following registry keys (usually #2) :
( d' X* p% W$ N" K3 D* \8 y5 L1 A" s4 m4 g9 r: X, |( l
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 T3 k0 d- g# m% A' j\Uninstall\SoftICE
/ }& v# y- \/ ^8 r, r: q-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) U0 h! n/ \! w7 m5 s, u: ^+ w-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
. }0 f8 l, A: I4 ^# q\App Paths\Loader32.Exe
) f- G0 M7 l- R3 y/ a! V) y
! ~8 R+ K5 w& F5 U- C9 s/ o7 ]7 e! O  |8 ?/ ^5 i
Note that some nasty apps could then erase all files from SoftICE directory! ^( i% t/ h, F: G$ G
(I faced that once :-() r- v& {% ^$ n
! h/ n8 c  ^/ l
Useful breakpoint to detect it:
4 u* |# z: T5 K0 `/ n- A5 K) Y" k, R, Y3 a& M5 i. r  {3 h
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
0 @0 _3 `9 g! W8 r0 C8 t* O7 O! c8 S+ Z& V
__________________________________________________________________________
& D  C% c# n+ g- w
  t8 u5 I6 R1 b! Q; {6 {  r/ Z
, [. Q' ?* m% f6 j8 _, H- mMethod 14
6 t9 ]3 |* O4 ~2 a$ y' x; q=========
+ g4 X$ f( W6 M6 j3 K
/ a& n4 O! g6 y6 d4 z5 XA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: k/ F/ |3 k: D
is to determines whether a debugger is running on your system (ring0 only)./ [" ]* Z" I4 l) S2 |6 G" c
. p! S6 n2 q9 L' U
   VMMCall Test_Debug_Installed' P: g3 k4 [- B: ^/ Z
   je      not_installed- o, c5 m) o& v4 w; }/ ~/ q7 b+ e
$ ^5 g  O  u4 e7 q3 m7 M
This service just checks a flag.! T; B4 u8 V- q' m
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-15 11:43

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表