About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
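Added example (my own code, not part of the original write-up): a small Python decoder for the DR7 layout that the Method 10 check relies on. The 0x400 and 0x700 values are the ones quoted above; the bit layout used (L0..G3 enable bits in bits 0-7, LE in bit 8, GE in bit 9, the reserved always-one bit 10, GD in bit 13, R/W and LEN nibbles from bit 16) is the documented IA-32 DR7 layout, and the sample values fed to it are constructed. It shows why 0x400 is the "nothing armed" baseline and why 0x700 differs from it by exactly the LE and GE bits.

```python
# Added example: decode the IA-32 DR7 layout behind the dr7 check above.
# Bit layout (IA-32 SDM): bits 0-7 = L0,G0 .. L3,G3 enable bits, bit 8 = LE,
# bit 9 = GE, bit 10 = reserved and always reads 1, bit 13 = GD,
# bits 16+4i / 18+4i = R/W and LEN fields for DRi.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of enabled hardware breakpoints."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue              # DRi is not armed: its R/W and LEN fields are ignored
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"dr": i, "local": bool(local), "global": bool(glob),
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": slots,
    }


def matches_loader_signature(dr7: int) -> bool:
    """The write-up quotes dr7 == 0x700 when the target was started through the
    SoftICE loader and 0x400 otherwise: the difference is exactly LE and GE."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def has_memory_breakpoints(dr7: int) -> bool:
    """True if any of dr0..dr3 is enabled (what a BPM looks like from ring0)."""
    return bool(decode_dr7(dr7)["breakpoints"])


if __name__ == "__main__":
    # Constructed sample values: the two quoted above plus one with a 4-byte
    # write breakpoint armed in DR0 (L0 set, R/W0 = 01b, LEN0 = 11b).
    for value in (0x400, 0x700, 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(hex(value), decode_dr7(value))
```

The decoder only reads the register image it is handed; reading DR7 itself needs ring0, as the note above says.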

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Try to open the SoftICE VxD as a device: only succeeds if SICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;   /* handle opened: SoftICE is active */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
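As an added example (my own code, not part of the write-up above nor of any tool it names): a small Python scanner that looks for the constants quoted in Methods 01, 02, 03/04, 05/07/12, 11 and 13 inside a binary, the way an analyst triages a packed sample for anti-debugging checks before running it. The opcode bytes are the standard x86 encodings of the instructions shown above (MOV r16,imm16 = B8+r iw, CMP AX,imm16 = 3D iw, with a 66h prefix in 32-bit code that the patterns tolerate); the method numbers and descriptions refer to the write-up, and the sample buffer is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Added example: static triage of a binary for the anti-SoftICE constants
# quoted in the write-up above. Opcode bytes are the 16-bit immediate forms;
# 32-bit code emits the same bytes after a 66h prefix, so the patterns match
# there too.


@dataclass(frozen=True)
class Signature:
    method: str        # method number(s) in the write-up
    description: str
    pattern: bytes     # regular expression over raw bytes
    flags: int = re.DOTALL


SIGNATURES: Tuple[Signature, ...] = (
    # Method 01: mov ebp,4243484Bh ('BCHK'); the immediate is stored little-endian
    Signature("01", "BoundsChecker 'BCHK' immediate (int 3 probe)",
              rb"\xbd\x4b\x48\x43\x42"),
    # Method 02: mov si,4647h ... mov di,4A4Dh (back-door magic values)
    Signature("02", "SoftICE back-door magic values in SI/DI",
              rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h followed by mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID)
    Signature("03/04", "int 2Fh/1684h with SICE or SIWVID VxD ID",
              rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a)"),
    # Methods 05/07/12: cmp ax,0F386h (magic number returned by system debuggers)
    Signature("05/07/12", "compare against 0F386h debugger magic number",
              rb"\x3d\x86\xf3"),
    # Method 11 (MeltICE): driver device names opened with CreateFileA/_lopen
    Signature("11", "SoftICE driver device name",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.DOTALL | re.IGNORECASE),
    # Method 13: registry key probed with RegOpenKey
    Signature("13", "SoftICE registry key",
              rb"Software\\NuMega\\SoftICE", re.DOTALL | re.IGNORECASE),
)


def scan(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, data, sig.flags):
            hits.append((m.start(), sig.method, sig.description))
    return sorted(hits)


def methods_found(data: bytes) -> List[str]:
    """Distinct write-up methods whose constants appear in the buffer."""
    return sorted({method for _, method, _ in scan(data)})


# Constructed sample: a fake code/data blob carrying one instance of each trick.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc"   # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov ax,911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"           # mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"           # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"      # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"              # registry key
    + b"\x90" * 4
)
# Constructed control: every byte value in sequence, containing none of the constants.
CLEAN = bytes(range(256)) * 4

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<8} {description}")
```

Feed scan() the raw bytes of a file section; a hit is a lead for the debugger breakpoints listed under each method above, not proof by itself, since the 0F386h and 1684h constants can occur in unrelated code.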