About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must point at the IVT (segment 0), as in method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
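As an added example (not part of the original post or of any of the tools it names), here is a small static triage script that flags the byte patterns and strings of the tricks listed above in a binary, so an analyst can see which anti-SoftICE checks a sample carries before loading it under a debugger. The instruction encodings are worked out from the listings above; the operand order, the 12-byte look-back window for the int 2Fh check and the sample bytes are constructed assumptions.

```python
import re
import sys

# Added example, not from the original post. Byte signatures for the tricks
# listed above, derived from the 16-bit instruction encodings (operand order
# as in the listings is assumed; a 66h prefix may precede some in 16-bit code).
INDICATORS = [
    ("M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)", rb"\xbd\x4b\x48\x43\x42"),
    ("M02 back door magic values (mov si,4647h; mov di,4A4Dh)", rb"\xbe\x47\x46\xbf\x4d\x4a"),
    ("M05 int 41h/4Fh debugger check (mov ax,4Fh; int 41h)", rb"\xb8\x4f\x00\xcd\x41"),
    ("M05/07/12 magic number compare (cmp ax,0F386h)", rb"\x3d\x86\xf3"),
    ("M07 int 68h/43h V86 handler check (mov ah,43h; int 68h)", rb"\xb4\x43\xcd\x68"),
    ("M12 VWIN32_Int41Dispatch VxDCall (push 002A002Ah)", rb"\x68\x2a\x00\x2a\x00"),
    ("M11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M13 NuMega registry key", rb"Software\\NuMega\\SoftICE"),
]

WINDOW = 12  # bytes before int 2Fh in which the register setup is expected (assumption)


def scan(data):
    """Return sorted (offset, description) pairs for every indicator found."""
    hits = []
    for name, pat in INDICATORS:
        for m in re.finditer(pat, data):
            hits.append((m.start(), name))
    # Methods 03/04 (and 09) share the VxD IDs; rather than one fixed byte string
    # we look for mov ax,1684h plus mov bx,<VxD ID> shortly before an int 2Fh.
    for m in re.finditer(rb"\xcd\x2f", data):
        window = data[max(0, m.start() - WINDOW):m.start()]
        if b"\xb8\x84\x16" in window:
            if b"\xbb\x02\x02" in window:
                hits.append((m.start(), "M03 int 2Fh/1684h with VxD ID 0202h (SICE)"))
            elif b"\xbb\x5f\x7a" in window:
                hits.append((m.start(), "M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)"))
    return sorted(hits)


# Constructed sample: a method 03 check, a method 05 check, then a MeltICE string.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f\x8c\xc0\x03\xc7\x85\xc0\x75\x10"
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(data):
        print(f"{off:08x}  {name}")
```

Run it with a file path to scan a real sample, or with no argument to scan the constructed bytes.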