About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognizes:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; if SoftICE handled the BoundsChecker call, al is no longer 4
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; with SoftICE loaded, ax still comes back as 0F386h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; dummy handler: copy al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = timer value (no 4Fh, no 0F386h to look for)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
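A raw DR7 value only tells you something once you know its bit layout. The decoder below is an added example (not code from the original text): it takes a DR7 value such as the 0x700 / 0x400 quoted above and lists which DR0..DR3 slots are armed and what kind of breakpoint each is, using the bit positions from the Intel SDM. Read that way, 0x400 is just the always-set reserved bit 10, and 0x700 is that bit plus LE and GE; the "loader" test is only the text's own heuristic wrapped in a function.

```python
# Added example, not part of the original text: decode the x86 DR7 register
# the text reads to spot SoftICE and its BPMs. Bit positions follow the Intel SDM:
#   bits 0..7     L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bits 8, 9     LE, GE          "exact" breakpoint enables (together 0x300)
#   bit 10        reserved, reads as 1 (the 0x400 baseline quoted above)
#   bit 13        GD              general detect: any MOV to/from DRx traps
#   bits 16+4n    R/Wn (2 bits)   00=execute 01=write 10=I/O 11=read/write
#   bits 18+4n    LENn (2 bits)   00=1 byte 01=2 bytes 11=4 bytes (10=8 bytes, 64-bit only)

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}
KIND_CODE = {name: code for code, name in RW_KIND.items()}
LEN_CODE = {n: code for code, n in LEN_BYTES.items()}

DR7_RESERVED_ONE = 1 << 10    # 0x400


def decode_dr7(dr7):
    """Describe the global flags and every armed DR0..DR3 slot in a DR7 value."""
    slots = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"index": n, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"le": bool(dr7 & (1 << 8)),
            "ge": bool(dr7 & (1 << 9)),
            "gd": bool(dr7 & (1 << 13)),
            "breakpoints": slots}


def encode_bpm(index, kind, length, local=True):
    """DR7 bits that arm one data breakpoint (a BPM in SoftICE terms) on DR<index>."""
    enable = 1 << (2 * index + (0 if local else 1))
    return (DR7_RESERVED_ONE | enable
            | (KIND_CODE[kind] << (16 + 4 * index))
            | (LEN_CODE[length] << (18 + 4 * index)))


def has_hardware_breakpoints(dr7):
    """Any L/G enable bit set means a DR0..DR3 breakpoint is armed."""
    return (dr7 & 0xFF) != 0


def looks_loaded_by_softice_loader(dr7):
    """The text's heuristic only: LE and GE set (0x700) vs the bare reserved bit (0x400)."""
    return (dr7 & 0x700) == 0x700


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0, "write", 4)):
        print(hex(value), decode_dr7(value))
```

encode_bpm(0, "write", 4) yields 0xD0401, which is what a 4-byte write BPM on DR0 looks like from ring 0; a program applying Method 10 would see exactly such a value, and the decoder shows what it is giving away.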

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
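Every sequence listed so far (Methods 01 to 07, the MeltICE device names of Method 11 and the VxDCall of Method 12) assembles to a short, fixed byte pattern, which is what makes them easy to flag statically when triaging a packed sample before ever running it. The scanner below is an added example, not code from the original text: it encodes the listings as regular-expression byte signatures and runs them over a constructed buffer. It assumes the register order exactly as in the listings and 16-bit encodings for the DOS-era int 3/2Fh/41h/68h sequences (a 66h prefix in 32-bit code leaves the matched bytes intact), so a reordered or obfuscated variant needs its own pattern.

```python
import re

# Added example, not part of the original text: byte signatures for the
# detection sequences listed in Methods 01-07, 11 and 12. Encodings assume the
# register order of the listings and 16-bit code for the DOS-era sequences.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3
    ("M01", "BoundsChecker 'BCHK' int 3 check", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh, the int 3 back-door magic values
    ("M02", "SoftICE int 3 back door magic SI/DI", rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,VxD_ID / int 2Fh
    ("M03", "int 2Fh/1684h for VxD 0202h (SICE)", rb"\xB8\x84\x16\xBB\x02\x02.{0,4}?\xCD\x2F"),
    ("M04", "int 2Fh/1684h for VxD 7A5Fh (SIWVID)", rb"\xB8\x84\x16\xBB\x5F\x7A.{0,4}?\xCD\x2F"),
    # Method 05 (and Stone's first variant): mov ax,4Fh / int 41h
    ("M05", "int 41h function 4Fh", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 06: in al,40h ... int 41h with no function code at all
    ("M06", "int 41h after in al,40h (Stone's second variant)", rb"\xE4\x40.{0,6}?\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("M07", "int 68h function 43h", rb"\xB4\x43\xCD\x68"),
    # Methods 05/07/12 all end with cmp ax,0F386h
    ("F386", "compare against debugger magic 0F386h", rb"\x3D\x86\xF3"),
    # Method 11: the device names MeltICE tries to open
    ("M11", "SoftICE device name string", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    ("M12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

# Subfunction table of the int 3 back door, from Method 02.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string",
    0x0911: "execute SIce command",
    0x0912: "get breakpoint infos",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}


def scan(blob):
    """Return sorted (offset, tag) pairs for every signature found in blob."""
    hits = []
    for tag, _desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), tag))
    return sorted(hits)


def backdoor_function(blob, offset):
    """For an M02 hit, look back up to 16 bytes for 'mov ax,09xxh' (B8 xx 09)
    and name the back-door subfunction; None if no such mov precedes it."""
    window = blob[max(0, offset - 16):offset]
    last = None
    for m in re.finditer(rb"\xB8(.)\x09", window, re.DOTALL):
        last = m
    if last is None:
        return None
    return BACKDOOR_FUNCTIONS.get(0x0900 | last.group(1)[0])


def report(blob):
    """Human-readable lines, one per hit, with the back-door call decoded."""
    desc = {tag: d for tag, d, _ in SIGNATURES}
    lines = []
    for offset, tag in scan(blob):
        line = "%06x  %-4s  %s" % (offset, tag, desc[tag])
        if tag == "M02":
            line += "  [function: %s]" % backdoor_function(blob, offset)
        lines.append(line)
    return lines


# Constructed sample (not a real file): the Haspinst sequence from Method 02,
# a Method 05 probe and a MeltICE device name, separated by padding.
SAMPLE = (
    b"\xB8\x11\x09"          # mov ax,0911h   (execute command)
    b"\x8B\x17"              # mov dx,[bx]
    b"\xBE\x47\x46"          # mov si,4647h
    b"\xBF\x4D\x4A"          # mov di,4A4Dh
    b"\xCC"                  # int 3
    b"\x90\x90\x90\x90"
    b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh / int 41h
    b"\x3D\x86\xF3"          # cmp ax,0F386h
    b"\x00\x00\x00\x00"
    b"\\\\.\\SICE\x00"       # the string \\.\SICE
)

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Three-byte patterns such as the 0F386h compare will hit random data now and then, so treat them as corroboration next to a longer hit (an int 41h/4Fh probe a few bytes earlier) rather than as a finding on their own.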

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
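The conditions in the breakpoints of Methods 11 and 13 (*(esp-&gt;4+4)=='SICE', *(esp-&gt;8+0x13)=='tICE') read naturally once the SoftICE notation is clear: reg-&gt;n is the dword at [reg+n] and *(x) the dword at address x, so on entry to a stdcall API esp-&gt;4 is the first argument and esp-&gt;8 the second. The example below is added here and is not code from the original text: it models that notation over a constructed little-endian memory image laid out as the stack looks on entry to CreateFileA and RegOpenKeyA, and evaluates both conditions against the device names and registry paths the text lists. The addresses are made up; the 0x13 and 0x37 offsets are the text's own, and the test confirms they land on "tICE" in keys #2 and #1 and nowhere in key #3.

```python
# Added example, not part of the original text: evaluate SoftICE-style
# breakpoint conditions over a constructed memory image.
#   reg->n   ==  dword at [reg + n]          (arrow)
#   *(x)     ==  four bytes at address x     (star; compared to 'SICE'-style literals)


class Mem:
    """Sparse little-endian memory image; unwritten bytes read as zero."""

    def __init__(self):
        self.cells = {}

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr, n=4):
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr):
        return int.from_bytes(self.read(addr, 4), "little")


def arrow(mem, regs, reg, off):
    """SoftICE 'reg->off'."""
    return mem.dword(regs[reg] + off)


def star(mem, addr):
    """SoftICE '*(addr)', kept as raw bytes so 'SICE' compares in memory order."""
    return mem.read(addr, 4)


def stack_at_api_entry(mem, esp, ret_addr, args):
    """Lay out [esp]=return address, [esp+4]=arg1, [esp+8]=arg2, ... as on
    entry to a stdcall API such as CreateFileA or RegOpenKeyA."""
    mem.write(esp, ret_addr.to_bytes(4, "little"))
    for i, a in enumerate(args):
        mem.write(esp + 4 * (i + 1), a.to_bytes(4, "little"))


def meltice_condition(mem, regs):
    # BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    # esp->4 is lpFileName; +4 skips the four-character \\.\ prefix.
    tag = star(mem, arrow(mem, regs, "esp", 4) + 4)
    return tag in (b"SICE", b"SIWV", b"NTIC")


def regopenkey_condition(mem, regs):
    # BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
    # esp->8 is lpSubKey; 0x13 and 0x37 are where "tICE" sits in keys #2 and #1.
    subkey = arrow(mem, regs, "esp", 8)
    return star(mem, subkey + 0x13) == b"tICE" or star(mem, subkey + 0x37) == b"tICE"


def createfile_would_break(name):
    """Would the Method 11 breakpoint fire for CreateFileA(name, ...)?"""
    mem = Mem()
    name_addr = 0x00402025            # constructed, echoing the listing's push
    mem.write(name_addr, name + b"\x00")
    esp = 0x0012FF00                  # constructed stack pointer
    stack_at_api_entry(mem, esp, 0x00401071, [name_addr, 0xC0000000])
    return meltice_condition(mem, {"esp": esp})


def regopenkey_would_break(subkey):
    """Would the Method 13 breakpoint fire for RegOpenKeyA(hKey, subkey, ...)?"""
    mem = Mem()
    subkey_addr = 0x00403000          # constructed
    mem.write(subkey_addr, subkey + b"\x00")
    esp = 0x0012FF00
    hkey_local_machine = 0x80000002
    stack_at_api_entry(mem, esp, 0x00401200, [hkey_local_machine, subkey_addr])
    return regopenkey_condition(mem, {"esp": esp})


if __name__ == "__main__":
    for name in (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE", b"C:\\readme.txt"):
        print(name, createfile_would_break(name))
    for key in (b"Software\\NuMega\\SoftICE",
                b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"):
        print(key, regopenkey_would_break(key))
```

The same two helpers cover the other conditions on this page: edx-&gt;1c==4f in Method 12 is arrow(mem, regs, "edx", 0x1C) == 0x4F, and eax-&gt;3=='SICE' in Method 11 is star(mem, regs["eax"] + 3) == b"SICE".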

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>