找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>4 x3 B, D8 Y4 `, R, Z5 U$ A) z
<TBODY>
# p4 W: b5 t. |<TR>- }- H1 V5 e2 h7 q0 f/ i, O- N, W
<TD><PRE>Method 01
; R2 x8 R' n; [) t# y=========
3 N6 r" p; `; b
  e) i, x1 f5 S, P% IThis method of detection of SoftICE (as well as the following one) is
( H* o& ?. y7 C! Z* Wused by the majority of packers/encryptors found on Internet.
4 Y0 |4 t/ ]# h5 g7 yIt seeks the signature of BoundsChecker in SoftICE6 a6 l) a' M0 C" H* r( H) N0 Q+ ?
9 o6 y) ^; K2 {: F1 |
    mov     ebp, 04243484Bh        ; 'BCHK'& b) C1 U, Q+ ]. q* j- q4 @
    mov     ax, 04h; U1 _4 P6 B) e- H5 M4 y1 d2 ]
    int     3      
9 Y# ~: t/ m2 o# s' \0 d    cmp     al,4
2 p* I: b6 {/ y: X# V: f* \    jnz     SoftICE_Detected
* U- p3 g% t+ D. d* e( y( t
' G1 O; {' k) h___________________________________________________________________________6 I5 l8 I! ]6 \1 S0 ^. U2 [
5 F. U# D4 J8 m( P
Method 02# |6 h9 i" ^0 v) f
=========7 f; E, Q; p9 E1 A* A

) |% o% E+ q2 t# p1 cStill a method very much used (perhaps the most frequent one).  It is used" S6 o6 `+ n1 @% Q/ p
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
; M) E6 E4 X! E- y. l1 eor execute SoftICE commands...# [2 ~; ^4 m+ I2 Z! O+ Z
It is also used to crash SoftICE and to force it to execute any commands* M5 M1 Y. h) [7 G% q: P' i8 P3 j
(HBOOT...) :-((  
6 Z, r: U! `; c" `" n3 H& @+ v( Z  L9 C9 e+ l
Here is a quick description:
$ P* g) k2 ^& e: d-AX = 0910h   (Display string in SIce windows)5 r6 @# b2 H% o- F! O3 ~3 q. x
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
- a' a) E+ ~6 o7 k% Z4 T" @-AX = 0912h   (Get breakpoint infos)
+ r/ i4 P2 s% l8 c+ D-AX = 0913h   (Set Sice breakpoints)
& J/ X" i5 P9 ~$ S* u-AX = 0914h   (Remove SIce breakoints)6 O% d$ A3 v7 a% s6 Y
/ M2 o: {; F6 X+ @8 ?* ]
Each time you'll meet this trick, you'll see:
0 X0 K' e1 F# g! M* B* m9 v-SI = 4647h
5 ~% E; _% v3 e7 m-DI = 4A4Dh
+ ^. C- Q. z/ z% x- `& G4 EWhich are the 'magic values' used by SoftIce.
2 k! }, t$ d/ j8 V: `% iFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
  y4 {( s: W: J6 F- W$ e' K8 a" f* T* \5 [  s& E5 Y3 ~
Here is one example from the file "Haspinst.exe" which is the dongle HASP' G7 K. z) ]+ l( r* L
Envelope utility use to protect DOS applications:
) G# O" ?( Q5 J( j2 Q+ X8 S$ ]& s( a$ Z

. g5 j1 X: o  Z, g4C19:0095   MOV    AX,0911  ; execute command., K4 g, }' H/ o* @  E) A
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).. k: X" |# o5 S$ ?0 ]% I
4C19:009A   MOV    SI,4647  ; 1st magic value.- m' v4 o+ n0 x  e6 |! u; e* h
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
& S7 T3 P6 X4 X0 A1 y7 {% t; n- [4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)7 _+ Z8 Q% J/ T' U. Y$ |' S
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
( \3 B: E& D- W, n* e, y4C19:00A4   INC    CX
7 x7 m; d3 t7 z4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
) u2 Q% ?* q# K. n4C19:00A8   JB     0095     ; 6 different commands.8 x, p# B3 N1 K& c# n/ e6 s+ y
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
0 ~( }, Y3 _$ K5 a" b4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
1 p% C2 N4 J+ v1 s( `8 \; g7 Z5 f, r' [7 e7 y0 l
The program will execute 6 different SIce commands located at ds:dx, which2 h# l2 l% M' t# N) k1 {
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
( L- O, S  f5 P/ ^2 g
3 ~+ P& b4 _5 ~; [7 r* E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
( W  k( v8 J! _6 L! A7 C$ ~___________________________________________________________________________! ^, @0 s$ @: [7 N' O- ~; o

) o3 v( j3 b! y: Z* T- `1 O2 L3 t" o9 W' U/ x. e
Method 031 P' t+ d6 Z4 \
=========
4 k; f/ E/ `+ G5 s
& e' s' w) b3 X3 I& z: TLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h# u3 n$ l- ~# m
(API Get entry point)3 r" y% q7 r, c5 b8 k
        / ]7 L! V) o/ s2 E0 Q

8 U; I7 x' h, c2 b3 E  x2 b    xor     di,di
9 I0 w/ G8 \5 M$ k    mov     es,di" O* G0 v9 x( x
    mov     ax, 1684h      
. @7 `  q# C  s( s& m    mov     bx, 0202h       ; VxD ID of winice; i6 ], w' |' K5 Q& t1 n( \% Z
    int     2Fh" n6 I" c- ^2 Y! d0 l, }' @
    mov     ax, es          ; ES:DI -&gt; VxD API entry point9 |9 O1 h) l' L7 G+ [# L, P! [
    add     ax, di2 p$ K" k9 x( a# j. T/ u! s
    test    ax,ax  C7 q$ ]3 e; E+ f. \
    jnz     SoftICE_Detected* r7 [3 d- S; R1 \
* ^7 @1 p: q. L
___________________________________________________________________________5 C0 _. O7 b" i  ]! |- x
* V) y$ u. u9 k
Method 04( K; P) ~: a& v( S. ^
=========
7 a. l$ i$ T" W- J" S7 |
8 ]% {- q) S' [& E/ C, B, TMethod identical to the preceding one except that it seeks the ID of SoftICE
0 v- B7 g1 @2 t' S9 f2 M. @GFX VxD.* `# e+ s: X5 h
, {, V" k- x/ D
    xor     di,di3 t$ u" N3 x% N1 w) j
    mov     es,di
9 F; P- |+ D! b( |9 H2 ?# [, t4 |: D    mov     ax, 1684h       1 @1 C4 C  ~4 J" ]# V- c' t) l
    mov     bx, 7a5Fh       ; VxD ID of SIWVID# _. F2 r4 c) s  T" W4 k& g
    int     2fh4 F* Y; x3 I& J: s* b9 o
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
$ O" M7 U1 o. r4 e, B" h" w. H    add     ax, di- o5 s- |- k" F7 a
    test    ax,ax
7 x/ ?/ M& n6 W* O    jnz     SoftICE_Detected
, ?6 `( b" S3 s% j3 t& `6 T* C0 O6 u' E% H9 G& P) i9 `
__________________________________________________________________________
' j1 C6 ^/ _+ k4 V" j) s8 U  U8 Z' K' E9 t- A& j
' W3 G* i  y' a/ b6 p6 ?5 D/ F5 r
Method 05) ^( x: p$ H2 ^; H+ N& I+ ]' Y" V! Z
=========
4 }5 E6 k) z" Z3 U: F% D& y) O! C
& F0 ]7 p3 f' f# E& HMethod seeking the 'magic number' 0F386h returned (in ax) by all system: X) E4 |# b$ I% E! B/ M
debugger. It calls the int 41h, function 4Fh.8 g% @$ o3 _9 ]' `4 u
There are several alternatives.  
9 t- I$ W. k1 ?- h" Q0 {0 o9 I0 L# v. T" K! ]9 d+ k
The following one is the simplest:1 p7 l2 E3 _8 w5 m& ?
, E: z) Y# E0 j; H/ H, K
    mov     ax,4fh3 J3 f- ]) `9 Y/ y! r
    int     41h/ A+ N1 M9 Q4 w3 O  Z
    cmp     ax, 0F3860 p) H9 E/ @6 ^# h! g
    jz      SoftICE_detected
0 X( v. q* ], C0 v6 t/ v/ q/ [, j1 C' w! X+ ~0 K% A3 z, }

8 D, p" q3 i$ @$ \* {) Z! mNext method as well as the following one are 2 examples from Stone's & X. Z+ q/ q: y, Z7 C2 |& o. F
"stn-wid.zip" (www.cracking.net):
5 u1 m1 ?4 S8 r) R8 e& h
* {1 X9 _0 Z5 }- L- X0 C( c) {7 Y    mov     bx, cs
% B& L3 a% |( `7 }    lea     dx, int41handler2, I% C! c) U- H" v- {+ A
    xchg    dx, es:[41h*4]( R7 j! G( K, u1 D' U7 ]
    xchg    bx, es:[41h*4+2]
' H  U4 E9 Y9 |# ]" t    mov     ax,4fh$ r# d- M9 r3 P2 t
    int     41h- T( n& `  |3 w0 ?0 z3 @% |. |
    xchg    dx, es:[41h*4]
9 y) ~4 A: q' _    xchg    bx, es:[41h*4+2]
$ \  o9 O/ j; `" h5 f7 {  ?    cmp     ax, 0f386h
4 T. Q0 A/ n" T2 c9 t    jz      SoftICE_detected9 e& z: X+ k# V

6 b$ d: v  J! _% J7 I9 ?) Mint41handler2 PROC+ C0 [9 W/ `. {, r
    iret2 {8 B! i* m) K
int41handler2 ENDP; a2 t9 p8 x1 J& d7 C- z

- o/ V, |, ~. J6 q
  M* E1 o9 u. q9 o_________________________________________________________________________/ G# C2 G; A/ ]) u& B
% O0 D" C0 V: {2 I1 c$ z) Q2 Q/ V

7 T! ~' U; I: J4 @9 {& N' WMethod 06" Z2 m# k+ F" r% Q6 @
=========. F7 ?  h  A, B# P. o) G: O( I9 Z
' {' ]* G2 f4 U% a

+ U' l6 ]7 Y: _/ u# x% U; G1 ]3 T1 ?3 s2nd method similar to the preceding one but more difficult to detect:, j+ l0 \7 k: h/ s8 q. G

: p) u+ {7 c. _9 v# g% j
4 A+ Z6 r, S0 W$ cint41handler PROC
1 Z+ }. a. R5 w* M0 N    mov     cl,al% i7 ?% e+ `7 I) v" {0 n: S
    iret
. v. a' c! Q1 `: p7 @* ^; I4 lint41handler ENDP
( ^3 u0 B! ^8 ~2 E5 g: g& Z* E! j, h- `  F$ j; _3 e

, j- j0 F' U& q6 ~; w    xor     ax,ax* y' ^1 _" ?. P% C3 p! _
    mov     es,ax
6 d& b* d+ _  P6 w* ^3 w5 f    mov     bx, cs
' Q$ ^3 h  W( _! K9 P    lea     dx, int41handler3 |8 x7 y) g6 H/ E9 W
    xchg    dx, es:[41h*4]
6 @+ [9 o8 q& @    xchg    bx, es:[41h*4+2]
( U! c9 V& n/ {6 N7 Z    in      al, 40h) G4 _$ |4 X. k/ i' [; Z* N  Y/ q
    xor     cx,cx) h9 \; m0 I- z2 n
    int     41h- F* W- ]- ~* |2 I1 O( V- q/ r
    xchg    dx, es:[41h*4]! r$ E- m2 T# B- t/ ?
    xchg    bx, es:[41h*4+2]8 H# J/ o0 |, f- j5 \
    cmp     cl,al
' }4 _7 j: A& X' t  V7 b$ a    jnz     SoftICE_detected
- V, O. x* D8 D) ^# y
" \: N: ~5 Y. z_________________________________________________________________________* l0 t! A% _# X

. G* T/ k% w$ U4 `$ E2 |' pMethod 07' l  O- A+ V7 Y1 l4 x
=========! Q, M' e  Z  Z' h. f
" \4 i/ E) j, Q( b, c6 W5 r
Method of detection of the WinICE handler in the int68h (V86)
3 F; _! k  B0 m9 U
+ ^$ ]4 O0 m0 G  Q" L    mov     ah,43h
: M. s* C( i7 L- `1 O8 j( l    int     68h
) }% ~' U$ m9 e! c    cmp     ax,0F386h/ v0 A: r3 O( i1 W7 C
    jz      SoftICE_Detected
' q2 B- W. T; G4 ^% V7 H3 U# n7 w' R
% u6 ]9 M6 J. N/ {
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 V9 i+ A8 _. a0 Y. J9 i   app like this:
7 q2 C) N2 E' E, s9 w1 @1 n1 j  u& V" M
   BPX exec_int if ax==68
; q  \/ W" P8 T1 [: a, J! F8 x, J' {   (function called is located at byte ptr [ebp+1Dh] and client eip is
0 B2 U. W7 W) y: O7 s% {9 y4 }   located at [ebp+48h] for 32Bit apps)/ [8 v# E! }. C: m' V6 l" A1 w
__________________________________________________________________________
+ [5 h7 _2 T1 x. V  Y* S) O2 X) d, f; g7 M  E, C4 T& p. Z) U0 o& t$ b# Z
, _9 G  |8 E2 |- B
Method 08
2 n4 j- A' m& Q0 I# y) w=========: X/ H6 }! u3 P: P4 y, q; Y

* T8 U  }5 ~4 H/ j6 T0 z, TIt is not a method of detection of SoftICE but a possibility to crash the
# _$ m9 o2 J% t; M' fsystem by intercepting int 01h and int 03h and redirecting them to another1 E  G& E( {9 x! N$ y
routine.
% a$ N) z, s9 R7 bIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% u9 q0 s3 y" J( O3 G3 B  w! d- P& kto the new routine to execute (hangs computer...)
( V* u& e, H" |0 G! l8 U
% P5 U: e1 z2 ~( o& k% |    mov     ah, 25h
" n( g. ^/ x6 W    mov     al, Int_Number (01h or 03h)
' Q2 A$ U5 ^, ^& ?& x' I* a& n    mov     dx, offset New_Int_Routine5 }, C  {7 |+ i7 c
    int     21h* v2 \, [, l6 Q; ?

0 a/ ?% ?8 W2 t; p. ^, k0 Z__________________________________________________________________________6 b2 C! a# [& u4 X

3 u! m" E. Z- l( k1 XMethod 09' f' m& ?9 z+ y# [+ f. b$ p! V
=========
* x4 B/ v8 }$ ?) ?- V0 y9 e  H
% Q( ]* L. v9 U: x, e; R  hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
' ^7 u  M4 o% w" rperformed in ring0 (VxD or a ring3 app using the VxdCall).! Z: z* Z& Q# I+ ~
The Get_DDB service is used to determine whether or not a VxD is installed- S5 C# _8 q2 i1 s
for the specified device and returns a Device Description Block (in ecx) for. T# [+ }4 Z6 @% _, w8 u# P
that device if it is installed.- G. j* s$ x# z/ O" y
1 O; l- r( o+ ~
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID  D! J- k+ z! v. t
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
! D1 \/ h5 ?- F; ]" W3 s; G$ Z   VMMCall Get_DDB
: R. c% V+ m- L   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed- W  m) _: N. j3 k
! Q4 m4 d/ g4 X: A
Note as well that you can easily detect this method with SoftICE:/ J. C* J% ~* ?& t0 c5 M
   bpx Get_DDB if ax==0202 || ax==7a5fh
5 b) M" |7 F( C# z9 f
8 @+ F  A  J& a: G' [__________________________________________________________________________
- `0 u' j7 ]7 [: s4 _
: ]- I7 n0 \8 R" w  XMethod 10
( |& Q0 O% q/ Y9 O2 Q# J  w" u=========% g- }% W- v. ^" q! D
2 Z5 M3 m2 I" W1 g) z( ]- o- A7 R( W
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with0 A5 C! \  }) z" z6 J2 r/ C
  SoftICE while the option is enable!!. L, H% [2 `3 h  d. d
7 o( Z- o# H( Y) D1 D5 e
This trick is very efficient:
5 {  O! ~( {7 |by checking the Debug Registers, you can detect if SoftICE is loaded
5 U; Y" f+ \- b/ Y5 R(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# E5 |8 L9 s2 I( L7 jthere are some memory breakpoints set (dr0 to dr3) simply by reading their  Z1 O! n/ p. f5 D; g
value (in ring0 only). Values can be manipulated and or changed as well- ~5 t- n& F8 j- L# t9 T$ b
(clearing BPMs for instance)1 h: Z4 ~# N! E( y
$ p( u$ X9 }3 ~* |
__________________________________________________________________________( u0 D0 E- H4 r) N; U' Z3 |# F
* M" b) G9 i3 H) p
Method 116 f2 i9 ^  V( z/ ]7 i( D) J+ n! p8 h2 n
=========
6 Z# L9 b) T1 q' w. p7 X
* E9 m/ N) b8 ]0 i7 W1 Z' u  W4 iThis method is most known as 'MeltICE' because it has been freely distributed2 b( J8 z+ T% z0 w
via www.winfiles.com. However it was first used by NuMega people to allow
8 Y' t% L0 H$ F' M8 G) i$ `" Z% jSymbol Loader to check if SoftICE was active or not (the code is located
" _7 \* D% r6 w, y$ |4 h# {) _6 Einside nmtrans.dll).
# b; S6 W5 F) Q6 g' Z' Q% H& D/ {, b$ Z% ^2 R  j9 }6 I0 C6 G
The way it works is very simple:
/ h" L# i5 Z4 n; E' D. V- F& D& xIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ i# J# ]0 L" M/ ~6 HWinNT) with the CreateFileA API.4 C8 ?; C! N4 b5 x

7 Z" E0 y0 {, X! _: D1 tHere is a sample (checking for 'SICE'):  e/ R8 T7 ~. H* m
  D7 o( N! n: f* A6 X! T8 G6 F7 j
BOOL IsSoftIce95Loaded(); S& L$ u: H( j) F' U2 n$ v- M) i: a* ]
{
' g5 Q0 W; g/ R   HANDLE hFile;  
' {4 C; I; L6 ?+ _   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,( e, R* H% L0 o+ d
                      FILE_SHARE_READ | FILE_SHARE_WRITE,. f  G4 s2 K8 S, F7 |, P
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);* d& F; ^: l# y4 z/ L
   if( hFile != INVALID_HANDLE_VALUE )0 _* W+ t  @, ^; E; U, _/ m
   {' d6 N) x: J- K
      CloseHandle(hFile);
* ~) Q% q" L* ^6 y      return TRUE;) P2 P0 J5 Q! B& z0 _- b" M
   }
$ b4 V6 D9 H9 U2 Q   return FALSE;
) B. {/ T9 B: ]' x# b4 G}! R) D7 m; n8 N# H9 V
8 ?* E  e) Z" \$ C2 g* ~( v
Although this trick calls the CreateFileA function, don't even expect to be, o! k9 a  V1 M3 U$ a8 l6 i% {
able to intercept it by installing a IFS hook: it will not work, no way!+ G/ e+ m5 ]5 ~# X$ S$ p
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 m* c% Z0 c# @( Z
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)  g4 {4 p1 C. E( ]! X! u
and then browse the DDB list until it find the VxD and its DDB_Control_Proc* ^; y1 Z' K$ ?. w  r1 ?
field.
7 i5 ~8 g: w$ ?In fact, its purpose is not to load/unload VxDs but only to send a
& M  a4 f4 b0 j5 l, fW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)2 {1 r3 ], [1 ~: A
to the VxD Control_Dispatch proc (how the hell a shareware soft could try7 h9 J# t; [/ U5 k9 Q2 C$ A
to load/unload a non-dynamically loadable driver such as SoftICE ;-).( @  W# M" ^1 ]1 T6 C
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 J$ D3 ?! v0 \$ A2 `& B( E9 Yits handle to be opened and then, will be detected.6 L1 i, `, Q- j& {
You can check that simply by hooking Winice.exe control proc entry point
7 }5 j4 n& C! w. fwhile running MeltICE.* I. P, O1 m; W0 Q
- n( X3 E! x( t- D
8 T" u  W, G2 F" V
  00401067:  push      00402025    ; \\.\SICE
' X2 ?; `( q! Y5 C  0040106C:  call      CreateFileA
2 L* H7 s; S5 ^3 D! X2 N- t  00401071:  cmp       eax,-001, W$ t. G( _2 `0 c/ }! p
  00401074:  je        00401091
- d" Q% H+ S+ g* C" t" n/ A: f! E+ H9 j) q. _: X3 @
9 w: p1 T+ Z' v+ f( [% z. z
There could be hundreds of BPX you could use to detect this trick.
6 N. V7 p( I( ?1 r' F1 K-The most classical one is:
+ Q, B7 l7 C3 @* L4 A  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||- i6 f* e: |3 n! U8 @
    *(esp-&gt;4+4)=='NTIC': ~6 u4 w9 x& e. {( Z0 t8 x1 H

+ i9 T6 ^, I) }( [; {5 W! ?+ J-The most exotic ones (could be very slooooow :-(/ q- k1 \6 B& X# U; C: b" R
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  4 k/ }+ d- ]- P1 |
     ;will break 3 times :-(8 z, O3 \0 N* l" a( w9 o

- D) V9 H5 I) K# H& Z& {-or (a bit) faster:
% g/ X; }( i2 v6 X/ n% W- ]# S3 E   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
" T8 S- a! n& {, o  ?/ z% W
! D. v( K2 y2 }9 \' @. \* n. K* w   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
: L/ `4 f1 K: i. ^# r     ;will break 3 times :-(2 n1 A$ b8 o6 d( g: M% c+ X& L7 s3 G

" E, w7 G3 \8 M$ P6 o# F& l/ z( L) a+ K-Much faster:2 Q) Z( X, e: i: G: L$ d: Y  t
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
; L5 K, s1 r5 P
1 M- Q: r. S& jNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
" _. A1 @6 d3 G3 H/ Qfunction to do the same job:% Q1 ^: Z5 w" R- |! N

& i: \- @% R" J% j, }   push    00                        ; OF_READ4 r9 u* X' A+ z9 Z9 i1 g$ a+ B
   mov     eax,[00656634]            ; '\\.\SICE',0
7 }8 m0 A% C+ }+ p. ?( R) J   push    eax+ j/ z4 T7 q3 ?; a2 F
   call    KERNEL32!_lopen: D. ~; c1 I% |6 B8 {  A. \
   inc     eax( `! Z  v+ m) P4 `
   jnz     00650589                  ; detected
* B; J, P: p2 ~1 \( K  |: I) N   push    00                        ; OF_READ0 w- ]5 i2 o  r2 T
   mov     eax,[00656638]            ; '\\.\SICE'
1 Z; t. a( a, l( O   push    eax% S. f2 c: A0 L5 r& `0 N. W3 B
   call    KERNEL32!_lopen) p8 {; \1 y+ ^) g6 d, Q2 m2 Q
   inc     eax* T0 V% r! C9 L% p
   jz      006505ae                  ; not detected
5 ^7 `' y3 h, b  _1 F: Z* `# j2 L2 l4 y2 H

2 M8 M+ }/ ^1 u$ @: t+ N__________________________________________________________________________
7 ?& v) F6 n% L' K: U! ~
3 w) z5 K- }& \1 l8 G7 R0 j" zMethod 124 k! {& ^3 C2 {: p+ ~9 t) ~
=========$ V, L: C# g6 p
# B+ ]2 D3 c( {, x
This trick is similar to int41h/4fh Debugger installation check (code 059 \% p9 \2 B% x. S+ J
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
8 ?" z# b: [  H9 L. J1 r$ c7 @as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* K. x: l" t6 G$ i
# {- S0 O, o7 _5 R! o/ I5 k* ^   push  0000004fh         ; function 4fh# ]2 L; _1 Q# X$ {2 E$ i% ~: ^& r
   push  002a002ah         ; high word specifies which VxD (VWIN32)' M& e' `9 ?# X7 h- Y  d8 c7 |
                           ; low word specifies which service+ c- s& y% M- w+ D5 U
                             (VWIN32_Int41Dispatch)6 |, z( j/ E6 R' O  ~. C6 `( M
   call  Kernel32!ORD_001  ; VxdCall* N: x& P& V; g' t' x0 t' j
   cmp   ax, 0f386h        ; magic number returned by system debuggers5 z& \/ [& v2 F0 C+ T1 d" y% Y
   jz    SoftICE_detected
( x7 x; I4 a# [. B8 k2 Q3 |, q9 D2 Y( I. i: D) k8 D
Here again, several ways to detect it:
. p3 ^3 T# V5 b& [
5 {5 a$ h  x4 @/ o* A    BPINT 41 if ax==4f+ r2 @6 x  J2 \: q' W$ Q- n2 v

3 N6 R( ?3 r% D  A( D( M    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one1 o) I9 k* t8 A' X1 A
! C4 t+ v* B. `* P, a
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A. z0 c. y2 k5 b+ V0 ]& K6 F

7 A6 o: `  j$ G/ ^) ^# n    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
* f2 i7 i& P! q% S1 W4 A9 M) |8 z7 c; Y7 D5 c+ t
__________________________________________________________________________
' F% _7 M- A& j2 r8 j1 k! S; J2 ^1 c0 r( {  m
Method 13) ]. x& s: x$ a" h- s) }; R
=========; o/ |) B" e+ H" L, D, \3 @% P- Q
9 N- g5 ^9 K& G) K5 n; h! s
Not a real method of detection, but a good way to know if SoftICE is& a2 r( h4 k. f' }
installed on a computer and to locate its installation directory.. R* [4 T2 ?% i( K+ I4 d: Y8 ?5 g0 R
It is used by few softs which access the following registry keys (usually #2) :
8 j% p. Q3 ?% F0 ?; ], u; t# Y, k& `
! B8 f* K2 ~4 f3 U& x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. u! l6 w* y- R# m: @
\Uninstall\SoftICE
' P  Z' q/ n: m2 n5 R-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE3 L0 U1 c  s( [0 B1 O( b' P
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ Z& L4 C8 o" z0 b
\App Paths\Loader32.Exe  K6 Z' ^  N! T. z4 ~

# N5 ?# U8 M5 }7 l) h; o$ N* c( U# ]; z4 P7 X. N
Note that some nasty apps could then erase all files from SoftICE directory
+ `9 ]; y  {' S+ B0 E6 i(I faced that once :-(/ N' i! u. @3 |  S! {* G9 N  q
& c; X: w/ a  w2 @
Useful breakpoint to detect it:1 D1 y; R; z3 r# @
1 ~( o* _" _$ Y" ~
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'7 W  f2 D8 a0 h/ x8 _# q% U7 H

' L/ R9 S& Y& D0 A( H) ?__________________________________________________________________________5 N  C% }3 w" m& t  G
  h; T3 w/ @- n; c

% s  k9 Q7 A/ J# l9 L( Z  _' w! d+ hMethod 14 , E0 e* o, q' R  a7 }4 l8 N
=========
) }% \* l& v' i# A, }0 |; I
" m; Q* ~8 u$ NA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
' \' I& z6 [2 g; S, b( Ais to determines whether a debugger is running on your system (ring0 only).
$ A$ F. V8 ^, _: }8 i3 t! Y
7 s" N- }. U3 t4 w" i   VMMCall Test_Debug_Installed
) w+ L( m- I* `9 V* L   je      not_installed6 I) T( C: E8 j: {& n: M

, T& _) d! R% q' YThis service just checks a flag.
  d! r7 w' k( D1 Q</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 03:41

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表