About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
" y+ _0 G1 h; H/ ^* O<TBODY>
/ Q& C. w/ N' \<TR>
9 X4 G; m/ Z7 A% S<TD><PRE>Method 01
" g; q/ s) z' s( |5 D! N=========! e6 A8 B" @+ ?, \, _1 ~

5 {+ F; L, Z7 }4 Q. i* r$ bThis method of detection of SoftICE (as well as the following one) is) I# |9 w7 M; h+ s  r& Q, I; D7 s
used by the majority of packers/encryptors found on Internet.5 N7 d: j1 `$ Y! s- A  [1 {
It seeks the signature of BoundsChecker in SoftICE; v# ]$ r2 C% S
6 \& j# y# W% _& m/ y1 y$ \
    mov     ebp, 04243484Bh        ; 'BCHK'/ U/ P$ I9 \  w' e. G7 k" n
    mov     ax, 04h! E. e) ]' l: S9 y0 |  a; X& A. j: D
    int     3       ( I1 Q+ f: L, N/ w
    cmp     al,49 @$ s0 F4 N3 C
    jnz     SoftICE_Detected. ?& Z  o' z+ K! ~. {

1 k& F) N; X% X! P, R2 S___________________________________________________________________________, r3 B; g9 k4 H% z

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
# u+ @" X. `/ `9 p
. x2 ]3 O: ?4 U( x. _
Method 05
( \$ V( z1 t, ~2 Q0 L. l" l* Y& _=========# j6 j. K0 ~) O, ?1 T1 A! W9 U

' B! z# P" x4 x0 n  H9 RMethod seeking the 'magic number' 0F386h returned (in ax) by all system0 z* o8 n; w6 {; n
debugger. It calls the int 41h, function 4Fh.
# i" A; P9 M- C2 ?0 r! {/ DThere are several alternatives.  
& M; \/ \0 t# \4 @8 D. K8 d" G( @6 O& f9 T# D& d
The following one is the simplest:" n) M4 p) p2 H9 B# a
7 ~: \: m/ `" _" X+ H
    mov     ax,4fh9 Q- w5 f3 u7 B* r* s5 l
    int     41h
3 Y: @/ y! b: F, d    cmp     ax, 0F386- A- M. b4 {$ g( K
    jz      SoftICE_detected
: N2 F' {% k( Y4 @! y
) c4 y2 u0 Q4 g, l6 u8 A$ [2 t
8 f1 U% J4 \; y9 QNext method as well as the following one are 2 examples from Stone's
$ H- F+ J+ v) a3 F; V# t" r"stn-wid.zip" (www.cracking.net):
: O% U3 E0 X/ M2 O+ f  i- y
% }- J3 R, n0 m7 s5 ]% m) s    mov     bx, cs
( r0 M# X% G" S5 L: W# H    lea     dx, int41handler2$ a1 R7 S4 p0 e! I& e! E
    xchg    dx, es:[41h*4]
3 \6 Z- {: A, E4 X) C! s. n: V9 s    xchg    bx, es:[41h*4+2]  m! f/ V. G8 L
    mov     ax,4fh
' L- ?0 x: k9 O7 X9 Q# y    int     41h3 a7 n/ y# F8 T( C
    xchg    dx, es:[41h*4]
6 p3 L9 V% d1 @+ H& J    xchg    bx, es:[41h*4+2]3 H- y# _; G: Y# [8 o
    cmp     ax, 0f386h2 X8 m' x8 `" t: p# A( D
    jz      SoftICE_detected
5 W( H5 I3 H+ v5 f: Y
: ^4 O# T' O' c* _8 g9 ~! Gint41handler2 PROC$ F" z5 S) ?4 @' I' g
    iret
5 Q# V0 z- q; a! U% V; Wint41handler2 ENDP
; H) S& K. W. d5 m6 |6 P- }5 o
, @0 o7 m; I% g! `. z0 e! D# \1 @8 T: `7 {
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* HANDLE, BOOL, CreateFile, CloseHandle */

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the handle opens only when the SICE VxD is loaded (see below) */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
0 X" K( f# H7 F1 W5 B5 ~0 m1 N8 ~' ^- L/ ]; m! B  x) E
Method 125 n& c% y- V. E1 h: j6 J7 @9 Y
=========
6 ^' f3 S( l) \* D) R
7 G  ]. u: H% k0 uThis trick is similar to int41h/4fh Debugger installation check (code 05
4 O" e' U* n) b) s) I9 M7 E&amp; 06) but very limited because it's only available for Win95/98 (not NT)
% ]- Z, l# V3 j: J0 k# Qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
3 K) X1 s- C7 |4 F
* H) X. v! C+ U   push  0000004fh         ; function 4fh
9 q& j( {/ S* s# u) I; N* B   push  002a002ah         ; high word specifies which VxD (VWIN32)
$ f9 q, G$ D  u' g3 [/ H5 X                           ; low word specifies which service
+ S% P$ U8 g1 d; Y9 u. D' r2 G                             (VWIN32_Int41Dispatch)
9 d. H4 \2 G5 a3 q2 r   call  Kernel32!ORD_001  ; VxdCall# S9 s1 U* t8 B" ~) m. c* l
   cmp   ax, 0f386h        ; magic number returned by system debuggers# T9 G  B$ N! T- S0 g9 ^
   jz    SoftICE_detected9 P% h: ]" ~/ @. }

7 e0 \2 j5 w8 J5 x5 uHere again, several ways to detect it:
$ g9 y' t1 q" q; P0 B8 F
; O0 P5 U! Y" A) ]$ ?" h2 {    BPINT 41 if ax==4f9 x) ?  G8 g8 i) `
+ e, F' B1 x8 v
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
- v. s$ ?2 I: A: O
8 o! h7 ~8 f/ b4 a0 a# z' F. p    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
' Z( }: \5 Z2 I) G& E, m% q$ A; W& [
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!0 \: d5 J' n: S& G! L3 G& S( }
9 f7 c# e' M7 Q4 I
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
* R" r$ ^8 X0 g: G* \! Z% r
# l- D" b* b* p
# b* o2 Q) H& I- z3 f2 SMethod 14 ' N; E3 P  u- b, U( L! [2 v: P' y
=========0 N# r7 n, m  n5 U% [! T$ y9 j) B
' S% ?+ g- ?7 l) x6 F. U$ F
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose, q$ N9 a7 T. \, r1 a4 ^* E$ C
is to determines whether a debugger is running on your system (ring0 only).
; _* f! e! z  \* I" I  x% s/ b) d9 r. E+ S' Z5 ]
   VMMCall Test_Debug_Installed
% R( h; N! o$ r0 R   je      not_installed
3 S( u" G, h6 K) j3 J- J' @+ ^9 V: |9 `
This service just checks a flag.
, W4 N, J* c  U* Y2 \1 ]% ]  v# r</PRE></TD></TR></TBODY></TABLE>
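The constants the post quotes are exactly what an analyst looks for when triaging a packed binary for these checks: the 'BCHK' value of Method 01, the SI=4647h/DI=4A4Dh back-door magic of Method 02, the int 41h/4Fh probe and the 0F386h debugger magic of Methods 05, 06, 07 and 12, and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11. The Python scanner below is an added example, not code from the original post nor from any tool it mentions: it searches a byte buffer for those constants in their instruction encodings and reports which method each hit corresponds to. The encodings it uses (16-bit code: mov si,imm16 = BE, mov di,imm16 = BF, mov ax,imm16 = B8, cmp ax,imm16 = 3D, int 41h = CD 41; 32-bit code: mov ebp,imm32 = BD) are assumed from the x86 encoding rules and are not stated in the post, and the SAMPLE buffer is hand-assembled for the example only.

```python
"""
Static triage scanner for the anti-SoftICE constants quoted in the post.

Added example, not code from the original post. Instruction encodings are
assumed from the x86 encoding rules (they are not given in the post):
  16-bit code: mov si,imm16 = BE iw   mov di,imm16 = BF iw
               mov ax,imm16 = B8 iw   cmp ax,imm16 = 3D iw   int 41h = CD 41
  32-bit code: mov ebp,imm32 = BD id
"""
import re
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str   # label of the method in the post the pattern belongs to
    name: str     # human-readable name of the pattern
    offset: int   # offset of the match inside the scanned buffer


def _iw(value):
    """Little-endian 16-bit immediate."""
    return struct.pack("<H", value)


def _id(value):
    """Little-endian 32-bit immediate."""
    return struct.pack("<I", value)


# (method label, pattern name, regex over raw bytes). The lazy gaps .{0,8}?
# allow for unrelated instructions between the constant loads, e.g. the
# MOV DX,[BX] between MOV AX,0911 and MOV SI,4647 in the Haspinst dump.
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK')
    ("Method 01", "mov ebp,'BCHK'",
     re.compile(re.escape(b"\xBD" + _id(0x4243484B)))),
    # Method 02: mov si,4647h ... mov di,4A4Dh (SoftICE back-door magic values)
    ("Method 02", "back-door magic SI=4647h/DI=4A4Dh",
     re.compile(re.escape(b"\xBE" + _iw(0x4647)) + b".{0,8}?"
                + re.escape(b"\xBF" + _iw(0x4A4D)), re.DOTALL)),
    # Method 05 (also 06): mov ax,4Fh ... int 41h
    ("Method 05", "int 41h function 4Fh",
     re.compile(re.escape(b"\xB8" + _iw(0x004F)) + b".{0,8}?"
                + re.escape(b"\xCD\x41"), re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h (magic returned by system debuggers).
    # In 32-bit code 3D takes an imm32, so confirm this one in a disassembler.
    ("Method 05", "cmp ax,0F386h",
     re.compile(re.escape(b"\x3D" + _iw(0xF386)))),
    # Method 11 (MeltICE): device names passed to CreateFileA / _lopen
    ("Method 11", "device name \\\\.\\SICE", re.compile(re.escape(b"\\\\.\\SICE"))),
    ("Method 11", "device name \\\\.\\SIWVID", re.compile(re.escape(b"\\\\.\\SIWVID"))),
    ("Method 11", "device name \\\\.\\NTICE", re.compile(re.escape(b"\\\\.\\NTICE"))),
]


def scan(buf):
    """Return every signature hit in buf, ordered by offset."""
    hits = []
    for method, name, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append(Hit(method, name, m.start()))
    hits.sort(key=lambda h: (h.offset, h.name))
    return hits


def summarize(hits):
    """Number of hits per method label, for a triage note."""
    counts = {}
    for h in hits:
        counts[h.method] = counts.get(h.method, 0) + 1
    return counts


# Constructed sample buffer (hand-assembled for this example, not taken from
# any real file): the Haspinst-style back-door sequence, a 'BCHK' load, an
# int 41h/4Fh probe and a MeltICE device name, separated by NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax,0911h
    + b"\x8B\x17"               # mov dx,[bx]
    + b"\xBE\x47\x46"           # mov si,4647h
    + b"\xBF\x4D\x4A"           # mov di,4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp,04243484Bh
    + b"\x90" * 4
    + b"\xB8\x4F\x00"           # mov ax,4Fh
    + b"\xCD\x41"               # int 41h
    + b"\x3D\x86\xF3"           # cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # "\\.\SICE"
)


if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"{h.offset:#06x}  {h.method:<9}  {h.name}")
    print(summarize(found))
```

Hits are triage heuristics, not proof: a 3D 86 F3 sequence inside 32-bit code is the start of a cmp eax,imm32 with some other operand, and a device name can live in a string table for a legitimate reason, so each hit should be confirmed in a disassembler, which is also where the BPX conditions the post lists take over. The same constants translate directly into YARA strings if the scan has to run over a whole sample set.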