About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must hold 0 (the IVT segment), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>