About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
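As an added, analyst-side example that is not part of the original post: a small Python scanner that looks for the byte encodings of the instruction sequences and device names shown in Methods 01 to 12, so a binary carrying these checks can be flagged during triage. The encodings are the standard x86 ones for the instructions quoted above; the optional 0x66 prefix handling and the sample buffer with its offsets are my own constructions.

```python
import re

# Byte encodings of the tricks listed above. The optional 0x66 prefix covers the
# 16-bit register forms when they appear inside 32-bit code.
SIGNATURES = {
    "01 BCHK int 3":            rb"(?:\x66)?\xBD\x4B\x48\x43\x42",              # mov ebp,4243484Bh
    "02 back door SI/DI magic": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",  # mov si,4647h ; mov di,4A4Dh
    "03 int 2Fh/1684h SICE":    rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x02\x02",  # mov ax,1684h ; mov bx,0202h
    "04 int 2Fh/1684h SIWVID":  rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A",  # mov ax,1684h ; mov bx,7A5Fh
    "05 int 41h/4Fh":           rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",               # mov ax,4Fh ; int 41h
    "07 int 68h/43h":           rb"\xB4\x43\xCD\x68",                            # mov ah,43h ; int 68h
    "12 VxDCall 002A002Ah":     rb"\x6A\x4F\x68\x2A\x00\x2A\x00",                # push 4Fh ; push 002A002Ah
    "05/12 magic 0F386h":       rb"(?:\x66)?\x3D\x86\xF3",                       # cmp ax,0F386h
}

# Method 11 (MeltICE) device names, matched literally as ASCII and as UTF-16LE.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def _compile():
    rules = [(label, re.compile(pat)) for label, pat in SIGNATURES.items()]
    for name in DEVICE_NAMES:
        text = name.decode("ascii")
        rules.append(("11 MeltICE " + text, re.compile(re.escape(name))))
        rules.append(("11 MeltICE " + text + " (UTF-16)",
                      re.compile(re.escape(text.encode("utf-16-le")))))
    return rules


RULES = _compile()


def scan(blob):
    """Return sorted (offset, label) pairs for every signature found in blob."""
    hits = []
    for label, rule in RULES:
        for m in rule.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample buffer (not taken from any real binary): filler bytes
# around fragments of methods 01, 02, 11 and 12 as encoded on this page.
SAMPLE = (
    b"\x90" * 4                                   # filler
    + b"\xBD\x4B\x48\x43\x42"                     # mov ebp,4243484Bh       (offset 4)
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"             # mov ax,4 ; int 3 ; cmp al,4
    + b"\x90" * 3                                 # filler
    + b"\xB8\x11\x09"                             # mov ax,0911h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"             # mov si,4647h ; mov di,4A4Dh ; int 3 (offset 22)
    + b"\x00" + b"\\\\.\\SICE" + b"\x00"          # '\\.\SICE' device name   (offset 30)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"             # push 4Fh ; push 002A002Ah (offset 39)
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Run it against a file's bytes (`scan(open(path, "rb").read())`) to list every hit with its offset; a hit on the magic-number compare alone is weaker evidence than a hit on one of the full instruction sequences.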
汶上信息港 (Wenshang Information Port)