About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to be 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap our dummy handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; a resident debugger answers before the vector
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: leaves ax untouched
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies the value passed in al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler on int 41h
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer counter byte: a value unknown in advance
    xor     cx,cx
    int     41h                     ; our handler sets cl=al; a debugger's handler does not
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 sample; requires windows.h */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the \\.\SICE device succeeds only when the Win9x driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
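Method 10 above quotes dr7 = 0x700 with the SoftICE loader and 0x400 otherwise without saying what those bits are. The decoder below is an added example written for this page (not code from the original post and not NuMega's): it applies the architectural DR7 layout from the Intel SDM to register values supplied by the caller and reports which of dr0-dr3 carry an active breakpoint and why 0x400 is the idle value. All function and class names are this example's own, and the register values it is run on are constructed.

```python
"""Decode x86 debug registers the way a ring-0 check such as Method 10 reads them.

Added example for this page. The bit layout is the architectural DR7 format
(Intel SDM vol. 3, Debug Registers); all names here are the example's own and
the register values fed in are constructed inputs, not captured ones.
"""
from dataclasses import dataclass

# DR7 layout:
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3 (local/global enable for dr0..dr3)
#   bit 8      : LE (local exact), bit 9: GE (global exact)
#   bit 10     : reserved, always reads as 1 -> an idle DR7 is 0x400
#   bit 13     : GD (general detect: fault on any MOV to/from a debug register)
#   bits 16+4n : R/Wn (2 bits), bits 18+4n: LENn (2 bits) for breakpoint n
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes on 64-bit only


@dataclass(frozen=True)
class HwBreakpoint:
    index: int        # which of dr0..dr3
    address: int      # linear address held in that register
    local: bool       # Ln set: enabled for the current task
    global_: bool     # Gn set: enabled for all tasks
    access: str       # execute / write / io / read-write
    length: int       # watched length in bytes


@dataclass(frozen=True)
class DebugState:
    breakpoints: tuple          # active HwBreakpoint entries only
    exact_local: bool           # LE
    exact_global: bool          # GE
    general_detect: bool        # GD


def decode_debug_registers(dr0: int, dr1: int, dr2: int, dr3: int, dr7: int) -> DebugState:
    """Return the breakpoints that DR7 actually enables, plus its control flags."""
    addresses = (dr0, dr1, dr2, dr3)
    active = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # disabled slot: its DRn content is stale
        access = RW_NAMES[(dr7 >> (16 + 4 * n)) & 0b11]
        length = LEN_BYTES[(dr7 >> (18 + 4 * n)) & 0b11]
        active.append(HwBreakpoint(n, addresses[n], local, glob, access, length))
    return DebugState(
        breakpoints=tuple(active),
        exact_local=bool(dr7 & DR7_LE),
        exact_global=bool(dr7 & DR7_GE),
        general_detect=bool(dr7 & DR7_GD),
    )


def memory_breakpoints_present(dr7: int) -> bool:
    """The BPM part of Method 10: any of the eight enable bits set."""
    return (dr7 & 0xFF) != 0


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's 0x700-vs-0x400 heuristic: LE and GE both set on top of fixed bit 10."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


if __name__ == "__main__":
    # Constructed values: idle machine, the SoftICE-loader state, and one
    # 4-byte read/write BPM on 0x401000 held in dr0 (L0, R/W0=11b, LEN0=11b).
    for label, dr7 in (("idle", 0x400), ("loader", 0x700), ("bpm", 0xF0401)):
        state = decode_debug_registers(0x401000, 0, 0, 0, dr7)
        print(label, hex(dr7), state, looks_like_softice_loader(dr7))
```

Reading DR0-DR7 is a privileged operation, which is why the text confines the trick to ring 0; the decoder takes values already captured (from a kernel debugger or a crash dump, for instance) and never touches the registers itself. It also shows why 0x400 is not "empty" in a bitwise sense: bit 10 is reserved and always reads as 1, so a check for dr7 == 0 would misfire on every machine.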

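The byte sequences behind methods 01, 02, 03/04, 05, 07, 11, 12 and 13 are fixed enough to look for statically when triaging a packed sample, before anything is run under a debugger. The scanner below is an added example written for this page, not code from the original post: the byte encodings are derived from the listings above in their 16-bit form (the 32-bit variants carry a 66h operand-size prefix in front, so they still match as substrings), the sample image it scans is constructed here, and every signature and function name is this example's own.

```python
"""Static scan of a binary image for the anti-SoftICE patterns listed above.

Added example for this page (not code from the original post). Byte encodings
follow the listings above in 16-bit form; the sample image is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    method: str   # method number from the text ("01", "03/04", ...)
    offset: int   # byte offset of the match in the scanned image
    detail: str   # what the bytes correspond to


SIGNATURES = [
    ("01", rb"\xbd\x4b\x48\x43\x42",                 # mov ebp,4243484Bh ('BCHK')
     "BoundsChecker signature in EBP before INT 3"),
    ("02", rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46",
     "SI=4647h / DI=4A4Dh magic values for the INT 3 back door"),
    ("03/04", rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
     "INT 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)"),
    ("05", rb"\xb8\x4f\x00.{0,8}?\xcd\x41",          # mov ax,4Fh ... int 41h
     "INT 41h function 4Fh debugger installation check"),
    ("07", rb"\xb4\x43\xcd\x68",                     # mov ah,43h; int 68h
     "INT 68h function 43h WinICE V86 handler check"),
    ("11", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",        # "\\.\SICE" etc., ASCII only
     "CreateFile/_lopen on a SoftICE device name (MeltICE)"),
    ("12", rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
     "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh"),
    ("13", rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
     "SoftICE installation registry key name"),
    ("magic", rb"\x3d\x86\xf3",                      # cmp ax,0F386h (weak on its own)
     "compare against the system debugger magic value F386h (methods 05-07, 12)"),
]
COMPILED = [(m, re.compile(p, re.DOTALL), d) for m, p, d in SIGNATURES]


def scan(image: bytes) -> list:
    """Every signature hit in the image, ordered by offset."""
    hits = [Finding(method, match.start(), detail)
            for method, rx, detail in COMPILED
            for match in rx.finditer(image)]
    return sorted(hits, key=lambda f: f.offset)


def methods_found(image: bytes) -> set:
    return {f.method for f in scan(image)}


# Constructed test image (not a real binary): NOP filler around the Method 01
# listing (32-bit form), the Haspinst.exe Method 02 fragment, the simplest
# Method 05 check, and the device/registry strings of methods 11 and 13.
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 14
    + bytes.fromhex("bd4b484342" "66b80400" "cc" "3c04" "7510")
    + b"\x90" * 6
    + bytes.fromhex("b81109" "8b17" "be4746" "bf4d4a" "cc")
    + b"\x90" * 6
    + bytes.fromhex("b84f00" "cd41" "3d86f3" "7408")
    + b"\x90" * 6
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_IMAGE):
        print(f"{f.offset:#06x}  method {f.method:<5} {f.detail}")
```

The `magic` entry (a bare `cmp ax,0F386h`) is three bytes and will hit honest code too; it is listed as corroboration for the other signatures, not as a finding by itself. Methods 06, 08, 09, 10 and 14 are absent on purpose: their instruction sequences have no constant operand worth matching, and the ring-0 ones show up as VMMCall imports rather than byte patterns.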