About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface built into SoftICE: an INT 3 issued with
EBP = 'BCHK' and AX = 4 is serviced by SoftICE itself, which returns with
AL changed from 4. If SoftICE is absent, the INT 3 is an ordinary
breakpoint trap that the program must catch with its own handler, and AL
is still 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It calls
the SoftICE 'back door' interface through INT 3, which gives information
on breakpoints or executes SoftICE commands. It is also used to crash
SoftICE or to force it to execute arbitrary commands (HBOOT...) :-((

Here is a quick description of the functions:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE checks for before servicing the call.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a reboot).

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler when the debugger is not loaded. When SoftICE is loaded it
  services the INT 3 itself, so the handler never runs and execution
  falls through to 00A1.
___________________________________________________________________________

Method 03
=========

Less used method. It queries the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API Entry Point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI is left at 0:0, which is why both halves
are zeroed first.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it queries the ID of
the SoftICE graphics VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers when int 41h, function 4Fh (debugger installation
check) is called. There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). Here the int 41h vector is
temporarily replaced by a dummy IRET handler, so a 0F386h answer can only
come from a debugger that intercepts the interrupt before the real-mode
vector is reached (the two ES-loading lines are added here; the vector
writes need ES = 0, as in Method 06):

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
No magic value is involved: a pseudo-random byte read from timer port 40h
is passed to int 41h in AL, and the temporary handler copies AL into CL.
If a debugger intercepts int 41h, the handler never runs (or AL comes
back modified), so CL and AL differ:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer counter: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (the V86-mode debugger
interface): function 43h returns 0F386h when a debugger is installed.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
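As an added example (not part of the original text), here is the reverse-engineer's side of Methods 01 through 07: a small Python scanner that looks for the byte encodings of these INT-based checks in raw code, the way you would triage a packed DOS or Win9x executable before loading it under the debugger. The signature names, the bounded wildcard distances between the register set-up and the INT, and the sample buffer are my own choices; the sample bytes are hand-assembled from the snippets above and are not taken from any real binary.

```python
import re

# Byte patterns for the INT-based checks in Methods 01-07. Operand encodings
# are the ones produced for the snippets above: 16-bit code for the DOS tricks
# (mov ax,imm16 = B8 ii ii), both 16- and 32-bit forms for the 'BCHK' trick.
# A bounded lazy wildcard run (.{0,N}?) tolerates a few unrelated instructions
# between the set-up and the INT. DOTALL is needed so '.' also matches 0x0A.
SIGNATURES = {
    "M01 BCHK/INT 3 (32-bit code)":
        rb"\xBD\x4B\x48\x43\x42.{0,16}?\x66\xB8\x04\x00.{0,8}?\xCC",
    "M01 BCHK/INT 3 (16-bit code)":
        rb"\x66\xBD\x4B\x48\x43\x42.{0,16}?\xB8\x04\x00.{0,8}?\xCC",
    "M02 back door SI=4647h/DI=4A4Dh/INT 3":
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC",
    "M03/M04 INT 2Fh/1684h VxD probe (0202h or 7A5Fh)":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05 INT 41h/4Fh debugger installation check":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",
    "M06 IN AL,40h ... INT 41h":
        rb"\xE4\x40.{0,8}?\xCD\x41",
    "M07 INT 68h/43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan_code(code: bytes) -> list:
    """Return [(signature_name, offset), ...] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(code):
            hits.append((name, m.start()))
    hits.sort(key=lambda h: (h[1], h[0]))
    return hits


# Constructed sample buffer (my own, not from any real program): filler NOPs
# around hand-assembled copies of the snippets on this page.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"              # mov ebp,4243484Bh  (32-bit code)
    + b"\x66\xB8\x04\x00"                  # mov ax,4
    + b"\xCC"                              # int 3
    + b"\x3C\x04"                          # cmp al,4
    + b"\x90" * 3
    + b"\xBE\x47\x46\xBF\x4D\x4A"          # mov si,4647h ; mov di,4A4Dh
    + b"\xB8\x11\x09\xCC"                  # mov ax,0911h ; int 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    + b"\xC3"                              # ret
)


if __name__ == "__main__":
    for name, off in scan_code(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Hits are reported at the offset of the first instruction of the set-up, which is where you would place a BPX or patch the check out. The patterns are deliberately narrow (exact immediates, short gaps); a protector that loads the magic values through a register or a table will slip past them, so treat a clean scan as "nothing obvious", not as "no anti-debugging".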
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
DS:DX pointing to the new routine to execute (hangs the computer...).

    mov     ah, 25h                       ; DOS: set interrupt vector
    mov     al, Int_Number                ; 01h or 03h
    mov     dx, offset New_Int_Routine    ; DS:DX = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is
installed for the specified device and returns a Device Description
Block (in ecx) for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can
detect whether SoftICE is loaded (DR7 = 0x700 if you loaded the program
with the SoftICE loader, 0x400 otherwise) or whether memory breakpoints
(BPMs) are set (DR0 to DR3 hold their linear addresses), simply by
reading the registers (ring0 only, since MOV from a DRx faults in ring3).
The values can be manipulated and changed as well (clearing BPMs, for
instance).
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for
Win9x, NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* The driver registers the device name "SICE"; opening it only
      succeeds while the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way! In fact, after the call to CreateFileA it goes through VWIN32
service 0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001
VxDCall function), and then browses the DDB list until it finds the VxD
and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and
DIOC_CLOSEHANDLE) to the VxD Control_Dispatch proc (how the hell could a
shareware soft try to load/unload a non-dynamically loadable driver such
as SoftICE ;-).
If the VxD is loaded, it always clears eax and the carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  four bytes compared are the start of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

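Added example, not MeltICE's or NuMega's code: the same probe in Python, with the CreateFileW call isolated behind an open_device callback so the decision logic can be exercised (and unit-tested) on a machine without SoftICE, plus a helper that mirrors the BPX CreateFileA condition quoted above. The constants are the <windows.h> values; the ctypes plumbing and the function names are my own.

```python
import ctypes
import sys

# Device names the page lists: SICE and SIWVID on Win9x, NTICE on WinNT.
SOFTICE_DEVICES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")

# Win32 constants used by CreateFile (values from <windows.h>).
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
OPEN_EXISTING = 3
FILE_ATTRIBUTE_NORMAL = 0x80
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value   # -1 widened to pointer size


def win32_open_device(name: str) -> bool:
    """Real probe: try CreateFileW on the device name and close it again.
    Windows only; elsewhere it raises rather than silently answering 'no'."""
    if sys.platform != "win32":
        raise OSError("CreateFileW needs Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    h = k32.CreateFileW(name, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None,
                        OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, None)
    if h is None or h == INVALID_HANDLE_VALUE:
        return False
    k32.CloseHandle(h)
    return True


def find_softice(open_device=win32_open_device, devices=SOFTICE_DEVICES):
    """MeltICE logic: the first device name that opens proves the driver is
    loaded. open_device is injectable so the logic can run without Windows."""
    for name in devices:
        if open_device(name):
            return name
    return None


def matches_bpx_condition(lp_filename: str) -> bool:
    """Mirror of the SoftICE breakpoint condition
       *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
    esp->4 is the lpFileName argument; +4 skips the '\\\\.\\' prefix and the
    comparison covers the next four bytes only (so SIWVID matches as SIWV)."""
    raw = lp_filename.encode("ascii", errors="replace")
    return raw[4:8] in (b"SICE", b"SIWV", b"NTIC")


if __name__ == "__main__":
    if sys.platform == "win32":
        print("SoftICE device found:", find_softice())
    # Constructed stand-in for a system where only NTICE answers.
    fake_open = lambda n: n.endswith("NTICE")
    print("simulated:", find_softice(fake_open))
```

On a current Windows system all three opens fail, which is the expected negative answer; the interesting run is under a debugger that hooks CreateFileW and returns a handle for anything under `\\.\`, which is exactly why the classical BPX compares only the four bytes after the prefix and why a check that trusts that answer can be fed either result.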
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE
is installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; offset 0x13 lands on the "tICE" of
     "Software\NuMega\SoftICE" and 0x37 on that of the Uninstall\SoftICE
     path)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag and returns the result in the zero flag
(ZF set when no debugger is installed).
</PRE></TD></TR></TBODY></TABLE>