About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
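The tricks above leave recognisable byte patterns in a protected binary (immediate magic values, interrupt calls, device names, registry keys). As an added example that is not part of the original post, this Python scanner reports which of the page's methods a raw code/data blob appears to use; the opcode encodings are standard x86 (16-bit for the DOS methods, 32-bit for the Win32 ones) and the sample blob is constructed, not a real packer.

```python
"""Static scanner for the anti-SoftICE signatures described above (added
example, not from the original post). It looks for the byte patterns the
tricks leave in code and data: immediate magic values, interrupt calls,
device names and registry keys. Opcode encodings are standard x86."""
import re

# (page method number, description, byte pattern)
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK')          -> BD 4B 48 43 42
    (1, "BoundsChecker 'BCHK' magic in ebp",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ... mov di,4A4Dh         -> BE 47 46 .. BF 4D 4A
    (2, "SoftICE back-door magic SI=4647h / DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # Method 03/04: mov ax,1684h ; mov bx,ID ; int 2Fh -> B8 84 16 BB id CD 2F
    (3, "int 2Fh/1684h entry point of VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    (4, "int 2Fh/1684h entry point of VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h                  -> B8 4F 00 CD 41
    (5, "int 41h/4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h                  -> B4 43 CD 68
    (7, "int 68h/43h V86 WinICE handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device name passed to CreateFileA or _lopen
    (11, "SoftICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall -> 6A 4F 68 2A 00 2A 00
    (12, "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys that reveal the install directory
    (13, "SoftICE registry key string",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.I)),
]

def scan_anti_softice(blob):
    """Return every hit as (offset, method, description), sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)

def methods_found(blob):
    """Set of page method numbers whose signature occurs in blob."""
    return {method for _, method, _ in scan_anti_softice(blob)}

# Constructed sample: fragments from the page assembled into bytes with
# filler NOPs between them. Not a real packer or protector.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # Method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12
    + b"\\\\.\\SICE\x00"                                    # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                       # Method 13
)

if __name__ == "__main__":
    for offset, method, desc in scan_anti_softice(SAMPLE):
        print(f"{offset:#06x}  Method {method:02d}  {desc}")
```

Plain byte matching will miss obfuscated or self-modifying variants of these checks; it is a triage aid for spotting the page's tricks in unpacked code, not a complete detector.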