找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
6 F7 {3 S8 V; C<TBODY>
" `' V+ R9 O! U% e- Y" q( @<TR>; v4 U; d( d* |) @5 E5 v' [
<TD><PRE>Method 01 $ v8 Y5 W: Q' o
=========+ `$ S, L$ S7 X" J
; G0 l4 J' r3 }( n4 q$ h& ?5 s
This method of detection of SoftICE (as well as the following one) is
; u2 x# q5 g3 Fused by the majority of packers/encryptors found on Internet.
. Q% y) o$ Y3 `It seeks the signature of BoundsChecker in SoftICE: W0 r& d' o1 D1 W' e: [1 N
8 [- i! Q2 y, H
    mov     ebp, 04243484Bh        ; 'BCHK'6 \9 {5 a* Z2 l* C0 p9 n" A: i
    mov     ax, 04h
7 h* T" `# K5 a1 ~5 ~    int     3      
( W, b) `7 u& |& J* N    cmp     al,41 a. o8 u% h: P& m0 U
    jnz     SoftICE_Detected9 m. J. f- j0 w' W
4 m4 u- e6 D# d) X
___________________________________________________________________________9 v1 g. O" v- E  L

/ m  @/ K$ W7 o" _, PMethod 02( G0 a9 \) \# n; s  N- \
=========
4 s9 E+ t, J& b  G0 H* v, i; @( D% x& T9 U! s6 w8 p. y. [* W
Still a method very much used (perhaps the most frequent one).  It is used
  h* b0 w) R7 G' f& o% ^1 R( Kto get SoftICE 'Back Door commands' which gives infos on Breakpoints,! e: ]  l8 ~2 H
or execute SoftICE commands...
, Y) |6 p3 @, d! zIt is also used to crash SoftICE and to force it to execute any commands: c+ m" k! Y( Q8 O& S+ T
(HBOOT...) :-((  
1 Q* }- X9 N7 s# [. O
) q' h# L- p0 d2 PHere is a quick description:
2 Q1 ^2 q' D) r8 {# j3 B& x) u8 K1 a-AX = 0910h   (Display string in SIce windows)' d& g* ?8 |, T5 ^- Q8 J0 y# i1 O
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
0 N2 {* n' ~" e+ J4 V8 K-AX = 0912h   (Get breakpoint infos)& h6 c) Z2 p" R0 ~
-AX = 0913h   (Set Sice breakpoints); b$ [/ A9 G# q" ~
-AX = 0914h   (Remove SIce breakoints): A1 [* j" z2 s5 D. z$ T8 H+ M" [/ U
8 s7 E3 D9 g0 ^
Each time you'll meet this trick, you'll see:, r3 Q/ L/ l# S( q
-SI = 4647h) E# E: }( ]0 ^0 @
-DI = 4A4Dh% Q1 ?+ R! V# c" n/ `7 B" @( k
Which are the 'magic values' used by SoftIce.; g0 W7 X( n" V! t
For more informations, see "Ralf Brown Interrupt list" chapter int 03h." y  P: Y' N: `7 D% d* w- A" ~% n
: o  s7 f2 M7 w8 A. ?
Here is one example from the file "Haspinst.exe" which is the dongle HASP% }5 T$ z" t+ n' S8 S4 o* v* I) Z
Envelope utility use to protect DOS applications:
! Q3 P; S# q5 V4 o$ O* S- u  n$ I7 b7 I
& e* Q  x( ?8 F' Z
4C19:0095   MOV    AX,0911  ; execute command.* v( }  }! t( ~
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).+ S; V4 o8 H* P- B
4C19:009A   MOV    SI,4647  ; 1st magic value.
) \# w, A) R  h! s4C19:009D   MOV    DI,4A4D  ; 2nd magic value.0 W& V7 W, K/ g# \  L) B
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
2 g0 O" `9 E) v* o" T% Y& j4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute9 x" M3 Z8 o! y0 U
4C19:00A4   INC    CX
' E8 B: g- G9 M  _/ U- c  |, ?/ O& J4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
- }# U0 g) t4 L$ \# U4C19:00A8   JB     0095     ; 6 different commands.6 G8 q) m: a5 O
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
' b* v# ~, |& K8 M" \4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
% o# s  ~7 S  h8 u) o- H! b2 |* A
: G; m0 ^; M/ N8 ]The program will execute 6 different SIce commands located at ds:dx, which& E# O9 b: y: D! G; }4 t
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.( r: B# ?, u0 N1 I3 Q/ S- ^
5 u7 F% d# N& s' ~& R" O( m, Z( N; n
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
4 J0 X% R' p% O  w___________________________________________________________________________) S. g: x- i7 e4 U' N

& L, c( N- q" C& S% e
* r" X: a( |; Y4 F) y3 o  vMethod 03
9 s' c, {. m8 D+ R7 z=========
) q8 y2 R# e: l7 _6 U7 W) A+ U- p8 w1 J
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
# t9 V0 s5 l! F9 V: r(API Get entry point)
* }) Y$ x0 y6 B" E4 ]        ! {2 n1 g$ v- ]( |! w
9 n" X/ w+ {4 d% G3 Q
    xor     di,di2 v8 g& `5 X- v2 \5 p% O
    mov     es,di
+ d! [$ a. G7 \* S9 Z    mov     ax, 1684h      
/ ]2 g1 u) Y6 c; l: R    mov     bx, 0202h       ; VxD ID of winice
0 g6 t- R1 U8 J, B* g$ K    int     2Fh
0 G/ {: ~# c* l    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( F& G' {0 }: v- w0 x$ q0 o7 U    add     ax, di9 ^3 \9 K, t2 Q5 I; ~8 i. w+ N3 |
    test    ax,ax* t- \% O$ {) d5 s( p
    jnz     SoftICE_Detected
& G& ~" Y3 M, S# c  {. n! p0 |) Q6 Y. ]6 \7 i; f  E2 V- B- Z3 M) `
___________________________________________________________________________, a1 C- G$ i- \  ]# g1 `% C
( p- @% ^1 Q4 m& {
Method 04
$ e) O8 E' Z0 Q% p' W! |% z=========3 ?+ j9 D8 h2 Y8 H) h
! C  G) P4 Z3 E% _
Method identical to the preceding one except that it seeks the ID of SoftICE/ O3 H; Z# ?+ @5 F$ W, T
GFX VxD.
' ]$ J+ F9 w# x: q( K7 B
: H+ P. T. w, t5 n# I& {* H8 A( ]! _    xor     di,di
1 b& ?& ^  T, Q: e    mov     es,di
' r$ {7 i1 ?( ^3 U+ S    mov     ax, 1684h      
& R& B( g! v& F6 B1 ]    mov     bx, 7a5Fh       ; VxD ID of SIWVID
: R& v; ~8 y" w! }! u- L    int     2fh' o. M; I% P, j6 O3 z* g
    mov     ax, es          ; ES:DI -&gt; VxD API entry point1 S* X3 Q$ x3 s& q, B
    add     ax, di
0 }2 C' m+ g, A    test    ax,ax, f! Y$ k3 r+ G) ~8 Y4 z! q
    jnz     SoftICE_Detected
) }; A% m# x' |$ x( O4 m" v1 l% x; M2 x5 M
__________________________________________________________________________
$ M! m* ?$ i) r
' D' f/ m+ |3 p! N! {; ^  J
9 m/ {" E/ g& I! u7 l: ZMethod 05
2 m. z* ]3 c6 G% D4 i: X=========
9 X0 S" l/ ^: O6 @2 I- s7 ~1 S* [* O. j0 k6 S5 {, o% A
Method seeking the 'magic number' 0F386h returned (in ax) by all system9 c$ T" z9 y: Y( g' V( X
debugger. It calls the int 41h, function 4Fh.
: O1 {" A$ F8 g- j9 p# CThere are several alternatives.  
3 c1 q3 _1 I) J$ w$ j
6 s3 C; C7 ?1 e+ c+ K; |The following one is the simplest:
- n7 b- ~& `- b6 {  z7 j( g; k7 D( I$ }: k5 V
    mov     ax,4fh
: _' k3 U3 `, v$ l! @! o    int     41h
0 g# Z% m  E" j$ J    cmp     ax, 0F386
. s- y* c& R4 K# V& F    jz      SoftICE_detected5 `, p( i8 E( G: {% B4 F& x* n
6 H- w& a0 k0 @2 j
4 m0 q4 ]1 L5 v9 e" F' u3 y
Next method as well as the following one are 2 examples from Stone's ) l' V2 g( ?1 J. R3 W% y' S+ f$ S, w$ L- z
"stn-wid.zip" (www.cracking.net):' A- x! f5 d( n  ?; n  z

# i3 M- p3 c# U# z6 U' N2 e* {    mov     bx, cs
/ l8 h1 j/ _) C7 m; f4 j4 F' x    lea     dx, int41handler2
; Z) ?7 T( N3 L5 D0 H- W    xchg    dx, es:[41h*4]9 \$ |: q$ L# a, d: z; N
    xchg    bx, es:[41h*4+2]3 _/ r6 _4 c' m# F# i! I' |& v' b
    mov     ax,4fh
. D$ o- t; [) i' a7 ~    int     41h
9 m, K; `6 g# ], E3 s9 _    xchg    dx, es:[41h*4]
; a) H& j/ D! K  f  @    xchg    bx, es:[41h*4+2]) A. [+ H+ q, i7 q4 Q
    cmp     ax, 0f386h
, s# R+ O$ o: h2 q& |- l    jz      SoftICE_detected( }) b" F; c! j
4 z+ e4 A5 r+ l
int41handler2 PROC" o0 G! i2 c/ H4 V* R7 M
    iret
7 Q' X' w8 D7 W% s4 lint41handler2 ENDP
# ]8 B/ H/ Z$ ^5 V- {" `, F/ ~: j: e% b& g: k. V

; x7 _( a5 W# ?! z; [! }2 o& J_________________________________________________________________________0 @; V  }+ n9 E$ |% o, }3 F
1 o# |( @# z" y3 K- I$ Y" F

# ?& W9 ^' k- @- r; W9 |3 HMethod 06
. _8 t- j9 f: N7 {: a4 w=========
5 C1 x: a% z5 [; S( ]+ M, _/ o8 f% F. e1 @& M5 a: S( R$ W; z8 L" ^% y

4 W+ v5 J0 h5 t5 e  B% r2nd method similar to the preceding one but more difficult to detect:) B" f" Q3 ?2 ^5 G$ |1 l# ~  w/ [
" t2 U, E# m* O& s, l5 ?5 v* @: v
) e3 D' c+ |# j, {5 V3 C7 t
int41handler PROC- l3 G! L5 V0 j# ~/ L, x* C
    mov     cl,al
' [* h4 M+ B& J3 a/ l/ U8 l    iret
8 P+ [/ V, J. h' C4 h& P, ]int41handler ENDP
/ O" q6 N6 [7 X. L6 ?+ f! n: Y7 l* Y# J1 Q/ Z6 v8 D2 x
1 E2 Y# z/ T6 D. _6 B+ y! J$ K
    xor     ax,ax/ X, w7 Y3 c  V, D) R
    mov     es,ax
- G7 u* |  @: W. g    mov     bx, cs
, y. V- M  [8 O8 x    lea     dx, int41handler
' R$ D/ U1 }: b. ]' z$ |5 {4 g    xchg    dx, es:[41h*4]2 T, T# ]: ?% e' r7 j# h, ]  Z2 r
    xchg    bx, es:[41h*4+2]
3 z. w4 v3 _( g% w* @    in      al, 40h& K9 z2 Q( U, C
    xor     cx,cx3 }2 Y9 n" C" S+ H
    int     41h
0 r; `$ z7 E  w    xchg    dx, es:[41h*4]
  r  b# i" U6 {. [2 Z    xchg    bx, es:[41h*4+2]. _, h4 F  c; W
    cmp     cl,al3 x/ b$ i! q! D/ D' Y2 s# h) \
    jnz     SoftICE_detected) p, [  g+ m1 L1 [  {7 w9 C
8 v7 e+ ]5 r( w+ c$ m0 E$ k: B2 N# Y
_________________________________________________________________________
3 O( w4 F4 d7 S( D  G6 W+ X* p3 l' S+ a% i# z3 D
Method 07
' z# S0 ^2 Q# M5 _  c: I=========
' P8 s4 X& t: B- j) r4 z; o, G  W3 Y0 f7 r) T5 r8 T+ [/ i" E
Method of detection of the WinICE handler in the int68h (V86)
- \, ^+ i- ?; e  {5 |. W
  F5 K$ X5 M/ @8 d, b    mov     ah,43h4 W8 F- r% f2 q# e/ H  N1 ?' Z
    int     68h0 j) Y4 f" r1 V$ B& E# F0 m
    cmp     ax,0F386h
8 ?! O0 O( t3 `    jz      SoftICE_Detected
; Z3 T# W% l3 v: x; n$ [2 V
! W( P1 v4 H7 E, w% r
- L0 a9 e- @; D9 s# |=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
2 w5 ~2 ^. E6 }   app like this:" ~$ f3 {6 @& k9 t
9 [! R& L; h3 y. ?- f
   BPX exec_int if ax==68, h$ ]) u5 Z- a, b/ O
   (function called is located at byte ptr [ebp+1Dh] and client eip is
5 L5 n3 j  j* i2 S   located at [ebp+48h] for 32Bit apps)& I! u* S0 g& r1 C. B, _/ a
__________________________________________________________________________
2 B3 C1 ^4 {9 j1 t  m" ^3 P3 [7 _, M  D9 S' t2 D) d3 S& M

$ M) M6 \# R- m2 S; g% Y' J: m5 VMethod 08
8 k( |. d: D* G  W8 o' X9 O% c=========
6 Y" x* t8 y) m3 O/ H1 d5 k2 a9 @! ?2 A5 o4 G
It is not a method of detection of SoftICE but a possibility to crash the
2 A$ c9 R8 i$ J9 `# O) \system by intercepting int 01h and int 03h and redirecting them to another6 V2 q3 V" g& \( m0 [# C) a
routine.
; z& l) y  `! v- _( M; DIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# G) K8 y+ R) d' L# t( w
to the new routine to execute (hangs computer...)
7 ^( \$ o! D7 r" |  k* e
* B: G2 _) e  w1 D+ G& h3 `' E1 J    mov     ah, 25h
9 r1 _3 c5 R8 N' r6 E- E    mov     al, Int_Number (01h or 03h)" J+ z3 s5 k* C
    mov     dx, offset New_Int_Routine; A6 \8 Z, Y7 ]3 p& M) f
    int     21h
! G8 U& ]/ i& U7 t: Z
. @# H& @$ e. f: T1 M# J5 ~__________________________________________________________________________
$ f" x7 k0 d% O; v. j* P6 l
& O, L& v& P4 ~# ~Method 09" w3 p5 h& D$ [: p3 Q1 e& M
=========0 F( c1 P1 u% g  e7 ^8 ]

8 l" Z3 }; E. @5 ~1 XThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 |, A: ]: L" E! J) Sperformed in ring0 (VxD or a ring3 app using the VxdCall).
0 x9 S0 M7 b* _$ _; S7 sThe Get_DDB service is used to determine whether or not a VxD is installed
& ?( ?6 G- ~% Q2 ?for the specified device and returns a Device Description Block (in ecx) for
, w3 J( i. l, Q  Q8 u; a2 O. N' Zthat device if it is installed.5 i5 }0 ^3 ]! s, C- o! z. v; J

4 u+ _, W9 ~& Z   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
/ S6 \- E' o2 y5 |1 L# y# {5 r   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
- C5 X5 e8 G* f" K; p$ n   VMMCall Get_DDB
1 c% |$ W; J: N+ ^* G" }+ r0 _7 D/ o   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
! G0 h. [; d* [6 x1 M: f" W" b* y7 M  @' ^. D6 G7 t& O
Note as well that you can easily detect this method with SoftICE:
2 d: t& H3 E' Z- n9 m& L) t3 e* s   bpx Get_DDB if ax==0202 || ax==7a5fh0 t4 d) x1 A  R& z( N

  [) R' q* W5 H  @; ~1 `/ z& J# ^# |__________________________________________________________________________9 u1 h( s1 Z4 H' s& _) e+ I
$ x+ K$ C6 M8 G4 m# A8 N* \
Method 10
% {& }4 ~8 p- V  V" E0 O  j6 W=========
* ^% ^% y% {5 q* o: F
! P2 F1 `6 K) m% i=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
: d! j  ^& }; k% M3 _4 v0 @; s  SoftICE while the option is enable!!
; i6 q( k: t( E, b9 f+ z! W: Q: t  j/ H, S
This trick is very efficient:+ N( M  N- e6 W0 C
by checking the Debug Registers, you can detect if SoftICE is loaded
( t4 `' S6 A8 c* i$ ~- W(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! o9 k( P2 v- X6 Y9 v4 e9 Ethere are some memory breakpoints set (dr0 to dr3) simply by reading their
3 u6 v2 l4 d5 u5 v; mvalue (in ring0 only). Values can be manipulated and or changed as well  U, e  x' K; b  s/ H8 }
(clearing BPMs for instance)
6 e+ ?$ q- ?/ k% E3 o9 i
: w$ {* Y: R4 O: ?__________________________________________________________________________
; L& z4 l' Z, Z: Z3 N0 k4 v$ |) r% b. Z, n6 h, D$ }
Method 11- a9 p5 W$ h" T/ u
=========
2 {8 B5 x, c- \, m  R& c7 K# h* y/ l5 d3 a
This method is most known as 'MeltICE' because it has been freely distributed
  c( v. Q; H/ `5 gvia www.winfiles.com. However it was first used by NuMega people to allow
5 f. b$ A) b9 T+ u$ d( JSymbol Loader to check if SoftICE was active or not (the code is located, `9 r5 o* ]$ U! F, Q& W2 Y6 |
inside nmtrans.dll).1 u% B% A8 ~, K- c

  Z5 Y8 u* z- ~# u" L' e  ~The way it works is very simple:
' I. X. \) D+ s& fIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 u- l# b  t3 ]3 S; L* H
WinNT) with the CreateFileA API.1 y3 n9 n. p* q
! X/ F# ?: B& q  ~: R
Here is a sample (checking for 'SICE'):" d$ B4 ]% r- n. {$ f$ L

7 {7 n: j( L: EBOOL IsSoftIce95Loaded()
! _/ M5 x/ p2 c% j  ?& c4 a{2 t$ \3 G1 W5 J" C
   HANDLE hFile;  5 A. P* B* P* Q7 C$ S
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, ?+ x0 M5 b8 P' y/ M- g  D' v                      FILE_SHARE_READ | FILE_SHARE_WRITE,
. w$ L3 T8 b' g- P7 _. H; r                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 N+ ?* {4 ?* }& o$ p$ g# M- S2 ~
   if( hFile != INVALID_HANDLE_VALUE )
& M6 }- ^- U9 o! Y$ B6 D   {
- M9 h. p5 F" n5 W      CloseHandle(hFile);2 _. Q! V  G1 _  W2 ^. t
      return TRUE;2 h3 ~+ R$ W0 k+ D) G; t9 @  Z
   }% V5 w; W' Q. Q! C$ F2 g
   return FALSE;# F" z% P0 [  [9 b9 c' G/ A
}9 i7 Z- Y5 I% X2 l
$ g2 n7 V& b1 [
Although this trick calls the CreateFileA function, don't even expect to be! |  w: r- D  S0 w( Q; t0 O  \
able to intercept it by installing a IFS hook: it will not work, no way!
& I8 {1 t. j, Y; Y$ {! w  HIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
! v6 Y6 u- Z# `% Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ Z, f& X$ F! q" \# H+ _
and then browse the DDB list until it find the VxD and its DDB_Control_Proc5 ~) j* l4 x9 o: O
field.
" P/ P) @7 v) y/ y. D( L" }: ~In fact, its purpose is not to load/unload VxDs but only to send a
+ m! e% g0 [8 r: V, FW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)2 I# `" s$ U. \* c% W3 V
to the VxD Control_Dispatch proc (how the hell a shareware soft could try0 Y$ H! c5 n' n0 }; V& r
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
) B6 X3 c1 `) l* rIf the VxD is loaded, it will always clear eax and the Carry flag to allow0 x0 x* }" Q! i% X1 i
its handle to be opened and then, will be detected.
. ^4 R/ c0 f6 h/ e- iYou can check that simply by hooking Winice.exe control proc entry point
* v1 U" e' b2 a& rwhile running MeltICE.. _8 ^( T( z; }
( O% q( z4 [, U3 E1 L4 s2 j, R
; I5 N/ D- [. R+ E7 W, p' e
  00401067:  push      00402025    ; \\.\SICE* f3 |6 o. Z1 {. Y5 r  j! j
  0040106C:  call      CreateFileA
$ _+ P3 ]. K! \  r0 f: P, a; X7 _  00401071:  cmp       eax,-001! R$ Y3 o8 h8 H: U
  00401074:  je        00401091
7 {$ B4 |0 M3 I# u+ X
9 w' c( [4 \  F0 n; b
  @" _4 b8 s6 E+ j% G7 G" JThere could be hundreds of BPX you could use to detect this trick.  e( i4 U5 U- }' T! d1 u) z
-The most classical one is:
6 S+ v9 u3 D' w/ M  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||  F' e3 X6 w( m
    *(esp-&gt;4+4)=='NTIC'
9 A; |8 E. D9 w8 K" \0 |- V) A" |. x1 t, n/ r- r
-The most exotic ones (could be very slooooow :-(
/ F0 S# T. \, ?   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
( x4 L* c( J5 W5 m* M- c' X     ;will break 3 times :-(- B' v2 p3 C9 U- x* T! H. `3 j' C

+ r" y; `2 h0 \8 a  L, K-or (a bit) faster: ( j2 A3 Q0 E  r* @' h
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
7 g# M; r" k# K+ T8 j1 C4 c
$ N  N# n) f- O) O1 Q5 g1 \   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
  j* q, e) n; X$ O( k     ;will break 3 times :-(! f0 d/ B0 g6 F

) Q, R; O) b; x4 U1 {-Much faster:3 S% M) O# j: w# i2 y% u
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'2 d# C3 n; a  d2 I* L8 O' ]! W

3 x) w1 ~$ ]. T( \5 C" \- eNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
% y9 V2 l' o7 }% T6 ^) K8 lfunction to do the same job:
8 h; X* S3 G9 P9 [! B# @  x* V  G7 r! w8 g" b4 |
   push    00                        ; OF_READ* S9 g" p3 U, X- x$ V
   mov     eax,[00656634]            ; '\\.\SICE',0
/ ?9 e+ y* P1 ~5 y   push    eax
$ G- A" A* q8 x% Z4 O   call    KERNEL32!_lopen
# R8 [1 t6 ~6 J' @   inc     eax
6 Z( @2 o9 I* [; V. ?- E   jnz     00650589                  ; detected
1 @2 ^" N) Y( V+ T   push    00                        ; OF_READ
5 n/ s% W7 S0 w( c. }   mov     eax,[00656638]            ; '\\.\SICE'0 X5 L9 I& g* f) I5 q  V1 m8 W. C
   push    eax
4 j, O0 F0 W0 }. J   call    KERNEL32!_lopen
) p# T  n( G2 A7 h. X' P3 s   inc     eax( o3 ^' t8 L  Z" I4 z9 W
   jz      006505ae                  ; not detected8 B) P) f  p* L5 c0 E* n

$ k4 ^6 z# M5 a( f
. _7 A/ m( j0 o__________________________________________________________________________
( L3 v8 x7 E& ~# H: _! q0 m( z" r2 U& J; ^. o
Method 12
1 @5 |  `5 X1 H$ e9 x6 D; Y=========
* [! V7 I8 X+ K
1 B8 _& ?/ ?$ b6 r/ `+ L5 p. c- \/ `This trick is similar to int41h/4fh Debugger installation check (code 05+ c( A8 O, x$ g# Y* I
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
  U9 J  w. r" z- C: A! C2 n  m9 U- {as it uses the VxDCall backdoor. This detection was found in Bleem Demo.( ^" `& N0 y. j' A, P
! O! v" Z' [0 r- Q5 v  W& X
   push  0000004fh         ; function 4fh9 z: Q( I) g# B* n7 w3 W# z) K( _
   push  002a002ah         ; high word specifies which VxD (VWIN32)
7 f: E% L/ |/ y                           ; low word specifies which service. o; X) |7 I+ y+ _( N* `
                             (VWIN32_Int41Dispatch)
4 V' L5 _# B' ^# R, i  N   call  Kernel32!ORD_001  ; VxdCall: A+ o5 ]( Z% }% U  U5 [
   cmp   ax, 0f386h        ; magic number returned by system debuggers# U! q3 I4 K9 C6 a
   jz    SoftICE_detected
" f2 D( ]5 M/ B" l; N$ X% [; ?
; `- J& K5 Q+ H2 h7 DHere again, several ways to detect it:
  {: _" }5 G$ i# p  `2 N' _6 h  W5 Y
; j( S* X& a* L6 z; m7 A) I) j    BPINT 41 if ax==4f) U8 b+ e5 D& t9 ]3 ^  N
3 C! n) P) L0 ]' e8 G) A3 D$ Y4 W% j
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
5 S( {' m& k1 b' E
8 E/ k7 X: E. s1 D1 J    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A, D2 C) N/ B6 @1 y

8 M% v8 _! ^* y  m, n) p    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!6 A* |& ^" s; `

( H0 }) L$ d$ l3 u/ L4 J__________________________________________________________________________
  R7 C! P2 H9 F  y4 s
) c! \& h4 g5 O. A, y7 H. ?3 cMethod 13* x* f9 N, s! l7 x3 `9 g
=========0 q2 u2 Z8 i5 K) j: C

* x# k- |" T* o" `. XNot a real method of detection, but a good way to know if SoftICE is
6 H) [9 p4 a, Yinstalled on a computer and to locate its installation directory.
) _" o! n! Y" L: D; J( D. zIt is used by few softs which access the following registry keys (usually #2) :
' [; G2 g' ?/ p  L, |; o+ V6 N& }9 O, ?- e) g" A# N/ O$ y
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 I" a0 i5 k. n" k4 N9 C) q\Uninstall\SoftICE
2 I, x, u# V. J5 F* d5 L-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE$ a7 x" X% t+ w. P7 k% r0 d
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 L: D' V1 W4 V/ i8 S\App Paths\Loader32.Exe
8 {4 X; p+ s/ U7 E/ e4 b1 R  g/ Y4 Q$ ^# V. J1 L' G
! B0 m: V9 u4 N! t( m
Note that some nasty apps could then erase all files from SoftICE directory# b7 t3 ?* S* q, o/ s0 n% ~2 ^) m
(I faced that once :-(. x- W: G0 y5 }
; b2 g5 x" J( I3 V4 O& w! w2 @+ e8 E) s* g
Useful breakpoint to detect it:
$ V5 g. b3 @( g: Z/ n) g6 D" X3 N+ {* `: \2 k7 M- ?
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
3 u% B. B8 Y. H& z2 T, B4 j. Q( G# j3 _' _
__________________________________________________________________________+ e+ t+ n7 r1 P. Q. @4 R6 C

) O: {5 E) ]; v2 x1 s0 E6 d1 k( [0 D. A7 _4 J' [  H
Method 14 ; @% l* a; w% J6 n: j$ k
=========# P$ y+ H" P+ `3 q4 c

1 z9 s5 k, z6 W! n) r7 gA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
" r# I* [6 O9 l- Z* a8 g* h2 bis to determines whether a debugger is running on your system (ring0 only).
: v8 E' R4 ^- z. I) A2 G
  _+ e; J! V3 X% \- G: e   VMMCall Test_Debug_Installed' V/ Y3 P0 h9 O7 |4 [7 H! Q/ w- G" y
   je      not_installed
% k4 {/ _8 F' e# |. Z' z6 d( N5 j' u4 a) y1 |
This service just checks a flag.
$ z9 Q- g! V& x</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 22:30

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表