About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 so that es:[41h*4] addresses the IVT
                            ; (as in method 06; these two lines are not in
                            ; the quoted fragment but it needs them)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
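What the two DR7 values above actually encode becomes clear once the register is split into its bit fields. The C below is an added example, not part of the original post: the field layout is the standard x86 DR7 layout from the Intel manuals, the function names are mine, and it only works on constructed values in user mode, since reading the real DR7 needs ring0 as the text says. It shows that 0x400 is nothing but the always-set reserved bit 10, that 0x700 adds the LE/GE "exact breakpoint" bits, and how arming a memory breakpoint (what SoftICE's BPM does) changes the picture.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of the x86 DR7 debug-control register (standard layout). */
typedef struct {
    int local_en[4];   /* bits 0,2,4,6: Ln, breakpoint n enabled for the current task */
    int global_en[4];  /* bits 1,3,5,7: Gn, breakpoint n enabled for every task */
    int le, ge;        /* bits 8,9: local/global exact breakpoint enable */
    int reserved_one;  /* bit 10: always reads as 1 */
    int gd;            /* bit 13: general detect, traps any MOV to/from DR0-DR7 */
    int rw[4];         /* bits 16+4n..17+4n: 0=exec, 1=write, 3=read/write */
    int len[4];        /* bits 18+4n..19+4n: 0=1 byte, 1=2 bytes, 3=4 bytes */
    int armed;         /* number of DR0-DR3 slots with L or G set */
} dr7_fields;

dr7_fields decode_dr7(uint32_t dr7)
{
    dr7_fields f = {0};
    for (int n = 0; n < 4; n++) {
        f.local_en[n]  = (dr7 >> (2 * n)) & 1;
        f.global_en[n] = (dr7 >> (2 * n + 1)) & 1;
        f.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        f.len[n] = (dr7 >> (18 + 4 * n)) & 3;
        if (f.local_en[n] || f.global_en[n]) f.armed++;
    }
    f.le = (dr7 >> 8) & 1;
    f.ge = (dr7 >> 9) & 1;
    f.reserved_one = (dr7 >> 10) & 1;
    f.gd = (dr7 >> 13) & 1;
    return f;
}

/* A task nobody is debugging shows only the reserved bit (0x400): no enables,
   no LE/GE, no GD.  This is the comparison the text describes. */
int dr7_is_quiescent(uint32_t dr7)
{
    return (dr7 & ~0x400u) == 0;
}

/* Arm hardware breakpoint 'slot' locally with the given access type and length
   (the register-level effect of setting a memory breakpoint on DR0-DR3). */
uint32_t dr7_arm_local(uint32_t dr7, int slot, int rw, int len)
{
    dr7 |= 1u << (2 * slot);
    dr7 &= ~(0xFu << (16 + 4 * slot));
    dr7 |= ((uint32_t)(rw & 3) | ((uint32_t)(len & 3) << 2)) << (16 + 4 * slot);
    return dr7;
}

int main(void)
{
    /* The page's two values, plus 0x700 with a 4-byte read/write BPM on DR0. */
    uint32_t samples[3] = { 0x400u, 0x700u, 0 };
    samples[2] = dr7_arm_local(0x700u, 0, 3, 3);
    for (int i = 0; i < 3; i++) {
        dr7_fields f = decode_dr7(samples[i]);
        printf("dr7=%#010x armed=%d LE=%d GE=%d GD=%d quiescent=%d\n",
               samples[i], f.armed, f.le, f.ge, f.gd, dr7_is_quiescent(samples[i]));
    }
    return 0;
}
```

The quiescence test is the whole trick in one line: anything other than the reserved bit means a debugger has touched the register, and the rw/len fields then tell which addresses are being watched and how.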

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

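The BPX conditions given throughout this text catch these tricks at run time, under SoftICE. An analyst looking at a file offline can look for the same constants instead. The C below is an added example, not part of the original post nor of any tool it mentions: a small byte-signature scanner that goes across several of the methods above at once, looking for the 'BCHK' immediate of method 01, the SI=4647h/DI=4A4Dh magic pair of method 02, int 41h followed by cmp ax,0F386h (methods 05 and 12), the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of method 11 and the NuMega\SoftICE registry key of method 13. The opcode bytes are the standard x86 encodings of the instructions quoted on the page (my assumption about how they are assembled; a 66h operand-size prefix in 32-bit code precedes the same bytes, so the patterns match both modes), the function names are mine, and the sample image is constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opcode signatures (assumed standard x86 encodings of the page's instructions). */
static const uint8_t SIG_BCHK[]     = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh (method 01) */
static const uint8_t SIG_SI_4647[]  = { 0xBE, 0x47, 0x46 };             /* mov si,4647h      (method 02) */
static const uint8_t SIG_DI_4A4D[]  = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh      (method 02) */
static const uint8_t SIG_INT41[]    = { 0xCD, 0x41 };                   /* int 41h           (method 05) */
static const uint8_t SIG_CMP_F386[] = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h     (method 05/12) */

/* String signatures: driver device names (method 11) and the registry key (method 13). */
static const struct { const char *text; const char *what; } STRING_SIGS[] = {
    { "\\\\.\\SICE",     "\\\\.\\SICE device name (method 11)" },
    { "\\\\.\\SIWVID",   "\\\\.\\SIWVID device name (method 11)" },
    { "\\\\.\\NTICE",    "\\\\.\\NTICE device name (method 11)" },
    { "NuMega\\SoftICE", "NuMega\\SoftICE registry key (method 13)" },
};

/* Offset of the first occurrence of pat[plen] in buf[n] at or after 'from', or -1. */
static long find_bytes(const uint8_t *buf, size_t n, const uint8_t *pat, size_t plen, size_t from)
{
    for (size_t i = from; plen > 0 && plen <= n && i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* True if pattern b starts within 'window' bytes after some occurrence of pattern a. */
static int find_pair(const uint8_t *buf, size_t n, const uint8_t *a, size_t alen,
                     const uint8_t *b, size_t blen, size_t window)
{
    for (long i = find_bytes(buf, n, a, alen, 0); i >= 0; i = find_bytes(buf, n, a, alen, (size_t)i + 1)) {
        long j = find_bytes(buf, n, b, blen, (size_t)i + alen);
        if (j >= 0 && (size_t)(j - i) <= window) return 1;
    }
    return 0;
}

/* Scan an image for the anti-SoftICE constants described on this page.
   Stores up to max_hits descriptions in hits[] and returns how many were stored. */
size_t scan_anti_softice(const uint8_t *buf, size_t n, const char **hits, size_t max_hits)
{
    size_t count = 0;
#define HIT(desc) do { if (count < max_hits) hits[count++] = (desc); } while (0)
    if (find_bytes(buf, n, SIG_BCHK, sizeof SIG_BCHK, 0) >= 0)
        HIT("BoundsChecker 'BCHK' immediate in EBP (method 01)");
    if (find_pair(buf, n, SIG_SI_4647, sizeof SIG_SI_4647, SIG_DI_4A4D, sizeof SIG_DI_4A4D, 16))
        HIT("SoftICE back-door magic SI=4647h/DI=4A4Dh (method 02)");
    if (find_pair(buf, n, SIG_INT41, sizeof SIG_INT41, SIG_CMP_F386, sizeof SIG_CMP_F386, 16))
        HIT("int 41h followed by cmp ax,0F386h (method 05/12)");
    for (size_t k = 0; k < sizeof STRING_SIGS / sizeof STRING_SIGS[0]; k++)
        if (find_bytes(buf, n, (const uint8_t *)STRING_SIGS[k].text, strlen(STRING_SIGS[k].text), 0) >= 0)
            HIT(STRING_SIGS[k].what);
#undef HIT
    return count;
}

/* Constructed sample image: method 01's sequence, a 16-bit back-door call like the
   Haspinst.exe one, an int 41h/4Fh check, and the MeltICE device name, with NOP filler. */
static const uint8_t SAMPLE_IMAGE[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh */
    0x66, 0xB8, 0x04, 0x00,         /* mov ax,4 */
    0xCC,                           /* int 3 */
    0x3C, 0x04,                     /* cmp al,4 */
    0x75, 0x10,                     /* jnz SoftICE_Detected */
    0x90, 0x90, 0x90, 0x90,
    0xB8, 0x11, 0x09,               /* mov ax,0911h */
    0xBE, 0x47, 0x46,               /* mov si,4647h */
    0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh */
    0xCC,                           /* int 3 */
    0x90, 0x90,
    0xB8, 0x4F, 0x00,               /* mov ax,4Fh */
    0xCD, 0x41,                     /* int 41h */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h */
    0x74, 0x05,                     /* jz SoftICE_detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

int main(void)
{
    const char *hits[8];
    size_t n = scan_anti_softice(SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, hits, 8);
    for (size_t i = 0; i < n; i++) printf("%s\n", hits[i]);
    return 0;
}
```

The pair searches use a short window on purpose: a lone `int 41h` or a lone `cmp ax,0F386h` is common enough in DOS-era code that only the two together are a useful indicator, just as the SI/DI magic values only mean something next to each other. Packed or encrypted samples hide these constants until unpacked, which is exactly why the text's run-time BPX conditions remain the more reliable check.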
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>