找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
7 ^4 P" x7 L9 @, Z! X" l<TBODY>3 i  l* @+ j  @& O
<TR>6 q7 I  s. l6 F, I4 ?7 t0 M
<TD><PRE>Method 01 ) Y* g' Y. J5 r: z" M# ?& Q
=========6 {: A! ~- d/ N% ?+ L4 v' a. b

1 O- y( G3 P6 H6 w' y- NThis method of detection of SoftICE (as well as the following one) is# a* o7 T2 w, K6 B: W( _3 [
used by the majority of packers/encryptors found on Internet.
0 Z$ O. R5 J: C; k0 N5 z* \It seeks the signature of BoundsChecker in SoftICE7 A" r( G/ k6 H2 s6 b/ k
$ V) q) |4 J1 e9 f( V6 Z% l* T
    mov     ebp, 04243484Bh        ; 'BCHK'! e% J9 u1 _: e7 \7 b+ E
    mov     ax, 04h
$ j& R) i$ q/ [" H    int     3      
! ~" n0 }: {2 r6 Q& k0 E    cmp     al,4
) z' S3 b7 L6 k% p    jnz     SoftICE_Detected2 ]2 |/ n/ S$ N9 ^0 V

2 A% j1 h5 I$ j0 S- u___________________________________________________________________________* n1 i3 d% D& l$ J* Y3 H
8 O( {( }( r3 x3 ?, N2 b  y
Method 02" A+ ~' V! d3 w1 o; q
=========
' k! ^. `. e- C1 w3 F" x9 P; y1 D( E( r+ l
Still a method very much used (perhaps the most frequent one).  It is used
6 K" [% t% S4 N6 M  K6 q6 w/ xto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
. }/ D% ^2 O" N6 aor execute SoftICE commands...
- \% @% ]3 y. G1 P1 F1 D2 hIt is also used to crash SoftICE and to force it to execute any commands
+ y! n- c, w7 p(HBOOT...) :-((  
1 i. r8 j' ?- S! \) S9 @
" Q" r  l2 ?- eHere is a quick description:
/ O4 b* Z) C. t' R-AX = 0910h   (Display string in SIce windows), w0 g' R6 {& N1 @' J- _
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
+ }- a+ H3 Q7 K% }* J; w$ Q  H-AX = 0912h   (Get breakpoint infos)
- k1 ?* B7 l2 `9 j8 D-AX = 0913h   (Set Sice breakpoints); b$ c! u0 ^# I0 Z
-AX = 0914h   (Remove SIce breakoints)
  j. k/ i0 Q  d2 m5 M! X. C- ^/ e( D) H8 Y* Q2 ]2 \9 H
Each time you'll meet this trick, you'll see:
3 I: b, A2 k6 `; {9 p7 s4 I3 K-SI = 4647h3 h1 m( x' M* |0 ^; v- b$ I0 n
-DI = 4A4Dh
# b) g$ v4 w8 d' d1 J* Z4 iWhich are the 'magic values' used by SoftIce.
* `7 ^# Z( J  C9 `! a$ w  q/ EFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.* w1 J" R) A0 ~# E- ^

- Q! [5 O5 }1 x9 bHere is one example from the file "Haspinst.exe" which is the dongle HASP
4 E/ ]  ^: w9 W3 z( F- N" p8 FEnvelope utility use to protect DOS applications:
/ W+ h  c4 u( i9 n2 K. a6 h+ B# ^& J# |$ m& N7 U9 Q9 J6 H! {  m
5 j9 ?4 ?4 q2 x
4C19:0095   MOV    AX,0911  ; execute command.0 x  q) i* A, T) h$ d0 E5 i
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below)." l2 p. Y8 |# p& g3 x
4C19:009A   MOV    SI,4647  ; 1st magic value.
6 B/ t0 ]+ q2 V4 t4C19:009D   MOV    DI,4A4D  ; 2nd magic value.' L4 X3 Q5 u1 I: p8 t' x
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
& @4 c, S7 v  B) o: i* Q2 f4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
. {4 Y) w# \1 H/ C" \$ u4C19:00A4   INC    CX
& R8 P7 U" ?" W  c4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute3 M; h$ |) G: T
4C19:00A8   JB     0095     ; 6 different commands.
( E/ ?2 ?2 v# Z; m4C19:00AA   JMP    0002     ; Bad_Guy jmp back.0 L1 W, y; a: s% K2 _8 z
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
* q& V; ]8 p! p( }5 u( L* C+ X7 C7 y& r9 G, w' _8 X& e
The program will execute 6 different SIce commands located at ds:dx, which" N4 Y. O+ [; j& o  Y
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# b9 J6 K, W7 ^  @$ u7 k7 l+ `) x2 u, Z% f) G  {
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
$ }5 e4 l: `2 _( l* d9 o0 z5 }" E___________________________________________________________________________
2 K$ T' W" `$ o; y5 y
% d4 O3 X% F9 {- L  Z
7 E4 L8 {# [3 f% a& I! R# WMethod 03
, K6 ^3 D6 Q/ d( S# [2 l=========
0 K6 E8 w1 d2 N9 M( {: G8 r. c3 ~3 J+ W6 Z* U1 I1 z4 u; Y& r- A: `
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
1 m/ q$ ?  p# m" @( R(API Get entry point)
- }/ Z8 b0 N& A2 y        0 W* L" E# I% M9 g. C1 @9 b

! Y, W+ t2 f) ^" b& L  W( c    xor     di,di
/ r, j3 _1 g) c5 z/ K    mov     es,di
+ d. i; P- R) L7 d8 H    mov     ax, 1684h       - R. {, r# W, f( I) p& n
    mov     bx, 0202h       ; VxD ID of winice
5 b. y- Y0 B; S! z    int     2Fh0 x1 L- {7 H- c$ q
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. |  [) L1 k' c3 L' Z" z  B/ `    add     ax, di
- ^# T* e- u! e; {6 Z    test    ax,ax
+ E" t. t; f. @8 H% M/ _    jnz     SoftICE_Detected( X: T% z& R7 i

5 b, N2 f8 R, h( Q8 `___________________________________________________________________________
0 x( M8 Q9 d0 @% R1 w2 p. f
5 N) _; W2 c, R; P4 Q* ]/ sMethod 04# G  u) w7 \) ^/ W! ~
=========2 H! n& {% A- W( N/ {  o
* R. T1 z+ x8 w( g
Method identical to the preceding one except that it seeks the ID of SoftICE1 i7 ]$ Z8 x6 p$ D& `& V9 f! f5 Q9 R
GFX VxD.
( f# H) \: M( W$ O' L6 ]" i. g. ^# q& G0 u
    xor     di,di4 }: r$ m+ _+ |$ Y
    mov     es,di% g$ K* n( d8 j+ Q# _# p0 W
    mov     ax, 1684h      
2 ^5 F) [0 C/ ^    mov     bx, 7a5Fh       ; VxD ID of SIWVID+ f, ^3 l0 N( t0 F
    int     2fh; w6 w$ x) z( G) ~
    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ c3 C5 F0 G' H* g
    add     ax, di
) @0 r: K4 X( m6 k7 M    test    ax,ax
# ]% J& T1 c  h" z    jnz     SoftICE_Detected. r7 S- K- S( D  l! @

# f; D: I' Q! k__________________________________________________________________________
! p0 U4 i" E9 q! E+ ~1 \/ t$ ]2 h% m- A) b, n! X; c( t0 N2 O

$ L* }" u. k; N, RMethod 05
& m9 _* `2 G5 h6 Y+ R8 w=========5 r( h5 G1 K$ {; o7 x! ?9 R
" u& W! U5 X7 j; C- _' ?6 `
Method seeking the 'magic number' 0F386h returned (in ax) by all system& \9 o4 q" z# Z
debugger. It calls the int 41h, function 4Fh.; d; T8 o9 M, |' W' a
There are several alternatives.  
% }. E8 `- D# G3 w( m! R2 B( a5 N# ^( m. p( m! v
The following one is the simplest:
1 M7 y+ ~1 J8 I: c. b, W
. M. z) J8 }& [3 K; W7 g! z    mov     ax,4fh7 k; M6 r7 X' [& H) j8 @! w, ?
    int     41h9 L6 A8 i- S" Q6 L
    cmp     ax, 0F386! u/ y( D# Q5 A
    jz      SoftICE_detected3 k: ~, n+ @, F/ [" N
# V. r9 O# z, }- [" I# V2 d- v
* y( v# G1 i: ~7 }# y
Next method as well as the following one are 2 examples from Stone's
. u) d& ^" c! z$ z"stn-wid.zip" (www.cracking.net):# w2 Q+ G! m/ q: n8 y/ M2 V2 n

/ t  N9 [, W- d    mov     bx, cs. R: g+ Y& P5 L0 {+ ?" [+ J' Z' R
    lea     dx, int41handler2
8 ~) B- f4 N% O1 A% W1 K    xchg    dx, es:[41h*4]& k* ^7 w+ O0 k  z# g
    xchg    bx, es:[41h*4+2]
0 e# `9 @" _& h1 w    mov     ax,4fh* d/ b, M# }$ \; G
    int     41h
' N$ [% T3 f. k% }3 m0 y, j* ^7 r- r    xchg    dx, es:[41h*4]8 Z1 D1 y$ b! G
    xchg    bx, es:[41h*4+2]9 Z4 a+ |2 F6 `0 i9 a; V
    cmp     ax, 0f386h+ ~  h% O, y3 e. J
    jz      SoftICE_detected! ~: D2 ^6 V- O' a5 p+ C" f/ f' M/ ]

1 V% X) i. `/ m3 \int41handler2 PROC
: j3 L( v3 m$ f% _# {% Z    iret+ u/ H8 b" U4 {2 e, G* b. p
int41handler2 ENDP# J" x* |( T; E; D
% P2 f1 r6 ?/ ]' m+ H* l# a/ u

  \/ }; E( {, H_________________________________________________________________________1 O& d6 C& {9 A4 Z9 k$ b; S3 g: B. T

$ E8 [! i! c- X3 A0 `
0 v9 ]" A3 z0 g  X# j" TMethod 06+ l. N3 R0 t* a' R% _: ?) H
=========
; J' x! G9 z; z% h% M, g: C9 a3 n
/ X0 o" z( {+ @. Q# ?( w
2nd method similar to the preceding one but more difficult to detect:2 g! M5 @. i$ ?7 O# X. @( E
7 X( o  r1 n: }% p0 ^) ]2 m( K
9 M! J' i  O4 a% p. D) h$ t$ T
int41handler PROC3 {6 H, _- Y: Z0 j" _- m5 ]
    mov     cl,al
9 f2 X4 t$ ^0 C* ~4 t1 X! t    iret
2 \& ~6 @" U) a- U3 \int41handler ENDP
' r, t' S( \6 R( |2 h+ h# J  }1 h4 ^2 M9 B+ r% b/ j+ `( D. G6 U& Q& x7 x

. \! }+ N) T/ `4 ?    xor     ax,ax
. g) d8 Y9 a3 o8 V% ?7 a    mov     es,ax
; K- i# x. e. L- K3 v    mov     bx, cs" h; ?$ }( ~; E; p9 p
    lea     dx, int41handler4 u% J: A) y8 G: d& z* a6 ~
    xchg    dx, es:[41h*4]
* H  w3 B/ r* Q/ B$ h) m3 F    xchg    bx, es:[41h*4+2]
4 C: m5 g7 q- p    in      al, 40h0 T; z+ }* k6 @7 T7 b$ r* k* N$ `& g
    xor     cx,cx+ o/ w! y' d' e) ~. C8 E
    int     41h
) A4 m( o/ i8 @+ c$ h    xchg    dx, es:[41h*4]
1 x+ Q0 [/ W5 s$ u2 S. m4 k* C8 x    xchg    bx, es:[41h*4+2]4 E9 \9 Z* O2 _7 i& i: h
    cmp     cl,al+ f# M4 p$ L# P, H
    jnz     SoftICE_detected, Z0 q5 a' O1 P
- W  V% t. @7 b0 v7 b/ w( h. A
_________________________________________________________________________
. C, \. Q: \4 u- k1 y5 x
) _* q* l3 p" ?5 }Method 07- Z8 W2 N* |! g/ r  F
=========' d# G; d4 w- G9 J. {. h
( g* \6 [) V# B6 `6 U8 c
Method of detection of the WinICE handler in the int68h (V86)
" f" {" s' }+ Q/ N8 k
% O# A0 k( f, C6 R# b; \    mov     ah,43h. i; \* H  h" M, n- {5 T! E9 R
    int     68h
$ j  v' J: }  A3 j# H    cmp     ax,0F386h8 \, n: n9 P2 {# f' C! O- i* T
    jz      SoftICE_Detected
# H! h6 Z' |& B7 w& f: Y2 F$ q* K
! ]. u6 C7 q7 W% n; p
' u5 \# g5 T. R=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 y3 X, c% f& f. M3 G
   app like this:; |% w+ `8 m0 r. D9 O
. W4 w+ R6 j' i1 C( P4 U
   BPX exec_int if ax==68. i/ X& @0 ~7 ^: R0 G  A7 L
   (function called is located at byte ptr [ebp+1Dh] and client eip is
& L+ }( G6 ]9 m( @# T4 k  d   located at [ebp+48h] for 32Bit apps)9 e( y# g! U( ?: Z
__________________________________________________________________________
- B1 y3 s: D- o4 i* X# e2 R
" K, {1 V6 i4 h* j6 ~
; R1 l' e+ ]) N/ jMethod 08
  @* ^( G# t, C0 O6 ?7 e- A) ~( [# }=========
# n& k6 V- J9 w4 R8 i: Y8 T5 p( n0 k5 @8 W" J3 R2 b
It is not a method of detection of SoftICE but a possibility to crash the
  }  ^( g2 u8 F; J! ~system by intercepting int 01h and int 03h and redirecting them to another
$ Q$ {4 t: J& o% j+ N$ \3 |routine.( M* J0 Z/ H8 K9 e
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points. I0 n8 u8 ^9 ]( y' V
to the new routine to execute (hangs computer...)
3 D, g; A6 Z$ ^- A! n+ t# G* P
7 I1 [7 U& ^/ g% P: j    mov     ah, 25h+ k; N' h* l5 f7 x( F) t9 Q
    mov     al, Int_Number (01h or 03h)
1 }' b2 p* A8 X    mov     dx, offset New_Int_Routine
4 v/ q5 _0 T4 T, n2 w  @# R    int     21h4 J! ~6 M6 g. a6 L8 M* e
3 Y) M0 t5 K) l" ?) S* u
__________________________________________________________________________
3 h$ v8 a' E+ F% u% H! b
4 @* Z! v; X! ?4 [$ ~+ {) }Method 09/ j: r. I& o! Y5 j
=========/ u* J. n1 E& v7 R% T
8 l8 g* O/ Q! X4 ^  ?$ R9 n" P
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- O4 p3 y% p1 R. b) X% l6 gperformed in ring0 (VxD or a ring3 app using the VxdCall).7 o( w* ^, e* q6 E* F
The Get_DDB service is used to determine whether or not a VxD is installed+ ^) R1 l' d  s/ R8 F+ B
for the specified device and returns a Device Description Block (in ecx) for" p2 y+ x" l5 B- [- w5 w. |; W3 D  k
that device if it is installed.9 w' @( D. k- F7 g7 T, a+ N

$ ^0 Q' D* t0 p   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
" g. N8 \  ?# \- k. r$ O$ _2 y, Q   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 j3 n  O5 }+ y, `  A: b: E, V. ^2 ]
   VMMCall Get_DDB
1 Y# E8 c8 H; u   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed5 P1 V4 N* p# B7 s

  K3 a9 }& K- R* ]1 z/ b- Y+ SNote as well that you can easily detect this method with SoftICE:* I& P2 z) D0 y+ {% N0 H5 A0 R5 N
   bpx Get_DDB if ax==0202 || ax==7a5fh: V0 b* h& M* |7 S/ Q. X
+ A! U+ U" v6 B. g2 E# o# g
__________________________________________________________________________
. }, n7 \* Z3 Q3 j! x& w
9 U0 t9 ^9 D- K* ?" D! rMethod 10# N  _9 B9 |' H3 U
=========7 O8 m4 t( Q* c7 n8 x
, G! {3 T0 B0 u% ?
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
$ M2 `6 l$ a" H1 p- B0 ^" D2 q  SoftICE while the option is enable!!
- g8 M4 M: l, t, ?* T- c9 m; t6 @3 v6 b
This trick is very efficient:! k5 N8 Q9 _2 S! F
by checking the Debug Registers, you can detect if SoftICE is loaded7 m. ]& z* |4 U- D
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if2 {8 f/ D6 I( ^2 d2 f, A
there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 A0 L3 [2 K2 I: Dvalue (in ring0 only). Values can be manipulated and or changed as well
3 s5 b: f4 B! ~6 }8 L; y(clearing BPMs for instance)  r6 t! B% k3 v% w$ c

/ F  u0 v: ^8 @9 X9 x__________________________________________________________________________* a  m, K! ^+ P1 F* q8 A* _0 g, f
; Y2 o3 r; A$ `/ G* e% u  ^
Method 11
1 u. m, e) P  _: p5 q=========0 G7 f7 A" X4 z0 Y& A

( x, q9 e; k/ t) e7 M' Y' W4 TThis method is most known as 'MeltICE' because it has been freely distributed
9 d' H6 K5 E5 P* Yvia www.winfiles.com. However it was first used by NuMega people to allow
( I; R+ E1 T) M2 E" TSymbol Loader to check if SoftICE was active or not (the code is located
2 d+ U2 N2 J3 I; s. b' L2 V5 B' rinside nmtrans.dll).
* n% R2 S6 U+ l8 n2 Y
. h5 k8 S% |# t5 f: Q! ]  w8 Q/ xThe way it works is very simple:
9 p( M' K8 t; Z- J. CIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! j3 X5 W: P4 d1 |: c" MWinNT) with the CreateFileA API.
/ \2 I- ~, P( L% h
& j* f2 I4 O# t% BHere is a sample (checking for 'SICE'):. I6 _' U2 p' m5 r; x

% F6 T( j$ m! }6 R. @BOOL IsSoftIce95Loaded()
' f, `# i; ?3 s{
# L/ A4 ^# u+ C" _! a1 P   HANDLE hFile;  7 T& q3 A* P9 C! O% Z7 t
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
2 A! D* p( c; ^' [- {2 V                      FILE_SHARE_READ | FILE_SHARE_WRITE,
" p- e( L0 n% l0 L                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 M- Z! c% J/ O' ]# G2 {$ J   if( hFile != INVALID_HANDLE_VALUE )/ v5 k# f' T& u$ T
   {
" `7 g7 W1 f' ~9 G      CloseHandle(hFile);
, g8 U; B" c# G/ Y. W* M      return TRUE;3 k5 s# [7 Y7 y! N6 C9 u; v
   }
3 P: U+ t6 E( r   return FALSE;
) q+ P1 o7 V( ]) K}+ ?$ [! e2 n7 C: R7 O* g) i4 k) ]

$ _; u9 o2 z$ H- F0 qAlthough this trick calls the CreateFileA function, don't even expect to be  L% d7 c* b7 n
able to intercept it by installing a IFS hook: it will not work, no way!
; G' P- V4 y7 q2 `' M7 aIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, N+ _4 g. m) J/ Aservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
" y# a4 Y1 \$ f3 _and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 ]1 I5 d* S. Q( |8 [! sfield.
; P7 n7 \& t  I' A6 L+ YIn fact, its purpose is not to load/unload VxDs but only to send a
. S0 H$ X8 x* [, x- o: [- K6 t3 WW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 ^$ O: U2 l, @1 dto the VxD Control_Dispatch proc (how the hell a shareware soft could try
; n* J1 [/ d* {8 F. Dto load/unload a non-dynamically loadable driver such as SoftICE ;-).
. C" |8 J/ V/ lIf the VxD is loaded, it will always clear eax and the Carry flag to allow1 Z0 N% o1 r4 p
its handle to be opened and then, will be detected.+ e9 a5 a+ s0 U
You can check that simply by hooking Winice.exe control proc entry point
' {& G; E6 {# u4 |" A$ U$ Nwhile running MeltICE.( v; X( z7 E5 B6 `4 H. }% Q  T0 c
; Q9 [/ \# x# L

; P/ F2 r/ c% P+ M& ^8 t  00401067:  push      00402025    ; \\.\SICE  e. T) n5 _9 M5 c8 {# K
  0040106C:  call      CreateFileA% H5 R- z. J$ M+ t, S, p  J
  00401071:  cmp       eax,-001
& i; D$ J: n! v( J  00401074:  je        00401091/ ^% B7 ^+ d8 H9 L6 {

4 r. ^/ A( B7 h  ~+ Z5 c3 S7 `  v. {3 P# p  }
There could be hundreds of BPX you could use to detect this trick.
: L8 J" X- ~+ n1 P% o6 O-The most classical one is:% G% @& Q# o# z4 S, q  V, K; m  u3 ?  @
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
0 j8 i( [+ e& R" j    *(esp-&gt;4+4)=='NTIC'# U$ ^3 F* s/ T: V
$ k8 [+ a' n2 @8 e5 b  F
-The most exotic ones (could be very slooooow :-(
/ J, H+ `0 o1 ]; Y) e   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
. X  m0 k$ P# V8 ~     ;will break 3 times :-(. w  c$ Z8 D; u6 f

/ g! I2 x6 ?$ V: V; c-or (a bit) faster: * M# A! S' [2 j
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')  x% o. y  S6 H& z! V5 E. G

* V& U8 J, B2 b   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  . s6 Q2 r# H. f8 i$ ?
     ;will break 3 times :-(
2 D9 e6 |' d# H: ^. K/ y& n! \
" [  q; I* L9 y9 B-Much faster:
+ N0 v1 R4 ]' b) m$ O/ O   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
$ f0 w" N: m8 W6 R' O& H0 o. k& b9 ?! \4 w7 C, p( D7 N8 P- f
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
7 v# p, e+ _( R! Lfunction to do the same job:
" x$ p* I+ N: J' D( ^5 s; C, P
! O7 \7 N6 l, W( f; ~" ^   push    00                        ; OF_READ7 o8 m2 h) Z) s- I7 B  \
   mov     eax,[00656634]            ; '\\.\SICE',0
1 R8 D; q- S7 F- x  g% R   push    eax
, ], |0 ?- v! I% w( H: `   call    KERNEL32!_lopen; d2 |! c# I& T3 i
   inc     eax0 L9 v+ b7 R7 h" E; m
   jnz     00650589                  ; detected
. j; N/ z( L  r; ~  ~3 [- B   push    00                        ; OF_READ
2 B6 T  P7 c$ r2 P. Y   mov     eax,[00656638]            ; '\\.\SICE'
5 o1 e. m* h9 D: X3 Q   push    eax) k" G- g! y( a+ ]" W: L% L
   call    KERNEL32!_lopen
- j2 i- X. s$ v: a: `, Z! [. c   inc     eax
$ Q% R. b+ @& D& O# B8 i  g+ T1 w   jz      006505ae                  ; not detected
4 b/ `9 u* g8 w
7 o; e  B$ O3 ^/ a+ Q: j9 r3 w; U6 ^  L% `0 ?+ E
__________________________________________________________________________  I( j- J2 F' a: u0 Q
. J0 S0 r- P% X% W
Method 121 U$ l8 x& z$ k& u  b3 B
=========
- C- t2 b+ q! n' A+ B8 a
; Y" m+ R& K/ d$ q8 |+ d+ iThis trick is similar to int41h/4fh Debugger installation check (code 050 q1 y! J) j- h7 z
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
9 o2 e4 p+ m8 e# K" v: x; eas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. m4 L/ Y& V2 [/ |; ~6 s- D) ^- n9 ~" R1 q
   push  0000004fh         ; function 4fh3 m  Z- X: T6 j
   push  002a002ah         ; high word specifies which VxD (VWIN32)
3 d' s1 R- O+ m5 g- ]$ A; d  ]                           ; low word specifies which service9 E1 d+ x, z7 _
                             (VWIN32_Int41Dispatch)
3 p) i+ h: A; h' g) N) W! [   call  Kernel32!ORD_001  ; VxdCall( k* x8 d# Q5 K
   cmp   ax, 0f386h        ; magic number returned by system debuggers
  F/ E1 ~$ o' z   jz    SoftICE_detected5 F5 |$ G5 ^1 ]3 R: c' R& |- j

5 q* |  h; u/ c! q4 S! VHere again, several ways to detect it:: R# k7 a/ h% u9 i3 S8 q

$ M4 e* N0 a; d+ B    BPINT 41 if ax==4f
9 e1 t4 g% m' J3 J5 h' U
+ s9 l; J9 `5 a6 {* q, L2 |& P    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
0 k- e. _" G+ d) s1 o. d: Q, |- H% j
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A4 L: i. [+ P3 |
' D2 m. g7 x  G
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
  H2 p1 W6 L$ L- w. G  p4 G$ S: P
__________________________________________________________________________" K; @1 H4 b7 J# C. t$ b7 H; t

9 l# E; D( r9 L$ l# sMethod 138 v0 J0 Q; U- O9 I4 L5 R
=========
% B) A6 l% U1 C$ t7 }" d2 r2 J9 |4 d0 b6 l
Not a real method of detection, but a good way to know if SoftICE is1 c0 p3 V& M( }7 c9 E
installed on a computer and to locate its installation directory.
( Y! H7 @& }: S/ D' ]- u$ l( `; R0 y& xIt is used by few softs which access the following registry keys (usually #2) :
  v5 U- t! `: u2 W7 @
* C8 ~# r5 G  I: o/ G& u) \-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 k+ l  W6 _9 b) Z/ v- Y1 v
\Uninstall\SoftICE
- H  v  f1 q8 B-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 B9 g) o8 R6 a; T
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, c& o3 U8 Q0 M! Y$ y\App Paths\Loader32.Exe1 }# c- \# Q; c  u* g1 }
5 L9 d- k, j# ~2 R- S

  [/ U; A7 \" ^5 j- }8 }+ i/ HNote that some nasty apps could then erase all files from SoftICE directory" V; ~* L3 C' @: F+ P" a
(I faced that once :-(
* r/ Z- d; l+ l9 a+ \9 D& h6 _3 ^3 E" w  [4 c$ S) q  _4 R
Useful breakpoint to detect it:" W% {6 a0 `; R+ o

) x4 R) E- e; Z7 a6 d2 r     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
7 ?/ o8 [% e2 g) e3 \9 w- c+ F
__________________________________________________________________________2 Y3 g& M/ w$ f, y% J2 V
3 k+ r- E8 _1 s+ D& H
$ o+ [4 V* j$ L  U8 _' c6 I
Method 14
, C% w: M3 O/ k, t' z=========* h1 [+ c- H) o& u2 u! `3 g
7 o- `( z* o4 H6 @( b5 ~5 B; }7 L$ U3 h
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* [$ K/ p; p% G. K1 B- c
is to determines whether a debugger is running on your system (ring0 only).
& s, d% }! ~( ~+ f. V$ e- @8 h! z* T5 G. M3 ^
   VMMCall Test_Debug_Installed. D% _6 O( L6 l
   je      not_installed
8 V! q) s# f# m) ]5 l) p% f# y1 k+ I2 I) O
This service just checks a flag.& S* W0 P- u4 e5 R2 X
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 17:06

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表