About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on SoftICE's BoundsChecker interface: with EBP='BCHK' and AX=4, an
INT 3 that reaches SoftICE is serviced by that interface and AL no longer
holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It relies on the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if no such VxD answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily pointed
at a dummy handler that just IRETs, so a handler installed through the
interrupt vector table cannot return the magic value; SoftICE, which
intercepts the interrupt below the vector table, still returns 0F386h:

    xor     ax,ax                  ; ES -> interrupt vector table at 0000:0000
    mov     es,ax                  ; (added here; not in Stone's listing)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install the dummy handler, save the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect (there
is no function 4Fh and no 0F386h compare to set a breakpoint on): the dummy
handler copies AL into CL, and AL is loaded from the timer port beforehand.
If the dummy handler ran, CL equals AL; if SoftICE intercepted the int 41h,
CL is still the 0 loaded before the call.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; timer counter: a varying value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                ; DOS: set interrupt vector
    mov     al, Int_Number         ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (in ring0 only). The values can be manipulated or
changed as well (clearing BPMs for instance).
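Added example, not part of the original text: a decoder for a DR7 value as the Method 10 check reads it, so the reader can see why the reset value 0x400 (only the always-set bit 10) differs from 0x700 (LE and GE additionally set, the value the text attributes to the SoftICE loader) and from a value with a memory breakpoint (BPM) armed. Bit positions follow the documented DR7 layout; the loader interpretation of 0x700 is the text's observation, which the code reports but cannot verify.

```python
# Added example, not part of the original text: decode an x86 DR7 value the
# way the Method 10 check reads it. Bit positions are the documented DR7
# layout; the reading of 0x700 as "started from the SoftICE loader" is the
# text's observation, which this code only reports, not verifies.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # LEN field: 00=1, 01=2, 10=8, 11=4 bytes

def decode_dr7(dr7):
    """Describe the four breakpoint slots and the control bits of a DR7 value."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # Li: enable DRi for this task
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # Gi: enable DRi globally
        rw = (dr7 >> (16 + 4 * i)) & 3            # R/Wi: which access triggers
        ln = (dr7 >> (18 + 4 * i)) & 3            # LENi: size of the watched range
        slots.append({"slot": i, "enabled": local or glob,
                      "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "gd": bool((dr7 >> 13) & 1),              # general detect (trap on DR access)
        "armed": [s["slot"] for s in slots if s["enabled"]],
    }

def classify_dr7(dr7):
    """Apply the Method 10 decision to a DR7 value."""
    info = decode_dr7(dr7)
    if info["armed"]:
        return "memory breakpoint armed in DR%s" % ",".join(map(str, info["armed"]))
    if info["le"] and info["ge"]:
        return "LE/GE set (0x700-style value; text attributes it to the SoftICE loader)"
    return "clean (reset value)"

if __name__ == "__main__":
    # 0xF0401: bit 10 plus L0 set, R/W0=11b (read/write) and LEN0=11b (4 bytes)
    for v in (0x400, 0x700, 0xF0401):
        print("DR7=%#x -> %s" % (v, classify_dr7(v)))
```

For an analyst the practical use is the reverse of the trick: before letting a sample reach such a check, run the decoder on the current DR7 and clear every slot it reports as armed, which is exactly the "clear breakpoints first" warning above.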

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Try to open the SoftICE Win9x driver by its device name; a valid handle
   means the driver answered the open request, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is thereby detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>