找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>. x) i. y6 D4 D4 H- v
<TBODY>
6 t+ x# s% D. N" Q) w9 [' o<TR>. e+ o5 |6 i4 g7 L  v+ I
<TD><PRE>Method 01
$ n* {" c: N0 R" U4 |, I=========
2 e. [0 Z( r3 T2 x, Z( }& |' z
$ ^" m) e  ^1 t  g" L2 ?This method of detection of SoftICE (as well as the following one) is5 x8 U2 X; p% J8 F7 \
used by the majority of packers/encryptors found on Internet.
+ g9 }/ _, r% CIt seeks the signature of BoundsChecker in SoftICE
) k: N- f5 |. _7 g: Q7 w+ f5 Y5 g+ R
7 ^/ g) R% f1 F8 n0 G! N    mov     ebp, 04243484Bh        ; 'BCHK'  e0 }/ A& @( _& e
    mov     ax, 04h" w6 x) Z5 Q5 I0 N; ~8 F. u& C
    int     3       , G* G% `, J+ g4 v
    cmp     al,4! v2 V2 W9 t/ q- [  D5 ~% [
    jnz     SoftICE_Detected
8 B- D( [$ q- D' s( z# l* \2 y0 I. `8 ?- r/ d
___________________________________________________________________________
3 l1 w, P- Q( g0 z/ B9 \) p* N6 B2 f: O3 }$ R' z4 E% Z
Method 02
8 U' C( @& S) M" y4 z=========# T- X8 L. L. y7 ^

4 ^, q' f6 r- W/ tStill a method very much used (perhaps the most frequent one).  It is used
* W! R* S1 E" Z- t7 F  Bto get SoftICE 'Back Door commands' which gives infos on Breakpoints,$ A1 a' l3 O+ O/ J& b/ Y
or execute SoftICE commands...3 F2 }) T3 C- Z# W( E
It is also used to crash SoftICE and to force it to execute any commands( k/ ~+ @" R( @# j5 [" _
(HBOOT...) :-((  
7 r# r, ]- r/ ^) o7 B: U. X( c1 w, u6 Z8 f5 Q
Here is a quick description:( W6 ], o/ p4 T1 n
-AX = 0910h   (Display string in SIce windows)$ W$ B  S# N  K: a: j3 o
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)& b! X7 x& @0 b( o, c
-AX = 0912h   (Get breakpoint infos)6 \1 @+ I# [) p
-AX = 0913h   (Set Sice breakpoints)* V+ b) E$ u( j' d$ C( t
-AX = 0914h   (Remove SIce breakoints)
6 I. E9 z5 @# J+ D5 E8 L, d5 X. P- L/ D  I: A: }7 j
Each time you'll meet this trick, you'll see:6 `- R* D, I; b: e1 }
-SI = 4647h
5 U$ \+ a0 W! S) G-DI = 4A4Dh
: X7 }& M1 r% G  K# xWhich are the 'magic values' used by SoftIce.
6 K3 J8 a4 `8 P( qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 A7 x# Z9 y( ]" _# G% ?
. T- t) V- f  Y; n1 g! ^" a
Here is one example from the file "Haspinst.exe" which is the dongle HASP. c& \& b2 `  I! e% O& U- w* n2 h
Envelope utility use to protect DOS applications:
/ V8 V- |/ @! G! a  x8 x% g$ A  m9 C$ f+ n
, b' ?; e% E. G* J
4C19:0095   MOV    AX,0911  ; execute command.
/ I2 H. K2 T0 ^+ s) s; x; o4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).$ K- V  k4 O- b6 B; o) H, @- n
4C19:009A   MOV    SI,4647  ; 1st magic value./ g3 E; M" _/ m! S  T7 H+ N2 [
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.3 y1 }  J% E+ o
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
3 C6 d  o8 Y5 Y# _3 m4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute  b4 ]  x- K. S% I3 R- ?
4C19:00A4   INC    CX* k5 W6 ?2 s# Y- }
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute7 l8 K/ T% l3 }% O3 P) G% |
4C19:00A8   JB     0095     ; 6 different commands.
+ l/ A' ?6 g) H' \4C19:00AA   JMP    0002     ; Bad_Guy jmp back.- j5 D0 b$ n; V8 Z! V, F7 B8 y/ f
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
% G( ?1 z( h, l; i. X
0 \( [9 g. R$ Q; B& zThe program will execute 6 different SIce commands located at ds:dx, which3 N. M1 I" Y3 W
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
0 l  o$ [, @% j9 \8 h* D8 N4 X" C- f4 d$ k" [4 e: E
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 ]# [# K( ~$ Q# H* X___________________________________________________________________________' L5 W+ O- J* ^
/ u6 Y- g8 V6 O/ O* O. y: L

4 u, I" H) f6 {* F* }Method 03) u9 K% \# E% {  s( Z
=========; G; t5 |- }5 `* _* f8 S

" ^  m# u9 r0 m7 Q  g; rLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 q! G# n& A+ V(API Get entry point)- X' s! ~- F% g+ E( S. |
        9 Z* }- e7 N* t+ H1 s

4 a! d! i2 H$ Q) H8 K) h    xor     di,di
0 r: f* d& x$ F; m$ w* x9 ]# z    mov     es,di
& ^$ k& n5 h' o* h+ @    mov     ax, 1684h      
4 l# {3 U$ j, B    mov     bx, 0202h       ; VxD ID of winice
5 R- J$ s; P$ Z: M    int     2Fh
7 F/ _" f+ Y7 \7 I, T6 @9 z/ [    mov     ax, es          ; ES:DI -&gt; VxD API entry point
4 K& q. v: M8 W' Z3 L    add     ax, di
$ I8 Y5 c" |" K9 Z% Q    test    ax,ax
2 y$ c4 ?" W7 w$ F* f4 B' s    jnz     SoftICE_Detected' l! n" T3 v7 |

/ b5 o7 b- c. @  E+ I# R- r8 F___________________________________________________________________________, I+ a* x, l, L$ e: w3 x# i8 I- a

3 \9 F& s7 X6 U8 w% q$ Q2 yMethod 04+ c' K1 Q8 K( C) p- k/ r' u1 e1 W/ P
=========/ B3 Z( |8 _% j( Y# h

, y/ g$ s4 D- i# f6 s: j3 S  I( PMethod identical to the preceding one except that it seeks the ID of SoftICE7 @# ^8 f' \0 |, u& o2 n, }
GFX VxD.
3 h$ k' l. m4 U" U2 h' {; D7 D+ E" F1 b, T  J+ K% D
    xor     di,di+ m5 u& _8 h4 c, R3 Y
    mov     es,di+ J2 y5 R" }7 F: `+ f0 T$ T: J! u
    mov     ax, 1684h      
& H5 \! ~& U  p& G    mov     bx, 7a5Fh       ; VxD ID of SIWVID, ], B, ]0 ~% A% }
    int     2fh
& b4 z$ F: e( ]* U/ m' }8 [9 N5 r    mov     ax, es          ; ES:DI -&gt; VxD API entry point
1 w3 d2 z0 _, B. U( r* T/ R5 ~) S2 c    add     ax, di) }. m; a+ }! R
    test    ax,ax- ~3 X  }8 }- U: ~4 G. s6 t. n
    jnz     SoftICE_Detected6 `" h+ a1 w0 q, r2 ~, ?
" w5 k% J6 ]( A' U+ z; \3 `$ i
__________________________________________________________________________
+ t4 `& n- N, }  K$ {- F1 Z% \
7 ^7 ~: r6 J- F: k% t* P& B% A. L9 H) o6 h* C, v  O3 j* v
Method 05/ G- k/ N8 t. h; U
=========6 M+ [) D8 b  e7 R  t& F% c

; d$ ~1 s1 r8 U- M- E) L( U& TMethod seeking the 'magic number' 0F386h returned (in ax) by all system; }, R. N' [) `/ T+ h' C8 ]8 \+ S$ ?, M
debugger. It calls the int 41h, function 4Fh.& z; P) [! w* c! o3 N
There are several alternatives.  
# q+ t1 w& Q: `) y) m
% b: P8 g8 t  F+ O& ]0 L0 fThe following one is the simplest:
- c  P5 o! u$ M8 [. ?
$ M) |8 u0 i3 ?* {& j4 M6 G. O" ~    mov     ax,4fh
: D* t$ |% K3 l, Y# v5 F    int     41h
% W" N/ b- `0 H7 t' o1 M    cmp     ax, 0F386' j' U) @7 p; A1 u
    jz      SoftICE_detected
' I& {" v9 ^. F' t6 f
* ?  t/ J% t& Q# x- w  A  o
4 M  [/ B3 P" _2 T$ b, f1 N& iNext method as well as the following one are 2 examples from Stone's 0 g. _3 \# p) ^/ u6 e6 U5 B+ ]: ^
"stn-wid.zip" (www.cracking.net):
$ g: c0 N4 ~; B' \6 r+ F
8 s; o2 \' x; n7 r    mov     bx, cs8 I) c% ]$ p# b5 |- W: e/ W$ K2 |
    lea     dx, int41handler2$ b7 O9 _0 ~5 h. i8 w9 P
    xchg    dx, es:[41h*4]
1 g3 A4 X. C$ E9 i8 Z, o9 D: \" w7 {    xchg    bx, es:[41h*4+2]
1 L9 Y1 u8 {& p! r" Z$ N' M    mov     ax,4fh* G2 {% ]2 V: |3 c% a
    int     41h
6 O% U  s* e% y" o. ~5 u- i    xchg    dx, es:[41h*4]) y0 X0 U, H9 C7 T/ S- [& M. h% A
    xchg    bx, es:[41h*4+2]
) J9 \1 L' h* [: l( q7 l    cmp     ax, 0f386h1 T, p7 c9 J. X7 _
    jz      SoftICE_detected# P) R- V, C% n) @5 t) t
' k, H% r% C, d2 J+ Q# ?8 Q, ?9 ^7 C
int41handler2 PROC6 h: u" A  ?, D6 Z5 M
    iret
* C+ v. r* q. t2 Hint41handler2 ENDP; q" ~! ^, ]$ n; w
8 J8 u* U2 W6 [' @& b8 U0 s8 H/ n
5 q$ v% s5 m- ~( @6 j
_________________________________________________________________________* M/ s3 V6 {) @

0 O' P0 N/ f0 X- Q* G5 O; m! e- b. _; U1 W) ~. |7 j/ R. _
Method 06
" e- m+ V1 t  ]: y=========
( m1 I, y7 S7 _8 s  L3 J5 ~5 v4 u; U& r  ]0 K, f6 e4 Y
: c+ @. j. o% ^  O, g) d* k
2nd method similar to the preceding one but more difficult to detect:5 w( n! C0 _9 v
5 Z7 A# h/ k* Q2 D: i1 q4 u
" u! V: ]% N1 X1 d2 d# h
int41handler PROC
; W6 c4 Y7 f9 Z: D5 e! ?; O    mov     cl,al
# n) E/ f3 ]: @% s    iret
9 J9 R2 A: ~# P# pint41handler ENDP( P/ c1 L' x, }2 ]7 ^; I# _' l* |

, T7 [% m6 N& a  C3 x. B; {6 R- q" y9 U- a6 S/ w
    xor     ax,ax- @- t% n# t# p. u7 x& W
    mov     es,ax
% v3 }' p) V2 g/ v    mov     bx, cs8 c  Z# j" d/ c( }
    lea     dx, int41handler
7 P1 `. e) L& O: f7 G( F1 k    xchg    dx, es:[41h*4]
8 c5 @" J  p% {7 L/ c9 y    xchg    bx, es:[41h*4+2]
3 O. i6 e. U* Q: I+ u$ s) q6 m    in      al, 40h' E* C) g5 _! o
    xor     cx,cx
6 S9 F# a% E9 d    int     41h
9 G8 A+ L7 _' _; b0 x% U3 l    xchg    dx, es:[41h*4]: a) M4 p/ h$ z  o1 w8 J* n
    xchg    bx, es:[41h*4+2]& y2 \2 J3 }+ E/ ~+ e
    cmp     cl,al
1 y5 p1 Q, o8 J0 c    jnz     SoftICE_detected
  W' @1 [' m' ^: m0 F( _, _% f, L/ L( O1 `8 L3 R. q8 ?: z
_________________________________________________________________________
0 o7 n& l, |9 f) _- F1 \8 ]! a! M& T" I$ j" o$ Y- ?6 N5 q
Method 07/ ?& V/ H0 f$ Y4 Y- ]
=========
! g3 L0 |& O% T  V4 b2 D4 Y, F
0 F) ]( b2 a9 N$ P( A8 d' [# UMethod of detection of the WinICE handler in the int68h (V86)1 K9 ?& x6 d  ?+ o' Z

1 a2 N  r# z2 v+ V! v    mov     ah,43h8 r# h4 [8 V! A+ x, m
    int     68h
( F& {% P' K0 F* h0 ?    cmp     ax,0F386h0 t, H  V9 k! E" k2 L
    jz      SoftICE_Detected$ ^8 K4 f: X9 p& s. q
, x, X# {" s" b+ `1 B8 O: q, r
; \/ a& |7 b' Q' P. F& Z
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit- q1 m0 f: ?+ x- C) t
   app like this:
/ e3 H- |. ?+ _/ Z6 ]; M" o- V$ t- q# w- M7 _
   BPX exec_int if ax==68/ P; m+ |! U) m0 X" D6 H2 |
   (function called is located at byte ptr [ebp+1Dh] and client eip is' w" W2 I* b: f6 ]2 `0 T5 K
   located at [ebp+48h] for 32Bit apps)  v* y9 M* v' M
__________________________________________________________________________: ?$ m6 n  i  G; k- o- T4 u& C

( w9 P  }, ?% z! h8 k" e+ X4 Q3 Y3 x; M9 H* m
Method 08$ S8 G4 p3 u! Z
=========
3 d* c9 V' Q  y2 L6 g
% a9 [, t& H5 l: ~2 K, ]5 R2 gIt is not a method of detection of SoftICE but a possibility to crash the
3 F; F% U) N7 Z6 Y  D& }4 usystem by intercepting int 01h and int 03h and redirecting them to another2 N3 e- ]$ l, H  {
routine.
* S+ c3 i2 l2 l( B  DIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points, s8 x+ S3 B# `4 o0 S+ \* h
to the new routine to execute (hangs computer...)
" G& c( k1 Q; s1 Y* f7 G3 \% a# s0 h5 `, m4 a" z
    mov     ah, 25h6 N+ l2 e* g$ |. F
    mov     al, Int_Number (01h or 03h)8 i* V+ E8 S' s& }% D8 ?# a/ }* ?" p
    mov     dx, offset New_Int_Routine
/ O: c9 y* l* _1 Z! i    int     21h
5 ~; C) q( U4 L' j7 ]
- F$ K, M; g: w* }8 q) `__________________________________________________________________________
9 I$ w/ O) I3 p2 G- v( w4 U' A$ N- E* _: K- t
Method 09, A2 E8 P% O# S  g4 \/ E
=========
) f$ K7 z0 [+ {3 ]0 L1 P- C! }
; Y* |$ B4 \! B9 b0 tThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
3 O+ w) ?& W+ n% T* s8 Hperformed in ring0 (VxD or a ring3 app using the VxdCall).3 Z- _8 I5 F* q# _1 {
The Get_DDB service is used to determine whether or not a VxD is installed* c! T) N. j4 u, O6 N$ A
for the specified device and returns a Device Description Block (in ecx) for
, U' J) }; m; ]4 z7 m4 Sthat device if it is installed.
% Q! \) j3 l6 R. l# G2 W4 a! U$ X% I! ]! o* q7 r/ M
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 T/ N6 I2 R, _$ S4 \; V   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
; V3 ~+ }- V, R# S0 E( O   VMMCall Get_DDB5 F+ ~+ @# a" b
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed1 d  j  P5 D! M
7 }9 e: v0 o/ j2 a  N4 Y
Note as well that you can easily detect this method with SoftICE:
8 D& r: V( x; _0 i8 v8 y4 j   bpx Get_DDB if ax==0202 || ax==7a5fh/ s- D# H. I4 }
& Y; a0 j, ?( A# o7 E& y
__________________________________________________________________________7 a% T% q: j9 Y0 _# K3 @( q

$ G: L% s) v. t2 w) H+ YMethod 10
$ C( w7 x) n" ]/ K" j: i! f=========: x+ E/ \  n) g# y% t: L
) P* D, j1 s* b! t( l4 }( r% e
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  R9 I( H' z7 d8 V" E4 e7 g% b  SoftICE while the option is enable!!- m% ^) n- [* S2 S1 A& _

& R8 k0 i) B. EThis trick is very efficient:# g8 I# [  q6 y9 T2 ?) y# Z
by checking the Debug Registers, you can detect if SoftICE is loaded
- r% e3 S; _/ C% h(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if) Z0 D. Z) h) u- @! g
there are some memory breakpoints set (dr0 to dr3) simply by reading their9 q/ [3 \  ?, l0 J
value (in ring0 only). Values can be manipulated and or changed as well
/ Y: B) m4 W8 v! |" _, F) q& [(clearing BPMs for instance)
# a- X0 n& B# c2 R4 M# v3 S  {/ B6 |  C8 s
__________________________________________________________________________
3 X8 X  o3 d; e8 C
& Y% c* g# }2 y- L/ h* i8 L9 _Method 115 t6 _  a0 d5 t, ?+ D. f
=========
* ~6 C3 W" T4 A5 n& e+ d, O# j0 q" P0 ]
This method is most known as 'MeltICE' because it has been freely distributed
* B# d. Q0 z' u  N3 y2 K9 ~via www.winfiles.com. However it was first used by NuMega people to allow
5 F; y$ Y8 M0 n5 Q- ^' J' w" CSymbol Loader to check if SoftICE was active or not (the code is located
7 K9 l8 j; D% o  g/ z/ i- o) r+ t* Ninside nmtrans.dll).
4 G' a) V& ]6 B& N4 {8 p- a/ E6 {5 R8 J+ g, W' l; X
The way it works is very simple:* m8 I) S# k5 h" M1 y+ ^
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for9 u& Y$ A3 D8 g7 b, \) S' j5 q
WinNT) with the CreateFileA API.
. Y* L# P2 v- b, E( {7 F% D
6 N4 c' [! r/ c' FHere is a sample (checking for 'SICE'):! |0 I% l# _: J! X

0 f0 b7 e% T1 }6 p, B! k4 bBOOL IsSoftIce95Loaded()
) e* A0 e; U9 s$ q: T4 d( C2 s) @{
% Y  q- H$ Z1 W6 c6 d8 i& S   HANDLE hFile;  0 q# M3 q( k- H
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 z5 E1 O, O/ ]4 I                      FILE_SHARE_READ | FILE_SHARE_WRITE,( F  i1 ~. U0 P* S
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 w) d3 L. J( N8 I
   if( hFile != INVALID_HANDLE_VALUE )# ~/ c. ^$ W* _* m  Y1 S) v
   {5 J4 [  X& n0 j( l4 w7 `; ?. e
      CloseHandle(hFile);
$ a8 g2 l" k4 C      return TRUE;
% t6 [' D- C3 M- a3 x& @( c& c   }
6 ]7 {% `- u$ g$ }/ e   return FALSE;7 O% P5 w6 R. O: n0 f+ g; R
}
* j3 Z9 v6 X! r" q
! Z- g1 v# h2 H6 mAlthough this trick calls the CreateFileA function, don't even expect to be2 d- h# H4 r1 P, O7 o% S
able to intercept it by installing a IFS hook: it will not work, no way!
* A& _, `+ y- O0 a# k; pIn fact, after the call to CreateFileA it will get through VWIN32 0x001F5 Q6 _$ f4 C& n+ c, N% J+ J
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# R# f7 g7 x. {1 }0 l
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- h  U# y3 F0 \+ D6 `. Hfield.2 F/ L; _2 r3 ?4 u" N
In fact, its purpose is not to load/unload VxDs but only to send a
! a: B4 K" S! N' ^W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
" _) W% L; l6 A- r4 x  u- k8 xto the VxD Control_Dispatch proc (how the hell a shareware soft could try+ V' R& N% I& ^2 J
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
: J9 [8 S/ G4 z! `If the VxD is loaded, it will always clear eax and the Carry flag to allow
; ?" Q3 R' ^2 t! I  eits handle to be opened and then, will be detected.
+ h- B: K( h8 N- P$ {* EYou can check that simply by hooking Winice.exe control proc entry point
' a' y" E6 R2 D' Xwhile running MeltICE.
9 _4 S+ b/ G" G8 ?2 q" ^: H/ `
1 s7 E" h2 I. X+ W: y1 k. f* K! L1 L
  00401067:  push      00402025    ; \\.\SICE
4 m- m  T5 p* ^/ n/ ~4 t  0040106C:  call      CreateFileA' L, q+ L7 N3 R( f6 ~" \# b
  00401071:  cmp       eax,-0018 [+ X3 r3 }* X3 P. W
  00401074:  je        004010913 `/ I# d3 R% X

6 x, w+ `4 e7 O* }  P9 \3 ?
# m- K7 @% f' t% L' m2 w# jThere could be hundreds of BPX you could use to detect this trick.3 Z" |- V2 K9 T: h9 `$ Z# K: u+ o; l
-The most classical one is:
8 f6 K# I# j! e  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
/ E7 x3 i" c6 e4 W$ G/ l7 s    *(esp-&gt;4+4)=='NTIC'  y4 n' Z# b7 t/ L0 {4 N8 c$ ]
5 q) G8 j" }! x6 S& n
-The most exotic ones (could be very slooooow :-(- O: ?- F/ V/ u5 B  h6 W
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
) d7 x1 K3 e. \, D     ;will break 3 times :-(4 `% O0 ~; t: B. ?
: R4 ?- I, m( R
-or (a bit) faster:
/ J/ v# L/ d1 S2 x   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), A5 C" Y+ }( e* J, K
* `; y/ X  m) H7 j
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  1 J) F3 Z0 q0 H. L5 M7 I
     ;will break 3 times :-(+ A6 |" P8 M( V, x
9 J* c! C9 Y" Y2 p" o+ t' I
-Much faster:, O* s& w$ Z9 _
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'; _) J3 }6 [' ?6 S; F$ F6 o

, Z7 I8 Z$ ~* m. |* ]% iNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ z$ \" \% u" w+ n) Zfunction to do the same job:
1 o4 ]: U: |; j0 P8 j- g0 l$ j/ c* m# R/ t( O% C6 a4 ~3 r+ Z+ a
   push    00                        ; OF_READ
3 C3 i7 r: e" [/ A   mov     eax,[00656634]            ; '\\.\SICE',0
; ^2 h( ^3 A& x   push    eax  r( x8 P& M% d. N1 i8 z3 _
   call    KERNEL32!_lopen
) }8 ^. d3 E1 D: p% J; Q2 \3 r2 O# w   inc     eax$ K6 F/ w# _% r8 k& t# {' o) w- a8 |
   jnz     00650589                  ; detected1 L3 n4 ~0 j# F/ _$ U2 m
   push    00                        ; OF_READ6 w# M, V, w/ G3 h5 o3 Y
   mov     eax,[00656638]            ; '\\.\SICE'
: ?- ]' r( E# e( s   push    eax0 n  |4 ]6 y7 J$ @8 m, h* ~# y1 L
   call    KERNEL32!_lopen. U  @9 `& H8 z
   inc     eax
* b* ]! ^( Y$ Q; Y9 M# t   jz      006505ae                  ; not detected! f! ~& m# b, U" r# H8 F

% K. _4 P& u2 C$ H' p
9 y; u+ ^4 |& B__________________________________________________________________________5 E& I& J" E1 I8 K
4 E6 o4 n* H9 F6 h
Method 12
5 {: @3 }" F6 G9 C6 H=========
: s0 ?& S, k; i+ N% u8 r( p% ]9 ^! C6 |
This trick is similar to int41h/4fh Debugger installation check (code 05) ]. C! P* M7 M1 b6 K% w6 y# C
&amp; 06) but very limited because it's only available for Win95/98 (not NT)) g3 R: s) H/ T# F. [* i$ }
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ ~4 ^+ q' Q( P. J# b: H% Z

& ]' ]1 G$ c- G: \5 V2 I- \) Z   push  0000004fh         ; function 4fh
6 g- A# C/ M: ]" C, F   push  002a002ah         ; high word specifies which VxD (VWIN32)2 w# t: K0 J0 E
                           ; low word specifies which service
: [( J4 j5 f% v0 o                             (VWIN32_Int41Dispatch)
, T* I7 w! V$ j! i. P0 Y& U' k   call  Kernel32!ORD_001  ; VxdCall
8 v# T! f7 r3 D+ `) I& ?/ K   cmp   ax, 0f386h        ; magic number returned by system debuggers3 H9 V7 U/ i  S1 q  k
   jz    SoftICE_detected
- |; H" r% q6 V% H" W9 b% N9 i0 O+ E) N5 T: J' k% G7 b) w' O
Here again, several ways to detect it:
8 ~; @7 P: ^9 f& e& m* i8 j& U  b( L# I1 r# a! c/ v
    BPINT 41 if ax==4f
4 l  i& j2 E9 F- l0 S0 R# h8 F* z! }+ F  T, {& t" r0 \
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
; j/ @/ u, J  B# h
8 L, G0 l" g3 Y    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A1 O' |! y; U' i
- C4 p. D4 g8 X/ X. ], |
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!4 R+ C4 v% c/ D+ E+ o
2 ?/ u5 E5 s+ E& d
__________________________________________________________________________+ x5 h' }7 e, X
/ u. o0 ?& {6 J, s5 s; T
Method 13
+ R$ b6 ~& a. F- |! a=========
4 B6 ]& B) s# }7 h* v* k
# l! ]7 N7 O: ^2 N- T# i+ g, w& |Not a real method of detection, but a good way to know if SoftICE is* i7 t& b( B) `* T
installed on a computer and to locate its installation directory.
% M3 r6 S, @7 z7 _5 t! j9 x/ AIt is used by few softs which access the following registry keys (usually #2) :
$ U+ e, v6 q" `; O/ ]4 C
, C1 L; e0 [% i: Z-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- m) O8 k; G" F5 I3 }\Uninstall\SoftICE2 `' v% {& D1 n% o! H7 u4 I
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE  y# \: U! `, h1 |8 r' p2 q
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 ]" P5 I- @; T( D\App Paths\Loader32.Exe
# w1 G$ ?, _, Y0 c
( j4 p1 m" _3 Q# B2 ]) A# _: l) p
5 F2 K% g3 f! n3 H9 ?Note that some nasty apps could then erase all files from SoftICE directory+ _4 G. N7 }1 [/ K7 g
(I faced that once :-(
# h  |9 @- Y+ ~8 I# j8 v$ f6 g1 ?/ j  I" i- ~- r4 i. @
Useful breakpoint to detect it:! j2 l5 x  u. S" h
$ u9 E1 @- _2 T( Y0 |7 s) B8 s8 a
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'9 g  w4 ?4 B/ J8 T. T3 R  f
# @( o9 ~7 [! [( ?6 `, x* _
__________________________________________________________________________4 Z1 F) s7 F! _, C, X
7 k8 E! P0 C' z6 Q; @' Y

+ b; z& e& O) l0 L+ GMethod 14 ! R. k3 w7 Q7 T1 e
=========' {2 t: e( \5 a2 l/ _
/ ^& i* b0 X3 [7 l5 P# U; v1 o
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
8 N4 K1 a! c3 d( vis to determines whether a debugger is running on your system (ring0 only).
/ a. e% w# R* h' f* _* `8 M# p4 W& l) b  z
   VMMCall Test_Debug_Installed8 s' k5 M- f( l( z- y
   je      not_installed
. r8 v! D1 G! W* p" ?+ q5 Q: h2 `) q$ E! N
This service just checks a flag.
% Q; X2 |1 b3 g3 ?1 p5 o</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-7 22:14

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表