About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
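The tricks above all leave fixed byte sequences or strings in the protected binary, which is what an analyst triaging an old packer would look for statically. As an added example that is not part of the original post, here is a small Python scanner that matches the raw x86 encodings of methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 against a buffer; the rule names and the sample buffer are constructed for illustration, and it scans raw bytes rather than parsing the PE.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above (numbered as
# in the text).  Encodings are plain x86: B8+r = mov r16/r32,imm; CD nn = int nn;
# CC = int 3.  "(?:\x66)?" admits the operand-size prefix that 32-bit code needs
# for a 16-bit register move, so one rule covers 16-bit and 32-bit builds.
RULES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    ("m01_bchk_int3",      rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00(?:\xCC|\xCD\x03)"),
    # Method 02: SI=4647h and DI=4A4Dh magic values followed by int 3
    ("m02_int3_backdoor",  rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,16}?(?:\xCC|\xCD\x03)"),
    # Methods 03/04: int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID
    ("m03_int2f_vxd_id",   rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ... int 41h (the IVT swapping may sit in between)
    ("m05_int41_4f",       rb"(?:\x66)?\xB8\x4F\x00.{0,24}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("m07_int68_43",       rb"\xB4\x43.{0,8}?\xCD\x68"),
    # Method 11: MeltICE device names as ASCII strings
    ("m11_meltice_name",   rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("m12_vxdcall_int41",  rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the NuMega registry path (registry names are case-insensitive)
    ("m13_softice_regkey", rb"(?i)NuMega\\SoftICE"),
]


def scan(data: bytes):
    """Return sorted (offset, rule_name) pairs for every rule that matches."""
    hits = []
    for name, pattern in RULES:
        for m in re.finditer(pattern, data, flags=re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str):
    """Convenience wrapper: scan a file on disk as raw bytes (no PE parsing)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample, not taken from any real binary: a 32-bit fragment carrying
# Method 01 and Method 12, a 16-bit Method 03 fragment, and a MeltICE device
# name plus the registry path, padded with unrelated instructions and zeros.
SAMPLE = (
    b"\x55\x8B\xEC"                                       # push ebp / mov ebp,esp
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"         # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\x66\x3D\x04\x00\x75\x10"                         # cmp ax,4 ; jnz
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                     # push 4Fh ; push 002A002Ah
    + b"\xFF\x15\x00\x00\x00\x00"                         # call [VxDCall thunk]
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # xor di,di; mov es,di; int 2Fh/1684h, bx=0202h
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"0x{offset:04X}  {name}")
```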