找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>( }0 ~7 Y$ L- `3 i+ o
<TBODY>
' u+ i% j2 P5 H& I4 R; G; g<TR>) T6 }/ A( F7 {$ n' D8 w
<TD><PRE>Method 01
5 _6 S) A2 X( I( l% M=========
$ y2 x$ `2 S: ^2 x7 h- X. j
7 q/ M5 T( |8 r9 t! NThis method of detection of SoftICE (as well as the following one) is) l( G* W' L  h
used by the majority of packers/encryptors found on Internet./ Z1 Q- n* c# K# @5 b* U
It seeks the signature of BoundsChecker in SoftICE
+ K1 j* w2 a: d9 {, S( X7 N! j4 h! w1 T
    mov     ebp, 04243484Bh        ; 'BCHK'
  \0 g+ D8 V9 e6 p% s" O    mov     ax, 04h3 `' ^; s' f6 k  G* L- D
    int     3      
& h; W( b( G, c* [+ `    cmp     al,4
% p" m' U1 j$ `- O( F  F    jnz     SoftICE_Detected9 z0 O$ y2 T6 Y7 u) ?' O
+ N* g# C2 g2 F
___________________________________________________________________________
8 g+ F! k, R1 b
; {8 g/ s- y  O7 Q: L/ l! Z$ HMethod 021 K! L. p3 H$ Q( k8 S4 {" ?
=========! M- D, M1 n  v; ^# f

! C' N" J. W9 H( @- H* uStill a method very much used (perhaps the most frequent one).  It is used
, @+ h' k5 C0 J) W3 y- V1 \to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 ~  O2 n7 `) @1 i' }- sor execute SoftICE commands...9 g2 ]* o: d+ }- o/ f
It is also used to crash SoftICE and to force it to execute any commands
. U) B4 T% a9 h, m(HBOOT...) :-((  & h- ~) W% I" p6 V8 f3 ?8 y

: }# _% J! c8 ~; |1 xHere is a quick description:" _; Z! C/ T: M" R1 z- f
-AX = 0910h   (Display string in SIce windows)) F* t; x+ [& p+ S  t
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)1 O! m# }; k- Y1 v+ a
-AX = 0912h   (Get breakpoint infos)
+ N: L& [) C; ^# I) H% e# s-AX = 0913h   (Set Sice breakpoints)
  e! J+ [0 H" D3 |-AX = 0914h   (Remove SIce breakoints)# \- e5 O& V/ Z* }

+ n% {3 y* ~) XEach time you'll meet this trick, you'll see:
+ ~" i! b9 c- a-SI = 4647h# a! K6 o2 v% q' g: X
-DI = 4A4Dh
2 {/ k. H) V7 e& m: A" @Which are the 'magic values' used by SoftIce.
% W0 _; B/ x  Z$ n) i# JFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
. R4 y0 E- ~6 D# b4 X5 z' u  N3 e. J" B
Here is one example from the file "Haspinst.exe" which is the dongle HASP" d+ u/ |* s# @4 `: r
Envelope utility use to protect DOS applications:
) @  n- G' |5 W3 a# O2 W  r5 x$ R# [9 v) k  ^7 @9 i

% X* S7 V2 v1 b- K% x4C19:0095   MOV    AX,0911  ; execute command.+ Q! W( b8 a7 W. n$ W
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).. X1 @4 F& {$ O
4C19:009A   MOV    SI,4647  ; 1st magic value.
5 t' w/ h% E. l4C19:009D   MOV    DI,4A4D  ; 2nd magic value.! h- V- [8 B* h) K
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
/ i6 z$ k! `' `: P: C4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute8 c' e7 N) M0 O3 I0 Z
4C19:00A4   INC    CX
5 |" I/ T3 F) N; _9 p4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
% V" ]+ e& E) v" t- n& D4 y3 D4C19:00A8   JB     0095     ; 6 different commands.
* ^& U5 q5 k6 j# t+ }4C19:00AA   JMP    0002     ; Bad_Guy jmp back.8 q9 ]$ v9 a+ Q0 Z$ a2 Z  o
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)2 Z/ C. u- a  E; w) T& a: ?& w

. @: m6 [- \2 g6 f# c: h6 IThe program will execute 6 different SIce commands located at ds:dx, which
4 F9 o2 ?) [% [! A$ z0 Care: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ z% d3 R5 b  V
) y5 A$ K4 b" g
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! {8 `% S" u6 A! S___________________________________________________________________________
! F4 O7 `; P4 ~
! v! a5 U7 u  R* K, ]0 B: I: s
2 s9 E( x2 R9 Y" u2 _" ]# HMethod 03" [6 m1 y- L/ m# L9 d3 p
=========  a2 X+ I/ i/ T

5 |/ U7 a' a8 ]# }. w: SLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 [5 }9 O& D- v2 m(API Get entry point)2 A# l. h' W5 l5 W) b
        $ P4 ?: D0 u- u- L
% U3 w  }8 o% K5 u4 Q6 W
    xor     di,di
) S9 n) U4 S. W- x    mov     es,di2 L0 A! J! V" l, q
    mov     ax, 1684h       ( u% o. Y! v! _5 v" y3 A0 o8 e
    mov     bx, 0202h       ; VxD ID of winice
4 m4 `2 d; W; r( d3 K1 X    int     2Fh& G6 i, I! ]! @6 `
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
* c+ S2 d$ V2 [: K* Y, n2 o% @9 Q    add     ax, di
6 Z& k" m4 e% q    test    ax,ax
$ L$ W; r" |) H5 b    jnz     SoftICE_Detected, G) e+ N% B' P$ l
! [) w8 Q/ ?1 e5 c
___________________________________________________________________________5 M5 r; H6 J3 X
2 Y" \* v) c5 n, j+ X9 P  n
Method 04, t; D0 ^4 @+ W. `0 F9 I
=========
0 P$ X2 x0 c" A; s' j9 i' d
6 _9 d% Y2 \, j) Q0 F0 jMethod identical to the preceding one except that it seeks the ID of SoftICE
$ _3 t! I8 ?! sGFX VxD.6 J+ D7 ^: ^6 W# t4 ^! M5 M$ I
% B7 K1 b3 [9 P. [
    xor     di,di7 u& F8 Y7 R1 W. }6 x0 X, T
    mov     es,di$ w( ^& k$ M1 c8 B
    mov     ax, 1684h       * C8 H5 \0 ?* m5 T1 A7 ^4 y* Z0 \' r
    mov     bx, 7a5Fh       ; VxD ID of SIWVID- X9 V7 y' h% Q. u8 o; _4 D$ h
    int     2fh9 v9 _( ~- X1 }  B( {/ d# V9 P1 h
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
4 n  \7 b) i4 L3 q1 `' X; F+ i, D    add     ax, di2 _& y0 j# r; R) C1 N
    test    ax,ax0 V) s  {# l' Z- b
    jnz     SoftICE_Detected  U3 d) Q* E% ]* \( d+ U
3 Z! [( u9 @: }, |) J- T( ?
__________________________________________________________________________
3 n8 i  k3 ]2 W* I# `+ \+ U. ]% ~- ^( j  v
2 z) e) O; \: S5 U( a+ M5 P
Method 05
) R5 J( ?. V. l. N( `* O=========
+ _! t# X9 [* P: Z' e9 P; \) z: ], h) P4 v
Method seeking the 'magic number' 0F386h returned (in ax) by all system
6 V# u- V2 L9 K: E' y0 ldebugger. It calls the int 41h, function 4Fh.' P1 f/ z: B" \1 C. r. F, i
There are several alternatives.  
4 K8 P. C7 ?- R+ R, e8 D5 O7 y% y% i( L0 p
The following one is the simplest:
/ ]  z7 u' H2 a5 H
% S1 l! q$ d$ n! ?. I8 e0 F# t+ ^; B3 ]    mov     ax,4fh8 j$ d  i) C. n: w8 e
    int     41h
3 u- [2 {5 p: v- ?- X2 C    cmp     ax, 0F386+ z8 P4 l2 z9 B, I5 a9 m; q5 v; S
    jz      SoftICE_detected! }3 b$ ]5 w9 p2 x/ ]9 O
. @& i  z7 Z: N7 F7 q+ l' {

, G+ \2 @4 l' N7 C+ f, vNext method as well as the following one are 2 examples from Stone's 9 ]0 v$ Q) }8 v) {; S
"stn-wid.zip" (www.cracking.net):
. o  X- t$ P! s- \" U
8 D4 i& V% m; O7 H    mov     bx, cs! m. w7 u3 x- I$ |  }4 I8 e
    lea     dx, int41handler29 D" c  a# R* m! R3 Z0 f
    xchg    dx, es:[41h*4]
5 V* K  u4 O& F: e$ T- C    xchg    bx, es:[41h*4+2]! l) ^: b% F0 D
    mov     ax,4fh3 D: Y4 R, _. o" N+ L7 R
    int     41h2 F7 N1 Y. U) N+ i) E
    xchg    dx, es:[41h*4]
! F9 g7 O% R2 \    xchg    bx, es:[41h*4+2]) ]  }/ ^0 l' d2 y
    cmp     ax, 0f386h
) G" h  Q0 z0 G& F3 M! g    jz      SoftICE_detected
& l" a4 R5 {6 R; E! R0 G) {# `" i! c; H: e8 @& o
int41handler2 PROC
  B: ?$ [3 @; ]7 y1 g    iret. N' w1 f4 e! O$ o% Y+ G
int41handler2 ENDP& q0 U. }$ E8 `! ^: \

4 s5 h" L& A. m7 n) e
# d( h1 |0 `9 v# \3 A: b5 H, C_________________________________________________________________________
( v8 G) l8 E1 D( X* L8 x) [4 k. z, M
( U6 v$ ?5 j) n; g6 F: f
* g. C  s7 a& Z$ fMethod 06
" e$ O8 S/ R: a2 H% p3 K=========; E4 V1 i5 u4 @5 I
& Y" ?* ]1 G- c% V3 ~' ^

. d4 a0 _5 m1 ?- M& o$ C2nd method similar to the preceding one but more difficult to detect:
* I- a$ s, [* j$ p5 B+ J4 N
$ c( _9 l1 x3 A7 O0 P$ A& p( Y7 H5 `1 i% v/ W6 ^1 V
int41handler PROC7 a  P1 @; n# U7 L) i
    mov     cl,al' ^' h1 L0 C# W
    iret' n3 O9 y) P9 h! A* x" q
int41handler ENDP
( d- i: A+ Y; d. F7 w2 T& B2 t
1 _; [9 |& w+ `: }5 S) c
% u9 o. a$ U# C+ D2 x    xor     ax,ax7 d/ O: F6 m8 b+ C
    mov     es,ax7 s& ]; s2 n' ]8 X$ z$ i# K
    mov     bx, cs
. N+ T2 C2 v- d$ C1 k  b: V    lea     dx, int41handler
7 Q: g! I9 e/ T4 ]5 ]5 R0 f$ w    xchg    dx, es:[41h*4]
/ V% M$ q* c9 K; r2 O7 x    xchg    bx, es:[41h*4+2]
  }8 i' a$ v) f7 x. o    in      al, 40h
# T" I6 C: K0 ?1 H9 K: X" Z    xor     cx,cx
& }% f3 A" j2 u, |7 q) l    int     41h
. `2 Z$ D) K9 M+ {! G    xchg    dx, es:[41h*4]% y7 I+ T( O/ M5 x+ M8 b% P, v; m- W
    xchg    bx, es:[41h*4+2]
" O& f' m- ^2 v8 k  c    cmp     cl,al
) r2 u) R" I2 G& Q. G& v    jnz     SoftICE_detected
" l5 x3 Q2 |& `' k9 M' q3 {8 h/ c- b8 K: Q
_________________________________________________________________________0 o  a# c2 O$ X% ?/ _

; e6 P* x$ L" ?3 a  ^/ ^9 YMethod 07
" T, `' V; l1 ]; U3 {: J$ x=========
; _! |; n. N9 v3 N# k. |+ d/ a2 h! d/ j3 G2 \  k
Method of detection of the WinICE handler in the int68h (V86)
$ Q  G: m+ V$ Y- O  ]; ^8 y* z1 j$ g& u2 u% J' l9 i- T
    mov     ah,43h
6 }+ c+ s  k  _" L0 e1 S; q' w  G) S    int     68h
# }4 q' W% W$ H! h; T    cmp     ax,0F386h
/ f+ B7 C& c  K    jz      SoftICE_Detected4 R& A9 v" M3 u

# }' l# O7 Y! b' `- m/ |
+ F$ Z# F+ t/ \% @=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
7 j7 Z- R+ k# N6 Q& f* k   app like this:* ?  h4 c% Y+ C# h, m4 q/ l

0 U7 L/ g6 f7 o$ d   BPX exec_int if ax==68
7 K, P4 T$ s* _- I+ G   (function called is located at byte ptr [ebp+1Dh] and client eip is& A2 i' E: B" P( \; `
   located at [ebp+48h] for 32Bit apps)
7 j* a5 v7 I. n9 _; V0 E__________________________________________________________________________
2 g" Z' k( t2 A9 h' i1 B. `# r) Q  d  G+ w# m2 h/ [
* f. V1 Z  _' r  W* {( A( N
Method 08
, z) ^. G8 ]2 K8 s2 l=========
9 B' r% k9 a. z6 V8 F+ b% f! d+ ^% N+ @( u
It is not a method of detection of SoftICE but a possibility to crash the( H0 {, @7 o( J, ^
system by intercepting int 01h and int 03h and redirecting them to another
3 T# ?* o7 J& F7 uroutine.. S+ Q, I8 l3 p9 A! t  C5 Z4 {/ ]( I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points6 g2 g* b1 }. `3 T
to the new routine to execute (hangs computer...)- d- W: L0 V+ k" Z( j
1 L1 Q! j& V; p1 s- q& e, E5 g
    mov     ah, 25h
& I, C! I& y7 m0 a% I) [9 Q    mov     al, Int_Number (01h or 03h)$ ~( P% Z- a9 S( w# r! i2 B4 y' f
    mov     dx, offset New_Int_Routine
% _  z: n) t0 b9 F1 [- U/ p    int     21h
) z$ v+ t0 [2 S! j6 B7 B- T; o) |+ ]/ S5 s4 ?" a
__________________________________________________________________________+ A* X5 }' I+ P8 o7 q1 K: j& M+ \
; f# a0 e$ ~- i' D7 r3 y6 J) X
Method 09
; M2 ~  W: j( T=========% w' ~, }1 V% }) N1 N- {- s, u

! k% z$ y- E8 Q- B4 L% E9 w1 f; eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only( j) J* J, s* j# e- m
performed in ring0 (VxD or a ring3 app using the VxdCall).
; P1 ^( r/ B4 I. u5 i, jThe Get_DDB service is used to determine whether or not a VxD is installed
5 t  d; F7 N5 ufor the specified device and returns a Device Description Block (in ecx) for! y1 p$ m- V9 \: B
that device if it is installed./ L; t3 k2 M  h+ l$ l0 J' f) e# U
5 h/ m+ M: o# v' }3 n, t
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
. _' s6 i8 w3 H- C1 }/ Y9 g   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)! R3 h! P- ^4 v0 S
   VMMCall Get_DDB. ^( _. Q! }5 r+ I! ^! B
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed2 Q2 D$ j  P! P

) ^. R. E; y- }7 iNote as well that you can easily detect this method with SoftICE:
5 D' a6 i0 ^. |9 N9 V$ V) _   bpx Get_DDB if ax==0202 || ax==7a5fh
$ N, {( O7 {  t
" F3 |4 J- R- {/ i& f9 H__________________________________________________________________________* _: _0 |) S! `0 g+ D
2 P$ ?3 q: W, f
Method 10
* ]4 s6 `; o/ e5 q: ~- a- M=========" d/ {/ V# p7 K2 q( O" B

) d! X1 j' P5 g; B- X5 R  K=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
3 d' k- }6 c3 b' g: Y  y4 j3 v  SoftICE while the option is enable!!
0 h) b0 e+ X+ U( _' Z/ g/ Q, V$ c, M/ r' J
This trick is very efficient:
* J5 U# c; o! m* l3 V4 Q% lby checking the Debug Registers, you can detect if SoftICE is loaded6 ~7 E2 I& m/ m) P+ o
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. ^1 w# F( a4 a/ X
there are some memory breakpoints set (dr0 to dr3) simply by reading their
7 p& k8 m/ V( ], ]2 g9 Z/ \value (in ring0 only). Values can be manipulated and or changed as well3 t6 e( o6 \, a% G, O$ P
(clearing BPMs for instance)
) g- {8 g: K* m( y1 Z( C. Z  t1 H9 E+ g% a8 N# v
__________________________________________________________________________8 e2 ~, x3 ], B+ T
; [7 n3 Q# T1 W8 z1 w
Method 11. |% E/ M/ p6 Q4 R6 J: s6 j0 d9 W
=========
0 P# v6 S0 U: }3 J7 ]! l$ E. P1 N$ ]# V
This method is most known as 'MeltICE' because it has been freely distributed
+ u* z( A! G3 O$ h2 y" _5 ]' v  }$ r( d# _via www.winfiles.com. However it was first used by NuMega people to allow& N+ ]5 S" b( G: F$ G! U
Symbol Loader to check if SoftICE was active or not (the code is located
) f% q9 _5 V7 ]9 {$ `+ ~inside nmtrans.dll).  Z2 m) a- ?/ ]4 j: I
' V2 W3 @, H* g+ S; d- J
The way it works is very simple:
! e2 d& B: Y: C% x/ O5 y5 V7 wIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for& J( I$ G( V0 w( t6 @. a
WinNT) with the CreateFileA API.
" D8 F/ r4 z! q# x: b8 B8 r
! g8 }& z* u/ Q/ K6 U& v  v! A6 dHere is a sample (checking for 'SICE'):0 @/ T$ @" _( N! u

" D0 n: d9 ]9 H: v4 c! y6 m! D0 GBOOL IsSoftIce95Loaded()4 A! W, s5 x' j( o7 @9 u( P: m6 o
{" G1 K; E/ w; {. ?5 R) H
   HANDLE hFile;  % k2 S0 M1 E0 }
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: m3 M- x+ w9 h6 S4 s/ k$ k0 P5 t( U4 _
                      FILE_SHARE_READ | FILE_SHARE_WRITE,) y. \& C# w5 i- p
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ l2 y  x. ~$ Q. Z2 _9 b1 x   if( hFile != INVALID_HANDLE_VALUE )
: F! h- I8 [1 h0 |# ~5 i, b   {
0 l, u" Y8 t0 r      CloseHandle(hFile);
* q+ @8 \1 z! u; T/ O      return TRUE;4 J9 `' W! g  {* A/ U
   }
! P1 K; {  a- A; G& c   return FALSE;* K! |8 X' i2 A
}
2 m' a; [1 r% Y% H9 O* L& _1 G
2 [* s6 N- }: C( x" H; ~0 jAlthough this trick calls the CreateFileA function, don't even expect to be
0 p. N! i/ C' mable to intercept it by installing a IFS hook: it will not work, no way!8 Q4 _2 [, X: |: q- N
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
: }" ~( X& U3 `6 I7 Vservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 ?. P1 \6 B/ ~4 t" H5 Y" Band then browse the DDB list until it find the VxD and its DDB_Control_Proc4 t& \" K9 A$ C, w# f2 G5 E2 P! C5 q+ g
field.
% Y/ h9 [* G, M! H0 i+ ~In fact, its purpose is not to load/unload VxDs but only to send a 9 F. x& T+ ^; A9 Z$ [7 t
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
$ F! G4 C8 U& lto the VxD Control_Dispatch proc (how the hell a shareware soft could try9 `: w6 D7 C3 k1 |' T( O4 J
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
' l# i3 U, a, T* V6 I) B# TIf the VxD is loaded, it will always clear eax and the Carry flag to allow
; E" a/ D# K( a7 k. K/ d! }its handle to be opened and then, will be detected.6 O; w8 {4 J( ]
You can check that simply by hooking Winice.exe control proc entry point
7 Z  Z' j! o1 B' w/ hwhile running MeltICE.) A. g# X0 G3 R+ l1 z9 X0 C9 l6 n
; B1 ~2 Q% u* a9 `4 Q! ]

) V: Y4 t) p, y$ t  00401067:  push      00402025    ; \\.\SICE  T& P: Z" p. V$ s- _/ ]% M
  0040106C:  call      CreateFileA
, K( n0 I0 m1 ]  00401071:  cmp       eax,-0016 n. M' ~2 }9 v- R
  00401074:  je        00401091- h% @1 Q1 n! T/ N8 `
, M1 ]" G  r4 M
; F* U) v& z7 l. Y, ~! y+ M5 u
There could be hundreds of BPX you could use to detect this trick.) L) u. Z0 y% @+ H4 z
-The most classical one is:% [7 W/ i, k$ G# ?/ x
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||# o) p/ J2 R' ~
    *(esp-&gt;4+4)=='NTIC'3 h% v. i# @2 R2 P) e8 s
% }7 j9 g1 }- z- F9 Y* ]- ]/ F8 ~
-The most exotic ones (could be very slooooow :-(
- ]9 A: J& `2 u: T$ e/ o+ N( m   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
  `$ z$ e8 Y; A2 H& P/ [     ;will break 3 times :-(
% t0 t  q, W/ p/ o7 S2 `& n; x4 E* K* u, q$ v0 ]+ @
-or (a bit) faster: ! t  p/ O8 m  w' {. f
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
3 q9 w( g1 V; r! M, {' H* w0 R4 m! r5 ]8 ^; U+ ^% G  l
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ; T. ~2 {5 |7 I* Q# R# P
     ;will break 3 times :-(
4 m1 D  F$ k4 O) U6 l- _8 o8 q% s3 ^8 x2 P
$ R# l  ^! t# O6 T- k7 Z1 T-Much faster:
+ [* D" q9 n- V2 Z8 A3 G   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
0 k' \" R/ I1 Q/ \* e, b6 X, L8 q; _+ B5 K' W7 {( Z
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen1 j, y' l' J3 A
function to do the same job:8 N5 G4 }- h. ~; Q* t- P* R! o
3 c9 c9 P; W% ~- ?# Q& f
   push    00                        ; OF_READ
& }7 E* M: [+ e+ j! k( t   mov     eax,[00656634]            ; '\\.\SICE',0/ Q0 T! |2 `/ X  F
   push    eax/ g# d# n2 \9 u/ t& _$ x, R& j
   call    KERNEL32!_lopen3 Q" X3 [4 d' ^, W& o
   inc     eax
7 v& b1 }1 W6 _. e% M4 ^, k& t+ A   jnz     00650589                  ; detected
% z# S4 m" B8 ^% u   push    00                        ; OF_READ
- k; @! O$ R: K5 `7 \1 Y, [9 T   mov     eax,[00656638]            ; '\\.\SICE'
: X- d5 |2 ^4 S1 z, V$ y  ~   push    eax# s+ \8 `0 U6 P
   call    KERNEL32!_lopen" Z2 P/ c5 b( `, [  L  H
   inc     eax/ d$ k( Y  n9 W) {9 Y/ I( |5 U
   jz      006505ae                  ; not detected
$ Z: W' m) T# X9 j5 I( c4 b  V/ P; c' t# @2 R! S9 y. ]  s- M" d. o

/ _8 Y' q. D  m! \1 q. E__________________________________________________________________________: I9 _2 B1 q( C* D, X0 e
; X8 Z  \3 V9 Q; H) Q
Method 12) l  r* Z& D/ z; O& T6 J" s
=========
, B# J7 a+ f1 M
/ c# O$ ]" ~6 GThis trick is similar to int41h/4fh Debugger installation check (code 05  |! a4 J# \2 G. C
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
8 n5 [# _  m3 zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 T4 Y% o# o$ s1 |( P: q

0 l/ f$ {8 ^9 Q0 T; u0 x( Q   push  0000004fh         ; function 4fh
) t. e2 Z; K2 d/ U   push  002a002ah         ; high word specifies which VxD (VWIN32)' d) S' y' @% \  k
                           ; low word specifies which service
3 C# t0 h. q' c$ G2 M& D                             (VWIN32_Int41Dispatch)1 E  M+ l5 e/ s  @; g4 m  Q$ M
   call  Kernel32!ORD_001  ; VxdCall
% S- s" h3 l  K" x/ y& g. @   cmp   ax, 0f386h        ; magic number returned by system debuggers
1 w  T4 d5 }8 ^* [* O1 w   jz    SoftICE_detected- J: y. |7 G  R
7 l- Z" W9 k1 v) [7 g* T' M; ?
Here again, several ways to detect it:, O) C( W. _  `* X+ B& U4 ]. o8 C
9 g9 n5 _5 d- |  q: S, Q
    BPINT 41 if ax==4f
8 J* @4 o7 W/ e2 s6 B6 }* F& O) \: w) ^( g4 ^  o: ]) b' [" Y& }
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one% L4 @$ P" m1 Y/ g

4 ?7 r- {! a% I+ P" u5 p    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A7 K% c/ q3 _7 g
, I  ^) n) C8 s' C2 O" D
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
4 o) [5 m  T# X  Q, `
9 {5 b5 y' x+ o6 n# Y__________________________________________________________________________6 ]( ^3 d8 j3 l3 A4 H8 P
# Z! b  C* \0 a% N
Method 13: d: ~2 B( s7 Z0 b& o
=========6 X. j1 c1 d, T( P

7 g, A7 d/ x0 MNot a real method of detection, but a good way to know if SoftICE is
1 n' u! r5 J1 B5 e( _, \- |5 W; m6 pinstalled on a computer and to locate its installation directory.1 P0 a' p& q; ~. t2 P: S
It is used by few softs which access the following registry keys (usually #2) :
1 t8 c) [+ I4 u) l/ h7 N
6 P2 x9 Q% R  f* f, E3 s  u, D-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 ]* Q9 z. o8 ^5 ?
\Uninstall\SoftICE
" p4 h+ V0 o# U! G' z, J; x-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE( ~+ F! y' X. H' q! l% B
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, J4 \  Z# f/ i6 W7 h' Z" i
\App Paths\Loader32.Exe( v3 n# f" G  I, W2 [8 f
. D. s6 O4 z  C0 [8 a1 d

2 r: i& X/ t/ [6 |, _Note that some nasty apps could then erase all files from SoftICE directory
6 x  p* ^) s6 e# a  R& g7 Z(I faced that once :-(: f! d1 [8 J1 ^! c4 e% }* R2 W
! H, d7 N. }( u# [, ~5 a4 l0 l
Useful breakpoint to detect it:4 w7 d1 j- L5 n) O! ^) r; J4 U

& u! W( }8 s2 h- y- s$ h+ G) I/ ?+ z     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'' s7 K0 ^# A, e) ^5 Y& w- X& Q
0 U% Y5 `8 j! s1 P/ j
__________________________________________________________________________
4 b( U8 n, D; K3 [; M) H# T  j9 j1 W3 h, h

3 c$ x0 p& y* T. |. jMethod 14
/ D1 C) C# ^1 O) I: ^=========3 A+ e; R4 H+ A8 G; O/ w- M+ c

+ t3 g7 {! ~" gA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
  l& @) f" W( r& `% O) [$ `is to determines whether a debugger is running on your system (ring0 only).9 A" ~9 g- A) I0 a/ N
. I. |7 `) l& h
   VMMCall Test_Debug_Installed
/ \' _% y. m3 q  o) F7 ]3 g7 i   je      not_installed
9 }; H' k2 A3 S6 |" Z( u& K
6 B) k; W/ w6 v. ?! {# LThis service just checks a flag.( D) y* W+ f2 B, ^& a% Q) ?( Z4 o" I
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 10:56

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表