About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if SoftICE did not take the int
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means our handler never ran
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
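The instruction sequences quoted in Methods 01 to 12 are stable enough to triage a sample for them, the way an analyst would before sitting down with the debugger. The following Python is an added example, not part of the original post: the opcode bytes are hand-assembled from the post's listings, the function and constant names are mine, and the buffer it scans is a constructed sample that also contains an int 2Fh/1684h lookup for an unrelated VxD ID, which must not be flagged.

```python
import re

# (label, byte pattern) -- hex tokens, one byte each, '??' = wildcard byte.
# Encodings hand-assembled from the post's listings (16-bit code unless noted).
SIGNATURES = [
    ("M01 mov ebp,'BCHK' (32-bit)",                        "BD 4B 48 43 42"),
    ("M02 back door magic mov si,4647h / mov di,4A4Dh",    "BE 47 46 BF 4D 4A"),
    ("M03/04 mov ax,1684h / mov bx,<VxD ID> / int 2Fh",    "B8 84 16 BB ?? ?? CD 2F"),
    ("M05 mov ax,4Fh / int 41h",                           "B8 4F 00 CD 41"),
    ("M07 mov ah,43h / int 68h",                           "B4 43 CD 68"),
    ("M12 push 002A002Ah (VWIN32_Int41Dispatch, 32-bit)",  "68 2A 00 2A 00"),
]
# Method 11 (MeltICE): driver names passed to CreateFileA / _lopen.
DRIVER_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]
# VxD IDs named in the post: 0202h = SICE (winice), 7A5Fh = SIWVID.
SOFTICE_VXD_IDS = {0x0202, 0x7A5F}


def compile_pattern(pattern):
    """Turn 'B8 84 16 BB ?? ??' into a bytes regex ('??' matches any single byte)."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan_anti_softice(data):
    """Return a sorted list of (offset, label) for every SoftICE check found in data."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in compile_pattern(pattern).finditer(data):
            off, tag = m.start(), label
            if label.startswith("M03/04"):
                # int 2Fh/1684h is how *any* VxD entry point is queried; only the
                # two IDs the post names indicate a SoftICE check (ID at +4, LE).
                vxd_id = int.from_bytes(data[off + 4:off + 6], "little")
                if vxd_id not in SOFTICE_VXD_IDS:
                    continue
                tag = f"{label} (ID {vxd_id:04X}h)"
            hits.append((off, tag))
    for name in DRIVER_NAMES:
        for m in re.finditer(re.escape(name), data):
            hits.append((m.start(), f"M11 MeltICE driver name {name.decode()}"))
    return sorted(hits)


# Constructed sample buffer (not a real file): NOP padding, the Haspinst-style
# Method 02 sequence, a Method 03 lookup of VxD 0202h, a lookup of the unrelated
# VxD 000Dh (must not be flagged), Method 05, and a MeltICE driver name.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")   # offset 4, magic at 9
    + bytes.fromhex("B8 84 16 BB 02 02 CD 2F")               # offset 16
    + bytes.fromhex("B8 84 16 BB 0D 00 CD 2F")               # offset 24, ignored
    + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3")               # offset 32
    + b"\\\\.\\SICE\x00"                                     # offset 40
)

if __name__ == "__main__":
    for off, tag in scan_anti_softice(SAMPLE):
        print(f"{off:08X}  {tag}")
```

A hit is a place to look, not a verdict: the same bytes can occur in legitimate VxD or debugger-support code, so confirm each one in the disassembly.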