About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 (IVT segment), as in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The check relies on the replacement handler copying AL into CL: when SoftICE
intercepts int 41h itself, the handler is never reached, CL stays zero and
CL != AL (AL is loaded from the timer port, so its value is unpredictable):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read PIT counter: pseudo-random al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
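As an added example (not part of the original text), here is a Python scanner that looks for the byte-level fingerprints of the tricks above in a raw code buffer: the 'BCHK' constant, the SI/DI magic values, the int 2Fh/1684h VxD probes, the int 41h/4Fh and int 68h/43h probes, the 0F386h compare, the VxDCall 002A002Ah form, the MeltICE device names and the NuMega registry key. It is the kind of triage an analyst runs over an unpacked binary before tracing it; the instruction encodings, gap sizes and the sample buffer are my own assumptions, and fixed idioms like these will miss obfuscated variants.

```python
"""Scan raw x86 code bytes for the SoftICE-detection idioms listed above."""
import re
from typing import Dict, List, Tuple

# Encodings assumed (16-bit code unless noted): mov r16,imm16 = B8+reg iw
# (ax=B8, bx=BB, bp=BD, si=BE, di=BF); mov ah,imm8 = B4 ib; int n = CD ib;
# int 3 = CC; cmp ax,imm16 = 3D iw; push imm8 = 6A ib; push imm32 = 68 id.
# A '.{0,n}' gap tolerates the register setup sitting between the key bytes.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,'BCHK' (BD imm32) ... int 3
    "M01 mov ebp,'BCHK' ; int 3": rb"\xBD\x4B\x48\x43\x42.{0,6}\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh in either order, then int 3
    "M02 SI=4647h/DI=4A4Dh ; int 3":
        rb"(?:\xBE\x47\x46.{0,6}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}\xBE\x47\x46).{0,6}\xCC",
    # Methods 03/04: mov ax,1684h and mov bx,<VxD id> in either order, then int 2Fh
    "M03 int 2Fh/1684h VxD 0202h":
        rb"(?:\xB8\x84\x16.{0,6}\xBB\x02\x02|\xBB\x02\x02.{0,6}\xB8\x84\x16).{0,6}\xCD\x2F",
    "M04 int 2Fh/1684h VxD 7A5Fh":
        rb"(?:\xB8\x84\x16.{0,6}\xBB\x5F\x7A|\xBB\x5F\x7A.{0,6}\xB8\x84\x16).{0,6}\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h (Method 06 deliberately avoids the 4Fh constant)
    "M05 mov ax,4Fh ; int 41h": rb"\xB8\x4F\x00.{0,12}\xCD\x41",
    # Method 07: mov ah,43h ... int 68h
    "M07 mov ah,43h ; int 68h": rb"\xB4\x43.{0,6}\xCD\x68",
    # Method 11: the device names MeltICE hands to CreateFileA / _lopen
    "M11 MeltICE device name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall 002A002Ah/4Fh": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: the registry key most programs query
    "M13 NuMega registry key": re.escape(b"Software\\NuMega\\SoftICE"),
    # Shared by methods 05, 07 and 12: cmp ax,0F386h
    "magic 0F386h compare": rb"\x3D\x86\xF3",
}
_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan_for_softice_checks(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every idiom found, sorted by offset."""
    hits = [(m.start(), name) for name, rx in _COMPILED for m in rx.finditer(code)]
    return sorted(hits)


# Constructed sample: a 32-bit 'BCHK' probe, the Haspinst-style back door call,
# an int 41h/4Fh probe with its 0F386h compare, and a MeltICE device name.
SAMPLE = (
    b"\x90\x90"                          # 0: nop padding
    + b"\xBD\x4B\x48\x43\x42"            # 2: mov ebp,'BCHK'
    + b"\x66\xB8\x04\x00\xCC"            # 7: mov ax,4 ; int 3
    + b"\x3C\x04\x75\x10"                # 12: cmp al,4 ; jnz
    + b"\xB8\x11\x09\x8B\x17"            # 16: mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # 21: mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x4F\x00\xCD\x41"            # 28: mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3\x74\x05"            # 33: cmp ax,0F386h ; jz
    + b"\\\\.\\SICE\x00"                 # 38: "\\.\SICE"
)

if __name__ == "__main__":
    for off, name in scan_for_softice_checks(SAMPLE):
        print(f"{off:#06x}  {name}")
```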