找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
9 }2 A9 }2 {$ s# G4 d" @7 L1 A+ E: a<TBODY>) J, O9 v; C4 a  c' o8 s
<TR>8 ]  Z) Q( e; s+ ~
<TD><PRE>Method 01
" n: {5 O; e; P' A1 ^4 N0 X=========9 @! r* K3 g% |: q4 A$ I. N& C
* p% t: V: C0 L8 j  L0 a+ D: J
This method of detection of SoftICE (as well as the following one) is
) u) s3 y/ p5 g+ I5 B9 K1 Qused by the majority of packers/encryptors found on Internet.
8 p6 ]3 D- P% m. R; V2 yIt seeks the signature of BoundsChecker in SoftICE, I2 ?9 k6 Y; s' g2 Q$ l: ]3 c. i
( F) D; O  f/ n. t
    mov     ebp, 04243484Bh        ; 'BCHK'
, C  J0 m2 _4 n& B3 k4 |    mov     ax, 04h
7 b: f* B! c3 M    int     3       9 S7 f2 x" N4 N' G/ C' c- B& w
    cmp     al,44 v( a, a, a: T' S) V
    jnz     SoftICE_Detected
$ F6 s9 g& c, F# E; x  J
. |/ x& s5 U. u9 F- C___________________________________________________________________________
' X( r5 D7 Y9 @: A6 \
1 j% J% k% f) ]9 xMethod 029 `! A# N' r, j. d0 l/ F5 L' y
=========
4 A9 g5 \! d) v* ~3 z) ]: t* U# A1 y9 i
Still a method very much used (perhaps the most frequent one).  It is used
5 f+ c1 G$ g. N" Pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,/ i; N# X. i. `% i" N4 _8 ^/ D  g6 T' `
or execute SoftICE commands...' I5 _+ s' e$ r' n& l3 I+ `
It is also used to crash SoftICE and to force it to execute any commands
& n; b$ W5 Z; n4 R( I  \7 _(HBOOT...) :-((  
; H! ?, h+ _& M  F+ b4 ^  t2 q9 z6 m2 @( e0 S3 v* R/ Q
Here is a quick description:" u+ r1 O) _3 N; m; h
-AX = 0910h   (Display string in SIce windows). s: z7 m( D! a% j. W! G- o
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)* ]  b" P0 f5 W8 P% F4 s# `
-AX = 0912h   (Get breakpoint infos)* D: q9 G' I9 i
-AX = 0913h   (Set Sice breakpoints)$ ^+ H7 p# c$ o" ?
-AX = 0914h   (Remove SIce breakoints)
; o& K' Y. B5 W) g5 V; M. `2 j5 h) g1 c( w
Each time you'll meet this trick, you'll see:
% z& O: y; H& n0 P$ f1 ]-SI = 4647h2 c4 R. U5 J, k! H2 I
-DI = 4A4Dh
) y! \9 z) e8 j5 E' }& ^1 v' T, jWhich are the 'magic values' used by SoftIce.5 A6 h; K1 k. H' ]  X  _
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
. ?5 P+ o3 H$ z% m4 ^8 ?. l' }5 B+ I" v2 d
Here is one example from the file "Haspinst.exe" which is the dongle HASP7 V) n3 a: ]$ Z5 X! T9 u8 q
Envelope utility use to protect DOS applications:
' R0 o9 S, z8 l0 |/ r5 u# E" d* M* E$ o+ Y

" c+ [& g6 j) N: u& i/ C4C19:0095   MOV    AX,0911  ; execute command.
' c# S0 n8 `9 }7 z2 Z9 i) F4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).7 [0 ]# Q* _0 d! e
4C19:009A   MOV    SI,4647  ; 1st magic value.
' \+ S$ w, j5 @5 C2 l4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
# z! G. J2 O/ E) e4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4 A7 @! h# ?1 c3 W, a* i4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute+ }& Y# @. ]# k7 n4 a
4C19:00A4   INC    CX: f/ j5 V- T1 U* M. U- E
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute2 x6 P/ o4 O4 y% r7 ?0 h, m* \9 ^7 g
4C19:00A8   JB     0095     ; 6 different commands.. T! ~, {' _  Y2 T: {& U' r
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
  @) Z; w% }; ?: n9 F0 j# [  {4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)$ d6 ]( k8 E! A$ O& i0 m+ v* Y+ F( Y

4 q- P: u9 D7 K5 u) P  }The program will execute 6 different SIce commands located at ds:dx, which
- R  j% V, j& e% care: LDT, IDT, GDT, TSS, RS, and ...HBOOT.% M& R% ], B( P( T8 s- N4 _& B

- z5 S* |9 U. A* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! {4 L) I5 g: {+ Z3 x___________________________________________________________________________, H3 V" s1 F; X* I$ [; N# q  I. h. j1 c
& y$ Z/ Q1 J* e/ b9 J- x

8 o/ O, ^; c- X* DMethod 036 @% W) \/ N5 m( C& |' a8 U
=========
+ }/ M# f8 d% \) G! b# g
7 X3 h& f) S" c4 G) z5 `Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h6 E; e1 w) p2 E* k# A2 F
(API Get entry point); Q3 P( X2 {9 k# ]( s4 D6 O7 I5 C
        
$ l6 K% }4 H5 y
+ o# V; m# m4 ^4 f4 _) x* y) d    xor     di,di0 r- e$ t+ U! F0 ^5 M. m
    mov     es,di; y: h+ G' J: E4 P( K
    mov     ax, 1684h       . _9 @1 A- Z7 _) b
    mov     bx, 0202h       ; VxD ID of winice/ H, }9 J0 @# F, E% N: @, J& v
    int     2Fh
5 G% Y% C! G4 |    mov     ax, es          ; ES:DI -&gt; VxD API entry point
" e+ {1 z( _. w/ q. ~/ R- F    add     ax, di
' y% ^! T  x9 ^# |& f    test    ax,ax; c3 ?* p# f1 V/ W
    jnz     SoftICE_Detected" P  t! |  p1 r# x

: ?( [* z/ n0 A, A4 L8 j___________________________________________________________________________8 x" J$ ]* S7 m: u7 W

5 b. h! K/ ^8 ^9 j5 vMethod 04' W- P+ l) C  C5 ?! O- U
=========
* V( K/ X3 C, y# m7 E7 O! ?# {$ V" l+ c) H, t5 a
Method identical to the preceding one except that it seeks the ID of SoftICE+ e, f- Z2 X0 }! M
GFX VxD.
( _; j( C  G$ ^: e2 }0 G8 a  }) s/ v. L. F
    xor     di,di" ]. x: K: P- V! ~0 u" H' X
    mov     es,di$ ~; _2 E- K9 c/ O
    mov     ax, 1684h       , T; j) I/ t' U3 [) P9 I9 X$ R
    mov     bx, 7a5Fh       ; VxD ID of SIWVID6 D; p4 }5 [; C% I
    int     2fh( h7 G/ ?, Q( S0 y4 v  U- k( O. j
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& V. y9 g/ h" m+ k% ^/ Q    add     ax, di, V0 p! k, s! |
    test    ax,ax# ]4 D. ]+ f* `" ^$ M% N; ]0 \% f
    jnz     SoftICE_Detected
+ o1 l( q- }! W' J: z; f3 F
4 u$ l1 x7 A4 ^# O6 F__________________________________________________________________________  u- P, H, n- W$ ^9 B  [

; S+ a9 m. w5 x6 F; m5 \. O% e8 b, k' Q8 v/ m& G$ L9 e1 v
Method 05  y# u; m# J5 K& j  p& |$ b# L4 P# f
=========( @$ l9 O' w# D! M6 s! y7 C2 o
4 a# X* g1 N1 @7 s
Method seeking the 'magic number' 0F386h returned (in ax) by all system
/ v* h7 Z! v+ ?, e0 [debugger. It calls the int 41h, function 4Fh.' g4 o, [2 k+ r% E' a$ P. Y) N
There are several alternatives.  4 f0 e( |$ }, z% l

+ {, O1 b. V) J% E# k$ T8 AThe following one is the simplest:
* a( I/ [' v+ e# Y' V! ^/ M" k' q) Y$ m% R
    mov     ax,4fh
# V  X9 G( C( E& c# \& S/ {    int     41h, ]( P& \4 E3 c$ _
    cmp     ax, 0F3864 \$ Z+ l9 D# M1 Z# O# b4 b0 K
    jz      SoftICE_detected
/ @. i& F5 j, {: ^6 s2 I. k
5 d) C% J! ^" ~2 A' }% b  m) [! Z. s/ N2 F# r/ I4 T
Next method as well as the following one are 2 examples from Stone's , j  s1 z1 ]3 h* D. x5 r
"stn-wid.zip" (www.cracking.net):+ _0 H9 d% r8 N6 q( h' R: m: p# ~
6 t* F+ N! O0 |0 q" O' K- s9 }9 W
    mov     bx, cs: g1 N0 }- j) Y3 w1 n0 P/ ?
    lea     dx, int41handler2
1 S( ^/ A  w7 }% t6 W    xchg    dx, es:[41h*4]3 K5 Q* G, ^7 s6 ]0 A6 n$ [
    xchg    bx, es:[41h*4+2]
# w( j4 l- l6 M9 n" y( S    mov     ax,4fh
1 K4 @6 l5 s/ W8 H    int     41h
( T0 ]. U2 K( G( L2 q  z    xchg    dx, es:[41h*4]* [" k4 k- v8 n. z& U4 g: p
    xchg    bx, es:[41h*4+2]
3 F4 F1 A* X( t/ @2 \* H6 P    cmp     ax, 0f386h
$ x1 m4 D7 `% E3 L( B6 ~    jz      SoftICE_detected
9 T. U# o' F6 A9 ]! R2 L6 F3 U0 i. Q. v
int41handler2 PROC
6 H6 B3 l& w. `& t+ N    iret
' @( p9 ~4 }9 T; hint41handler2 ENDP
& u- T' K5 k! Q& ~! q2 r: x8 C* f
9 c6 d: u3 C4 D0 p- V) Y
( y, D9 {) I  A8 b_________________________________________________________________________* @3 l5 M) u6 R- {
: a6 M9 a8 Q) ?4 A

! @& h/ c: J+ k$ u( oMethod 06
2 D) ^- v$ c5 U8 s% u=========
9 w& J  t+ c. Z2 D4 d
% v9 K& H# m; Z5 k' ]9 Q" r& a5 ~5 P& V! ?! t4 D. ?; Y
2nd method similar to the preceding one but more difficult to detect:
! a# s! j* b) H; J
6 ]! c$ X/ l. y$ S' w) |$ I  _& ^: t4 R# t4 H, f
int41handler PROC/ G6 ]: s4 b8 j  v2 S5 u3 x
    mov     cl,al% Y" `, m# n, g  k* T
    iret
" K; ^+ u* \: P3 u: x7 D" Lint41handler ENDP
/ E; O$ n8 A& M, U; _- {* M, \' |! T$ i4 ^; H6 A6 u

: P! x4 D  N( c: v    xor     ax,ax# }4 c6 ]9 |  B6 W% _6 ^" K( f
    mov     es,ax) ~% j6 h+ ]' Y/ W1 N9 `( D
    mov     bx, cs
; \# V0 @2 Q6 r    lea     dx, int41handler
( A1 _; O0 q! l# k    xchg    dx, es:[41h*4]
: }% |9 P0 t, P& N0 e/ }    xchg    bx, es:[41h*4+2]) S4 P; {- N$ @$ V5 l1 F
    in      al, 40h
; B. f% U7 T: K, ^: d    xor     cx,cx. B& [4 I, K6 z* ^6 S$ B+ p
    int     41h
4 s2 s% N. ^4 u/ o    xchg    dx, es:[41h*4]
4 `. u# |3 t& z    xchg    bx, es:[41h*4+2]/ A. s7 \8 K5 G, C
    cmp     cl,al
' M) X' x5 _0 ~" Z" g6 C    jnz     SoftICE_detected
6 W" j8 `8 z3 d2 J1 M
( [; `8 h* v; c_________________________________________________________________________
7 {/ Q7 J$ {- d) `3 p
$ I& U- u6 Q& h' ^/ ]- F/ qMethod 079 y! e" d3 Y3 \
=========
* C* m$ m( X% U6 t' g) Q* `. S5 q" [
Method of detection of the WinICE handler in the int68h (V86)
4 F8 {7 W. Y! Z9 X4 `: W1 ~0 A4 o: `' f! y9 ]  D
    mov     ah,43h6 h3 P/ P) Q- J3 `* [& W
    int     68h9 D" E5 h) y0 t3 `% [" W9 n8 h
    cmp     ax,0F386h
' ]7 J8 T. l9 D- f* V5 J    jz      SoftICE_Detected  J+ ]) E4 x6 j# V! B) S- G8 K
1 P! `0 Q1 R: T5 [* u3 ^
, M1 g8 {1 Q- k# z. s: T5 T
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 R- P8 g. r8 {& `7 L3 \   app like this:
$ z  ^0 c' q0 N, d7 v8 q& p# k/ H3 t0 h
   BPX exec_int if ax==68
$ n$ A  U8 ~+ l  V6 Q/ e   (function called is located at byte ptr [ebp+1Dh] and client eip is4 J  z' G; u- I6 O$ i: v" w
   located at [ebp+48h] for 32Bit apps)
# D+ N% }: w, U& R__________________________________________________________________________
* }8 @' d- i& ], }% V+ T$ m! K  d' Q; @6 q3 ]
- ^* o/ ?' z/ J; Q1 Y3 w3 r9 j$ c$ ^
Method 083 x& u7 i  S- U" F& {- J: u
=========9 ~# m- G/ I) r% h" Q/ @

: R) ?0 H% \3 QIt is not a method of detection of SoftICE but a possibility to crash the* p% v$ ~6 J0 t& t3 k
system by intercepting int 01h and int 03h and redirecting them to another6 ~! a; ^( z# ]; e$ B" Q* S
routine.
; u2 u# \+ I  `4 _( H' bIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points5 n$ _5 S  ?5 Y1 w( }
to the new routine to execute (hangs computer...)# T# p5 Z# K: }; W* y( |+ e

+ z4 v3 K/ @+ n* @# v6 v- T    mov     ah, 25h! b; x2 j1 M: w( D  \
    mov     al, Int_Number (01h or 03h)5 ?/ f4 D8 m4 E: i
    mov     dx, offset New_Int_Routine
) X& t/ j8 Y2 z+ H" u2 O! y    int     21h+ a. d% m3 u9 n2 S; t
- [2 p5 w/ t0 p3 V. W. X, {9 Z
__________________________________________________________________________) n5 N1 L& k9 L1 B- w  ]

% h. L7 _+ l$ }0 Y3 @Method 09/ F* N5 Q4 k) J+ S, h; ~: n( C
=========" l6 `7 o& ^6 a$ e0 e# m

; S( R$ t2 c( i; j- E2 Z% KThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only# H; V% o! {' W# m: D1 o& `4 I0 C
performed in ring0 (VxD or a ring3 app using the VxdCall).
. p6 _& O& q; b$ wThe Get_DDB service is used to determine whether or not a VxD is installed& {- t! t: `5 H) G! o4 [
for the specified device and returns a Device Description Block (in ecx) for
* a7 X$ x$ g8 s4 ythat device if it is installed.2 H) o' L4 _# V/ K
+ v; V1 k! d# d
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 i' n- k7 K! M' [   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
" D' X0 r: J& k" K   VMMCall Get_DDB! j, ~7 U" n3 u$ ~' @% Z; d. W
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed( e1 C1 n9 q, E
5 B9 S9 k7 J" |' e0 l+ q
Note as well that you can easily detect this method with SoftICE:
7 Q+ H# G. [) V( `2 r   bpx Get_DDB if ax==0202 || ax==7a5fh/ M# X1 W* }7 d6 A+ g4 R. E7 J
- f9 b% L' ?" W/ X
__________________________________________________________________________
8 s* E+ h* u! o2 i& p0 s9 X9 }' |! Q$ i. y. L4 k" G& Q
Method 10  A  F5 b4 {( O7 [- n; J3 n
=========
1 r3 T5 L$ z, Y& Q# d& W7 {0 B( {; W+ V7 \- U7 s& l
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
: v3 W8 \$ L) m$ F/ F  SoftICE while the option is enable!!5 g: X5 A( t' [& T( Y2 W- o

: H/ K& `( ?" i7 v- d# N; C3 IThis trick is very efficient:0 K. t' C' s; J
by checking the Debug Registers, you can detect if SoftICE is loaded
( R6 ~0 C9 X" n9 q(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if' h- ?) C* j+ |
there are some memory breakpoints set (dr0 to dr3) simply by reading their3 K( g9 \0 O* R8 O8 q, @9 B5 D/ z
value (in ring0 only). Values can be manipulated and or changed as well
# ?$ _& Y: {, ](clearing BPMs for instance)
2 |  t" n" G% b* s: s1 k! l8 g8 Z6 d) J
__________________________________________________________________________, d: I  V0 Q4 B4 N8 y

# F# _! Q, K9 jMethod 11
: |# G/ y2 Q( f$ y  E=========* u! U! O  [, w# ]: O& Q
, e7 Y% F7 e4 n" c5 i$ K, L. y
This method is most known as 'MeltICE' because it has been freely distributed
) A# m# I* j2 I2 I4 o) Zvia www.winfiles.com. However it was first used by NuMega people to allow
4 v* L: S/ f, Y! V+ f' wSymbol Loader to check if SoftICE was active or not (the code is located
, [% V: [2 s: q" l7 _6 f# oinside nmtrans.dll).
8 ]4 Y- m+ ?; c+ g: g; `- [+ ^( X0 d0 l/ A( d6 |, A7 p+ I
The way it works is very simple:+ J6 i8 S1 S" I) N8 C1 z
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for7 k4 j+ M6 g) R  U- }: r6 t. Z& t
WinNT) with the CreateFileA API.- a# M- x7 Q# L9 w7 Z8 E
6 _7 }1 O# Z8 I; x4 O
Here is a sample (checking for 'SICE'):
- X. l8 k  a0 y& v; o; r2 K) j5 ?( |. Y
BOOL IsSoftIce95Loaded()9 p4 r- |! N. r# D
{
- D+ \5 @! ^2 m6 s9 f: |) K2 r   HANDLE hFile;  ( f0 O& Q2 I# a4 Q$ c- t+ B+ z
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
4 B! _; J: v& B# r                      FILE_SHARE_READ | FILE_SHARE_WRITE,
6 E; R8 t9 I  s& C; b4 l2 x5 [                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 ?9 e+ C& p* W" P/ b1 Q   if( hFile != INVALID_HANDLE_VALUE )
1 {& @& L: V0 l5 d$ x   {
: D7 c& X: c& |! d# f' K      CloseHandle(hFile);* V1 y9 r0 j. k" S2 h4 S
      return TRUE;5 H4 D% i& Q, t1 n
   }
( s' D9 z& v+ ^! h8 v   return FALSE;
+ p- x9 }4 m0 [. ]% G7 f}( A( T& D, M5 G  a: H, C/ ^2 @

; r: D) [( O+ }0 W9 cAlthough this trick calls the CreateFileA function, don't even expect to be
& Q; u/ B0 K# I/ Uable to intercept it by installing a IFS hook: it will not work, no way!/ m$ Z9 |6 M% @+ T
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ N" j- x- d( z- p( }; pservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
% l. T2 k/ Q' |3 o$ H6 r* Gand then browse the DDB list until it find the VxD and its DDB_Control_Proc& I( @  V2 V- c) \( n$ g
field.  P/ Q; o  r) T
In fact, its purpose is not to load/unload VxDs but only to send a
5 K/ s8 j4 E4 @+ p# AW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)# w9 Z1 S) z9 m3 q
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 L3 Q+ e5 l% `to load/unload a non-dynamically loadable driver such as SoftICE ;-).3 w2 j. x! @1 a; p: f3 p
If the VxD is loaded, it will always clear eax and the Carry flag to allow
* h4 K$ B5 ?, _/ w/ mits handle to be opened and then, will be detected.; B# j2 C6 a# M& Y. F1 [* O
You can check that simply by hooking Winice.exe control proc entry point( \7 i. ^" o! t4 e" A
while running MeltICE.
8 h0 p# ]5 Q3 Y7 W# j3 N
: M! D: ?3 ]& E
" T) r3 P: y+ V, @& B  00401067:  push      00402025    ; \\.\SICE9 ~6 \$ K) z3 H1 w0 |# f
  0040106C:  call      CreateFileA
- F# J- H8 }2 p/ b5 a. g  00401071:  cmp       eax,-0014 E) [# D( ]) U7 J( \
  00401074:  je        00401091
7 \# @3 L( k6 U. O1 Q! k  J" j# H! z
6 D+ n+ l' m0 X& ?; \0 `$ b# h5 a% |  d4 r0 s
There could be hundreds of BPX you could use to detect this trick.1 A2 J  T6 a  a- X' P) {8 w
-The most classical one is:- V# L; S2 D! v4 M- V' W
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||# g8 ~& y7 L- n
    *(esp-&gt;4+4)=='NTIC'
  \  n2 V1 u0 d" ]0 j: j7 ?+ }% J
8 G+ f4 J, O  v' g3 G-The most exotic ones (could be very slooooow :-(3 k0 h( d. z5 o) `5 u# G
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
3 W* Y0 ^! y5 ?: `2 k, |# r& O     ;will break 3 times :-(
' k# m7 _, l1 m. @; f% n$ w# ~( u) s$ W# |5 `
-or (a bit) faster: * o* u+ U2 E/ g9 G' a
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')! J! W% W( J1 }8 L% S1 P5 r

. c- S" \  u2 n, j% k   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
6 m% a* i+ v" ~: E6 ^5 f& X     ;will break 3 times :-(
, j; ?/ S* {! H8 _; d6 t
; C* X. a' n% J- O-Much faster:* S! [$ D- {* c/ C+ A* M5 @" Q
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
, d3 W3 P1 N5 c' U% t, n& L7 P. r; h+ {9 o# I/ W/ ~' P0 l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
9 f/ H0 I  u" C, c! h9 ufunction to do the same job:' ]: G' a6 _7 \8 l
# \) J7 }7 x+ O' J
   push    00                        ; OF_READ# r, R! \) c% t
   mov     eax,[00656634]            ; '\\.\SICE',00 H0 r- N3 A/ a: I  |. E8 |
   push    eax
7 D) |( B" Y+ T# C: Q   call    KERNEL32!_lopen
8 R3 Q( P4 N+ \; t, ]9 D( b1 t/ j   inc     eax  b2 a' B% Z( P; X+ B* z6 z( }& u
   jnz     00650589                  ; detected; g3 c& A$ j2 W$ }3 d6 ^! c
   push    00                        ; OF_READ
3 I/ J- k' a1 w2 ?   mov     eax,[00656638]            ; '\\.\SICE'
' H6 R7 y# g, ]6 q9 Q   push    eax! `5 P; Y5 ^: X$ m$ N2 ~
   call    KERNEL32!_lopen
# [7 v8 w) U8 f  @  U   inc     eax1 |1 |$ {  U4 G# M9 M
   jz      006505ae                  ; not detected# E, \8 f* s7 w5 d' E& I3 s( Z
$ d* l8 l4 u+ e2 `
* F: D4 C  I9 Q* ?6 ?
__________________________________________________________________________9 m# J: B2 k/ t% |
* ]+ E& U3 u# s0 D% T
Method 12
+ u- H+ b& ]6 N6 f$ t+ k$ @# F=========+ n% Y: Q" e' _9 H4 q

- O1 B* X7 {+ x4 i8 u+ mThis trick is similar to int41h/4fh Debugger installation check (code 055 ~2 [% u% c5 i
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
( @' M" @+ W- Uas it uses the VxDCall backdoor. This detection was found in Bleem Demo." A: M4 r6 O4 `/ @+ a% t6 a. e

" z( [  j- F2 ]) o   push  0000004fh         ; function 4fh
- c3 t3 U% o- _' D3 W/ z$ B1 W8 Q   push  002a002ah         ; high word specifies which VxD (VWIN32)
  f, ?! Z3 P; t+ }                           ; low word specifies which service
1 C+ s9 [" h/ D' d                             (VWIN32_Int41Dispatch)
; Q# W. E2 F: v/ Y3 E! A   call  Kernel32!ORD_001  ; VxdCall
7 p2 }* G: e. o   cmp   ax, 0f386h        ; magic number returned by system debuggers
# Y( g; Q2 r1 u1 y: l0 X8 s8 f   jz    SoftICE_detected' N7 C) D& p. ?. i

! x0 ^+ a0 r5 X4 jHere again, several ways to detect it:
# U! k. d5 j  x) a6 o/ T
+ n' c3 Y+ r8 ^& \( b! Y6 s    BPINT 41 if ax==4f& m+ @. i0 O; J' H0 B# }# f) Y

* A7 w  b7 _3 Q. h    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
6 H. R5 w% q" J# ^3 K$ q8 Z4 V8 b' k& l: K" f) g" ]. B
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A+ e5 ~7 w$ _2 @- `2 ~

+ _6 a$ r/ U3 I    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!# X, P0 q, m4 V8 Y

# Z  n- u7 e" g. q5 Q4 P8 D+ K__________________________________________________________________________# q/ G5 s# v8 ^/ r0 W2 @% f/ n8 B, t1 e/ N
4 h. U5 P  @/ M) X2 U+ g7 P  U; H
Method 134 v' M  K/ `  K6 m. m+ m
=========
" O! L# R& s" I" r( U' t. d& o0 @* B* x
" v2 L5 K* [: d% z$ T0 u  A! NNot a real method of detection, but a good way to know if SoftICE is
+ h4 B- k$ Z$ R! E: _installed on a computer and to locate its installation directory.3 o! x( r8 @, S/ x
It is used by few softs which access the following registry keys (usually #2) :
2 R& I6 a3 c& n9 J. H0 O  l% M* `' R" a" D% b8 C+ I
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* g! T7 _9 }# w- b" t3 i! g\Uninstall\SoftICE, _0 i# A- [6 W! t% o3 {3 l! h5 o0 u, u! }& }
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. I9 q4 |- V; q. F; l-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ ~/ \, K* F+ x: ^9 `\App Paths\Loader32.Exe
6 N, v/ ~- j4 i% _6 O& S6 F
9 J# N& K2 ~+ r$ S4 }
- U1 T' Y( E* O: jNote that some nasty apps could then erase all files from SoftICE directory/ H# K) U" l/ q$ ?- h& }' C
(I faced that once :-(# b( Q' i  o$ ~2 e! i
- z9 P' G, T9 w) _; ~3 Y2 Q
Useful breakpoint to detect it:4 V% u1 w& @4 B4 e* ]% F* E/ R4 T- J- O4 B
( S9 t, U% _; _+ F9 z4 G* ^3 t# @4 o
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
9 O/ i% t  n* a; k# K( b; Z1 f
& G4 \+ h, @& T5 P" M__________________________________________________________________________
% X% x. `' J) L) x
! R+ V$ H" B# P/ @
7 b& k- D( `/ W# DMethod 14
1 A% n) z$ Y# i6 s: Y=========1 m4 L2 H$ n4 S3 c- f1 B* S

& r- G0 u: H" V* z4 A3 VA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: _; T! `/ c  F7 ~& G/ f0 [2 V
is to determines whether a debugger is running on your system (ring0 only)., F, ]+ x" V2 e. @5 V

2 b. {* _/ z- @% a) r   VMMCall Test_Debug_Installed
% y7 _& x! P) r2 l; _- Q   je      not_installed
8 e* A8 }. g; {; G% C$ r6 E/ P- c  ^- h0 p) ?
This service just checks a flag.9 U  `; [/ x0 w5 i0 T( Z' @. h
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 19:43

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表