About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is modified by SoftICE's int 3 handler
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must address the IVT (segment 0),
    xchg    bx, es:[41h*4+2]        ; as set up in Method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector is kept in dx:bx)
    in      al, 40h                 ; read a changing value (timer port)
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless something else took the int
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps).
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
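To make the two DR7 values quoted above concrete, here is an added Python decoder for the DR7 bit layout. It is not part of the original text: the bit positions are the documented x86 ones (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 that always reads as 1, GD bit 13, and a 2-bit R/W plus 2-bit LEN field per breakpoint from bit 16 up), and the sample values are the text's 0x700 and 0x400 plus one constructed value with a write breakpoint armed on DR0. Reading the registers still needs ring 0; the decoder is for interpreting a value you already obtained, for instance from a debugger or a crash dump, and it shows that 0x700 differs from 0x400 only by the LE and GE bits, with no DR0-DR3 breakpoint enabled in either.

```python
"""Decode the x86 DR7 debug-control register (added example, not from the text)."""
from typing import Dict, List, NamedTuple

# R/W field: 00 execute, 01 write, 10 I/O (if CR4.DE), 11 read or write.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN field: 00 1 byte, 01 2 bytes, 10 8 bytes (64-bit mode only), 11 4 bytes.
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


class HwBreakpoint(NamedTuple):
    index: int      # which of DR0..DR3 holds the linear address
    local: bool     # Ln: enabled for the current task
    global_: bool   # Gn: enabled for all tasks
    kind: str       # decoded R/W field
    length: int     # decoded LEN field, in bytes


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split a DR7 value into its control bits and the armed breakpoints."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # DRi is not armed, skip its fields
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return {
        "LE": bool((dr7 >> 8) & 1),          # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),          # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),         # general detect (trap on MOV DRn)
        "breakpoints": bps,
    }


def summarize(dr7: int) -> str:
    """One-line reading of a DR7 value, in the terms used by the text above."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return f"{len(d['breakpoints'])} hardware breakpoint(s) armed in DR0-DR3"
    if d["LE"] and d["GE"]:
        return "no DR0-DR3 breakpoint armed; LE and GE set (the text's 0x700 case)"
    return "no DR0-DR3 breakpoint armed; only reserved bit 10 set (the text's 0x400 case)"


if __name__ == "__main__":
    # Constructed sample values: the two from the text and one with DR0 armed
    # as a local, 4-byte, write breakpoint (L0=1, RW0=01, LEN0=11).
    for value in (0x700, 0x400, 0x000D0701):
        print(f"dr7=0x{value:08x}: {summarize(value)}")
        for bp in decode_dr7(value)["breakpoints"]:
            print("   ", bp)
```

The `summarize` output mirrors the two observations the text makes; `decode_dr7` is the general decoder and also reveals the GD bit, which the text does not mention but which a ring-0 check of this kind would have to leave clear to avoid faulting on its own `MOV` from DR7.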

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (failure) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
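Most of the tricks described so far leave a fixed byte sequence or string in the binary that uses them, which makes them easy to flag statically when triaging a sample. The following Python scanner is an added example and is not part of the original text: it encodes the instructions quoted in Methods 01-05, 07 and 12 with their standard x86 opcode bytes (with optional 66h operand-size prefixes where 16-bit and 32-bit code would differ), plus the `\\.\SICE`, `\\.\SIWVID` and `\\.\NTICE` device names of Method 11 and the registry key of Method 13. The sample image is constructed inline. Method 06 (no fixed compare), and the ring-0 services of Methods 09, 10 and 14, have no simple byte signature and are not covered; the patterns are deliberately loose (small wildcard gaps), so each hit is a lead for the reverse engineer to confirm at that offset rather than proof.

```python
"""Static scanner for the anti-SoftICE patterns described above (added example)."""
import re
from typing import List, NamedTuple, Tuple


class Signature(NamedTuple):
    method: str     # section number in the text above
    name: str
    pattern: bytes  # regular expression over raw bytes


# Byte encodings are the standard x86 ones for the instructions quoted in each
# method; ".{0,8}?" tolerates a few unrelated bytes between the key instructions.
SIGNATURES: List[Signature] = [
    Signature("01", "BoundsChecker 'BCHK' handshake via int 3",
              # [66] BD 4B 48 43 42 = mov ebp,4243484Bh ... CC = int 3
              rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    Signature("02", "SoftICE back door magic values SI=4647h / DI=4A4Dh",
              # BE 47 46 = mov si,4647h ; BF 4D 4A = mov di,4A4Dh (either order)
              rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    Signature("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
              # B8 84 16 = mov ax,1684h ; BB 02 02 = mov bx,0202h ; CD 2F = int 2Fh
              rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    Signature("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
              rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    Signature("05", "int 41h/4Fh debugger check (cmp ax,0F386h)",
              # CD 41 = int 41h ; 3D 86 F3 = cmp ax,0F386h
              rb"\xCD\x41.{0,16}?\x3D\x86\xF3"),
    Signature("07", "int 68h/43h V86 handler check",
              # B4 43 = mov ah,43h ; CD 68 = int 68h
              rb"\xB4\x43.{0,4}?\xCD\x68"),
    Signature("11", "SoftICE device name (MeltICE / _lopen variant)",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    Signature("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh ; push 002A002Ah)",
              # 6A 4F or 68 4F 00 00 00 = push 4Fh ; 68 2A 00 2A 00 = push 002A002Ah
              rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    Signature("13", "SoftICE registry key string",
              rb"Software\\NuMega\\SoftICE"),
]


def scan(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, name) for every signature hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, image, re.DOTALL):
            hits.append((m.start(), sig.method, sig.name))
    return sorted(hits)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan a file on disk (raw bytes, no PE/MZ parsing needed for this)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image: NOP padding around four of the sequences quoted
# above (this is test data written for the example, not bytes from any sample).
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh  ('BCHK')       Method 01
    + b"\x66\xB8\x04\x00"           # mov ax, 4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x90" * 8
    + b"\xB8\x84\x16"               # mov ax, 1684h                       Method 03
    + b"\xBB\x02\x02"               # mov bx, 0202h
    + b"\xCD\x2F"                   # int 2Fh
    + b"\x90" * 8
    + b"\x6A\x4F"                   # push 4Fh                            Method 12
    + b"\x68\x2A\x00\x2A\x00"       # push 002A002Ah
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"            # "\\.\SICE" device name              Method 11
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, method, name in scan(SAMPLE):
        print(f"{offset:08x}  method {method:<3} {name}")
```

Run against a real file with `scan_file(path)`; for packed samples the patterns only appear after unpacking, so a clean result on a packed binary says nothing, which is exactly why the text also lists the SoftICE `BPX`/`BPINT` conditions for catching each trick at run time.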


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>