About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It uses the interface SoftICE exposes to NuMega's BoundsChecker and looks
for its signature: with EBP = 'BCHK' and AX = 4, a loaded SoftICE services
the INT 3 itself and clears AL; if AL still holds 4 afterwards, nobody
answered the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command -the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
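As an added example (my code, not part of the original post nor of any packer), here is a small C scanner for the two INT 3 idioms of methods 01 and 02 over raw 16-bit code bytes: it reports a MOV EBP,'BCHK' immediate, and an INT 3 preceded within a few bytes by MOV SI,4647h, MOV DI,4A4Dh and MOV AX,09xxh, naming the back-door function. The 16-byte look-back window, the function-name table and the sample buffer (the Haspinst.exe loop above re-encoded by hand behind a method 01 probe) are my own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes searched backwards from each INT 3 for the set-up MOVs (own choice). */
#define BACKDOOR_WINDOW 16
#define MAX_HITS 8

typedef struct {
    size_t   offset;    /* offset of the INT 3 (method 2) or of the MOV EBP (method 1) */
    int      method;    /* 1 = 'BCHK' BoundsChecker probe, 2 = FG/JM back door */
    uint16_t function;  /* AX value for method 2 hits (0910h..0914h), 0 otherwise */
} backdoor_hit;

/* Back-door functions as listed in the post. */
const char *backdoor_name(uint16_t fn)
{
    switch (fn) {
    case 0x0910: return "display string";
    case 0x0911: return "execute command";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return "unknown";
    }
}

/* Scan code[0..len) for both INT 3 idioms; returns the number of hits stored. */
size_t scan_softice_backdoor(const uint8_t *code, size_t len,
                             backdoor_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        /* Method 01: MOV EBP,4243484Bh = BD 4B 48 43 42 (66 prefix in 16-bit code). */
        if (code[i] == 0xBD && i + 4 < len &&
            memcmp(code + i + 1, "\x4B\x48\x43\x42", 4) == 0) {
            hits[n++] = (backdoor_hit){ i, 1, 0 };
            continue;
        }
        if (code[i] != 0xCC)            /* INT 3 */
            continue;
        /* Method 02: MOV SI,4647h = BE 47 46, MOV DI,4A4Dh = BF 4D 4A and
           MOV AX,09xxh = B8 xx 09 must all appear shortly before the INT 3. */
        size_t start = i > BACKDOOR_WINDOW ? i - BACKDOOR_WINDOW : 0;
        int have_si = 0, have_di = 0, have_ax = 0;
        uint16_t fn = 0;
        for (size_t j = start; j + 2 < i; j++) {
            if (code[j] == 0xBE && code[j+1] == 0x47 && code[j+2] == 0x46) have_si = 1;
            if (code[j] == 0xBF && code[j+1] == 0x4D && code[j+2] == 0x4A) have_di = 1;
            if (code[j] == 0xB8 && code[j+2] == 0x09) { have_ax = 1; fn = (uint16_t)(0x0900 | code[j+1]); }
        }
        if (have_si && have_di && have_ax)
            hits[n++] = (backdoor_hit){ i, 2, fn };
    }
    return n;
}

/* Constructed sample: a method 01 probe followed by the Haspinst.exe loop
   from the post, re-encoded by hand. Not bytes lifted from any real binary. */
static const uint8_t sample_code[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh ('BCHK') */
    0xB8, 0x04, 0x00,                     /* mov ax,4 */
    0xCC,                                 /* int 3 */
    0x3C, 0x04,                           /* cmp al,4 */
    0x75, 0x00,                           /* jnz SoftICE_Detected (rel8 left 0) */
    0xB8, 0x11, 0x09,                     /* 0095: mov ax,0911h */
    0x8B, 0x17,                           /* 0098: mov dx,[bx] */
    0xBE, 0x47, 0x46,                     /* 009A: mov si,4647h */
    0xBF, 0x4D, 0x4A,                     /* 009D: mov di,4A4Dh */
    0xCC,                                 /* 00A0: int 3 */
    0x83, 0xC3, 0x02,                     /* 00A1: add bx,2 */
    0x41,                                 /* 00A4: inc cx */
    0x83, 0xF9, 0x06,                     /* 00A5: cmp cx,6 */
    0x72, 0xEB,                           /* 00A8: jb 0095 */
};

static backdoor_hit demo_hits[MAX_HITS];

/* Runs the scanner over the sample, prints each hit, returns the hit count. */
size_t demo_scan(void)
{
    size_t n = scan_softice_backdoor(sample_code, sizeof sample_code, demo_hits, MAX_HITS);
    for (size_t k = 0; k < n; k++) {
        if (demo_hits[k].method == 1)
            printf("+%02zx: method 01, 'BCHK' INT 3 probe\n", demo_hits[k].offset);
        else
            printf("+%02zx: method 02, AX=%04X (%s)\n", demo_hits[k].offset,
                   demo_hits[k].function, backdoor_name(demo_hits[k].function));
    }
    return n;
}

const backdoor_hit *demo_hit(size_t k) { return &demo_hits[k]; }
```

The look-back is deliberately loose (the MOVs may come in any order and with other instructions in between, as in the Haspinst loop), so treat a hit as something to confirm in the disassembler rather than as proof on its own.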
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0000:0000 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The real-mode int 41h vector is swapped
for a bare IRET before the call: if nothing sits below the IVT, AX comes
back unchanged (4Fh); only a debugger that intercepts int 41h ahead of the
IVT handler, as SoftICE does, can return 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES -> IVT at 0000:0000 (set-up assumed,
                                    ; as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
compare against 0F386h is made. The installed handler copies AL into CL; if
SoftICE owns int 41h, the handler never runs, CL stays 0 and differs from
the PIT counter byte read into AL (the check is silently missed when that
byte happens to be 0):

int41handler PROC
    mov     cl,al                   ; only runs if int 41h reaches the IVT
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary non-constant byte (PIT counter 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h (the single-step and breakpoint
interrupts a debugger relies on) and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: a "mov eax,drN" from ring3 raises a general protection
fault). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

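As an added example (mine, not from the post), the C code below decodes a saved copy of DR0-DR7 the way a ring0 component doing this check would: it tells the loader signature (0x700 vs 0x400) apart by the LE/GE bits, lists the hardware breakpoints that BPM leaves in DR0-DR3, and clears them. The register snapshot is constructed for the demonstration, and reading the registers themselves (mov eax,dr7) is left out because it faults outside ring0.

```c
#include <stdint.h>
#include <stdio.h>

/* Snapshot of the debug registers as a ring0 component reads them with
   "mov eax, drN". Ring3 code cannot (#GP), so the example works on a copy. */
typedef struct { uint32_t dr0, dr1, dr2, dr3, dr6, dr7; } debug_regs;

typedef struct {
    int         slot;      /* 0..3 */
    uint32_t    address;   /* linear address held in DRn */
    int         global;    /* G bit set (1) or L bit set (0) */
    const char *type;      /* "exec", "write", "io", "rw" */
    int         length;    /* 1, 2, 4 or 8 bytes */
} hw_breakpoint;

/* DR7 layout (Intel SDM): L0/G0..L3/G3 = bits 0..7, LE = bit 8, GE = bit 9,
   bit 10 reserved and always read as 1, R/Wn = bits 16+4n..17+4n,
   LENn = bits 18+4n..19+4n. */
int dr7_le(uint32_t dr7) { return (dr7 >> 8) & 1; }
int dr7_ge(uint32_t dr7) { return (dr7 >> 9) & 1; }

/* The post's figures: 0x700 under the SoftICE loader, 0x400 otherwise.
   0x400 is just the reserved bit, so the signature is LE and GE both set. */
int dr7_has_loader_signature(uint32_t dr7) { return dr7_le(dr7) && dr7_ge(dr7); }

static const char *rw_name(unsigned rw)
{
    static const char *const names[] = { "exec", "write", "io", "rw" };
    return names[rw & 3];
}

static int len_bytes(unsigned len)
{
    static const int bytes[] = { 1, 2, 8, 4 };   /* LEN encoding 00,01,10,11 */
    return bytes[len & 3];
}

/* Fill out[] with the enabled hardware breakpoints (what BPM sets); returns count. */
int enumerate_bpm(const debug_regs *r, hw_breakpoint out[4])
{
    const uint32_t addr[4] = { r->dr0, r->dr1, r->dr2, r->dr3 };
    int n = 0;
    for (int i = 0; i < 4; i++) {
        int local  = (r->dr7 >> (2 * i)) & 1;
        int global = (r->dr7 >> (2 * i + 1)) & 1;
        if (!local && !global)
            continue;
        out[n].slot    = i;
        out[n].address = addr[i];
        out[n].global  = global;
        out[n].type    = rw_name(r->dr7 >> (16 + 4 * i));
        out[n].length  = len_bytes(r->dr7 >> (18 + 4 * i));
        n++;
    }
    return n;
}

/* "Clearing BPMs": drop every enable/R-W/LEN bit and the four address
   registers; LE, GE and the reserved bit are left as they were. */
void clear_bpm(debug_regs *r)
{
    r->dr0 = r->dr1 = r->dr2 = r->dr3 = 0;
    r->dr7 &= 0x00000700u;
}

/* Constructed snapshot, not values read from any machine: loader signature
   plus one 4-byte write BPM on 00401000h in slot 0 (L0=1, R/W0=01, LEN0=11). */
debug_regs demo_snapshot(void)
{
    debug_regs r = { 0x00401000u, 0, 0, 0, 0, 0x000D0701u };
    return r;
}

/* Worked run: decode, list and then clear the BPMs; returns how many were set. */
int demo_run(void)
{
    debug_regs r = demo_snapshot();
    hw_breakpoint bp[4];
    int n = enumerate_bpm(&r, bp);
    printf("dr7=%08X  SoftICE loader signature: %s\n", (unsigned)r.dr7,
           dr7_has_loader_signature(r.dr7) ? "yes" : "no");
    for (int i = 0; i < n; i++)
        printf("BPM slot %d: %s, %d byte(s) at %08X (%s)\n", bp[i].slot, bp[i].type,
               bp[i].length, (unsigned)bp[i].address, bp[i].global ? "global" : "local");
    clear_bpm(&r);
    printf("after clear: dr7=%08X\n", (unsigned)r.dr7);
    return n;
}

uint32_t demo_dr7_after_clear(void)
{
    debug_regs r = demo_snapshot();
    clear_bpm(&r);
    return r.dr7;
}
```

The same decoder explains the warning at the top of this method: a protection that clears DR7 while SoftICE is tracing removes the debugger's own BPMs, so set none (or disable them) before letting such code run.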
__________________________________________________________________________
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);            /* the device opened: SICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

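As an added example (mine, not the MeltICE or nmtrans.dll code), here is the same check generalised to the three device names the post lists, with the opener passed in as a callback so the decision logic runs without Windows; under _WIN32 the real opener is the CreateFileA call from the sample above. It also emulates the classic BPX condition to show why the compare is done on four characters. The two fake openers are constructed scenarios.

```c
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Device names a MeltICE-style check opens: SICE and SIWVID on Win9x,
   NTICE on WinNT. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define SOFTICE_DEVICE_COUNT (sizeof softice_devices / sizeof softice_devices[0])

/* Opener callback: nonzero if the named device could be opened. Injected so
   the decision logic can run (and be tested) without SoftICE or Windows. */
typedef int (*device_open_fn)(const char *path);

/* Index of the first device that opens, or -1 if none did. */
int melt_ice_probe(device_open_fn try_open)
{
    for (size_t i = 0; i < SOFTICE_DEVICE_COUNT; i++)
        if (try_open(softice_devices[i]))
            return (int)i;
    return -1;
}

const char *softice_device_name(int idx)
{
    return (idx >= 0 && (size_t)idx < SOFTICE_DEVICE_COUNT) ? softice_devices[idx] : NULL;
}

/* Emulates the post's conditional breakpoint
   BPX CreateFileA if *(esp->4+4)=='SICE' || ... : esp->4 is lpFileName,
   +4 skips the "\\.\" prefix, and the dword compare looks at four bytes,
   which is why SIWVID is matched as 'SIWV' and NTICE as 'NTIC'. */
int bpx_condition_matches(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (lpFileName == NULL || strlen(lpFileName) < 8)
        return 0;
    for (size_t i = 0; i < 3; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

#ifdef _WIN32
/* Real opener: the same CreateFileA call as the post's sample, per name. */
static int win32_try_open(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);
    return 1;
}

int is_softice_loaded(void) { return melt_ice_probe(win32_try_open) >= 0; }
#endif

/* Constructed scenarios standing in for a machine with NTICE loaded and for
   a clean one. */
static int fake_open_ntice_only(const char *path) { return strcmp(path, "\\\\.\\NTICE") == 0; }
static int fake_open_nothing(const char *path)    { (void)path; return 0; }

int demo_nt_machine(void)    { return melt_ice_probe(fake_open_ntice_only); }
int demo_clean_machine(void) { return melt_ice_probe(fake_open_nothing); }
```

On Win9x the real opener ends up in the VxD's control proc exactly as described above, so an IFS hook still sees nothing; the BPX list is the way to catch it.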

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the subkey name; 0x13 and 0x37 are the offsets of 'tICE' inside
the #2 and #1 key names above)

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>