找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>4 v( P9 ], W! k5 x: q6 |
<TBODY>
. c0 X. L, a7 f- A3 B<TR>
! e, ~" p' J0 Z4 V% C. W$ _. @<TD><PRE>Method 01 * f1 q' g; \. Z/ {3 q8 g
=========
2 @6 u: ~9 f: k6 s3 h% D( ^% v0 @% Y0 ]3 P5 U+ M. ^1 \
This method of detection of SoftICE (as well as the following one) is
: N4 j. _) R8 r% M8 Pused by the majority of packers/encryptors found on Internet.
8 r) ?9 ]$ \* k& c  MIt seeks the signature of BoundsChecker in SoftICE: B$ ?# y% ]# X* W* q% Q% t
4 S0 |0 e' Y. H8 Z! o4 B1 g
    mov     ebp, 04243484Bh        ; 'BCHK'
5 f: J( a& v( k; ]  s    mov     ax, 04h
2 Q7 g$ I0 i2 E    int     3      
( z' y6 T! @) k0 v8 K" K& X) M# g    cmp     al,49 ^' v% n1 z& N/ N- p. ]
    jnz     SoftICE_Detected
" J( Y+ C# }) ~0 ?6 _0 w! O- B+ Y
! e9 P$ P$ ~% _& G6 I___________________________________________________________________________
' _1 ^0 K: H: k. {4 Q; A! T6 C0 u6 p7 g+ o
Method 02
7 X) p! O& b" C  U; N/ p' ~=========
) R0 v9 L; N1 t) n# t  x" e6 Y9 d5 j  N) ], M
Still a method very much used (perhaps the most frequent one).  It is used7 B( f: C+ ]& Z! z! h
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,6 @, U: c( P2 k' J; @- M
or execute SoftICE commands...+ U# E8 h4 d, B3 K% y' o
It is also used to crash SoftICE and to force it to execute any commands
; t9 M) B8 H, \1 F(HBOOT...) :-((  
) ^% j0 F4 ?" C# t
8 t$ q- H2 q. E: \- t; s' vHere is a quick description:
, j3 y" q, ^& H5 K  u7 y" w-AX = 0910h   (Display string in SIce windows)
5 K- o$ }) G, b-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
! r+ ^/ d* T3 U- _, t  s-AX = 0912h   (Get breakpoint infos)0 {) f! F/ B/ y" E' i
-AX = 0913h   (Set Sice breakpoints)
3 e5 O+ d( O! l! c-AX = 0914h   (Remove SIce breakoints)8 Z8 _- T' I4 s5 N# Q0 ~2 i
, _7 I& m8 V, J, E
Each time you'll meet this trick, you'll see:& M2 r, K4 F4 I$ ~& @& Q( J
-SI = 4647h
% T2 `  x, \: U" p4 |-DI = 4A4Dh# N5 s6 C1 c! L
Which are the 'magic values' used by SoftIce.. A8 ?+ l& V/ e
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.5 m9 R, t. I3 L# b
1 |" m* g# t' v5 C) z4 j1 m3 D* e
Here is one example from the file "Haspinst.exe" which is the dongle HASP( v9 K9 x& P4 d
Envelope utility use to protect DOS applications:  T4 E9 i5 @4 S- ~% T; [
+ L" k. P, g7 W2 [, v0 ?3 c

& W, s! M5 U! c, Z1 w- U4C19:0095   MOV    AX,0911  ; execute command.
3 F' Z5 ^" ^; `) R4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
* G5 p( |$ c! L4 A, H7 c. `4C19:009A   MOV    SI,4647  ; 1st magic value.7 |5 C1 K8 e5 a( [1 k
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
' n" F: P% H$ W0 _, t4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
6 [. k* v. T* B4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute& q+ Y1 @; d4 Z4 T! F
4C19:00A4   INC    CX- {3 d, d( O2 t3 O$ k
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
! {( |3 q% p; \, l2 y4C19:00A8   JB     0095     ; 6 different commands.
* Y" u# P$ x% B3 N4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
" w; Y1 D; ~( ]4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
' ?" U$ B/ E# @; N( w  b( c! v8 D' g8 n7 C
The program will execute 6 different SIce commands located at ds:dx, which
- ]8 g! J4 |; U$ \are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.- ^  o& x) _& t

! p1 V. b; x! }8 z4 S* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
9 X5 l# R( i% E% I8 b: `" Y___________________________________________________________________________; ?2 G0 M- ?8 T2 z

% o7 j7 N; P+ X5 T# W* c% A6 @: X8 F4 G, {$ i0 ^3 i7 P
Method 03
: }! P; P. j( Y) W; C  @. ]+ c=========/ Y+ y' A( `/ j# C* L0 X- j
: P: R5 h1 l9 g( |; [- Q, Y4 G
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h) _9 E! |! O  f, K. Q& q
(API Get entry point)3 f9 t( D1 i% a; Q
        
" n4 C1 H% z& @+ Y; K+ h3 K- J3 G, X. f. L- _+ p' R
    xor     di,di
4 y! i% F3 h0 m2 {7 _$ F    mov     es,di. S2 E  k2 G7 z. U: A% d+ v9 ]
    mov     ax, 1684h      
  ^3 l  _) O! ?% q    mov     bx, 0202h       ; VxD ID of winice5 i! @- a9 |( H( Z
    int     2Fh6 k# @: t1 ~3 m* {
    mov     ax, es          ; ES:DI -&gt; VxD API entry point4 V9 g' t& g2 a3 Y6 X
    add     ax, di
$ A0 o4 o' L+ b& C2 [; l0 i    test    ax,ax  v+ E. Y9 M8 @9 s7 ^
    jnz     SoftICE_Detected
7 r9 a$ D/ A8 o4 f9 n8 O
1 ]2 P2 z% I; m; [2 M___________________________________________________________________________
& Q4 L3 s, q# u( R* }. X' l: D" l( b
Method 04( l$ _/ s# A' N! W( R+ r3 M
=========/ b) }2 ~6 X+ a) T1 n
. }' E2 N0 r, }, s/ T
Method identical to the preceding one except that it seeks the ID of SoftICE
' ~; [' U" X/ d, C/ `# ^GFX VxD.
% i8 Z$ D, i8 }) f4 g( v7 N8 e* X; n: m$ d
    xor     di,di* S' O  p+ }+ i
    mov     es,di0 W. q: l5 E( k# t- Q
    mov     ax, 1684h      
$ r9 C( R% q6 [8 D* N2 v5 f( m, ?7 d    mov     bx, 7a5Fh       ; VxD ID of SIWVID' n( Q3 B' A) r0 b; T0 ^
    int     2fh
& G# Z2 A! f7 m0 T    mov     ax, es          ; ES:DI -&gt; VxD API entry point
# K- A9 Z* X% f$ h- X8 o: e" ?8 ~    add     ax, di
8 Z) J. N- ]9 Q* e4 }    test    ax,ax6 I( K4 X  K/ E. V
    jnz     SoftICE_Detected
' r3 a( E  K  Y
  }9 d% P* M$ I6 f5 P__________________________________________________________________________
" q! ^/ R; h& F7 m/ ^* u
  j$ W4 h# W( \4 L
* x5 j& x0 \/ U" GMethod 05
! c; f9 ^  g4 k: t=========5 F9 K: p0 A+ S# j

: {4 N5 V/ R  OMethod seeking the 'magic number' 0F386h returned (in ax) by all system9 Z4 y+ {, D. @" P* j, b8 ^
debugger. It calls the int 41h, function 4Fh.
) Y( I$ A) z0 z1 ^There are several alternatives.  
2 E/ T4 `2 B) u0 D( c3 N! l  Y
" `7 e2 d0 o  r! H+ O+ \; bThe following one is the simplest:# D$ i6 f* {8 Y. t( B5 D6 I) T  v
% L7 n1 l) |# B
    mov     ax,4fh
3 N- q1 r/ ?: ]) v, N# T    int     41h9 Y$ J" E* _9 U3 J
    cmp     ax, 0F386
4 }; ^. C. _" |' L% `) T+ G( \    jz      SoftICE_detected
. `1 m+ ]% i3 L1 V- c, o$ i! @/ ]
" S8 B6 f- b9 j4 n3 o1 V$ ^& l& R$ B- \8 Q& a) r1 H& c, n6 O
Next method as well as the following one are 2 examples from Stone's
. E  U/ z) B! a"stn-wid.zip" (www.cracking.net):
6 m) J9 y/ `  S3 W# C% B$ M5 p. t7 V) N2 g( A5 u2 Z+ y1 L+ Q! c( p& z, Y
    mov     bx, cs( Q" P" H8 G0 M1 m7 s, _
    lea     dx, int41handler2: Z' [  c! n6 G% F
    xchg    dx, es:[41h*4]! A* Q8 q2 D$ l8 w3 _! O
    xchg    bx, es:[41h*4+2]
) M7 c  n9 W' b/ Y: w. m1 q# Q    mov     ax,4fh
* h# ?' ~" U7 L7 K, o) k& W  a    int     41h
: K! y5 G; Z! s6 q' ]. ?    xchg    dx, es:[41h*4]) r2 M" l" e: B8 o8 y1 G7 b% ~5 W; h% y' M
    xchg    bx, es:[41h*4+2]
& K) {- ]6 w: U. o. f8 L    cmp     ax, 0f386h7 O- t' g% I& Z% Q4 f  I
    jz      SoftICE_detected
# l4 l% ?9 x- _4 l& j/ I1 {5 H4 o2 s" ?( b$ x$ {, e: _5 k
int41handler2 PROC; `$ z# d8 Z  i, v
    iret
4 p" g9 [* J" Y% X# F9 ]int41handler2 ENDP- G5 X  d% d7 ^2 p8 l7 j9 W
! I6 I( @" _9 Q' L' v
/ m: u1 C- {1 Y* y
_________________________________________________________________________# A1 E) n( O4 w" }9 x

+ A/ T; y7 y8 r" ?0 M9 U7 S# J1 \) E+ {- R) C% c
Method 061 I$ J  }" x- q2 j3 x. z6 k
=========
' t4 G3 u/ @' V; @* M. {, P% w+ t6 [# v

2 K, K- J' h  }$ m, t& ]& A2nd method similar to the preceding one but more difficult to detect:
4 W- |  \2 j! j- V3 W3 P$ @1 v* l$ h- m
$ r8 A" o4 s' d; m
int41handler PROC
( R  n0 e  n( j2 {    mov     cl,al
. T3 n. C2 U7 _- i' w9 k% T) T    iret  R! m4 ~) z' h! }' R/ P# X. e6 h
int41handler ENDP7 L$ }; j  Q2 x6 K9 M5 e
' q  n+ w$ n, Z5 m2 j2 X) g

& V$ w. g% D' Y* Y; K0 ]0 l9 e3 S    xor     ax,ax
  o  O9 y3 T  a9 D    mov     es,ax! e: S3 N! v! k( e5 Z4 b( _
    mov     bx, cs
( e$ x" ^1 ]! H3 d5 t    lea     dx, int41handler
  T0 _& D( y3 G( T; @$ m1 y; w6 i    xchg    dx, es:[41h*4]
3 K) B+ y) K: j  H6 I. @4 b    xchg    bx, es:[41h*4+2]
  W4 h  `6 w: \) I5 }. {+ c3 N    in      al, 40h4 X$ H! o9 |  V7 k: c! [+ K# Q/ r
    xor     cx,cx
, o6 g5 K' C7 D. B, D8 m: g    int     41h
/ ]; o6 N# u  K5 u- q- M9 `    xchg    dx, es:[41h*4]
& v8 y; f3 `6 ~/ r# h% _% o$ f% I    xchg    bx, es:[41h*4+2]
/ X  b- b) z- T3 ^/ U    cmp     cl,al# Q2 M0 G# s- S4 W5 V
    jnz     SoftICE_detected  K1 _1 b/ k9 m6 Z& M7 G5 \* b

) M$ H) |& P  __________________________________________________________________________7 V* b- S; p* d$ D  F# M
7 G! M, n; `9 X  m" n/ I, A+ r
Method 07! v0 M8 e; ^5 ~* Z5 t. |$ |
=========5 F' ?: Q& {+ f, p+ Y) A; C3 \0 d
- z5 x& k* _* D1 F% H
Method of detection of the WinICE handler in the int68h (V86), ~" T5 r  p* J/ b" V

; h9 }( c+ A1 M3 F8 M1 ]    mov     ah,43h
4 k8 U* n5 T0 ]- |* t' L    int     68h% }- v7 C/ M) R/ [
    cmp     ax,0F386h  D% d: u& c2 D% W1 y4 F
    jz      SoftICE_Detected
6 G* X) U" h& g$ L3 C6 \# Y' {  C: j! T* w1 W% U% j; Q0 J

( [4 R8 m9 l8 |. S1 Z  ]" f=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit% e9 I- B# }% |# B: g' k
   app like this:
( Z0 J& R: A- `7 n0 f2 q
& c! y' v1 [' N   BPX exec_int if ax==68; `5 N; _/ M* N: t. a8 p
   (function called is located at byte ptr [ebp+1Dh] and client eip is
- J0 `! k# b0 g6 t. k  V" g- u   located at [ebp+48h] for 32Bit apps); W; I5 e. E+ R. W6 U
__________________________________________________________________________: V2 x1 f3 M. I1 k0 z
: f9 W7 M- V( h& K1 a4 b

/ I3 z; K: E$ `$ \! ~( ]# h, Q' dMethod 08' J+ H9 A& |% U
=========
# g+ }/ ~  m$ W1 d4 o0 F/ T: V
6 t- p7 f- X# nIt is not a method of detection of SoftICE but a possibility to crash the6 u9 J% P  Z' P* o, E
system by intercepting int 01h and int 03h and redirecting them to another0 L8 M5 h5 D6 H- T# e1 H% [6 v4 d. _
routine.' {) M" |, M! @& C# F4 w; H; z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
' l6 ~9 e4 s6 \3 o) Y2 [/ nto the new routine to execute (hangs computer...)
+ R' y# y; v, J
/ M( t& }( X. Y4 I( m    mov     ah, 25h
9 Y* e1 J+ i  F6 J$ ]    mov     al, Int_Number (01h or 03h)3 q+ k  x7 D6 w
    mov     dx, offset New_Int_Routine
; M+ C9 _: T1 @# [    int     21h
9 w  j0 `! e1 W8 `
1 t1 K; P/ p: M5 i  X__________________________________________________________________________
) B; E" W! h; ]6 A# O- K( r) T) n
% {* T8 D* W. W& K, B4 I7 ^7 tMethod 09
, T8 e0 i! M5 P8 Z6 T=========  ?$ Z+ K$ H( K" l8 h

# W+ I0 S1 ?2 X* p8 v8 dThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
, [! m2 W+ ?9 z! u, yperformed in ring0 (VxD or a ring3 app using the VxdCall).
  P- R% @' w$ _The Get_DDB service is used to determine whether or not a VxD is installed- D6 p- Q) b5 L4 ^( f
for the specified device and returns a Device Description Block (in ecx) for
7 b/ L! N5 @/ G/ X1 |7 ithat device if it is installed.
+ m9 M2 C+ C! _$ R9 W: K8 b+ U0 p
3 L0 X+ ?4 ]: B   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID4 u, B5 P" Z0 T9 M
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
8 H( Z; r$ u  F( s5 e  R   VMMCall Get_DDB
( v: M+ _! \" n0 g2 d+ _! {% p( ]   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed3 C) W% E, }" [. r- A: p8 `
) P, r6 g4 L7 P; U, a
Note as well that you can easily detect this method with SoftICE:
3 w# P- W/ q" l) b# S* T# _' ^- l   bpx Get_DDB if ax==0202 || ax==7a5fh
5 m+ h3 m( l% r0 F( z
" `9 h' q3 a6 H' u__________________________________________________________________________
% k& t4 J2 G8 R& _6 |- @3 V9 R2 l" m  I" f9 E: [0 i
Method 10- B. A! O: K6 k4 c
=========" G& L0 W* [& I- K/ ?# {5 x4 T
' r7 X+ ^& W% n
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
0 ]; }9 f7 J5 G( I4 T  SoftICE while the option is enable!!
; S1 {( E- B( ]+ U* ]) O& Y2 W$ [' Z# g8 ~% a; I0 j
This trick is very efficient:7 w' n0 ]  G; i+ @1 A( M
by checking the Debug Registers, you can detect if SoftICE is loaded5 d( L6 H6 v5 z. T
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if8 g' \0 u) r* i! C7 t4 F* f) S
there are some memory breakpoints set (dr0 to dr3) simply by reading their
  F1 Q# N" \8 I: j6 O% b: evalue (in ring0 only). Values can be manipulated and or changed as well: T4 V& \2 s8 @, P# Y( q0 w
(clearing BPMs for instance)
; S9 A/ l# l; M: p
1 f" W' ?6 i0 O$ e* `8 U7 y__________________________________________________________________________8 ^4 }8 Y0 `/ h' d: y

2 f2 L- F& Y1 l6 C+ j" h1 _" cMethod 11+ K8 j8 f- |( T6 E, A& I' @& L
=========
4 D3 T, g) {/ X& K: C4 j
3 x) S# S; Q& d0 E4 H# AThis method is most known as 'MeltICE' because it has been freely distributed0 [: |% _  @! C
via www.winfiles.com. However it was first used by NuMega people to allow
, Q& f2 ?! U  Q1 B4 H; A" G0 z4 vSymbol Loader to check if SoftICE was active or not (the code is located- M! |+ T4 e  ~+ A6 q
inside nmtrans.dll).
1 r; S, E) T; u! ^. D& B: u6 a) j- h1 w8 J3 }9 y, l4 L; t
The way it works is very simple:, S" x/ u( S2 X: l' r
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: J# C: Z9 x+ R1 r/ _( H. p3 J
WinNT) with the CreateFileA API.
" B, \: K' ~% F, w6 B3 V0 Z0 }2 U! d3 x
Here is a sample (checking for 'SICE'):
* V/ c5 P% h3 @7 Q7 X
) B1 f* e( S2 D% B% I  W: Z1 G: `BOOL IsSoftIce95Loaded()
# B. P4 V: D5 g$ {, v8 h4 y0 t{: M" F; C' R4 U1 P- l) \& @& t
   HANDLE hFile;  ! Z; x5 _. ?) O4 O' I8 `
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; ^8 C" ?9 ]/ y  P  j1 m) f; Y, R6 g
                      FILE_SHARE_READ | FILE_SHARE_WRITE,& Q' N8 i9 ^9 ?% G0 o
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 e1 l: S* D) J   if( hFile != INVALID_HANDLE_VALUE )
$ `2 y5 Z- b6 L' X2 O   {
- n- T6 }/ Y9 M& I% x      CloseHandle(hFile);
) Z8 w0 e) l+ O* @9 e6 o      return TRUE;% P7 G; C$ H3 }7 B9 _1 T. N$ J7 C
   }6 B* z6 w  ]% m  J
   return FALSE;& N' K* V8 E$ g# A5 B% e
}
! N( h/ t& D) W8 V% M. V4 b2 V7 Y' C$ M- e
Although this trick calls the CreateFileA function, don't even expect to be! j( _# Q" A8 z9 `& u/ u
able to intercept it by installing a IFS hook: it will not work, no way!
% }* v, Q0 P+ D% {: {In fact, after the call to CreateFileA it will get through VWIN32 0x001F
+ ]* o' c- Z5 Bservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
, u6 Y! ]6 c" g$ l8 c1 dand then browse the DDB list until it find the VxD and its DDB_Control_Proc
# E/ N% p! {+ |# ]9 U: sfield.8 Y& {$ O  s# h6 q/ k% j' L
In fact, its purpose is not to load/unload VxDs but only to send a 3 G# _) j8 K: s2 B% }. U* @
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
+ a$ F7 u, D# }! Kto the VxD Control_Dispatch proc (how the hell a shareware soft could try
1 P0 z, p3 g/ ~0 P2 J% A4 p  vto load/unload a non-dynamically loadable driver such as SoftICE ;-).
( H) u( {' b1 z; UIf the VxD is loaded, it will always clear eax and the Carry flag to allow* S$ \9 j" f2 K* n, a' s
its handle to be opened and then, will be detected.1 D+ |1 {/ F. }" v: ]. N, y! _
You can check that simply by hooking Winice.exe control proc entry point( P' h: ^4 w) x  a
while running MeltICE.
9 A( }0 c- H3 x" m; c* k
; Y! u4 [) D" m) h! w6 u, E
, K# g. l: }8 v4 C( H! |3 P  00401067:  push      00402025    ; \\.\SICE
1 M5 Y6 o2 E7 M! i9 P! b4 b! i  0040106C:  call      CreateFileA; i( @* _, j* ~/ `: |
  00401071:  cmp       eax,-0011 A2 }. N# H' z  Z( ^
  00401074:  je        00401091! F  m: }) G2 O  f5 w
7 b* }/ e/ H6 m) F8 q
, B' R* H0 q* ?
There could be hundreds of BPX you could use to detect this trick.
+ U3 P, Q) s, B7 B6 b) h9 G-The most classical one is:$ }  T( d3 ]0 L
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
$ x% E2 ^; r! @7 v/ R- D: e, i    *(esp-&gt;4+4)=='NTIC'! _- a% L; _( P8 M' I* x
4 l6 ~0 y- t; u+ v  Y$ Y
-The most exotic ones (could be very slooooow :-(& w, t- i/ K2 ?, D! e- \- j2 J
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  # V/ q  x4 G& D; ?8 m; r2 w
     ;will break 3 times :-(
3 W+ f& B5 ]9 R" e5 l  K
# _8 |+ A& A2 D+ t, ?-or (a bit) faster: 5 ^; v- k3 `6 [. V  y$ k, v
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')  A& B: j! b5 v- B/ {6 y

! F! V4 ~" z: [/ [5 ~% `' b; W   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
" w8 b5 F- Z; N4 H$ N+ M6 V     ;will break 3 times :-(& D( t: }, J1 ~# q' V! z

9 C5 J' t5 L( e5 u-Much faster:: _1 I7 g8 [  }" I) |5 p
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
: x3 t# f( e) M8 m: h% w' y4 _; }8 i* j1 \
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen4 m0 s3 x$ U$ b' D3 L1 i5 |0 n
function to do the same job:- B3 a" U: J( k* l. A
' h9 b4 h; U- \+ ]. Q5 r8 P
   push    00                        ; OF_READ+ _$ c, o0 @! u- {  j1 s5 t4 p
   mov     eax,[00656634]            ; '\\.\SICE',0
) w- a' C3 H  g$ h5 ^+ U5 Y   push    eax: ^9 u+ m3 u4 L
   call    KERNEL32!_lopen
5 |/ D0 t( V: {$ r8 V5 O" ~   inc     eax' D4 Y% W* w" X
   jnz     00650589                  ; detected+ e2 S* I& t7 D2 K) n
   push    00                        ; OF_READ& J) v0 B7 v! Z5 G% {9 `& r, B8 S
   mov     eax,[00656638]            ; '\\.\SICE'+ q* R  J& [' M! A6 t/ B
   push    eax1 s, y7 N: I" T- v( _
   call    KERNEL32!_lopen& i, o+ R! Z/ k( ]  I$ G
   inc     eax
. ~6 i0 M! @$ z  \  c   jz      006505ae                  ; not detected. d: y, i! R1 m6 ], g

+ l. F" ^  b( f/ O% c9 V
/ t# a7 s. h( n# L__________________________________________________________________________
' \, V# W5 G# Y* g: |% h
2 C. ^5 H7 H3 i) A5 a7 ~Method 124 ?  L5 F/ w( Q5 a* h! W6 h4 b
=========- ?/ [2 w! f- {! b0 A  v' ?

; X( I5 o9 z0 ~3 b0 l0 r9 N0 ?8 GThis trick is similar to int41h/4fh Debugger installation check (code 05
9 V) P$ i/ ?- P$ a/ y) h# A( h&amp; 06) but very limited because it's only available for Win95/98 (not NT)
  w0 L# L8 L5 I# u/ t8 yas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# ?4 ^# G5 d' B5 F0 r& U
. u! W8 n; o& I" ~) ?   push  0000004fh         ; function 4fh) Y$ Z4 }+ @, ~8 A2 _# J
   push  002a002ah         ; high word specifies which VxD (VWIN32)
6 m* O" l, F1 d9 E1 b  D6 r+ x# F/ f                           ; low word specifies which service2 N3 [' C5 ^3 H
                             (VWIN32_Int41Dispatch)" I. X, I9 {% P0 K/ A- G2 `
   call  Kernel32!ORD_001  ; VxdCall) [5 e4 Z: |. p
   cmp   ax, 0f386h        ; magic number returned by system debuggers4 G% Z) t( u+ K! B4 U( X. w
   jz    SoftICE_detected/ `1 t; }6 x/ ]' ]0 {% ^
, l% s8 t5 n5 ^" j
Here again, several ways to detect it:+ a6 b9 m; E5 n% f4 g( O. w7 U% M& s
7 l# ^2 S6 L& U$ L
    BPINT 41 if ax==4f# }3 w! E- d& Z  |2 ?2 a+ a

+ m6 ]4 x% B9 `! j2 B' Y  G    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
/ J6 r+ L' W3 y& {5 _
# D2 e: ?' I; M. O% v1 z7 a    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A+ G! c  {& Y* I( }+ }
3 j2 N0 [& G: f: T+ y
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!" W4 i( e  d2 @9 d- z

2 }. T! B9 R* ~  M; U% l__________________________________________________________________________+ v) C5 U' g7 D- \1 H' d+ U4 C

2 R1 Y4 s6 P  D  A  I  @: R. YMethod 132 x0 }7 O. q& z0 J6 ?
=========8 F: I8 n. t# ]: t( y2 x+ X. c

* _" A+ d$ Q: a2 D8 t/ x. jNot a real method of detection, but a good way to know if SoftICE is/ H, A. J; q4 G9 U8 i
installed on a computer and to locate its installation directory.
5 _3 q. ]7 H9 I" xIt is used by few softs which access the following registry keys (usually #2) :
* Z( O2 ^9 j/ c3 @# w1 `  ?7 a" G7 t
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 O6 k( P0 h/ p5 R& j2 |/ n
\Uninstall\SoftICE
1 S0 H/ V( S: c- }-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE; B! O( e# Y& S0 ?
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion( e8 ^) t, D- ?
\App Paths\Loader32.Exe
$ w  m, k! O1 Y2 b, X; e, T) A5 i% N" \' J, |
( [1 p. w0 E5 w/ ]. |4 n& H
Note that some nasty apps could then erase all files from SoftICE directory
3 M0 |( b! n- K& {% P! p7 J(I faced that once :-(. Z9 q4 t* b9 [$ N
7 d$ a+ Q* o0 D6 k5 O7 D
Useful breakpoint to detect it:" q6 N6 f' K# |  [& ?
% Z& s9 p: C) |! k/ X  K! D- b% b
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'+ q6 S  l( j) d2 y) ]* {1 K( ^
' n( y' y" N* [0 z0 D$ z
__________________________________________________________________________& M9 U" ?/ [+ j8 {' p% f. m
& P+ v1 k2 J" y+ Y: H, K' j% P

' _( p5 j; @+ r6 P" t  M0 Q/ rMethod 14
9 y. ~: G; E* E! R' Z9 U=========
5 k; {  ~. f# }5 x2 C4 o1 j
+ t" d) ~4 q% ?- I3 P2 J* `. E4 \A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose3 r7 l4 U; U# B
is to determines whether a debugger is running on your system (ring0 only).) D7 O6 E1 T3 S; ]0 M# k" Z# Q

0 S4 j$ V/ c1 U# I7 k; r  w   VMMCall Test_Debug_Installed2 t3 f# D- y: `
   je      not_installed
' K8 Y+ ^: Z% |/ w" J/ T  Q% x5 C
9 ]+ k# c2 f- S0 @4 _This service just checks a flag.- `0 M' L& G* h1 D/ @& P- F
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-9 05:03

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表