About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(The handler copies AL into CL; if a debugger owns int 41h and does not chain
to our handler, CL stays 0 and differs from the timer byte read into AL.)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
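As an added example (not part of the original text), a small Python triage scanner that looks for the byte-level signatures of several of the methods above in a raw binary, the way an analyst would flag anti-debugging code in a sample before stepping through it. The opcode encodings are the standard x86 encodings of the page's snippets, and the sample blob is constructed here, not taken from any real program.

```python
import re

# Indicator table for the methods above: (method, description, byte regex).
# Opcode bytes are the standard x86 encodings of the page's snippets; 16-bit
# forms for Methods 01-05, 32-bit forms for Methods 11-13.
INDICATORS = [
    # Method 01: mov ebp,4243484Bh ('BCHK'), then int 3 within 16 bytes
    ("01", "BoundsChecker 'BCHK' signature via int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\xcc", re.DOTALL)),
    # Method 02: back-door magic values mov si,4647h / mov di,4A4Dh
    ("02", "SoftICE back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a", re.DOTALL)),
    # Methods 03/04: mov bx,0202h (SICE) or 7A5Fh (SIWVID), then int 2Fh
    ("03/04", "int 2Fh/1684h entry-point query for SICE/SIWVID VxD",
     re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h, then cmp ax,0F386h
    ("05", "int 41h function 4Fh debugger check (0F386h)",
     re.compile(rb"\xb8\x4f\x00\xcd\x41.{0,8}?\x3d\x86\xf3", re.DOTALL)),
    # Method 11 (MeltICE): driver device names handed to CreateFileA/_lopen
    ("11", "MeltICE driver handle probe (\\\\.\\SICE etc.)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah before VxDCall (VWIN32_Int41Dispatch)
    ("12", "VxDCall 002A002Ah (VWIN32_Int41Dispatch) with function 4Fh",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")),
    # Method 13: registry key of the SoftICE installation
    ("13", "SoftICE registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return (offset, method, description) hits in blob, sorted by offset."""
    hits = []
    for method, desc, pat in INDICATORS:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> set:
    """Set of method numbers whose indicators appear in blob."""
    return {method for _, method, _ in scan(blob)}


# Constructed sample (not a real program): the page's snippets hand-assembled
# and padded with NOPs, followed by the MeltICE device name and registry key.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"  # mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x90" * 3
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"              # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"          # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"          # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"              # push 4Fh / push 002A002Ah
    + b"\\\\.\\SICE\x00"                           # "\\.\SICE" device name
    + b"Software\\NuMega\\SoftICE\x00"             # registry key string
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  Method {method:<5} {desc}")
```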