About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used
by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises on int 3:
with EBP = 'BCHK' and AX = 4, SoftICE handles the interrupt itself and
changes AL, so AL is only still 4 when no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE requires before it honours a back door
call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It asks for the API entry point of the SoftICE VxD via
int 2Fh, AX=1684h (Get Device API Entry Point) with BX = VxD ID.  When the
VxD is not loaded, ES:DI comes back as 0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it asks for the ID of the
SoftICE graphics VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by system
debuggers to the int 41h debugger installation check, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Before issuing the int 41h, the real-mode
vector is swapped for a dummy IRET handler, so that without a debugger the
call returns with AX unchanged; only a debugger that intercepts int 41h
before the vector is consulted can still answer 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must already be 0 (IVT), see next method
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
neither 4Fh nor 0F386h appears anywhere.  AL is filled with an unpredictable
byte from the timer port, CX is cleared, and int 41h is raised with the
dummy handler installed.  If nobody intercepts the interrupt, the handler
runs and copies AL into CL; if SoftICE swallows it, CL stays 0 and the
final compare fails.  (A timer byte of 0 gives a false negative.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (the V86-mode debugger
interface):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before running code that uses this
   trick.  DO NOT trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (in ring 0 only).  Bit 10 of DR7 is reserved and
always reads as 1, which is why an untouched DR7 is 0x400; 0x700 adds the
LE and GE exact-breakpoint bits (8 and 9).  Values can be manipulated and/or
changed as well (clearing BPMs for instance).

__________________________________________________________________________

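Added example (not from the original text): a decoder for the DR7 bit layout this trick reads, so the two values quoted above can be checked against the register format instead of being memorised. The field positions are those Intel documents for DR7; the `dr7_matches_softice_loader` test encodes the page's 0x700-versus-0x400 observation, which is an assumption about that loader and not a CPU property.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One of the four DR7 breakpoint slots (DR0..DR3 hold the addresses). */
typedef struct {
    bool     local;   /* Ln: enabled for the current task */
    bool     global;  /* Gn: enabled for all tasks */
    unsigned rw;      /* R/Wn: 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    unsigned len;     /* LENn: 0 = 1 byte, 1 = 2, 3 = 4, 2 = 8 (x86-64 only) */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    bool le, ge;      /* bits 8-9: local/global exact breakpoint enable */
    bool gd;          /* bit 13: general detect, traps MOV to/from DRn */
} dr7_info;

/* Field layout as documented for DR7. Bit 10 is reserved and always reads
 * as 1, which is why an untouched DR7 reads 0x400 and the 0x700 the page
 * reports is 0x400 plus LE and GE. */
void dr7_decode(uint32_t dr7, dr7_info *out)
{
    for (unsigned i = 0; i < 4; i++) {
        out->slot[i].local  = (dr7 >> (2 * i))      & 1;
        out->slot[i].global = (dr7 >> (2 * i + 1))  & 1;
        out->slot[i].rw     = (dr7 >> (16 + 4 * i)) & 3;
        out->slot[i].len    = (dr7 >> (18 + 4 * i)) & 3;
    }
    out->le = (dr7 >> 8) & 1;
    out->ge = (dr7 >> 9) & 1;
    out->gd = (dr7 >> 13) & 1;
}

/* Number of slots that are armed (L or G set): what a ring-0 check reads
 * as "memory breakpoints are set". */
unsigned dr7_armed_slots(uint32_t dr7)
{
    unsigned n = 0;
    for (unsigned i = 0; i < 4; i++)
        if ((dr7 >> (2 * i)) & 3) n++;
    return n;
}

/* The page's heuristic: 0x700 from the SoftICE loader, 0x400 otherwise.
 * The only difference is LE|GE, so that is what is tested (assumption
 * about the loader taken from the page, not a CPU property). */
bool dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Bytes covered by a LEN encoding. */
unsigned dr7_len_bytes(unsigned len)
{
    switch (len) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* LEN=2: 8 bytes on x86-64, undefined on 32-bit */
    }
}

int main(void)
{
    /* Constructed values: the two from the page, and a DR7 with slot 0
     * armed as a local 4-byte read/write breakpoint (like a BPM ... RW). */
    uint32_t samples[] = { 0x400, 0x700, 0x400 | 1u | (3u << 16) | (3u << 18) };
    for (size_t k = 0; k < 3; k++) {
        dr7_info d;
        dr7_decode(samples[k], &d);
        printf("DR7=%#010x LE=%d GE=%d GD=%d armed=%u loader=%d\n",
               samples[k], d.le, d.ge, d.gd, dr7_armed_slots(samples[k]),
               dr7_matches_softice_loader(samples[k]));
        for (unsigned i = 0; i < 4; i++)
            if (d.slot[i].local || d.slot[i].global)
                printf("  slot %u: %s rw=%u len=%u bytes\n", i,
                       d.slot[i].global ? "global" : "local",
                       d.slot[i].rw, dr7_len_bytes(d.slot[i].len));
    }
    return 0;
}
```

A protector running in ring 0 would feed the real `mov eax, dr7` result into `dr7_decode`; the armed-slot count is the "BPM set" signal, and clearing those bits (plus DR0-DR3) is the "clearing BPMs" the text mentions.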
Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the VxD by its device name only succeeds if it is loaded */
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA, the request goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the dword 4 bytes into it is the
  name that follows the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (HFILE_ERROR) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it goes through the VxDCall back door. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
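As an added example (not code from the original post or from any real tool), here is a small signature scanner in C for static triage of a DOS/Win9x binary, the file-side counterpart of the BPX conditions above. It covers the instruction sequences of Methods 01 to 07 together with the device names of Method 11 and the VxDCall push of Method 12. The hex strings are the 16-bit x86 encodings of the listings on this page (Method 01's `mov ebp` is matched without the 66h operand-size prefix it carries in 16-bit code, so it also hits 32-bit code); the `??` wildcard syntax is borrowed from YARA hex strings; the sample buffer is constructed here, with the Haspinst.exe loop hand-assembled from the Method 02 listing.

```c
#include <stdio.h>
#include <stddef.h>

/* A signature: a name plus a YARA-style hex string, where "??" matches
 * any one byte. The patterns are the 16-bit x86 encodings of the
 * listings on this page (written for this example). */
typedef struct { const char *name; const char *hex; } sig_t;

static const sig_t SIGS[] = {
    { "M01 mov ebp,'BCHK'",                       "BD 4B 48 43 42" },
    { "M02 mov si,4647h / mov di,4A4Dh",           "BE 47 46 BF 4D 4A" },
    { "M02 back door call, Haspinst layout",       "B8 ?? 09 ?? ?? BE 47 46 BF 4D 4A CC" },
    { "M03 int 2Fh/1684h, VxD 0202h (SICE)",       "B8 84 16 BB 02 02 CD 2F" },
    { "M04 int 2Fh/1684h, VxD 7A5Fh (SIWVID)",     "B8 84 16 BB 5F 7A CD 2F" },
    { "M05 int 41h/4Fh then cmp ax,0F386h",        "B8 4F 00 CD 41 3D 86 F3" },
    { "M07 mov ah,43h / int 68h",                  "B4 43 CD 68" },
    { "M11 device name \\\\.\\SICE",               "5C 5C 2E 5C 53 49 43 45" },
    { "M11 device name \\\\.\\SIWVID",             "5C 5C 2E 5C 53 49 57 56 49 44" },
    { "M11 device name \\\\.\\NTICE",              "5C 5C 2E 5C 4E 54 49 43 45" },
    { "M12 push 002A002Ah (VWIN32_Int41Dispatch)", "68 2A 00 2A 00" },
};
#define NSIGS  (sizeof SIGS / sizeof SIGS[0])
#define MAXPAT 32

/* Parses "4B 48 ?? CC" into bytes (0..255) and -1 for wildcards.
 * Returns the pattern length, or 0 if the string is malformed/too long. */
static size_t parse_hex(const char *s, int *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        if (*s == ' ') { s++; continue; }
        if (n == cap) return 0;
        if (s[0] == '?' && s[1] == '?') { out[n++] = -1; s += 2; continue; }
        unsigned v;
        if (!s[1] || sscanf(s, "%2x", &v) != 1) return 0;
        out[n++] = (int)v;
        s += 2;
    }
    return n;
}

/* First offset in buf where sig matches, or -1 if it is absent
 * (or the pattern is malformed). */
long find_sig(const unsigned char *buf, size_t n, const sig_t *sig)
{
    int pat[MAXPAT];
    size_t plen = parse_hex(sig->hex, pat, MAXPAT);
    if (plen == 0 || plen > n) return -1;
    for (size_t off = 0; off + plen <= n; off++) {
        size_t i = 0;
        while (i < plen && (pat[i] < 0 || buf[off + i] == pat[i])) i++;
        if (i == plen) return (long)off;
    }
    return -1;
}

/* Bit k of the result is set when SIGS[k] occurs somewhere in buf. */
unsigned scan_softice_checks(const unsigned char *buf, size_t n)
{
    unsigned hits = 0;
    for (size_t k = 0; k < NSIGS; k++)
        if (find_sig(buf, n, &SIGS[k]) >= 0) hits |= 1u << k;
    return hits;
}

/* Constructed sample, not a real file: the Haspinst.exe loop from the
 * Method 02 listing hand-assembled to 16-bit code, then a plain
 * int 41h/4Fh check and a MeltICE-style device name. */
static const unsigned char SAMPLE[] = {
    0xB8,0x11,0x09,            /* 0095: mov ax,0911h   */
    0x8B,0x17,                 /* 0098: mov dx,[bx]    */
    0xBE,0x47,0x46,            /* 009A: mov si,4647h   */
    0xBF,0x4D,0x4A,            /* 009D: mov di,4A4Dh   */
    0xCC,                      /* 00A0: int 3          */
    0x83,0xC3,0x02,            /* 00A1: add bx,2       */
    0x41,                      /* 00A4: inc cx         */
    0x83,0xF9,0x06,            /* 00A5: cmp cx,6       */
    0x72,0xEB,                 /* 00A8: jb  0095       */
    0xE9,0x55,0xFF,            /* 00AA: jmp 0002       */
    0x8B,0xDC,                 /* 00AD: mov bx,sp      */
    0x90,0x90,                 /* padding              */
    0xB8,0x4F,0x00, 0xCD,0x41, /* mov ax,4Fh / int 41h */
    0x3D,0x86,0xF3, 0x74,0x00, /* cmp ax,0F386h / jz   */
    '\\','\\','.','\\','S','I','C','E',0,
};

int main(void)
{
    unsigned hits = scan_softice_checks(SAMPLE, sizeof SAMPLE);
    for (size_t k = 0; k < NSIGS; k++)
        if (hits & (1u << k))
            printf("%-44s at offset %ld\n", SIGS[k].name,
                   find_sig(SAMPLE, sizeof SAMPLE, &SIGS[k]));
    return hits ? 0 : 1;
}
```

The patterns are deliberately the exact layouts quoted on this page: a packer that loads DI before SI, or that interleaves the vector swaps of Stone's Method 05 variant between the int 41h and the cmp, needs its own entry. Running the scanner over a real file means reading it into a buffer and calling `scan_softice_checks` on it in place of `SAMPLE`.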

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).  The service sets ZF when no debugger is installed.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 (Discuz! forum)
