找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
/ T4 T& {# q9 }<TBODY>
; L$ s0 `* ~3 Z/ r7 S<TR>
5 d3 Z- o" h' Y<TD><PRE>Method 01 0 V, n0 I( {( s4 Z6 v, N
=========1 B+ p0 d3 B; \  ^+ `* ~7 }1 U
9 m5 j/ w; {- I! ?! f$ T
This method of detection of SoftICE (as well as the following one) is
# ~) d+ e: H; @5 f1 R1 `used by the majority of packers/encryptors found on Internet.; \  G3 Y% r# D! u4 F' l
It seeks the signature of BoundsChecker in SoftICE
# _" V) N5 ^5 Q. J- O. ]; B
9 ^% ?$ \5 E6 O& e    mov     ebp, 04243484Bh        ; 'BCHK'- {: P# n$ P+ ^+ }
    mov     ax, 04h5 Y9 T2 V7 [/ p  ~& [* _
    int     3      
7 w4 @* x& a- \1 h( ^& _" Y    cmp     al,4" f! \- ~) z3 l
    jnz     SoftICE_Detected' ~# m: w, {; B( ]5 e' L1 D
) c! h4 |* z! l/ b% J% @
___________________________________________________________________________
+ d* H0 j! k+ s8 Y6 ~. c* \" q7 a" {: V4 `: {$ i
Method 02
0 M' s: P6 o: x% A=========! F$ V' x% f  ^% Y$ h7 t
- L1 t4 m+ z: n) q3 t
Still a method very much used (perhaps the most frequent one).  It is used
7 [2 ?, n: Y: [7 C/ B6 U4 B& u# Lto get SoftICE 'Back Door commands' which gives infos on Breakpoints,0 h  R/ [4 |/ A$ P- g
or execute SoftICE commands...
/ Y& n; y6 l2 oIt is also used to crash SoftICE and to force it to execute any commands
  o: T3 z$ `6 O2 ?1 A; z(HBOOT...) :-((  & g* K; c* N* h9 j: p- ?* J$ X6 M

! S1 I9 @9 x' S& z+ p# y. W& RHere is a quick description:* ~. V& b0 k% R
-AX = 0910h   (Display string in SIce windows)
  p8 F* X- j5 I- w0 i2 N% @! i-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
$ h1 R& u- {2 {-AX = 0912h   (Get breakpoint infos)6 B& _5 n  y% D5 n1 V1 l; y
-AX = 0913h   (Set Sice breakpoints)
5 \- n, z! A# g-AX = 0914h   (Remove SIce breakoints), k" o/ m& O. y2 P- _, f
, |- G* }: p: L' \+ I5 Q! d' U
Each time you'll meet this trick, you'll see:
7 g  X3 Y" Z, S-SI = 4647h5 u, m$ i$ @/ c* w* {
-DI = 4A4Dh
- B6 h. P0 r8 g% XWhich are the 'magic values' used by SoftIce.
& `, g. b3 r8 ?  e" WFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.) ?3 E5 f4 Y& O9 K; P2 A2 v( ^4 O

, ^& Q) v' e: O) X; C- M7 H0 eHere is one example from the file "Haspinst.exe" which is the dongle HASP+ A8 o% H; C9 r/ _  z4 O
Envelope utility use to protect DOS applications:
. c" D! e) u0 u  \& e9 r3 }- P7 Z+ ?; A! C0 i* \) C
, g& E  c3 l& i
4C19:0095   MOV    AX,0911  ; execute command.. B: n3 L( Z" s" l) z
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).8 f1 S0 V0 g4 V
4C19:009A   MOV    SI,4647  ; 1st magic value.4 O: P3 Y! `6 a+ z, V  Q( |
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
, L" I% h* d  T5 ^; b( c- q; m+ [4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)) q; u& G4 a9 X5 b& t& |, }
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute& k& d7 s/ J  E# y9 g0 }6 \0 R! @# i: z
4C19:00A4   INC    CX# @6 R  W# ]3 |. v: J" R
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
' d+ }- p2 V9 b* `1 Z8 k4C19:00A8   JB     0095     ; 6 different commands.5 t) m6 i2 b! R) @
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
. [: q1 ~8 c. K) e, r' `4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
( l" t/ @6 [8 d% ~( A8 \7 V- E. z' F+ A' y8 j+ U+ H2 ~
The program will execute 6 different SIce commands located at ds:dx, which$ O% j- M  I+ ]
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
( O- ~! f" K# ]" o# e: X' V" \- l/ r/ _  l7 \6 M; v# j, A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
  y! l# a! U. l2 {& j___________________________________________________________________________. V# n+ u/ v6 f! i2 F4 i0 ^: x

' n$ [! a0 ]6 r9 Q4 F) V, j$ I  z6 H. x
Method 03
  }- S% ?: u2 D% l- [* f=========; Y) D1 N% Z  g0 \9 [3 i4 |/ `
& F) @; o/ Q; F5 R" ^( [
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h4 S% {4 \8 w  P( w$ [
(API Get entry point)" P5 U4 ]5 u8 I9 n' @
        
6 ]& ~- ]( D$ R$ H2 U4 _/ v
6 z" N* R1 L, k; V; V    xor     di,di
% g# y- w7 A2 Z+ v; n# h- H7 }; j    mov     es,di
! ]7 O/ q, s! s. ]0 p    mov     ax, 1684h      
8 ?. X4 t1 X1 T# ?, c8 }    mov     bx, 0202h       ; VxD ID of winice) I0 b0 n$ Y7 C6 ]* T
    int     2Fh8 @2 w$ x+ q( J- ?& [. g9 f
    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ y1 _2 z/ a" R! ?" V5 g5 a
    add     ax, di, |3 D' d- H! T" w3 Z% G5 _$ G
    test    ax,ax3 G" c+ _: t2 Q6 A9 R0 `
    jnz     SoftICE_Detected& U+ g1 ]& ^1 P5 X+ }# Z! Q5 Q' e
, A% c$ T9 u* T
___________________________________________________________________________
; K2 F" y; P& g
( V1 l1 g5 H/ Z) ~5 WMethod 04
# h* B9 X% m, R+ \1 Y( c- E& F% ]+ V=========
4 {  X' U( m& s0 P. Y- @# q
5 e) c9 y2 H) V) w! d0 o9 VMethod identical to the preceding one except that it seeks the ID of SoftICE4 h# c$ A6 X# Y& J& J( o' v# ~
GFX VxD.5 K! R2 S: f& P9 |1 q$ v

) P' f" n# ?/ B    xor     di,di
9 O" d7 J! q( o7 M5 l. H    mov     es,di# k1 R' |- `- f- J* M
    mov     ax, 1684h      
+ J9 s" s0 I$ s    mov     bx, 7a5Fh       ; VxD ID of SIWVID
  r$ {0 I& D1 L  r3 M    int     2fh0 K( D* C+ Z9 Z) [1 m% Z# M0 ^
    mov     ax, es          ; ES:DI -&gt; VxD API entry point" c9 Y7 F+ j7 T( I
    add     ax, di
9 ]  B& N+ x' Q/ d, h* P    test    ax,ax7 A" E5 _) N, R" R- Z; C$ o
    jnz     SoftICE_Detected0 q7 x% S# o* L- O) F
- n$ s6 y; K# K
__________________________________________________________________________: ^. ]1 b- `& S- S% W
4 {9 t9 {6 T1 v6 l9 ?- s1 _5 p- i

1 R! I# W3 s) d) yMethod 05( S- [: Z9 }7 d; |. F& B
=========0 d: ?3 {7 d0 p$ c7 v0 Y
8 q( s0 A1 u5 a$ u0 {8 w$ R
Method seeking the 'magic number' 0F386h returned (in ax) by all system
) |( ^7 C( J) G7 N- _8 H. `  ?debugger. It calls the int 41h, function 4Fh.3 e1 K2 F) @& z/ a" S
There are several alternatives.  + e+ q* ]- R$ ~4 W# q5 m
+ m  t. c" r. {+ G3 o5 w- ^
The following one is the simplest:
4 ]1 c: V& N6 b; D. p$ ?9 g7 D9 A& G/ u) X1 T4 H9 }
    mov     ax,4fh, m$ K% [! ]: M7 K8 K, a
    int     41h
, c3 o$ a- n, w3 D* e2 U$ E    cmp     ax, 0F386
, b5 Q& Q9 F' Y2 I/ w4 r5 L    jz      SoftICE_detected
3 J, G1 e% V: [& R! D/ h; R* u  F) a$ {7 M4 A

4 S' ~7 Z- J  _1 _Next method as well as the following one are 2 examples from Stone's
6 t/ O% A' z1 W  C- ]5 k9 |"stn-wid.zip" (www.cracking.net):
# i. w$ N7 v# {5 h' T! ?
! j; m2 E6 `+ I. a$ e  K, @. R    mov     bx, cs" ]% |0 Z' n: Z7 ^
    lea     dx, int41handler2
8 z' u7 b: M; b  m    xchg    dx, es:[41h*4]
, t9 B  K3 `, b  T    xchg    bx, es:[41h*4+2]
2 o: r9 Q9 g7 V    mov     ax,4fh, Q8 L  ?* g7 w3 w
    int     41h7 E+ t4 e2 I9 S) B4 d3 e7 f
    xchg    dx, es:[41h*4]/ i. Y  @9 a, G& p6 n) J3 O
    xchg    bx, es:[41h*4+2]
/ R. s! S% p) x* I    cmp     ax, 0f386h( F. W. h" l2 e
    jz      SoftICE_detected( a0 V" w& J& H: g4 Y* r1 e+ P

4 r* z7 J: X2 k9 w0 |  Rint41handler2 PROC; O# y/ }  L& s4 C' L; f, ]7 ^+ z
    iret
! Q4 K/ Z  z$ B- _, X; r& W8 ]int41handler2 ENDP
9 B% }( T& U2 w" t2 L& b' d8 Y8 F- S

3 j8 m, ?$ Z2 Y3 ]5 q. C2 h_________________________________________________________________________
8 _1 R3 e6 X! Q  ~; Z
: }/ c) L4 z  E! Y9 r; N7 j
/ _1 D, @1 N5 i% JMethod 068 s/ U4 G: T2 X" N7 C; o
=========( R- i1 w0 W$ h
, p" j- z5 d$ t$ d/ w' B7 Z

- u; B( {$ G, L6 W/ x2nd method similar to the preceding one but more difficult to detect:  U' n  X0 k2 L
9 q  |9 K; ^2 k/ `0 J. u, T

$ J2 b4 Q( X( {, O: P! u4 }int41handler PROC
8 g$ _: m' Y1 X$ F4 k6 \    mov     cl,al& C. {6 y+ {# C7 V1 Y+ I
    iret1 J, e5 K2 A9 \2 W4 c
int41handler ENDP' o8 A% z! P0 {8 A/ h. ~6 t$ s
' V7 F# ^+ n# L4 j% g" O
% U6 M2 F+ J# R' S! I* ^
    xor     ax,ax/ K0 M$ X: n' `) n( E& N
    mov     es,ax
2 K0 w% t! S3 D  B6 a    mov     bx, cs! }+ r5 u$ ~, B9 R( y$ a! I7 K
    lea     dx, int41handler
8 ^$ P( ]  ~' d    xchg    dx, es:[41h*4]
- O$ A9 @/ f% [6 ~; n; ]    xchg    bx, es:[41h*4+2]
2 ^/ M- ^: l  q    in      al, 40h5 B" p* |* e9 {. E
    xor     cx,cx+ i( a! P! n: t, M( @$ A) \
    int     41h# Q! n; u7 s; t. v) A
    xchg    dx, es:[41h*4]
, f2 `( t! |7 Z  y+ [    xchg    bx, es:[41h*4+2]
% g( p8 j$ E9 X! [) I* f' |' `+ K    cmp     cl,al
" J0 P/ s4 j5 m3 n( B    jnz     SoftICE_detected/ W- U* p8 f3 |/ M9 K5 M4 g% l

# h6 q* e$ _8 a$ I4 K_________________________________________________________________________
! \& l+ @; i5 p% A4 `& @, o' B8 R1 b# e5 Z0 F9 [6 c+ }
Method 07
5 W5 o' p& N4 B6 g5 _5 |=========
" a5 z7 @1 V! K- z9 H
; y5 P) D+ B& u9 r9 ]Method of detection of the WinICE handler in the int68h (V86)" {/ b5 _9 o9 G2 T
' ~. k) i6 M  I
    mov     ah,43h, q/ g5 n. I! B) X& q( u
    int     68h. w/ f5 d5 v" i" d4 I
    cmp     ax,0F386h- M+ E7 @6 x9 b4 @
    jz      SoftICE_Detected
+ o' }. Z! V- R
5 l; C) i# {* B
  h% ^, x  G+ l; Q1 \' m. B5 `=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' V6 C  d2 H6 l! R+ c
   app like this:# _2 B% w1 I: [1 x
+ Q  y+ ^# R9 |/ m6 V1 [& s
   BPX exec_int if ax==68
3 p3 J7 f' z+ l! i0 c; F   (function called is located at byte ptr [ebp+1Dh] and client eip is
( S( p$ W. i0 Z' _) B5 n# G   located at [ebp+48h] for 32Bit apps)
2 F$ c/ E! L  D( L& c__________________________________________________________________________; L% d8 f7 ~0 S( W# _  S

' J- v/ b+ ~( ~, w1 c$ h; P: m6 y) f7 V' L0 b$ F! j; }; A$ L0 {8 m
Method 08+ i( b5 `& o5 [9 ]7 M: z* ^, b
=========9 n7 ^. U$ u, {$ i
( \. H3 A' O' h, R5 z9 w
It is not a method of detection of SoftICE but a possibility to crash the
: Z& E; t  Q5 t( P  d  fsystem by intercepting int 01h and int 03h and redirecting them to another
/ t! P/ o& |+ x# e7 D* Croutine.
' j/ ]8 M0 u! a# w. S. bIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points1 M; ?( ?- I2 f) U: h. n% B
to the new routine to execute (hangs computer...)
( S% r2 r7 X! O( c" W+ w: S: E+ L- w, @9 W5 X1 b! C# ]
    mov     ah, 25h) \. X' e+ m+ F; n. i2 I
    mov     al, Int_Number (01h or 03h)  B, T8 o: b4 T. ?6 u
    mov     dx, offset New_Int_Routine5 ^: H+ W6 P. U# Z- M2 f, r
    int     21h# @( M  x+ O  x1 T& ]
+ b. J/ X( F( b" I' F: t0 K+ w# c
__________________________________________________________________________' {* y3 R& p1 J

: A  @6 C2 V) ?1 s& vMethod 09
+ Z  P: x6 K( k: O& ^=========
& _$ I. r% |1 D2 u  |
6 C, h; B! J. W' @. TThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only+ Y( \9 s: P) F7 q0 J/ |
performed in ring0 (VxD or a ring3 app using the VxdCall).4 H$ \+ {4 S/ T5 s3 g0 q
The Get_DDB service is used to determine whether or not a VxD is installed" C3 T% K4 J+ Y
for the specified device and returns a Device Description Block (in ecx) for
! R. B8 c3 L+ h$ b. {9 i. F3 Bthat device if it is installed./ m8 d6 Z% ]& V! F5 G  V, C( B

$ }4 p6 C9 F- f* q7 a2 I   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID# I$ a* a8 S- V, u% Q
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
# @8 x! S5 T8 @* o( M* x) \* N   VMMCall Get_DDB
; }  ~2 E2 b2 N( a( U   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
: H# \7 W1 h( i) v& [
: C% q- d: Y, W3 j( {Note as well that you can easily detect this method with SoftICE:
5 o( H0 r$ R; I8 ^   bpx Get_DDB if ax==0202 || ax==7a5fh
' I- ?- |% Q; I, b$ j- z1 t- K9 U3 {8 F7 ~
__________________________________________________________________________, {& }; j% ^$ ^6 \0 x+ o
6 r4 e# L& ]4 O$ v! U
Method 10- ^$ |; ~8 ?1 b- z- m" _) R
=========
( S  j0 F, t* U8 j! x& Z+ W" D$ R" V- [, \  n. Q$ Q/ i7 G
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
; ^! ^8 s. D  p, a0 Q+ w  SoftICE while the option is enable!!% w0 B) X% i6 X! j6 J6 U; w
; u7 Q1 E" U% O. V( N
This trick is very efficient:
8 x( ~  N) S. X5 u6 G. w: l( Q& x9 mby checking the Debug Registers, you can detect if SoftICE is loaded
/ I6 H: O  W$ N% z1 i! F4 t" {# a(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 L: n9 |5 }; i8 _
there are some memory breakpoints set (dr0 to dr3) simply by reading their
; A: N6 U# j0 Z% q) ]% u  T/ Bvalue (in ring0 only). Values can be manipulated and or changed as well$ ~# `" _/ b/ z% x
(clearing BPMs for instance)
0 \, V- G" J  A7 _/ }, c7 v+ X( d  z5 y0 b# `, ^- k; `
__________________________________________________________________________
# W9 l! F* Z9 A  U9 g% Z
& }5 a) K" d# A, }Method 114 Z" ?; {2 u9 e% x
=========& [9 t/ I, n1 l& ?; V% ^$ _
* Q" B3 b) l+ Z* |0 o4 X# n
This method is most known as 'MeltICE' because it has been freely distributed2 f* y9 d7 U, x4 i9 K8 s
via www.winfiles.com. However it was first used by NuMega people to allow1 ~9 E6 K# E* {& n; {7 y; T3 n- G6 C
Symbol Loader to check if SoftICE was active or not (the code is located
' `7 o/ I7 Z0 i9 b7 a$ Tinside nmtrans.dll).
2 e9 a9 _7 p6 ?
- w8 |9 J, F1 z( K; v/ ZThe way it works is very simple:
; `' C1 c4 K0 E% R  F% J% m9 {It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! Z" d* G- T% l' K( T( aWinNT) with the CreateFileA API." b1 e  M, u! w9 r
# o  V" I# v. P  c
Here is a sample (checking for 'SICE'):
$ x9 k/ I/ T5 b; w' r# C5 }) }' D1 v! q* ^: a/ K
BOOL IsSoftIce95Loaded()
* z; O( ~& y4 S1 ^, B{
) `& u# Q! L$ V$ V' O. H, w9 V$ x   HANDLE hFile;  5 j5 B+ v4 b& T
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
2 |- v' X) g$ T; p+ W                      FILE_SHARE_READ | FILE_SHARE_WRITE,
5 r0 m% X( g; G( _8 }                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; v' C) t8 i1 A6 t; x- d
   if( hFile != INVALID_HANDLE_VALUE )8 f1 E! {# `# S6 z* m5 u
   {$ N- }' w, v* j+ Q& g/ q. a
      CloseHandle(hFile);
! [6 F/ ]) j. i/ p      return TRUE;
+ f& g* k$ K& P8 D3 k* c& c3 F3 ]1 m   }
1 R5 m2 a- m* t4 k   return FALSE;
' o0 V& N+ p: U1 ~3 ^}+ ^1 E7 w: Y5 d$ L/ X& N0 O" _# x' C

* ]5 h) S% m1 K3 @" \Although this trick calls the CreateFileA function, don't even expect to be5 {* R+ i8 R" g4 m* z2 W% K; c  I  n
able to intercept it by installing a IFS hook: it will not work, no way!: \; A" e& o6 b6 D- J! P
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 F! O9 {" z9 W. H; Q. [3 K
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
0 d6 c+ K' v" Y& ~4 [3 C: X; @# ^& gand then browse the DDB list until it find the VxD and its DDB_Control_Proc
! e  ^, E, G, g: f# ^field.
, {3 r5 }" J3 R$ K0 @In fact, its purpose is not to load/unload VxDs but only to send a
  \0 W+ `. a6 K) r) F. u3 KW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- r( @" @" Z$ z. i) H( g
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 j7 A6 F# F$ M- P. q! a  sto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 o7 `2 C, q: i7 ^+ l+ u- H
If the VxD is loaded, it will always clear eax and the Carry flag to allow
) l: [0 ~* v" J7 N- V+ bits handle to be opened and then, will be detected.
5 T! B% L( c; W: v& SYou can check that simply by hooking Winice.exe control proc entry point+ U0 R9 l( }/ p( }' g
while running MeltICE.: j( F9 b. P! {' J) b! |
; z) {, V8 M% C" Z1 z/ V, G# d  ^
9 v1 }% c) z2 X7 W- I
  00401067:  push      00402025    ; \\.\SICE; U' ~( }  F' _, q4 R( z) _$ q
  0040106C:  call      CreateFileA
: f" N: z1 l7 e: ?& j  00401071:  cmp       eax,-001
& V) x$ m; l+ q$ B% S" U6 |  00401074:  je        004010914 I, J: h& L. C6 }7 o" g5 Z# N/ L
( _. w2 c% {" F; d& a! n1 s9 R) F
4 x9 N  g  L* \' N* m
There could be hundreds of BPX you could use to detect this trick.
, V8 m/ t. L/ v/ R-The most classical one is:+ t  d3 D$ i6 d! O
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||' M% I; P: O/ s1 ?2 l- [0 [) a
    *(esp-&gt;4+4)=='NTIC'
& e4 }( o2 x' |- b) h; v% X7 H7 u3 p  @
-The most exotic ones (could be very slooooow :-(3 V1 L) {0 [! I; x# |7 ~! Q' N
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
; l4 w  H* k4 _8 A# p6 R     ;will break 3 times :-(( d, J# _5 p% N, K, {/ m% |8 c- \
! Z# d8 g* {+ j: P. B7 c! m( o
-or (a bit) faster: 9 i2 p& p8 z3 V
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' {" W4 ^; l; E: [5 G% S
8 t* M' u& ]: w2 W6 `( m   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
1 `! M' A" q( r, C4 L     ;will break 3 times :-(
- k  _. S7 [: }% n6 N- v
5 i- c6 n, L' r6 q, h* X' W* G-Much faster:4 L% U' ?$ H. b) U. O1 b- s
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'# q$ S) g: `* J' y( {7 i6 @
6 f) [- Q+ R1 N1 p  @
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
1 u1 [0 v4 i) H4 afunction to do the same job:( l( A8 B' G! k  ?; m, d7 K
! B6 Y5 s( }1 F2 f: Z! r' _) C
   push    00                        ; OF_READ
5 a6 Y$ \5 B6 h. @- X" p   mov     eax,[00656634]            ; '\\.\SICE',0
5 v* T8 x4 ^' a% h1 n7 J* ~1 l   push    eax
* l* T) D3 P9 T( M- x, ]   call    KERNEL32!_lopen
8 Q5 _4 s$ p0 M+ Q! G   inc     eax
8 f! v9 Q: z1 ^1 [   jnz     00650589                  ; detected
+ b2 H- n: `! v6 |  }! H' Z- J   push    00                        ; OF_READ
; w( X$ s6 Q- w) u. f   mov     eax,[00656638]            ; '\\.\SICE'
9 S, v/ u4 n+ k( ]) _& E1 G& I   push    eax
4 t& w6 [2 L9 A. U5 b   call    KERNEL32!_lopen+ \, s/ A! C$ B( Y3 j  b
   inc     eax
) K9 l9 B4 G' x! j- u9 ?7 q   jz      006505ae                  ; not detected
' r+ |( f3 v4 h) J1 }
# }6 F6 _9 @: G, c  |9 a! ~1 O6 d/ q/ o: N, u
__________________________________________________________________________
! t6 [9 o- O1 B7 ]! X8 N6 r! a5 @0 q# q% u( Y
Method 12
7 M& N+ t/ z* N=========
  v  S, B  B4 r# ]' A, x) V- ^* D6 B. P+ G
This trick is similar to int41h/4fh Debugger installation check (code 05
2 n; `: T8 s, B# x6 z. R+ z&amp; 06) but very limited because it's only available for Win95/98 (not NT)* h* n# o2 T5 y) i) V6 M( _
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! b! P) |2 W2 Q3 i
# W% ~+ j) I: E( r0 N* ]   push  0000004fh         ; function 4fh
" ?3 F1 a6 i# m  G+ m; I/ E/ H: M+ s1 F   push  002a002ah         ; high word specifies which VxD (VWIN32)
6 S" T6 c2 A8 t; N                           ; low word specifies which service3 y1 C4 \  `7 K0 W+ t4 w
                             (VWIN32_Int41Dispatch)
2 @6 u5 _% \( q; K  X" f   call  Kernel32!ORD_001  ; VxdCall
2 J$ U% Y  D! `1 q/ c7 {$ Q$ |5 A   cmp   ax, 0f386h        ; magic number returned by system debuggers
/ v3 f( X0 j- F- i4 v. @: X   jz    SoftICE_detected
  A% A( _# _6 Y9 p+ b9 d5 c8 e" o1 G
Here again, several ways to detect it:/ j! |! \3 j" k! Q+ U
- D& C9 u' b2 d# o* n
    BPINT 41 if ax==4f0 }% k3 u9 y, ]  D8 G- i) Y# A' B
( S) D  ~3 n% B! O/ X1 Y3 g+ \2 H( ~( H2 e
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
( R# H+ Q5 |4 {; a# n1 T* t
0 C6 d$ ^; w/ e! v( e! A    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A0 E7 u# S' z8 w! |9 ]# z3 Q
5 M/ ~# b3 J! a, Q- m/ x- b
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!7 y0 ~/ i3 r6 l- A  ~0 J+ q
( }) I, s* v( _
__________________________________________________________________________, C1 w+ f! Q1 q1 `8 C

/ K% \4 Z3 H, a0 xMethod 13
5 m# |! S8 }2 u3 G=========* ~/ a' m- t8 L! \8 Z+ D8 \

4 U& T, s3 X% aNot a real method of detection, but a good way to know if SoftICE is7 C+ f& [. P! G. z
installed on a computer and to locate its installation directory.
5 J" Q* m5 s( y; ?. |- gIt is used by few softs which access the following registry keys (usually #2) :6 o  T1 _: }% Q0 v1 A* j: ]1 ?

7 |+ T7 d. u  Q+ z: `# M-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ T1 q! M% M; x+ N  @\Uninstall\SoftICE1 y4 k4 I8 B  i2 r8 b
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( C/ N. a: g9 G8 ]-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
4 F* C! u) k" p# {\App Paths\Loader32.Exe
% f5 V* h& `" M4 _0 R
% u/ {3 Y& I' `$ k+ n* V$ p/ A; i4 Q4 L6 d, V! M( l1 [
Note that some nasty apps could then erase all files from SoftICE directory
; e$ F9 P) ?6 V(I faced that once :-(
  v% w/ U' t' F; E" v7 g5 M2 K4 F5 U' T" i' f, Z0 B0 I
Useful breakpoint to detect it:
. e' V5 G+ t3 Y$ E( T3 w
3 y! Q* E+ n; n9 G! I# D     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
4 D: t# w( r3 |6 R/ O
* Q) A( u; Q) K9 m$ f__________________________________________________________________________
; }$ S" l2 ^3 E! Y! n; ]/ b% K' p7 {- Z1 B! M8 e
7 ?8 R# |3 [8 |" P$ J2 T
Method 14 & U0 F3 Z1 a& r* B+ M
=========6 F; T. I& K1 o8 @, P$ |& Y) a9 L
" P9 k2 p  r$ V  O4 b1 H
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose4 f* a" Q* r1 W( X# G! [' i6 ]
is to determines whether a debugger is running on your system (ring0 only).
  _7 ]( @8 f5 x" c" s+ f2 J3 Y7 w) S
& [: q4 s2 {7 T: B& R   VMMCall Test_Debug_Installed8 R& ~7 @- u! G0 B% q' a' x3 v  O
   je      not_installed
3 d. i  v2 g0 k
0 d( Z3 h/ p* q. v& z1 d% uThis service just checks a flag.
4 \& t9 @% p. x- h* T) V</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 18:09

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表