About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al stays 4 only when nobody answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 if the VxD is not there
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es=0 (as in Method 06) so es:[41h*4] is the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and put the original vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value read from the timer port
    xor     cx,cx
    int     41h             ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; ...unless a debugger grabbed the int before it
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds when the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
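As an added example (not code from the original post, nor from any packer, loader or tool it names), here is a small Python scanner that turns the instruction sequences and device/registry names from Methods 01-05, 07, 11 and 13 into byte signatures, so an analyst can list which of these anti-SoftICE checks a DOS or Win32 image contains before stepping into it. The x86 encodings are an assumption derived from the mnemonics in the post (Method 01 encoded as 32-bit code, the others as 16-bit code, matching the listings above); the sample image at the bottom is constructed for the demonstration.

```python
"""Static scanner for the anti-SoftICE idioms described in the post above.
Added example, not part of the original text: each entry encodes one of the
instruction sequences or strings from Methods 01-05, 07, 11 and 13 as a
byte signature and reports where it occurs in a file image."""
import re
import sys

# (method, description, regex over bytes).  The x86 encodings are assumed
# here from the post's mnemonics: Method 01 as 32-bit code (Win32 packers),
# Methods 02-05 and 07 as 16-bit code (DOS stubs).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh ('BCHK')
     rb"\x66\xB8\x04\x00"              # mov ax, 4
     rb"\xCC"),                        # int 3
    ("02", "SoftICE back door: si=4647h, di=4A4Dh, int 3",
     rb"\xBE\x47\x46\xBF\x4D\x4A\xCC"),
    ("03", "int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),        # mov ax,4Fh / int 41h
    ("07", "int 68h function 43h WinICE V86 handler check",
     rb"\xB4\x43\xCD\x68"),            # mov ah,43h / int 68h
    ("11", "MeltICE-style driver device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),   # "\\.\SICE" etc., NUL-terminated
    ("13", "SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(image):
    """Return a list of (offset, method, description) hits, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, image):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def scan_file(path):
    """Scan a whole file image read from disk."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample image: NOP padding around a Method 03 stub, a stub in the
# style of the Haspinst.exe listing (Method 02), and the two strings that
# Methods 11 and 13 look for.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                    # Method 03 at 16
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"    # si/di/int 3 at 33
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                     # device name at 48
    + b"Software\\NuMega\\SoftICE\x00"                       # registry key at 57
)

if __name__ == "__main__":
    # With no arguments the constructed sample is scanned; otherwise each
    # path given on the command line.
    for name, hits in (("<sample>", scan(SAMPLE_IMAGE)),) if len(sys.argv) < 2 \
            else ((p, scan_file(p)) for p in sys.argv[1:]):
        print(name)
        for offset, method, desc in hits:
            print("  0x%06X  Method %s  %s" % (offset, method, desc))
```

Exact byte matching is deliberately conservative: a packer that reorders the register loads or uses a different encoding (for example `mov ax,4` in 16-bit code, or `int 3` written as `CD 03`) will not hit, so a clean scan is evidence of absence only for these literal forms. Running the script on the sample reports Methods 03, 02, 11 and 13 at offsets 16, 33, 48 and 57.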