About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

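Decoding what Method 10 reads, as an added example that is not part of the original text: the DR7 bit layout that makes 0x400 (only the reserved, always-set bit 10) look clean and 0x700 (LE and GE set by a system debugger) look like a loaded SoftICE, plus the L0..L3 enable bits that reveal BPMs in DR0..DR3. Reading the registers themselves needs ring 0; the function and type names here are mine and the values are passed in.

```c
#include "stdio.h"
#include "stdint.h"
#include "stdbool.h"

/* One hardware breakpoint slot (DR0..DR3) as configured in DR7. */
typedef struct {
    bool local_enable;   /* Ln (bit 2n):   active for the current task */
    bool global_enable;  /* Gn (bit 2n+1): active for every task */
    uint8_t rw;          /* R/Wn (bits 16+4n): 0=exec 1=write 2=I/O 3=read/write */
    uint8_t len;         /* LENn (bits 18+4n): 0=1 byte 1=2 bytes 3=4 bytes */
} dr_slot;

typedef struct {
    dr_slot slot[4];
    bool le;             /* bit 8:  local exact breakpoint enable */
    bool ge;             /* bit 9:  global exact breakpoint enable */
    bool gd;             /* bit 13: general detect, traps on any DRx access */
    int active_slots;    /* slots with L or G set, i.e. BPMs in DR0..DR3 */
} dr7_view;

dr7_view decode_dr7(uint32_t dr7)
{
    dr7_view v = {0};
    for (int i = 0; i < 4; i++) {
        v.slot[i].local_enable  = (dr7 >> (2 * i)) & 1;
        v.slot[i].global_enable = (dr7 >> (2 * i + 1)) & 1;
        v.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3;
        v.slot[i].len = (dr7 >> (18 + 4 * i)) & 3;
        if (v.slot[i].local_enable || v.slot[i].global_enable)
            v.active_slots++;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* The page's test: 0x400 is just the reserved bit 10 (reads as 1 on every CPU),
   so anything beyond it, LE/GE from the SoftICE loader or an enabled slot,
   is what the check treats as a debugger. */
bool dr7_shows_debugger(uint32_t dr7)
{
    dr7_view v = decode_dr7(dr7);
    return v.le || v.ge || v.active_slots > 0;
}

int main(void)
{
    /* Constructed sample values: the two from the page plus one with a BPM
       (DR0 enabled, 4-byte read/write) for illustration. */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000F0401u };
    for (int i = 0; i < 3; i++) {
        dr7_view v = decode_dr7(samples[i]);
        printf("dr7=%#010x LE=%d GE=%d active=%d -> %s\n", samples[i],
               v.le, v.ge, v.active_slots,
               dr7_shows_debugger(samples[i]) ? "debugger" : "clean");
    }
    return 0;
}
```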
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The open succeeds only when the VxD that registered the
      \\.\SICE device name is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

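The conditional breakpoints of Methods 11 and 13, emulated as an added example (not the original author's code): bytes_at mirrors SoftICE's 4-byte compare of memory against a dword literal at a fixed offset, so you can check against constructed sample arguments which CreateFileA paths and RegOpenKey subkeys the conditions actually catch. The function names and sample strings are mine.

```c
#include "stdio.h"
#include "string.h"
#include "stdbool.h"

/* SoftICE evaluates *(p)=='SICE' as a compare of the four raw bytes at p
   against the literal, so the emulation is a 4-byte memcmp at a fixed offset.
   Strings too short to reach the offset never match. */
static bool bytes_at(const char *s, size_t off, const char *tag4)
{
    if (strlen(s) < off + 4)
        return false;
    return memcmp(s + off, tag4, 4) == 0;
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
   esp->4 is lpFileName (the first argument); +4 skips the "\\.\" prefix. */
bool createfile_bpx_matches(const char *lpFileName)
{
    return bytes_at(lpFileName, 4, "SICE") ||
           bytes_at(lpFileName, 4, "SIWV") ||
           bytes_at(lpFileName, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
   esp->8 is lpSubKey (the second argument); 0x13 is where "tICE" sits in
   "Software\NuMega\SoftICE" (key #2) and 0x37 where it sits in
   "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1). */
bool regopenkey_bpx_matches(const char *lpSubKey)
{
    return bytes_at(lpSubKey, 0x13, "tICE") ||
           bytes_at(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* Constructed sample arguments: the device names and keys from the page
       plus an ordinary path a debugger user would not want to break on. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\readme.txt" };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(%-16s) -> %s\n", paths[i],
               createfile_bpx_matches(paths[i]) ? "break" : "pass");
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(%s) -> %s\n", keys[i],
               regopenkey_bpx_matches(keys[i]) ? "break" : "pass");
    return 0;
}
```

Key #3 (App Paths\Loader32.Exe) has no 'tICE' at either 0x13 or 0x37, so the _regopenkey breakpoint as written fires for keys #1 and #2 only.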
__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>