找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
+ h9 e, e  j; C/ k  \6 l<TBODY>
: S) J  L% Y1 \<TR>
1 ~: {. z+ P# g9 }  N<TD><PRE>Method 01 / m! t" E. Y9 f( C$ g
=========# y% U$ d! M4 K' X
1 X& h8 f5 ?5 K, {; B
This method of detection of SoftICE (as well as the following one) is; g4 M+ j+ r1 h6 d6 u/ N2 `3 c" t5 M# ~- D
used by the majority of packers/encryptors found on Internet.
$ M, G9 U2 P& O' UIt seeks the signature of BoundsChecker in SoftICE
5 D/ \+ N! Q: F* y6 v. ~5 `' ~. J4 J8 R& I7 {( M
    mov     ebp, 04243484Bh        ; 'BCHK'
. f1 x+ g+ i* ~" k0 Q2 H    mov     ax, 04h$ V) {* }$ E" r3 e% y
    int     3      
# J6 G. {9 g  ]+ y& E  E    cmp     al,4
& _' w' \( k) T% q, \& Y4 X, W# N    jnz     SoftICE_Detected9 m& h/ y8 Q7 h4 ^! F* b1 R

+ ]' l. c% y: r$ j# w) U: U& S___________________________________________________________________________* u" f2 ^" g  Y
# P; z! A% S+ t5 F
Method 02
7 L7 E. V& J% V( g! E* O2 A" [=========% p5 U5 [6 I, T- E+ q

3 E+ `3 r7 J/ k3 oStill a method very much used (perhaps the most frequent one).  It is used! K+ `9 ?+ b% x' N8 c4 S8 U* [; P
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' M1 A5 e6 O. C/ p
or execute SoftICE commands...& p! m1 L2 A" y. n, M
It is also used to crash SoftICE and to force it to execute any commands
+ w2 K  k9 c$ y8 ~$ R(HBOOT...) :-((  6 k/ h, @5 g4 V7 C( M1 p
+ F( N4 x1 D  U/ H  @% f# j
Here is a quick description:
( V* r0 j- S& e' t6 I-AX = 0910h   (Display string in SIce windows)) O) g- P& k) b9 _/ }
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx): E/ |/ V% d2 \& d
-AX = 0912h   (Get breakpoint infos)
# D: A# Q' x, c-AX = 0913h   (Set Sice breakpoints)! U8 O7 x3 h" Z4 Y$ z% F$ i
-AX = 0914h   (Remove SIce breakoints)# r' c: \1 L$ N8 k3 C# d
9 t) G3 y2 q6 |4 I, h2 q
Each time you'll meet this trick, you'll see:
6 Y& i  ^8 e) R7 J; E-SI = 4647h- H) o4 t% Q' v# \- I! }2 t+ j
-DI = 4A4Dh- y7 \7 s% H/ [# _$ d( V
Which are the 'magic values' used by SoftIce.
& r: s* m5 m2 R1 {' Y) QFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.0 x0 \5 Z" O# s  Q7 y" ^! ~
; `3 {' u- r9 P* B
Here is one example from the file "Haspinst.exe" which is the dongle HASP
9 O/ K" D$ y" u- _Envelope utility use to protect DOS applications:
. y( x, }# t$ ?& b, q0 V( T* E' G! V8 W2 W
; E8 ]4 A! I5 k5 n  f+ E
4C19:0095   MOV    AX,0911  ; execute command.$ N5 g4 ^1 L3 D$ @2 ]: [
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
; j! i9 r; H# X- }0 U4C19:009A   MOV    SI,4647  ; 1st magic value.: c' u6 a8 C/ r1 y4 }
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.3 ^# M+ o' E- k* t7 ]0 S" k
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)0 ~& n3 n7 j  d( J0 |8 K+ @& _' s
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
  s  r# ]' r3 W5 [/ f8 K4C19:00A4   INC    CX: V& C  u2 Z- s. e" H, C" d5 q. O0 c
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
6 S* a- O/ {8 G, ?1 L( \2 S4C19:00A8   JB     0095     ; 6 different commands.$ z: y* c# g* h
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
0 I4 I3 L4 m+ |' K4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)7 W7 F+ c: T, J8 |  z. K' Z% }

9 [3 s6 X- l* y. AThe program will execute 6 different SIce commands located at ds:dx, which
$ a4 G0 [& d6 }) P  j7 i# Eare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
% c) a) N- |0 |' W% h
' o0 A: v0 I2 a) Q) p2 E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.' H, _# E2 }& b
___________________________________________________________________________
* F( w& K' {5 _& o" Q+ V1 R5 p( N; n; ]" u% c( q

* a5 s9 x( X5 f& f. h+ I" g) m8 v4 VMethod 03
7 a) ~# s8 F3 h) w=========
2 O+ h2 L8 |% l2 h% d' T6 b7 v0 u- L- v) d( g5 {: f+ C% e& ]
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h" C/ j: J% L1 a8 f! k
(API Get entry point)) N; C* e2 ^! J6 z$ ^. \' O, v. r
        # Q1 {0 W/ k: i* ^
! [% K6 S8 m3 E7 D( p2 T
    xor     di,di
$ n6 D4 V; }; L    mov     es,di  |3 l9 K5 l* e  F
    mov     ax, 1684h      
) a) k/ w- \; e* ?0 r0 W- N    mov     bx, 0202h       ; VxD ID of winice& O  |7 h: c9 X8 c/ E8 N* K
    int     2Fh  Z( `- e0 S* \6 _
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
; F1 Z: q8 k: _' L3 ~- O# {    add     ax, di
. ]) X2 R0 [. M    test    ax,ax
: n. A" \2 j5 _6 t- V    jnz     SoftICE_Detected3 U3 ?0 D( I: a
! x% X) ], z/ ]  s  e6 a; F9 h
___________________________________________________________________________
, Q& R' O$ [* d* j* H% I7 j
" _! P( [0 X, C% I( C4 WMethod 04" s8 i4 N. ]$ l0 W) |# w
=========# M# f/ A4 f3 W3 L% `
1 _9 I/ x6 m" K+ H
Method identical to the preceding one except that it seeks the ID of SoftICE3 ?7 i/ x+ ], c  M* n( [$ R
GFX VxD.: v* R2 q' n8 W* J% ~4 Z0 d" k
9 r7 `& |2 f6 Y3 g( [4 a
    xor     di,di2 N) Y- l" [8 F/ r' _
    mov     es,di
; i% {* D1 T9 ?) w" [- O) q    mov     ax, 1684h      
% x5 _# M3 F6 ]% x  M6 J    mov     bx, 7a5Fh       ; VxD ID of SIWVID) y3 D4 u( z0 s2 r. C
    int     2fh# M/ s1 E* f# i6 w% }
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
/ o# Z, ]( T& J, h$ y! J- ~    add     ax, di
6 g% Z* p3 j5 }- ]& x    test    ax,ax& x4 [, D  C2 w' r: @
    jnz     SoftICE_Detected9 s( F* x3 \! r& W! P9 G
- {3 V5 _& q8 A! H
__________________________________________________________________________4 L( J; W* A, X; a) E9 `

; V' b. c4 T; W. R! J$ e8 {+ _! b1 I9 h' v' Q% i2 @
Method 05
4 w  K0 c& k1 U* f- r=========
/ ?+ n, t; r) ?1 K3 I+ y) L" Z; y4 L9 Z) \2 Q' g3 [
Method seeking the 'magic number' 0F386h returned (in ax) by all system
3 @% s# j4 _( C; @1 ~debugger. It calls the int 41h, function 4Fh.0 q) L2 X. w! i3 g% f$ e6 r
There are several alternatives.  
6 ^' b1 k' n9 y9 Y* e7 m0 N, K. L+ k! [  |* M
The following one is the simplest:  \! k2 }! L# I( P$ v8 g/ U
! O# x3 v1 {& `- }, d+ k% ^7 Z6 Y' S
    mov     ax,4fh% h# C# a7 f/ \' O) V* p
    int     41h
  ?" S' S: u% g3 p& C; t9 G: }    cmp     ax, 0F386
6 s; H# G5 i+ T- D    jz      SoftICE_detected9 `$ Z0 W5 N) v- j

, @* E% {7 [1 F! g( i  M7 \" M/ C$ ?
! }# N5 q! d. ~, |5 Q: Q' \- jNext method as well as the following one are 2 examples from Stone's + U  A5 y2 z) r% ?. @! r. m2 p
"stn-wid.zip" (www.cracking.net):
0 P% K- r7 d' Q5 ?7 t+ a3 k& R
3 y  l& V6 P4 q3 ~* w% a% x* |0 f8 E    mov     bx, cs
# ]' X7 ], m* A    lea     dx, int41handler2" F7 c7 H; q/ c1 f8 [
    xchg    dx, es:[41h*4]
9 U# ^  o0 k  _& o    xchg    bx, es:[41h*4+2]
3 ^- @/ U) _6 v$ m+ U    mov     ax,4fh6 b. R/ A# }/ b& D( r
    int     41h
+ S% g3 Q* T' e# ]0 m; t; H# [    xchg    dx, es:[41h*4]0 o- Q$ y4 G( T! ^/ `, [
    xchg    bx, es:[41h*4+2]3 z( ~) n. y- u$ L+ o; z
    cmp     ax, 0f386h! A7 }) r$ ?' p' e# f
    jz      SoftICE_detected/ E. g- C/ i4 T8 v+ Y
$ J7 I3 t. o$ {* H- c7 w6 x
int41handler2 PROC1 h/ {' H3 C% f! d: P; R
    iret0 U6 }6 `! K  @
int41handler2 ENDP
- Z! _" y0 c8 N' a$ o5 E- A% C- C8 Y5 G+ P5 F
$ Q& e& g# K) W2 n, P# `$ L) P: f9 U
_________________________________________________________________________( Z/ E8 v  \: T1 P! q* E
( a, ]5 U$ c' a) M7 Z( b

) I0 z" ^) P6 Z9 y" [$ B; Y1 lMethod 06
. Q! J3 o' e: }  N! v1 c; T# [=========
5 A3 C+ l+ J" P  E& T( @7 U) C2 k9 @3 K& \  q8 b/ r6 g4 Z$ A7 N

# T0 p' {% {/ n9 n7 Y' r, T. G- z2nd method similar to the preceding one but more difficult to detect:
" X* N7 X, `7 @) M; f; |6 Z
, I* Y: Q2 n2 [
; `/ p! q% e: Y3 ^& Mint41handler PROC
" m! [  o9 W  S& S    mov     cl,al& P$ c3 ^% z) R9 ~
    iret
8 f; W: H' Q' a2 Y9 l' k' _3 vint41handler ENDP
8 s: F- t) f/ b7 X# A* r. c+ m' o# R/ C7 k+ q! @) O, [8 \$ u

) `; u$ }8 _$ d. X7 n% u# B. R    xor     ax,ax
" N: y! g/ p$ u  ?: \0 T    mov     es,ax
6 c9 P2 @. C2 W* \    mov     bx, cs
6 e/ a# f4 t  x; G    lea     dx, int41handler
4 n# h; _. b- J; c' v3 e    xchg    dx, es:[41h*4]" N4 ^* s4 Z+ h* Q. c
    xchg    bx, es:[41h*4+2]$ b' R) [, e7 g$ J$ n9 U7 b4 g" E7 \
    in      al, 40h) G, V/ l5 e/ y' t
    xor     cx,cx
6 j) e$ s7 P$ H/ ^+ b5 ^    int     41h
  Z* t% k- w6 e5 Y4 ?9 \    xchg    dx, es:[41h*4]: c$ N( h3 r' R, U2 l; |
    xchg    bx, es:[41h*4+2]
+ x, m* y; ]8 Y) z% M3 Y    cmp     cl,al% G! u( C: O# w  o+ x" T  T/ `: W! Q' u
    jnz     SoftICE_detected
# }4 u0 p2 S  \+ H2 M0 g/ O( ]1 O
# @2 \- a9 d' n6 E4 ~_________________________________________________________________________5 l# I/ I+ f6 e9 p! Q/ M
* ^  S0 L6 v  h9 c+ @% V  T
Method 07, v% H1 O: u1 T+ j
=========9 N  A1 ~- k/ y  R+ W

, i* W0 l' Y2 }0 j  q. d" `Method of detection of the WinICE handler in the int68h (V86)9 I1 t0 N) E* S, P

0 e; R6 D8 b: \& X; D8 O& _    mov     ah,43h
! q3 a3 I: G7 O) l, b2 P    int     68h% K" s% t6 M# G4 [* I
    cmp     ax,0F386h1 E0 A5 u/ u' F! D2 `
    jz      SoftICE_Detected6 n3 C7 \4 F/ G; V8 I$ J
8 Q* N" F# ?! X
3 Q. \. k6 E% z/ r# I
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 }! S4 I/ i8 `
   app like this:; v3 ^( {# L# M) @& K* W
/ g7 M% k8 I" j
   BPX exec_int if ax==68
' V8 |  s9 R" }6 Z6 A. C6 N   (function called is located at byte ptr [ebp+1Dh] and client eip is
6 v) Y" f% V8 d2 B   located at [ebp+48h] for 32Bit apps)
# a3 b( N$ i/ h; y' o; o__________________________________________________________________________
  s8 J* x1 R0 t. H( F6 o& O3 k' R5 W+ n5 Q% u+ l, |

" t  \& P' Y; r& b1 kMethod 08
1 |1 ~8 a1 Y4 Z, T/ R=========: S' z& y" G: X- V( S
2 G+ p/ ?6 @4 _/ d8 ?
It is not a method of detection of SoftICE but a possibility to crash the
7 U5 y* r" g( ?- E2 k$ E4 @# c% nsystem by intercepting int 01h and int 03h and redirecting them to another
: Y3 z6 o8 O. b6 v+ x/ Kroutine.6 s( G9 u9 j9 a% \0 N( e* c2 T6 s- q
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points% s$ R: d' C1 i4 O+ A
to the new routine to execute (hangs computer...)
4 t: E5 x3 O& G7 }0 b! h% _$ a! s
    mov     ah, 25h9 D: u- k3 l2 W  W5 g
    mov     al, Int_Number (01h or 03h)- h+ D2 o8 Y  ?3 P, ^+ D* l5 b
    mov     dx, offset New_Int_Routine9 a7 H( c( L# }$ X5 C+ {
    int     21h
) a$ u; X2 m& S) L- O' r, Y" a% w+ ~7 p& C* u+ s- A
__________________________________________________________________________
$ x7 h% O9 Q. S* A, }- h% x$ d9 F7 P  p
Method 09
+ t8 k9 `8 @; k# o2 ^=========
0 r" H4 ~; Z7 E1 N: D1 D* m! Z0 U# O& j$ s; H% ~! @8 V
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only! U8 p! \9 `3 j6 z; _5 N
performed in ring0 (VxD or a ring3 app using the VxdCall).5 P  F& o; Q& }1 R, ]
The Get_DDB service is used to determine whether or not a VxD is installed  D+ T, t- T' x4 |1 P$ {% d
for the specified device and returns a Device Description Block (in ecx) for( ?" \! |% w5 u2 P' e. N
that device if it is installed.9 a9 E, p& U  g, t' b7 v: E8 M

& \; x9 X/ x/ t, [   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID: C$ `9 F1 k* z
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)3 ]) h* D3 Y; W) X
   VMMCall Get_DDB
) {- r; e) v0 E: K; P! u3 |   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed# a8 f- \0 K+ m6 t
; H  d, Z2 u8 A; s& X" N
Note as well that you can easily detect this method with SoftICE:
  z* q/ Y7 u+ Z6 I9 r   bpx Get_DDB if ax==0202 || ax==7a5fh
, V% k+ R* c3 ?3 u6 C9 V1 x% S. @# _0 f$ J1 O( t& b
__________________________________________________________________________, T% c& q1 l  ~. G6 u
0 J* D" z. P2 j/ i
Method 10" k* c+ m5 G! I4 _& P- O3 H
=========# B2 X( j1 n6 @8 P; O

: ^" h. \: ^# ?; x=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
4 `; P) P+ [0 ~1 f1 o7 d  SoftICE while the option is enable!!/ [) P( k6 [) F8 ]- P3 ~$ O' r" q

4 }: ^# D, ?$ sThis trick is very efficient:' u' K* k% O8 a# N
by checking the Debug Registers, you can detect if SoftICE is loaded
* m4 N) ?" G/ r! T& \(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( z- l4 r2 ?2 s( R& u0 xthere are some memory breakpoints set (dr0 to dr3) simply by reading their# l5 K7 }" H5 W8 y# c2 c6 E# M( f
value (in ring0 only). Values can be manipulated and or changed as well
) B3 I% e. h# S2 T& W(clearing BPMs for instance)
, q- ?; q. O" {' H4 R6 [% N* S1 }. w! I( `
__________________________________________________________________________; h4 e5 g- v. n/ ^# F( m; q

6 u; P2 u7 {/ Y* g: ?2 r1 dMethod 11
4 d1 D9 Y" V% h7 o) N=========
/ ]# J1 u4 ]+ l' L  c  v' q
" |1 P4 Z2 B  |- Y& j% f/ AThis method is most known as 'MeltICE' because it has been freely distributed' ~6 p- D! ]7 B2 i) h
via www.winfiles.com. However it was first used by NuMega people to allow! j: D3 k) v5 M0 c! r
Symbol Loader to check if SoftICE was active or not (the code is located
, ]1 j& J- I) r  f. Ginside nmtrans.dll).. ]6 Z" H7 k( d9 c* X  Z

6 t  d& o& a0 y2 A1 s9 A- w+ rThe way it works is very simple:
0 ?0 Q4 ^5 p" bIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for1 Y' w7 |* o' A' z4 E0 L
WinNT) with the CreateFileA API./ A" B! _0 O4 y- i2 t9 [8 D* D

" }2 c! a7 G3 [: yHere is a sample (checking for 'SICE'):0 j! R. E7 p" a; ^& t) Y8 G

0 ?2 l- Z5 O; |9 d! p% s" MBOOL IsSoftIce95Loaded()# B0 B, j1 U8 S0 I) u. o" T6 y4 C; e
{" j( X5 l0 u8 Q8 Q/ T2 s1 s
   HANDLE hFile;  ! C8 n2 s! I1 i) b  d
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& k; h/ s3 G3 s" x3 G
                      FILE_SHARE_READ | FILE_SHARE_WRITE,( v; l8 A% ?5 }' K: X
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
; [4 u: T- O6 I% E* J   if( hFile != INVALID_HANDLE_VALUE )  `2 ?% g) U- G3 W6 Y4 _1 ?
   {
1 g6 U2 U  c7 D5 t  m2 V2 z      CloseHandle(hFile);
4 r) f* D1 _* C/ _. z3 L8 j      return TRUE;, A2 `9 V3 l$ b( e
   }! T0 H' U* g" X6 q( [$ Q' H0 i
   return FALSE;- l! v* |) g. w; S  j( J# c. O0 s
}
& U% S( O# p/ K
+ t" M2 F, Q  u- X4 |Although this trick calls the CreateFileA function, don't even expect to be
$ b% U- X- \% p) e1 [; j: zable to intercept it by installing a IFS hook: it will not work, no way!, b8 w0 ~1 ^4 o" ?
In fact, after the call to CreateFileA it will get through VWIN32 0x001F, d3 }% ?$ o( y3 @) \4 w
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)+ g6 l3 H4 w: x$ c/ T! l% m
and then browse the DDB list until it find the VxD and its DDB_Control_Proc. V$ r" L1 l+ C8 G
field.
5 Z/ c9 Q* g9 t# IIn fact, its purpose is not to load/unload VxDs but only to send a # ~3 n6 e& ?' h/ r
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: B7 J5 G% b$ S0 R' B2 ]  d* G. }to the VxD Control_Dispatch proc (how the hell a shareware soft could try
9 u% p7 @9 F3 b4 {to load/unload a non-dynamically loadable driver such as SoftICE ;-).
5 @+ A7 n! }' j! Z# {If the VxD is loaded, it will always clear eax and the Carry flag to allow5 T0 E" \$ |" r1 r& U/ H2 Q  f
its handle to be opened and then, will be detected.& p4 R9 w, O; K( e9 A7 U
You can check that simply by hooking Winice.exe control proc entry point
9 S0 O, p9 ]) Xwhile running MeltICE.$ L4 S, {* A! s9 F+ e$ b; x

5 e. S. k/ g5 B+ F1 ]+ l8 U5 S8 I3 I4 \
  00401067:  push      00402025    ; \\.\SICE
) \5 m6 ?3 H. @$ s  0040106C:  call      CreateFileA
1 X3 v( ?6 M: d, F8 Z! a  00401071:  cmp       eax,-001
/ K) x( f  D  c& G/ p& H  00401074:  je        00401091" c5 `( s- H3 q# z

4 O6 b$ w; ?4 v' p4 U% q0 V% I4 c/ y6 c+ g* @8 V2 d) z8 w# ], |
There could be hundreds of BPX you could use to detect this trick.3 w6 y7 c' p# n/ k& N" `
-The most classical one is:
7 I7 C+ ]* r4 r* L  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||) H. c. V3 C: [2 T
    *(esp-&gt;4+4)=='NTIC'
; _" X: _9 m% G) U( ]* v% ]% y1 Z& q! D3 U/ X1 Q: H
-The most exotic ones (could be very slooooow :-(
( `8 h  d, w( d" C   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  4 U, i9 r; ^$ c" w* ]
     ;will break 3 times :-(& f, ?! c+ O, u" A  o) f

, E. d6 l5 |. j: m-or (a bit) faster: : o7 M& y% ^0 s2 l2 G" u
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'). [2 X4 x( J4 O  E

& g7 b8 i8 T/ P! X0 |   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  5 z. h1 d+ ~( H& |
     ;will break 3 times :-(4 P' @  A1 G  u' w8 h3 `
$ P5 n( F' P$ S9 y+ h$ w
-Much faster:; L* e) P4 R  a: \6 z; t3 ]; x
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'3 F& ]9 t8 i: o( O% z" f, ?8 n
+ [# T, f3 {6 C  ]( s8 D8 I
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
8 @0 }. d% o9 @" u5 k* @. c' o! Ufunction to do the same job:& m& |1 q# P# B& W" E( H# Z

1 O& d8 {: a0 T/ O& F   push    00                        ; OF_READ3 W( Y6 T; O" v4 ^# L
   mov     eax,[00656634]            ; '\\.\SICE',0
' G: G7 d0 [, b$ J5 z/ U; ]" N   push    eax: n. }. l  E( H: q4 B. D+ ~9 q0 G
   call    KERNEL32!_lopen
& \1 J+ ~9 r3 A2 I   inc     eax; {; K4 P) v6 b! P' n" v0 x
   jnz     00650589                  ; detected- {$ j. z+ `5 m
   push    00                        ; OF_READ" }. W' W) F& q
   mov     eax,[00656638]            ; '\\.\SICE'6 C1 P$ n5 C# ]- h/ j
   push    eax, w% e2 O! U6 z5 O' ]2 Q* J  a- Q
   call    KERNEL32!_lopen: ^6 C4 H* Z# ^+ N6 A
   inc     eax
* z# W/ C/ k0 S( H8 \   jz      006505ae                  ; not detected5 ^4 V4 G7 z) }

* b+ W' _! R1 z; O4 _
& j% Z- {8 ?- H% L; t8 W__________________________________________________________________________  v. ?6 e9 D2 E9 R* h# K
' u+ X3 K# M- p. `. l1 H
Method 12- f; s- O/ }0 H. m9 }
=========
3 ]  c( I0 _8 d6 G7 ^" ]0 y3 ^7 m2 l7 O6 F2 D" `
This trick is similar to int41h/4fh Debugger installation check (code 05
2 H) v1 m/ Z8 H9 ^; o1 z" {& T) H&amp; 06) but very limited because it's only available for Win95/98 (not NT)" q* [2 Q/ l  d/ G. G
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.1 S, v; x3 ?% r- ~2 U- z" `
" E0 m0 _# X- V, ~) A
   push  0000004fh         ; function 4fh) O+ l8 b7 q0 @+ i9 U& ^  u
   push  002a002ah         ; high word specifies which VxD (VWIN32)2 m- ~, l3 e5 l/ |6 h+ i9 n5 \
                           ; low word specifies which service. U; z/ c9 \  ]% n' ~
                             (VWIN32_Int41Dispatch)
9 z1 q4 C, O8 c   call  Kernel32!ORD_001  ; VxdCall: U' |: F/ I* n8 q1 m  x
   cmp   ax, 0f386h        ; magic number returned by system debuggers4 \3 P6 U+ p8 n" i+ l$ F, O' x
   jz    SoftICE_detected
; u; A$ K$ ?- Z. o: t) Y0 E
8 t' S! U0 b% \; \3 wHere again, several ways to detect it:
7 Q- m5 i7 \  E9 k' X
3 J) u. e7 [! d+ b- Q* e$ d    BPINT 41 if ax==4f" m) R, \* z4 }# h

: @# o. [+ ]& B2 e3 m0 ?    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
" U! \" H- l" u. A, a
, I$ O% [# T2 M) F) g! k    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A6 V) ^, I% C& I. f

$ W  ~" d1 U/ ^4 Z2 A5 T    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
' b; d; O0 h4 U7 P
$ J0 J0 c/ y2 Q$ B. X, N0 i( U__________________________________________________________________________. s& r' h% N* |5 J- s0 p' F
7 M3 D- L- F# J0 U. T" `
Method 130 K7 m& z2 ~' b1 I; x. Q+ d
=========# q# s! b/ e$ ]) D

! R) }7 g% u5 o* h( oNot a real method of detection, but a good way to know if SoftICE is
. _$ i& A2 A+ u3 Q/ Q3 jinstalled on a computer and to locate its installation directory.0 b$ U" M- V1 j( k. v0 `6 @( P1 l2 V
It is used by few softs which access the following registry keys (usually #2) :
8 i9 Y" w9 H6 n2 L& g* n8 f! |' O1 p- C+ o4 S$ Z+ O* i  F7 g* {. u
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  G0 D+ v* O# z: k  q" A
\Uninstall\SoftICE
: U+ s2 r5 }- ?6 O-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) ^( c+ y1 k- V+ H% i+ ^5 M# N$ D-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* x, s  l+ A8 ?9 U\App Paths\Loader32.Exe
0 c! N7 z9 k& O: u6 e8 b: [9 g1 J# S( j7 G# U0 U

& }+ t" x+ F3 `Note that some nasty apps could then erase all files from SoftICE directory
* w, ?) n# u6 U(I faced that once :-(. V0 i, c9 i6 x$ N$ m

0 y+ n) p, k: _! i5 _1 I' g3 [Useful breakpoint to detect it:2 t# }' _3 a. i5 Z
6 N$ w8 V  o! J% r& M, s
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
% V! e/ Z1 F$ R$ T* O
$ K0 P3 [: v! x9 b__________________________________________________________________________" ]4 i9 i2 a4 O5 O- O
: ?" b- V  a  V4 \
' u3 H' C8 H" i* ^& j. ?
Method 14
( z8 U  H1 r5 E  {5 w=========% {0 s, |% H. f

' Y* M5 h$ Q5 \1 D0 sA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
7 V5 j+ ~4 z4 @1 D/ [is to determines whether a debugger is running on your system (ring0 only).
! v/ k0 M( Y  f( ], C* X: ]% O5 y7 g* x, H" h  u/ R
   VMMCall Test_Debug_Installed
# p% D) l6 F  z  n0 ]7 U   je      not_installed3 \+ n8 J4 k( L, ~7 q4 p( I% ?$ D
/ Y3 z* |5 C3 W8 d! k" ^
This service just checks a flag.+ V- i8 ]) y( K9 c9 y1 _$ Q! q
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-16 08:40

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表