About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker/SoftICE handshake
    cmp     al,4                   ; untouched AL: nobody answered the handshake
    jnz     SoftICE_Detected       ; SoftICE answers with AL=00h

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                  ; ES = 0: address the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; swap in our dummy int 41h handler...
    xchg    bx, es:[41h*4+2]       ; ...keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h                    ; a system debugger answers before the IVT handler
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                           ; does nothing: without a debugger AX stays 4fh
int41handler2 ENDP


2 H2 x. F6 A9 D& u4 [1 c2 R_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                  ; copy AL so the caller can tell this handler ran
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                  ; ES = 0: address the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our handler, keep old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; an unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; CL == AL only if our own handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                    ; DOS set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx = new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);          /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
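Method 10 above reads the debug registers and quotes two reference values for DR7 (0x700 when the program was started with the SoftICE loader, 0x400 otherwise). The following decoder is an added example, not code from the original post: it splits a DR7 value into its enable bits, exact-match flags and per-register condition/length fields following the documented IA-32 DR7 layout, so an analyst can read what a given value actually means (is a BPM-style hardware breakpoint armed, or is it only the LE/GE flags and the always-set reserved bit?). The sample values in the main block are constructed.

```python
"""Decode an x86 DR7 value into the state of the four hardware breakpoints."""

# DR7 bit layout (IA-32 architecture manual, vol. 3, "Debug Registers"):
#   bits 0-7          : L0,G0 ... L3,G3  local/global enable for DR0..DR3
#   bit 8, bit 9      : LE, GE           legacy exact-match flags
#   bit 10            : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13            : GD               general detect: trap on any access to DR0-DR7
#   bits 16+4n,17+4n  : R/Wn             break condition for DRn
#   bits 18+4n,19+4n  : LENn             monitored size for DRn
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 is 8 bytes in 64-bit mode, undefined on 32-bit


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and the list of armed breakpoints described by dr7."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue                      # DRn may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        length = (dr7 >> (18 + 4 * n)) & 3
        breakpoints.append({
            "reg": f"dr{n}",
            "local": local,
            "global": glob,
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "breakpoints": breakpoints,
    }


def classify_dr7(dr7: int) -> str:
    """One-line verdict, in the terms the post uses for its two reference values."""
    state = decode_dr7(dr7)
    if state["breakpoints"]:
        armed = ", ".join(f"{b['reg']}({b['condition']},{b['length']}B)"
                          for b in state["breakpoints"])
        return f"hardware breakpoints armed (BPM-style): {armed}"
    if state["le"] or state["ge"]:
        return ("no breakpoint armed, LE/GE exact-match flags set "
                "(the 0x700 value the post attributes to the SoftICE loader)")
    if state["gd"]:
        return "no breakpoint armed, general-detect (GD) set"
    return "debug registers idle, only the reserved bit set (the post's 0x400 value)"


if __name__ == "__main__":
    # Constructed sample values: the two from the post plus one armed DR0 write watch.
    for value in (0x700, 0x400, 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(f"DR7={value:#010x}: {classify_dr7(value)}")
```

Reading DR7 requires ring 0, as the post says; the decoder only interprets a value obtained elsewhere (a kernel debugger, a crash dump, a hypervisor trace), which is where an analyst usually meets it.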
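The post detects each trick at run time with a BPX or BPINT. As an added example (not part of the original post), the following Python script applies the same catalogue statically: it scans a file for the byte encodings of the instruction sequences quoted in methods 01 to 07 and 12, and for the device-name and registry strings of methods 11 and 13, so that a sample can be flagged as anti-debugging-aware before it is ever loaded. The opcode bytes are derived from the listings above (16-bit operand size as written there, with an optional 0x66 prefix to cover the same instructions in a 32-bit code segment); the sample buffer is constructed and the method numbers refer to the sections of this post.

```python
"""Static scan of a binary for the anti-SoftICE tricks catalogued in the post."""
import re
import sys

# Encodings of the instruction sequences quoted in the post.
CODE_SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK' handshake before int 3)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h / mov di,4A4Dh (int 3 back-door magic values)",
     rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD entry point)",
     rb"\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F"),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD entry point)",
     rb"\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h (system debugger installation check)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler check)",
     rb"\xB4\x43\xCD\x68"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

# Strings the post quotes for the handle-open (method 11) and registry (method 13) probes.
STRING_MARKERS = [
    ("11", r"\\.\SICE"),
    ("11", r"\\.\SIWVID"),
    ("11", r"\\.\NTICE"),
    ("13", r"Software\NuMega\SoftICE"),
    ("13", r"Uninstall\SoftICE"),
    ("13", r"App Paths\Loader32.Exe"),
]


def build_signatures():
    """Compile code patterns as-is and each string marker in ASCII and UTF-16LE."""
    sigs = [(m, d, re.compile(p)) for m, d, p in CODE_SIGNATURES]
    for method, text in STRING_MARKERS:
        sigs.append((method, f"string {text!r} (ASCII)",
                     re.compile(re.escape(text.encode("ascii")))))
        sigs.append((method, f"string {text!r} (UTF-16LE)",
                     re.compile(re.escape(text.encode("utf-16-le")))))
    return sigs


SIGNATURES = build_signatures()


def scan(data: bytes):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP padding around four of the patterns.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"       # method 01 sequence, 10 bytes
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"               # method 03 sequence, 8 bytes
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                # method 11 device name, 9 bytes
    + b"\x90" * 4
    + "Software\\NuMega\\SoftICE".encode("utf-16-le")  # method 13 key as a wide string
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, desc in scan(data):
        print(f"{offset:#010x}  method {method}  {desc}")
```

Run it with a file path to scan that file, or with no argument to scan the constructed sample. Short opcode patterns such as method 07's four bytes can occur by chance in unrelated data, so a hit is a pointer to disassemble at that offset, not a verdict; packed or encrypted samples will only show the strings and code of their unpacking stub.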