About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; with SoftICE loaded, its int 3 handler services
    jnz     SoftICE_Detected       ; the 'BCHK' request and returns al != 4

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (still 0:0 if no VxD answered)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (still 0:0 if no VxD answered)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h                     ; our handler leaves ax alone, so 0F386h
    xchg    dx, es:[41h*4]          ; can only come from something below the IVT
    xchg    bx, es:[41h*4+2]        ; restore the original vector
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler: echo al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random value from the timer chip
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means our handler never ran
    jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
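As an added example (not part of the original text, and not code from any of the tools or programs it names), the following Python script turns the listings of Methods 01 to 07 above into static byte signatures and scans a binary for them, the way a triage script or an AV rule would flag anti-debugging code. The opcode encodings are the standard 16-bit Intel ones, with an optional 66h operand-size prefix allowed so the same instructions match in 32-bit code; the 16-byte gap allowance, the signature names and the sample buffer are my own assumptions, and the sample is hand-assembled from the page's listings, not taken from any real program.

```python
"""Static scan for the interrupt-based SoftICE checks (Methods 01-07 above).

Added example: the signatures are derived from the listings on this page;
the gap allowance, the names and the sample buffer are assumptions of mine.
"""
import re
import sys
from typing import List, Tuple

# Optional 66h operand-size prefix: the listings are 16-bit code, but the same
# 16-bit-register instructions carry a 66h prefix when placed in 32-bit code.
P66 = rb"(?:\x66)?"
# Up to 16 bytes of unrelated instructions may sit between the parts of a check.
GAP = rb".{0,16}?"

# name -> (description, compiled byte pattern).  Standard Intel encodings:
# mov ebp,imm32 = BD imm32; mov ax/bx/si/di,imm16 = B8/BB/BE/BF imm16;
# mov ah,imm8 = B4 imm8; in al,imm8 = E4 imm8; int n = CD n; cmp ax,imm16 = 3D imm16.
SIGNATURES = {
    "M01": ("int 3 with 'BCHK' (4243484Bh) in ebp: BoundsChecker signature",
            re.compile(P66 + rb"\xBD\x4B\x48\x43\x42", re.DOTALL)),
    "M02": ("SoftICE back-door magic values si=4647h and di=4A4Dh (either order)",
            re.compile(P66 + rb"\xBE\x47\x46" + GAP + P66 + rb"\xBF\x4D\x4A"
                       + rb"|" + P66 + rb"\xBF\x4D\x4A" + GAP + P66 + rb"\xBE\x47\x46",
                       re.DOTALL)),
    "M03/04": ("int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
               re.compile(P66 + rb"\xB8\x84\x16" + GAP + P66
                          + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
                          re.DOTALL)),
    "M05": ("int 41h function 4Fh debugger-installation check",
            re.compile(P66 + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41", re.DOTALL)),
    "M06": ("int 41h fed with a timer value read by in al,40h",
            re.compile(rb"\xE4\x40" + GAP + rb"\xCD\x41", re.DOTALL)),
    "M07": ("int 68h function 43h: V86 WinICE handler check",
            re.compile(rb"\xB4\x43" + GAP + rb"\xCD\x68", re.DOTALL)),
    "F386": ("cmp ax,0F386h: system-debugger magic number (weak on its own)",
             re.compile(P66 + rb"\x3D\x86\xF3", re.DOTALL)),
}


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits: List[Tuple[int, str]] = []
    for name, (_, pattern) in SIGNATURES.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


def report(data: bytes) -> List[str]:
    """One human-readable line per hit."""
    return [f"{off:08X}  {name:<6} {SIGNATURES[name][0]}" for off, name in scan(data)]


# Constructed sample, not a real program: the page's listings hand-assembled
# as 16-bit code and padded with NOPs (90h) behind a fake 'MZ' header.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"       # Method 02 (Haspinst style)
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"       # Method 04 (SIWVID)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"               # Method 05
    + b"\x90" * 4
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                           # Method 07
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(blob):
        print(line)
```

Run it with a file path to scan a real binary, or with no argument to scan the built-in sample. A hit on the 0F386h compare alone is weak evidence, since any program that talks to the DOS debugger interface may contain it; the int 3 'BCHK' load and the 4647h/4A4Dh pair are specific to these checks, which is why they get their own names in the report.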


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
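As a second added example (again not code from the original post, from MeltICE or from any program named here), this Python script looks for the string indicators behind Methods 11 and 13: the device names that the CreateFileA and _lopen checks open, and the registry keys that are probed. It searches case-insensitively in both ANSI and UTF-16LE, since a Win32 program may carry these names in either encoding. The indicator list comes from the listings above; the choice of encodings and the sample buffer are my own assumptions, and the sample is constructed, not dumped from a real binary.

```python
"""Static scan for the string indicators of Methods 11 and 13 above.

Added example, not code from the original post or from MeltICE: the indicator
list is taken from the page's listings; the encodings handled and the sample
buffer are assumptions of mine.
"""
import sys
from typing import List, Tuple

# Device names opened by the CreateFileA/_lopen checks (Method 11) and the
# registry keys probed by Method 13, as the listings above give them.
INDICATORS = [
    r"\\.\SICE",
    r"\\.\SIWVID",
    r"\\.\NTICE",
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"CurrentVersion\App Paths\Loader32.Exe",
]

# A Win32 program may carry these as ANSI (CreateFileA, _lopen) or as
# UTF-16LE (CreateFileW, resource strings); check both.
ENCODINGS = {
    "ansi": "ascii",
    "utf-16le": "utf-16-le",
}


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset of needle in haystack, overlapping occurrences included."""
    hits: List[int] = []
    pos = haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def scan_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, indicator) for every indicator found.

    Device and registry names are case-insensitive on Windows, so both sides
    are lower-cased.  bytes.lower() only touches ASCII letters, which leaves
    the NUL high bytes of UTF-16LE intact, so one lowered copy serves both.
    """
    lowered = data.lower()
    hits: List[Tuple[int, str, str]] = []
    for indicator in INDICATORS:
        for enc_name, codec in ENCODINGS.items():
            needle = indicator.lower().encode(codec)
            for off in find_all(lowered, needle):
                hits.append((off, enc_name, indicator))
    return sorted(hits)


# Constructed sample, not a real binary: the MeltICE device name as an ANSI
# string, the NT driver name as UTF-16LE, the usual registry key, and a
# lower-case variant to show the case-insensitive match.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + b"Software\\NuMega\\SoftICE\x00"
    + b"\x00" * 4
    + b"\\\\.\\sice"
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, indicator in scan_strings(blob):
        print(f"{off:08X}  {enc:<8}  {indicator}")
```

A device-name hit tells you where the string lives, which is the usual starting point for locating the CreateFileA or _lopen call that references it (the `push 00402025` in the MeltICE listing above); packed binaries hide these strings until unpacking, so an empty result on a packed file means nothing.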


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>