About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface that SoftICE answers to on int 3:
with ebp = 'BCHK' and ax = 04h, a loaded SoftICE services the interrupt
and al no longer equals 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It reaches
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(the "get VxD API entry point" call). When the VxD is not present the
call leaves ES:DI at 0:0, which is what the sum below tests.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector in the interrupt table with its own handler (a plain iret) around the
call, so anything that hooks int 41h through the vector table is bypassed;
the result is still compared with 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES:0 = interrupt vector table
                                    ; (set-up added; the listing assumed ES was already 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect, since
no 4Fh or 0F386h constant appears. A byte is read from the timer (port 40h)
into al and cx is cleared before int 41h. If the program's own handler runs,
it copies al into cl and the two match. If SoftICE intercepts int 41h, the
handler is never reached, cl stays 0 and (unless the timer byte happened to
be 0) differs from al:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ax, seg New_Int_Routine
    mov     ds, ax                  ; DS:DX must address the new handler
    mov     dx, offset New_Int_Routine
    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, 01h                 ; interrupt number: 01h (or 03h)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

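What 0x700 versus 0x400 actually encodes, and how a BPM on DR0-DR3 shows up in DR7, as an added example in C (not part of the original text). The bit layout is Intel's documented DR7 format; the BPM value is constructed for the example. Reading the real registers still needs ring 0 (mov eax, dr7), which this example does not attempt.

```c
/* Added example: decode and manipulate DR7 the way the Method 10 check does.
 * Layout (Intel DR7): L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10
 * reserved and always 1 (so 0x400 = "nothing set"), GD bit 13, then per slot
 * n: R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int local, global;  /* Ln, Gn enable bits                           */
    int rw;             /* 0 exec, 1 write, 2 I/O (CR4.DE), 3 read/write */
    int len;            /* 0: 1 byte, 1: 2 bytes, 3: 4 bytes             */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge, gd;
    int armed;          /* slots with L or G set, i.e. active BPM/BPX on DRn */
} dr7_info;

dr7_info dr7_decode(uint32_t dr7)
{
    dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.slot[n].local  = (dr7 >> (2 * n)) & 1;
        d.slot[n].global = (dr7 >> (2 * n + 1)) & 1;
        d.slot[n].rw     = (dr7 >> (16 + 4 * n)) & 3;
        d.slot[n].len    = (dr7 >> (18 + 4 * n)) & 3;
        d.armed += d.slot[n].local | d.slot[n].global;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The loader signature quoted in the text: 0x700 - 0x400 = LE and GE set.
 * Only those two bits are tested, so a DR7 that also carries BPMs matches. */
int dr7_loaded_by_sice(uint32_t dr7) { return (dr7 & 0x300) == 0x300; }

/* Arm slot n as a hardware breakpoint (what a BPM does): local enable plus
 * the R/W and LEN fields. Every other bit is preserved. */
uint32_t dr7_arm(uint32_t dr7, int n, int rw, int len)
{
    dr7 |= 1u << (2 * n);
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((uint32_t)(rw & 3) | ((uint32_t)(len & 3) << 2)) << (16 + 4 * n);
    return dr7;
}

/* "Clearing BPMs": drop all L/G enables and their R/W-LEN fields, keep
 * LE/GE/GD and the reserved bits (bits 8-15) untouched. */
uint32_t dr7_clear_bpm(uint32_t dr7) { return dr7 & 0x0000FF00u; }

static void show(uint32_t dr7)
{
    dr7_info d = dr7_decode(dr7);
    printf("DR7=%08X LE=%d GE=%d GD=%d armed=%d", (unsigned)dr7, d.le, d.ge, d.gd, d.armed);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local || d.slot[n].global)
            printf("  DR%d:%s rw=%d len=%d", n, d.slot[n].global ? "G" : "L",
                   d.slot[n].rw, d.slot[n].len);
    putchar('\n');
}

int main(void)
{
    show(0x400);                                 /* nothing set: reset value        */
    show(0x700);                                 /* loaded through SoftICE's loader */
    uint32_t bpm = dr7_arm(0x700, 0, 1, 3);      /* constructed: BPM on DR0, write, dword */
    show(bpm);
    show(dr7_clear_bpm(bpm));                    /* back to 0x700                   */
    return 0;
}
```

The check a packer performs is the comparison in dr7_loaded_by_sice; the decode is what you want when you see an unexpected DR7 on a machine, because it tells you which DRn is armed and whether it is an execution, write or read/write breakpoint.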
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SoftICE Win9x VxD through its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(


-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 and 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

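Every interrupt-based check above (Methods 01 to 07) and the VxDCall form of Method 12 has to load fixed immediates before its INT or call, which is what makes them cheap to fingerprint in a packed file before you ever run it. The following scanner is an added example in C, not part of the original text or of any tool it names: the opcode bytes are the standard x86 encodings of the instructions listed in those methods, while the 24-byte look-back window and the sample buffers are constructed for this example.

```c
/* Added example, not from the original text: fingerprint the interrupt-based
 * anti-SoftICE checks (Methods 01-07, and the VxDCall form of Method 12) in a
 * raw code buffer by the immediates they must load before the INT or call.
 * Opcodes are standard x86 encodings; WINDOW and the samples are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 24   /* bytes searched before an INT for its set-up (assumption) */

enum {
    M01_BCHK = 1u << 0,  M02_BACKDOOR = 1u << 1,  /* int 3: ebp='BCHK',ax=4 | si=4647h,di=4A4Dh */
    M03_INT2F = 1u << 2, M04_INT2F = 1u << 3,     /* int 2Fh/1684h: bx=0202h (SICE) | 7A5Fh (SIWVID) */
    M05_INT41 = 1u << 4, M06_INT41 = 1u << 5,     /* int 41h: ax=4Fh | Stone's in al,40h variant */
    M07_INT68 = 1u << 6, M12_VXDCALL = 1u << 11   /* int 68h ah=43h | push 4Fh,push 2A002Ah,VxDCall */
};

/* true if pat occurs anywhere inside buf[0..len) */
static int has(const uint8_t *buf, size_t len, const uint8_t *pat, size_t plen)
{
    if (len < plen) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* bitmask of the methods whose signature appears in buf */
unsigned scan_anti_sice(const uint8_t *buf, size_t len)
{
    static const uint8_t bchk[]   = {0x4B,0x48,0x43,0x42};   /* imm32 'BCHK'            */
    static const uint8_t si4647[] = {0xBE,0x47,0x46};        /* mov si,4647h            */
    static const uint8_t di4a4d[] = {0xBF,0x4D,0x4A};        /* mov di,4A4Dh            */
    static const uint8_t ax1684[] = {0xB8,0x84,0x16};        /* mov ax,1684h            */
    static const uint8_t bx0202[] = {0xBB,0x02,0x02};        /* mov bx,0202h            */
    static const uint8_t bx7a5f[] = {0xBB,0x5F,0x7A};        /* mov bx,7A5Fh            */
    static const uint8_t ax4f[]   = {0xB8,0x4F,0x00};        /* mov ax,4Fh              */
    static const uint8_t inal40[] = {0xE4,0x40};             /* in al,40h               */
    static const uint8_t ah43[]   = {0xB4,0x43};             /* mov ah,43h              */
    static const uint8_t vxd[]    = {0x68,0x4F,0x00,0x00,0x00, 0x68,0x2A,0x00,0x2A,0x00};
    unsigned found = 0;

    for (size_t i = 0; i < len; i++) {
        size_t back = i < WINDOW ? i : WINDOW;
        const uint8_t *w = buf + i - back;                   /* bytes before this INT  */
        int int3 = buf[i] == 0xCC || (buf[i] == 0xCD && i + 1 < len && buf[i+1] == 0x03);
        int intn = (!int3 && buf[i] == 0xCD && i + 1 < len) ? buf[i+1] : -1;

        if (int3) {
            if (has(w, back, bchk, 4)) found |= M01_BCHK;
            if (has(w, back, si4647, 3) && has(w, back, di4a4d, 3)) found |= M02_BACKDOOR;
        } else if (intn == 0x2F && has(w, back, ax1684, 3)) {
            if (has(w, back, bx0202, 3)) found |= M03_INT2F;
            if (has(w, back, bx7a5f, 3)) found |= M04_INT2F;
        } else if (intn == 0x41) {
            if (has(w, back, ax4f, 3))   found |= M05_INT41;
            if (has(w, back, inal40, 2)) found |= M06_INT41;  /* no 4Fh/F386h constant */
        } else if (intn == 0x68 && has(w, back, ah43, 2)) {
            found |= M07_INT68;
        }
    }
    if (has(buf, len, vxd, sizeof vxd)) found |= M12_VXDCALL;
    return found;
}

/* AX function of the first mov ax,09xxh (0910h..0914h) in buf, 0 if none:
 * tells which back door command a Method 02 site asks SoftICE for */
unsigned backdoor_function(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 2 < len; i++)
        if (buf[i] == 0xB8 && buf[i+2] == 0x09 && buf[i+1] >= 0x10 && buf[i+1] <= 0x14)
            return 0x0900u | buf[i+1];
    return 0;
}

/* Constructed samples, one per check (jump displacements are dummies) */
static const uint8_t SAMPLE_HASP[] = {0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    0x83,0xC3,0x02, 0x41, 0x83,0xF9,0x06, 0x72,0xEB};           /* the Haspinst loop, Method 02 */
static const uint8_t SAMPLE_BCHK[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x05};
static const uint8_t SAMPLE_INT41_68[] = {0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x05};             /* Method 05 then Method 07 */
static const uint8_t SAMPLE_STONE[] = {0xE4,0x40, 0x33,0xC9, 0xCD,0x41, 0x3A,0xC8, 0x75,0x05};  /* Method 06 */
static const uint8_t SAMPLE_INT2F[] = {0x33,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,
    0x8C,0xC0, 0x03,0xC7, 0x85,0xC0, 0x75,0x05};                  /* Method 04 */
static const uint8_t SAMPLE_VXDCALL[] = {0x68,0x4F,0x00,0x00,0x00, 0x68,0x2A,0x00,0x2A,0x00,
    0xFF,0x15,0,0,0,0, 0x66,0x3D,0x86,0xF3, 0x74,0x05};           /* Method 12 */
static const uint8_t SAMPLE_CLEAN[] = {0x55,0x8B,0xEC, 0x33,0xC0, 0xCD,0x21, 0x5D, 0xC3};  /* ordinary code */

int main(void)
{
    const struct { const char *name; const uint8_t *b; size_t n; } s[] = {
        {"haspinst", SAMPLE_HASP, sizeof SAMPLE_HASP}, {"bchk", SAMPLE_BCHK, sizeof SAMPLE_BCHK},
        {"int41/68", SAMPLE_INT41_68, sizeof SAMPLE_INT41_68}, {"stone", SAMPLE_STONE, sizeof SAMPLE_STONE},
        {"int2f", SAMPLE_INT2F, sizeof SAMPLE_INT2F}, {"vxdcall", SAMPLE_VXDCALL, sizeof SAMPLE_VXDCALL},
        {"clean", SAMPLE_CLEAN, sizeof SAMPLE_CLEAN}};
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-9s methods=0x%03x backdoor=%04Xh\n", s[i].name,
               scan_anti_sice(s[i].b, s[i].n), backdoor_function(s[i].b, s[i].n));
    return 0;
}
```

The look-back window is what keeps the short immediates (two or three bytes) from firing on random data: they only count when an INT of the right number follows within a few instructions. Method 06 is the one check with no constant to match, so the scanner falls back to the in al,40h that precedes its int 41h; a packer that reads a different source of entropy would slip past, which is exactly why the text calls it harder to detect.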
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>