About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install temporary int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install temporary int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies AL to CL; if SoftICE
                                    ; services int 41h itself, CL stays 0
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()      /* Win32; needs windows.h */
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
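The constants and strings catalogued in the methods above are convenient static signatures when triaging a sample for anti-debugging code. The Python scanner below is an added example, not part of the original post: it searches a raw binary for the opcode and string patterns of methods 01, 02, 05-07/12, 11 and 13; the signature names, the encoding assumptions (16-bit encodings, with an optional 66h prefix where 32-bit code applies) and the sample bytes are my own.

```python
"""Scan a raw binary for the anti-SoftICE signatures catalogued above."""
import re
import sys
from typing import Dict, List

# Signature name -> byte-regex patterns. Opcode patterns cover the 16-bit
# encoding and, where a 66h prefix applies, the 32-bit one as well.
SIGNATURES: Dict[str, List[bytes]] = {
    # Method 01: mov ebp,04243484Bh -> (66) BD 4B 48 43 42
    "method 01: BoundsChecker 'BCHK' int 3": [rb"\x66?\xbd\x4b\x48\x43\x42"],
    # Method 02: mov si,4647h -> BE 47 46 ; mov di,4A4Dh -> BF 4D 4A
    "method 02: int 3 back door magic SI/DI": [rb"\xbe\x47\x46", rb"\xbf\x4d\x4a"],
    # Methods 05-07, 12: cmp ax,0F386h -> (66) 3D 86 F3
    "methods 05-07/12: cmp ax,0F386h": [rb"\x66?\x3d\x86\xf3"],
    # Method 11 (MeltICE): device names opened with CreateFileA / _lopen
    "method 11: MeltICE device name": [rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"],
    # Method 13: registry probing (ANSI string, as in Win9x-era binaries)
    "method 13: SoftICE registry key": [rb"Software\\NuMega\\SoftICE"],
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {signature: sorted file offsets} for every signature that hits.

    Short opcode patterns can match by chance inside data, so treat a hit as
    a triage hint to disassemble at that offset, not as proof by itself.
    """
    hits: Dict[str, List[int]] = {}
    for name, patterns in SIGNATURES.items():
        offsets = sorted(m.start() for pat in patterns for m in re.finditer(pat, blob))
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: the Haspinst.exe prologue (method 02), a method 05
# check and a MeltICE device string, separated by NOP padding.
SAMPLE = (
    b"\x90" * 8
    + b"\xb8\x11\x09"            # mov ax,0911h
    + b"\xbe\x47\x46"            # mov si,4647h   (offset 11)
    + b"\xbf\x4d\x4a"            # mov di,4A4Dh   (offset 14)
    + b"\xcc"                    # int 3
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41"    # mov ax,4fh / int 41h
    + b"\x3d\x86\xf3"            # cmp ax,0F386h  (offset 27)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0   (offset 34)
)

if __name__ == "__main__":
    # Scan the file named on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offs in scan(data).items():
        print(f"{name}: " + ", ".join(f"0x{o:x}" for o in offs))
```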