About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is no longer 4 if SoftICE answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (assumes ES=0, i.e. the IVT)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> the IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al if the int 41h never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
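Added example, not part of the original post: a small Python scanner that looks for the byte signatures of the tricks listed above (Methods 01, 02, 03/04, 05, 07, 11 and 12) in a binary, the kind of static triage an analyst does before deciding which of the breakpoints above to set. The x86 encodings, the signature names and the constructed sample buffer are mine; the magic values and device names come from the text.

```python
import re
import sys

# Byte signatures for the anti-SoftICE tricks listed above. All encodings are
# standard x86: 16-bit forms for the DOS samples (Haspinst, int 41h, int 68h),
# 32-bit forms for the Win32 ones (Method 01, Method 12). Patterns are regexes
# over bytes so that variable operands (the VxD ID, an operand-size prefix)
# can be expressed.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    "M01 BoundsChecker 'BCHK' int 3":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order, <=16 bytes apart)
    "M02 back door magic SI=4647h/DI=4A4Dh":
        rb"(?:\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h SICE or SIWVID entry point":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h (optional 66h operand-size prefix)
    "M05 int 41h/4Fh debugger check":
        rb"\x66?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h/43h WinICE handler":
        rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: MeltICE device names, also used by the _lopen variant
    "M11 MeltICE driver name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan(buf):
    """Return a sorted list of (offset, name) for every signature found in buf."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in re.finditer(pat, buf, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP filler around four of the
# fragments shown above, assembled by hand.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Haspinst fragment
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # mov ax,4Fh/int 41h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                   # MeltICE string
    + b"\x90" * 3
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
)

if __name__ == "__main__":
    # Scan the file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08X}  {name}")
```

A hit only says the bytes are present; Method 06 and Methods 09/10/13/14 have no fixed byte pattern and still need the dynamic checks the text describes.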