找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
; m  M8 d% s8 `' T<TBODY>
" j% U7 ~. W' m; X* Q$ q) `<TR>
4 x. t* s# Y. q" [$ n<TD><PRE>Method 01
1 d% E/ r/ n" F' H0 F=========: g, g( \8 F  d! ?6 o' Q* c6 `& y
2 |% [4 {7 [( ?5 I. {/ S
This method of detection of SoftICE (as well as the following one) is1 o: V* v% M- V) q1 ]* }
used by the majority of packers/encryptors found on Internet.
7 z  [9 v6 l6 B2 i6 uIt seeks the signature of BoundsChecker in SoftICE6 Z+ t; [4 w+ {% q, g

; i1 K/ l: c  g8 l. p$ \8 l    mov     ebp, 04243484Bh        ; 'BCHK'. @* y) L8 H/ k& y) J" Z. T' |
    mov     ax, 04h
3 H+ p; j$ h+ @0 Y% Z3 E4 v    int     3       . {0 ]! V7 I3 Y- ?$ R
    cmp     al,4
9 {* x6 B2 v* W' t3 f- n& j    jnz     SoftICE_Detected4 K/ ]6 a% M: E% `

, R4 r& |+ i! G( b3 q___________________________________________________________________________
$ W  z, F; `+ V/ v$ _
$ d7 \8 D* E( z* j4 M' e: y+ F. _Method 023 h/ v* C! D3 u. \5 r" w, @
=========
# N+ s& Y9 D4 j# h1 N$ _, p$ o3 Q* |) m% k4 M: k6 v6 o. j
Still a method very much used (perhaps the most frequent one).  It is used& ~: ~: o; F6 ]* d. V6 a
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
  s& D& Q: G4 D! H" v+ K1 S5 aor execute SoftICE commands...
% A4 \/ S- L/ u# I: iIt is also used to crash SoftICE and to force it to execute any commands
* p' P3 D9 P" u4 m: ?, z; x6 \  _(HBOOT...) :-((  4 x5 ^9 {& ~1 @6 u
1 z1 V$ v4 U$ m" {6 \1 H
Here is a quick description:  u) q) ~0 E( }2 H% K
-AX = 0910h   (Display string in SIce windows)% N- Y# @- b6 b/ o7 g
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
5 ^  O$ M! J3 [: k: C" H-AX = 0912h   (Get breakpoint infos)  K# B# j6 M- W! X7 T7 Y0 Z& g1 j
-AX = 0913h   (Set Sice breakpoints)( H. V1 Y) K, d! V9 g2 T$ J
-AX = 0914h   (Remove SIce breakoints)
: g" Y& h9 m# M1 a6 k0 t8 G1 Z+ n* v4 g( ^3 P7 z' t
Each time you'll meet this trick, you'll see:  d! f7 n0 j" `2 _) [0 V7 S( L
-SI = 4647h
: i$ A4 j1 x+ [1 G-DI = 4A4Dh! t" L- x: E8 z
Which are the 'magic values' used by SoftIce.. K$ N* ?+ R" C+ y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.% |  Z9 L9 {$ ?7 f1 J4 A' m% s

5 J3 b7 Y8 ^4 X) \' P" y/ o9 O7 oHere is one example from the file "Haspinst.exe" which is the dongle HASP: |4 C+ L: R0 P
Envelope utility use to protect DOS applications:" o) s: N; e5 a1 D+ z
0 C) y; X0 s& G. S

, i4 m9 T# `0 }( L  ~" g& d4C19:0095   MOV    AX,0911  ; execute command.0 r7 |: \; d1 k/ Q
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).' X" ?: t, z! f$ A( L& H
4C19:009A   MOV    SI,4647  ; 1st magic value.
8 c6 L& G' Q5 V) n: K' ?4C19:009D   MOV    DI,4A4D  ; 2nd magic value.$ v5 i* E7 ^- `  }
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
: `5 I; M: w5 ~2 w0 [2 t4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
2 m( y' r; C- n4C19:00A4   INC    CX
% `' I6 P( v7 \( _; M$ a$ f: }6 J' T4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute5 e; B" U5 D% Q+ _
4C19:00A8   JB     0095     ; 6 different commands.6 q& j6 {3 T0 K5 L6 @5 @" C( v
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
% {6 a  Y0 ]* c4 J' D4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
8 I0 r$ v$ X1 t1 F6 }. S* j6 z6 X, x* ]0 T8 w2 l
The program will execute 6 different SIce commands located at ds:dx, which( e* l, Z! X/ h1 Z# X5 z7 y9 c6 W
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.3 g% r+ r" a* R0 i1 k7 n$ b
: z/ T2 A* M" O7 x! H& U: n9 C
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& I* n- p3 }/ b; l- n___________________________________________________________________________$ w: o, x8 G4 f# B, v2 g* y1 [

5 S, Q; p! _1 M
+ u+ S* Z, b2 a4 AMethod 03
& ]9 K: v9 H: ^/ x=========
& E4 O/ U% s- g9 }$ ?4 `
* Q4 h0 a, i  q* y2 JLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
# {. C8 |, p+ ?0 f% V- [) A9 _& y(API Get entry point)' ?4 \: ]/ S2 A" y+ C
        
, E* o7 O* F6 w
3 K, G8 Q4 y: [+ b2 Y    xor     di,di  s7 t" S7 r1 Q+ A3 w# p/ O
    mov     es,di- _0 ?6 k  Y, Z) W8 c
    mov     ax, 1684h       5 A! n7 R$ P2 r! S. o8 u- ?
    mov     bx, 0202h       ; VxD ID of winice6 o$ J' x. X, z" [+ H0 ^" i0 ?8 R
    int     2Fh
5 K5 ^2 M3 e9 G: T/ `" Y    mov     ax, es          ; ES:DI -&gt; VxD API entry point
/ M! L* z3 l0 d8 V& \& ?    add     ax, di
" Q3 h9 W0 g0 n    test    ax,ax0 v3 Y* g1 d$ S  ]3 {% p1 U" d
    jnz     SoftICE_Detected
$ @- u; V' b+ d" Q6 z5 O/ f- F. P# y7 k
___________________________________________________________________________
. h  A  c9 }8 Y9 Z
1 Z$ v; m  P. iMethod 040 V$ `' \4 P+ Z+ Y6 i+ N! x1 }
=========2 J% @& O; A' S

, k; j* S- z, ?/ h5 p3 j: uMethod identical to the preceding one except that it seeks the ID of SoftICE
- J8 w1 |6 h: j  EGFX VxD.: V* \8 J% x. A; G. u! d
8 q& B" H# F+ ^7 {
    xor     di,di$ k& N- N8 W; j& E2 Q
    mov     es,di
/ [$ s. q) |2 ?# {    mov     ax, 1684h      
$ P  M) j: H4 C  \) i+ L- s    mov     bx, 7a5Fh       ; VxD ID of SIWVID1 D% h' B0 W( t: v- s% i. C
    int     2fh- }3 b/ o2 g8 K0 m' |
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 W4 q4 d1 I8 w% I    add     ax, di
' x) H$ \; `  J  P( n    test    ax,ax% Q% E5 r. z6 d( q3 z, J, C$ ~
    jnz     SoftICE_Detected
3 g; _8 I4 e8 S$ s# E5 |- W. K% W! e
__________________________________________________________________________
# D" @' d* k3 H, E4 u& S
; S! n& K' C+ x2 n' G/ Q& v' s' _7 ^( }' n" I4 r2 n9 c
Method 05* y% o6 I' j* Y3 b" C
=========
; V) C& w: _$ p$ _) l; X0 e
; c" T9 `0 B- J' j" L2 v9 R4 XMethod seeking the 'magic number' 0F386h returned (in ax) by all system
! x+ [- F1 E. o1 y4 Qdebugger. It calls the int 41h, function 4Fh.3 Q" h+ H# N8 H+ ]. l+ d
There are several alternatives.  ) {  C# U: L5 G0 k' }5 W' P
2 N1 [9 g4 ?0 ?+ L: w
The following one is the simplest:
( F* h( e) w& X, i. S# z. v$ W6 H$ y$ |# Q2 h
    mov     ax,4fh. Q! Z8 n* U9 _, o, n* M, z7 Z6 N
    int     41h$ ]7 G1 M$ h- U* h/ P" u' o' p
    cmp     ax, 0F386
) f- v. Q7 Q( S; Y# }4 y* J0 M" c    jz      SoftICE_detected
1 E7 q" V/ D$ N
0 ]& P  K: S3 |* M
) K; o. J( Y: y5 l9 ?4 I. HNext method as well as the following one are 2 examples from Stone's
: J" e3 J* ~8 c2 n"stn-wid.zip" (www.cracking.net):
) T3 h' Q, K: k4 f- F3 `1 B1 Z( b2 Y6 ^6 M: L+ s; w" \9 d
    mov     bx, cs
0 `2 F# ]+ D: R( O$ [6 p    lea     dx, int41handler2
1 l5 D; ^0 }. Q$ j' J" J1 O/ q5 P6 B    xchg    dx, es:[41h*4]3 `: }' s- Z! H( Y7 W
    xchg    bx, es:[41h*4+2]
* z) Z8 F+ r! z! x& p    mov     ax,4fh* [7 b3 ]" m8 R5 g( Y% O' R5 Z9 o0 ?
    int     41h
/ k: o: Y6 i& X) W    xchg    dx, es:[41h*4]& |, x9 C# d, g2 q+ I
    xchg    bx, es:[41h*4+2]
, Y# i* s9 u  n    cmp     ax, 0f386h
; W# t+ h* c$ ]7 n2 I    jz      SoftICE_detected
! G2 }( {- J. K: ^. q( [" Z& a3 Y3 u9 D& K) B
int41handler2 PROC3 ?# P# W/ K# t. B9 y1 L/ ?
    iret4 r/ G$ L1 V" h; w! q, P
int41handler2 ENDP
* N% d+ d7 g$ h' F3 G6 I' [
5 L& L3 k. H4 o4 B2 J1 j- q0 t: S% M1 S7 U5 m- s- }6 f5 {
_________________________________________________________________________
9 `- W, |0 p2 N4 \$ _7 K: N% S+ l  ?# d7 w4 [% }: y$ i
7 c9 ~4 X/ d7 a4 y$ C7 R( C
Method 06
6 }+ E' ^* R$ y=========
3 ^$ U9 R7 K) s2 a3 A1 E/ [- B: K4 t( P% M/ t6 `% i
2 r  y( D6 w# D4 s, E) E1 |! M, L
2nd method similar to the preceding one but more difficult to detect:
; i" J: l& e& \5 R* n, q5 d3 ~* i6 L, }  v
  b3 P  P/ r$ i- V
int41handler PROC+ d7 o; i: Q# _! O( ^9 W. c( ]) U/ U
    mov     cl,al2 k7 h/ G9 T  _0 X
    iret
) e) m. ^$ \/ C" X0 _/ m( uint41handler ENDP+ C8 Y% F; o, ]( h
3 b9 H$ u' H0 [; Y& D0 e5 L

: B. v" Z6 s1 C& V. r    xor     ax,ax
- ^6 W6 j3 B: `. r  J% M& P    mov     es,ax$ j# }- P3 J% T, I6 ?
    mov     bx, cs
3 v# R8 ^& n  F* h- ]* k& l    lea     dx, int41handler. C& T! n% q! \' i8 S/ E5 m
    xchg    dx, es:[41h*4]/ ~& y% B5 A$ \7 `
    xchg    bx, es:[41h*4+2]
3 z' h8 X7 S9 }    in      al, 40h* T5 I, u# D. K" l; b& G
    xor     cx,cx2 }2 _  H% G7 ]+ M; A0 u7 v
    int     41h
5 A9 T2 L- d1 V0 L; B! L    xchg    dx, es:[41h*4]- F9 H' P& m. `$ R
    xchg    bx, es:[41h*4+2]
; `8 w! L% z0 A7 }9 N$ ]. H, E7 x" i    cmp     cl,al+ t- X9 M( e/ S$ u; v; J, _6 h
    jnz     SoftICE_detected! w4 I* ]6 y) f* _8 i

' |7 E/ a* ~. ~1 X+ U) y( D_________________________________________________________________________& ?; `. ]0 L( b9 L# `6 p
9 ^5 O/ F2 c3 }, o6 o* x
Method 07
  O( |; s4 I0 \- j( \, d=========
! M2 r- r7 P$ A# P$ B1 a; Y  D' L  [3 i6 C" [/ C- C' w
Method of detection of the WinICE handler in the int68h (V86)
- b- P/ ?& z' X& L" l0 w1 N5 _1 [* V* S2 m0 s
    mov     ah,43h
* m# R+ s: |5 S( f$ p    int     68h2 G9 Z& `! I3 A1 [
    cmp     ax,0F386h
/ v% n* x/ L6 I' u5 s! R! o. C    jz      SoftICE_Detected& U& H6 s- u* `
# Q0 S% D* ]& n. a; d' }5 V
' h% Q. p. a' R( }" |% J- s
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: I$ R- n! o2 y! L9 N0 m   app like this:7 S$ Z, @6 H7 P8 W( g

7 D0 f/ b, a1 G   BPX exec_int if ax==68
$ v: _7 J; N1 b! s, G   (function called is located at byte ptr [ebp+1Dh] and client eip is! Q0 o$ z6 n6 f- h% g6 n. ^
   located at [ebp+48h] for 32Bit apps)
: H+ ]5 a& u) J# @% w, B# Z! t__________________________________________________________________________
1 k6 V; S: e* F
0 y$ U9 b3 l" K% p! \4 _  F) {8 N
" L! ?7 D! M( p. HMethod 08
: @# W7 K2 v& }) @, @. {" Y=========$ H; f6 J1 c' L- I: M
; J) C- I6 \- n0 ^/ \
It is not a method of detection of SoftICE but a possibility to crash the8 f) F- L8 l; i
system by intercepting int 01h and int 03h and redirecting them to another
( w0 C" r+ A. J6 i) M9 r$ xroutine.
+ Q, x9 ]) c, G0 pIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points. S! V: U% s$ Q# Z
to the new routine to execute (hangs computer...)0 E' ^/ J' O( l& C+ K

* q0 a+ b# J( x+ ], I( s    mov     ah, 25h& @. f) @1 l' i5 q
    mov     al, Int_Number (01h or 03h)
& J2 B( u1 W; u( v    mov     dx, offset New_Int_Routine
2 |$ N' }) h) K* f+ G. r    int     21h
8 J+ P) t; I" `5 i9 [- |7 Q8 y+ }* q5 s
__________________________________________________________________________
9 ^9 h* ]% Z( s0 y7 l) g4 Y9 j. _, ^& e$ \/ a; n5 v& x
Method 09
+ ]- f+ }/ n  z# D6 v=========
& j8 d* P6 Z$ Y
9 t$ l2 k7 _5 [+ _' e6 Z8 \2 eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 Y% U1 @' h. g0 f. x( |performed in ring0 (VxD or a ring3 app using the VxdCall).3 O0 ]2 w  e- p( }" J
The Get_DDB service is used to determine whether or not a VxD is installed
# j6 u" g& H/ Z' T" ufor the specified device and returns a Device Description Block (in ecx) for
& L0 Q* i- j  _( p9 ~& pthat device if it is installed.
/ y5 E$ r$ k7 M9 Y* y9 A5 u
) ^( x, J$ v1 ]( m   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID$ f* ^3 X' F7 a' l2 _5 e
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)  ~" i/ _5 M( B/ w7 A, c- j
   VMMCall Get_DDB# b; m7 u& U) `# ^3 v
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed$ Y8 V: z+ _" q3 _& J: |6 L
% `$ d( O1 w& ^9 x- B
Note as well that you can easily detect this method with SoftICE:
3 g- _  v- R' @4 j   bpx Get_DDB if ax==0202 || ax==7a5fh. D* A: c9 E: x8 {9 x
2 W. a, J9 V9 d8 r, g+ T9 w& _! e
__________________________________________________________________________
& j1 t  N" j* h& E; x4 k0 z, J; g
Method 10& g* {+ V5 A3 {" A
=========
0 m" L; O! V; E3 m& K- [( X
. Z! \, O; @4 G# L=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with; u& w5 [7 a* a- g
  SoftICE while the option is enable!!
$ a- z+ y' n6 ^# I, y3 K$ n0 |, Z) m, X6 f) E% d7 M
This trick is very efficient:
" |# ]8 {4 r7 R% i$ Mby checking the Debug Registers, you can detect if SoftICE is loaded
% U0 N& Z( q0 f(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if& |: u' n+ Y+ z$ d) K4 }
there are some memory breakpoints set (dr0 to dr3) simply by reading their  G2 J% {/ Z$ [! q8 e1 P
value (in ring0 only). Values can be manipulated and or changed as well' k7 @2 v% K1 K- {8 N" Q3 A
(clearing BPMs for instance)
  R2 Y2 G% Z8 ~6 S% s" Q/ b( v8 m
__________________________________________________________________________
# A/ `; N" W  c0 Q3 i) N; _9 Y9 S6 {+ l
Method 11
& S8 F2 {* D2 M- d=========/ r" O* i4 ^& B. y

( ]# }: }! R1 J% q3 n6 x8 m4 {This method is most known as 'MeltICE' because it has been freely distributed
; E1 Q4 g1 ~0 ?via www.winfiles.com. However it was first used by NuMega people to allow
- D7 Z% u4 b9 s$ V3 n& RSymbol Loader to check if SoftICE was active or not (the code is located/ F& w+ B) U" |7 _2 S" D7 t
inside nmtrans.dll).! A8 S- R  t" I9 T6 M; G& G

) |. d1 x8 V7 E. r% N8 ^The way it works is very simple:
+ |- d. j. V9 J6 }It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 A/ `, C1 f* L, s* C  jWinNT) with the CreateFileA API.7 N7 l+ C$ x3 a  M+ Z2 k& K
! e9 ?: u. {, K
Here is a sample (checking for 'SICE'):
# H5 y# ^! J$ a6 ^! |6 T* O& t1 p" x6 r% W
BOOL IsSoftIce95Loaded()
& l7 J* h9 q2 `/ _) m1 ]! |5 O{
9 p/ u# l% u# [( j4 l' L8 l   HANDLE hFile;  $ a+ p( A8 g$ X- Q+ L
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
  E" n, u2 `" h; J" _" a                      FILE_SHARE_READ | FILE_SHARE_WRITE,0 T7 x8 ]5 L6 e$ q
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);2 Y3 E& f: @& `- r5 K2 q
   if( hFile != INVALID_HANDLE_VALUE )% `2 {  X' R7 j
   {4 j3 D6 m- a3 R6 H& B2 o
      CloseHandle(hFile);. F  W/ J) z6 F3 ?
      return TRUE;
* P) h1 N2 C8 Z1 D2 e$ I   }
5 G) V8 H. Q* }: |) A+ \   return FALSE;
+ w! U( i6 A4 ^3 b7 h. X}( Q% R' u- j$ T0 A. S

: h, i. X: e( l  p- |7 S4 l( w9 DAlthough this trick calls the CreateFileA function, don't even expect to be/ x& o; L3 h4 _5 K4 F% o
able to intercept it by installing a IFS hook: it will not work, no way!. U3 K3 u8 L% L% r2 w! V
In fact, after the call to CreateFileA it will get through VWIN32 0x001F; F  B0 N, l- j7 w' @
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ z% ]* p1 u& K
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 ?7 f1 @9 l0 h- E; h( Hfield.
7 w# H& r( B- r" g1 I! }! \- aIn fact, its purpose is not to load/unload VxDs but only to send a , Z% I  Y4 ^  n. q' I4 E
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' V; q" D) {- I
to the VxD Control_Dispatch proc (how the hell a shareware soft could try& \" z2 l  m" m4 ^0 k3 k) s. V5 D
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
) J: l9 J5 D2 ~( B4 J" yIf the VxD is loaded, it will always clear eax and the Carry flag to allow  S, Z& P9 \* }. a3 I. ]
its handle to be opened and then, will be detected.9 V2 I7 ^+ e: g1 X9 E- l
You can check that simply by hooking Winice.exe control proc entry point9 A" H: z2 a. t" P8 e: [4 _! y  A
while running MeltICE.
  I' H* f; L: C" ^, p# N* v" w/ d5 v- v0 P
  m! Q9 O$ |( l. y# [1 ~8 t0 |
  00401067:  push      00402025    ; \\.\SICE! x+ p9 J4 p/ U1 w" u
  0040106C:  call      CreateFileA
0 R$ _; Z/ y5 g" E7 s8 F" [  00401071:  cmp       eax,-001) ^6 {7 ^8 v/ \4 i
  00401074:  je        00401091
4 ~( R5 I% M5 R, o, I6 S) }
( F/ b! o1 Y$ X7 U& y  C
$ e+ x0 e( _* [% y; yThere could be hundreds of BPX you could use to detect this trick.
1 `% S# G7 V. X7 n( A- z7 ]2 C-The most classical one is:" d! L* U/ @$ E( ^- Q4 I
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
, M' |7 K" V" Q/ g4 J    *(esp-&gt;4+4)=='NTIC'
# O& y/ G8 ^& C+ q: @4 A! M1 A' s* O* |4 S3 c) _
-The most exotic ones (could be very slooooow :-(: i( J4 a6 c- ?3 k6 t2 ^* a* F( y: K
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
! X) @' b7 h* N0 L, ]5 b/ F, F     ;will break 3 times :-(
' L$ D: t9 P' |1 T
9 `* s" F0 r" u2 j-or (a bit) faster: 8 G& _, n" z' I. z
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. L9 O, o3 f, w) r# w0 n" L. O* m/ W. F7 T8 _
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
4 p# b/ g! P. g7 j. E& Q     ;will break 3 times :-(( d& v: e' K+ Q3 \& `
/ D7 F$ |' L  j6 i9 L
-Much faster:
* h( R: d- Y( P7 y+ [4 p/ {   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'" x6 `7 t) B9 L6 X) [; X; Z. f7 C
. E# J: e) r& ^6 Y+ W; F0 x
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen7 B% Q( g5 W6 W, d
function to do the same job:
/ `& {: Q: w; w% c( |3 l6 I( B) ]5 B5 j1 }1 ?
   push    00                        ; OF_READ
# {, b8 `2 {! f  N. v9 T* c   mov     eax,[00656634]            ; '\\.\SICE',0
1 P- n8 a% W9 Y3 `# G   push    eax
7 B0 V- I2 C9 w* y8 w4 O   call    KERNEL32!_lopen
: n6 h$ v9 _* {9 }6 D5 j" Q   inc     eax
$ m( R9 R9 F/ W5 ?# v+ ^' P   jnz     00650589                  ; detected
0 Z- u8 s5 F# M+ {6 y   push    00                        ; OF_READ
3 n! M# |) b9 Y2 R5 i   mov     eax,[00656638]            ; '\\.\SICE'
1 W' {0 f% n/ N; [% T; H   push    eax3 v6 N8 `7 `7 t
   call    KERNEL32!_lopen4 z: c6 X- e% }) j; _/ }
   inc     eax1 ?+ w1 j! ]' O. z- S$ `
   jz      006505ae                  ; not detected4 ^; C/ e! l+ f6 E
! e5 r% w  ~1 A7 B) X: C
9 l2 P1 i: X) N( u4 d! X
__________________________________________________________________________
  }3 K; X7 u: \+ N( f, S- S1 F
- W/ @$ l. r, S# C; N. W; z. ?Method 12+ v+ r& p( _0 ?( m4 S  F
=========% g5 z# Y& ~" |) V
; v6 I  E. y* b% V! A
This trick is similar to int41h/4fh Debugger installation check (code 05
. F4 V8 T# T& b+ K1 b&amp; 06) but very limited because it's only available for Win95/98 (not NT)
( c; d( x5 z4 J/ uas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
/ e. Q9 ]6 l  V( i: b6 A0 R! y% Y, t
   push  0000004fh         ; function 4fh+ y/ n' O& J) v# W- r8 g# B0 K
   push  002a002ah         ; high word specifies which VxD (VWIN32)
5 I8 d# [; r. R2 l( s3 k                           ; low word specifies which service
" B) {- J6 R1 h                             (VWIN32_Int41Dispatch)
& G6 ^/ A8 |  \) `4 _7 Q- _   call  Kernel32!ORD_001  ; VxdCall
# }, {7 c+ n8 G2 s1 r' O   cmp   ax, 0f386h        ; magic number returned by system debuggers
5 `& k" ^" v5 p1 I   jz    SoftICE_detected
$ Y( Y# c9 S" o$ }$ Q+ i& y. Z' `6 D) u: v
Here again, several ways to detect it:6 Z" ]: A* W6 R% J3 V

: r8 o+ Q1 N6 Q' a    BPINT 41 if ax==4f9 \! G5 R- I- V

, `  \9 g" X& k, w    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one! r+ V: I+ J% `" v

2 Y1 H1 H9 M% Y8 v: h" K    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A; l7 Y, ]$ Q; m3 Y' d- F, B; U/ h
' _$ v0 O( F" ]% p6 x
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!* k8 y9 u* w& K1 G
% F; d; y# o2 P: o" w1 K
__________________________________________________________________________* n1 G0 W9 n" U, y' S- b& L# q8 F* f: k

* Z' Y# I( _& Z1 AMethod 13
' G/ n3 b: O# E, h; d# w0 J; i! @=========" F% G7 Q( D, F. S
6 v. @2 Z9 Z; i, d- z
Not a real method of detection, but a good way to know if SoftICE is. H: N) C+ u& \  d$ o' N
installed on a computer and to locate its installation directory.
: o: c1 R9 z. M% H# XIt is used by few softs which access the following registry keys (usually #2) :$ d4 j1 Y, D6 g! n4 r

7 x0 x0 [, ?, P/ m-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# {2 {2 {) L* b9 |9 m$ S  W\Uninstall\SoftICE1 t* K8 V' T! k  P. D
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 c1 B% ]0 J* _$ K- u! Y  L0 ~  v
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ p2 Z, g! W  L5 f
\App Paths\Loader32.Exe7 W: I5 A  A; ~5 a

9 \4 J+ l6 X) Z5 U7 I: z( e; r) {" J) o1 a( J
Note that some nasty apps could then erase all files from SoftICE directory1 r4 s7 l: P9 a9 q. F7 h, `
(I faced that once :-(: p% m& R; X' t  n& r

( p9 H" M% A/ l2 UUseful breakpoint to detect it:
4 C& W5 `$ [$ ?" h2 ^/ I1 \$ j$ Q
% K1 T( A" ^8 z) b     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
# Q! f6 U- c; ~1 n' J) t9 O! J) p- o4 s
__________________________________________________________________________6 |5 I# p; o( h% F- L

0 Y  }! }5 v- K, w: ]$ {, u1 x, C7 {" a# o. N3 h
Method 14
2 z2 Y2 P7 M7 G" {, ?, ]=========% L- {' \+ x. e5 {# @3 M

( K7 C9 h5 y# ?. z# a6 D" aA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ n7 h* Z! j/ L
is to determines whether a debugger is running on your system (ring0 only).: |& r9 S8 b. R0 D& w

0 l7 e# r& H4 h/ Z$ k; I. ?   VMMCall Test_Debug_Installed8 f9 J8 A1 X3 j) p4 F! B
   je      not_installed1 s8 Q4 j/ z* {3 e
6 {% S3 ?) E; l% m3 b
This service just checks a flag.
" X3 x( I  O+ @; D0 O! p</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 18:57

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表