About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
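
As an added example (not code from the original text), the following Python
linear-sweep scanner recognises the interrupt-based checks of Methods 01 to 07
in raw 16-bit code. It decodes the handful of instructions these checks are
built from (mov reg,imm; xor reg,reg; int), tracks the register values they
load, and reports every INT whose register state matches one of the checks
described above: EBP='BCHK'/AX=4 or SI=4647h/DI=4A4Dh on int 3, AX=1684h with
BX=0202h/7A5Fh on int 2Fh, AX=4Fh on int 41h, AH=43h on int 68h. The function
name scan_anti_softice and the sample byte string are this example's own.

```python
"""Linear-sweep detector for the interrupt-based anti-SoftICE checks of Methods 01-07.

Added example, not code from the original text. It decodes the few 16-bit x86
instructions those checks are built from, tracks the register values they load
and reports every INT whose register state matches one of the documented checks.
The constants come from the text; the sample bytes are constructed for this example.
"""
import struct

E32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # reg field 0..7

# Interrupt number -> list of (description, predicate over the 16-bit register view).
CHECKS = {
    0x03: [
        ("Method 01: BoundsChecker 'BCHK' signature (EBP=4243484Bh, AX=4)",
         lambda r: r["ebp"] == 0x4243484B and r["ax"] == 4),
        ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh, AX=0910h..0914h)",
         lambda r: r["si"] == 0x4647 and r["di"] == 0x4A4D and 0x0910 <= r["ax"] <= 0x0914),
    ],
    0x2F: [("Method 03/04: int 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
            lambda r: r["ax"] == 0x1684 and r["bx"] in (0x0202, 0x7A5F))],
    0x41: [("Method 05: int 41h function 4Fh debugger installation check",
            lambda r: r["ax"] == 0x4F),
           ("Method 06 variant: int 41h called without function 4Fh (inspect the handler)",
            lambda r: r["ax"] != 0x4F)],
    0x68: [("Method 07: int 68h function 43h WinICE handler check",
            lambda r: r["ax"] >> 8 == 0x43)],
}

# Opcodes the checks use that load nothing we track (segment moves, add/test/cmp,
# short conditional jumps): opcode -> instruction length in bytes.
SKIP = {0x8E: 2, 0x8C: 2, 0x03: 2, 0x85: 2, 0x3C: 2, 0x3D: 3, 0x72: 2, 0x74: 2, 0x75: 2}


def _set16(regs, r, val):
    regs[E32[r]] = (regs[E32[r]] & 0xFFFF0000) | (val & 0xFFFF)


def _set8(regs, r, val):
    # r 0..3 = al/cl/dl/bl, r 4..7 = ah/ch/dh/bh (the B0+r encoding rule)
    shift = 8 if r >= 4 else 0
    base = E32[r & 3]
    regs[base] = (regs[base] & ~(0xFF << shift)) | ((val & 0xFF) << shift)


def _view(regs):
    v = {name[1:]: value & 0xFFFF for name, value in regs.items()}  # ax, cx, ..., di
    v["ebp"] = regs["ebp"]
    return v


def scan_anti_softice(code: bytes):
    """Return [(offset_of_int, description)] for every matching INT in a linear sweep.

    Branches are not followed and the sweep stops at the first unknown opcode,
    which is enough for the straight-line sequences these checks use.
    """
    regs = {name: 0 for name in E32}
    hits = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x66 and i + 6 <= len(code) and 0xB8 <= code[i + 1] <= 0xBF:
            regs[E32[code[i + 1] - 0xB8]] = struct.unpack_from("<I", code, i + 2)[0]
            i += 6                                     # 66 B8+r imm32: mov r32, imm32
        elif 0xB8 <= op <= 0xBF and i + 3 <= len(code):
            _set16(regs, op - 0xB8, struct.unpack_from("<H", code, i + 1)[0])
            i += 3                                     # B8+r imm16: mov r16, imm16
        elif 0xB0 <= op <= 0xB7 and i + 2 <= len(code):
            _set8(regs, op - 0xB0, code[i + 1])
            i += 2                                     # B0+r imm8: mov r8, imm8
        elif op in (0x31, 0x33) and i + 2 <= len(code) and code[i + 1] >> 6 == 3:
            modrm = code[i + 1]                        # xor r16, r16 (register form only)
            reg, rm = (modrm >> 3) & 7, modrm & 7
            dst, src = (rm, reg) if op == 0x31 else (reg, rm)
            _set16(regs, dst, (regs[E32[dst]] ^ regs[E32[src]]) & 0xFFFF)
            i += 2
        elif op == 0xCC or (op == 0xCD and i + 2 <= len(code)):
            vector = 3 if op == 0xCC else code[i + 1]  # int 3 / int imm8
            view = _view(regs)
            hits += [(i, text) for text, match in CHECKS.get(vector, []) if match(view)]
            i += 1 if op == 0xCC else 2
        elif op in SKIP and i + SKIP[op] <= len(code):
            i += SKIP[op]
        else:
            break                                      # unknown opcode: stop the sweep
    return hits


# Constructed sample: the straight-line checks of Methods 01, 02, 03, 05 and 07.
SAMPLE = bytes([
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   # mov ebp, 4243484Bh ; 'BCHK'
    0xB8, 0x04, 0x00,                     # mov ax, 4
    0xCC,                                 # int 3              ; offset 9
    0x3C, 0x04, 0x75, 0x10,               # cmp al, 4 / jnz SoftICE_Detected
    0xB8, 0x11, 0x09,                     # mov ax, 0911h      ; execute command
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A,   # mov si, 4647h / mov di, 4A4Dh
    0xCC,                                 # int 3              ; offset 23
    0x33, 0xFF, 0x8E, 0xC7,               # xor di, di / mov es, di
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02,   # mov ax, 1684h / mov bx, 0202h
    0xCD, 0x2F,                           # int 2Fh            ; offset 34
    0xB8, 0x4F, 0x00,                     # mov ax, 4Fh
    0xCD, 0x41,                           # int 41h            ; offset 39
    0x3D, 0x86, 0xF3, 0x74, 0x08,         # cmp ax, 0F386h / jz SoftICE_detected
    0xB4, 0x43,                           # mov ah, 43h
    0xCD, 0x68,                           # int 68h            ; offset 48
])

if __name__ == "__main__":
    for offset, description in scan_anti_softice(SAMPLE):
        print(f"{offset:04X}: {description}")
```

The sweep is deliberately minimal: it understands only the opcodes these
sequences use and gives up at anything else, so on a real binary it is a
triage aid to run on candidate regions, not a full disassembler. Methods 05
and 06 both reach int 41h, but Method 06 loads al from port 40h instead of
4Fh, which is why int 41h is reported in two flavours.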
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; needs windows.h):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver by its device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
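
The device names of Method 11 and the registry keys of Method 13 are plain
strings inside the protected program, so a static scan catches both probes
before the program is ever run. The following Python scanner is an added
example (not code from the original text): it searches a raw binary image for
the device names opened with CreateFileA/_lopen and for the three registry
keys listed above. Searching UTF-16LE as well as ANSI goes beyond the text,
which only mentions CreateFileA, so that a CreateFileW caller is caught too.
The function names find_softice_probes and tice_offset and the sample image
are this example's own.

```python
"""Finds the SoftICE presence probes of Methods 11 and 13 in a raw binary image.

Added example, not code from the original text. The device names and registry
keys are the ones listed in the text; the UTF-16LE search is a generalisation
(the text only mentions CreateFileA). The sample image is constructed.
"""
import re

DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]          # Method 11
REGISTRY_KEYS = [                                                    # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",  # key #1
    r"Software\NuMega\SoftICE",                                      # key #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # key #3
]
ENCODINGS = (("ansi", "ascii"), ("wide", "utf-16-le"))


def find_softice_probes(image: bytes):
    """Return sorted (offset, kind, encoding, name) tuples for every probe string found."""
    hits = []
    for kind, names in (("device", DEVICE_NAMES), ("registry", REGISTRY_KEYS)):
        for name in names:
            for label, codec in ENCODINGS:
                pattern = re.escape(name.encode(codec))
                # IGNORECASE: device names and registry paths are both
                # case-insensitive on Windows, so "\\.\sice" opens the same VxD.
                for m in re.finditer(pattern, image, re.IGNORECASE):
                    hits.append((m.start(), kind, label, name))
    return sorted(hits)


def tice_offset(key: str) -> int:
    """Offset of the 'tICE' DWORD inside a key path, i.e. the displacement a
    BPX condition such as *(esp->8+0x13)=='tICE' compares against."""
    return key.index("tICE")


# Constructed sample image: an ANSI device name, a wide device name, one registry key.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 14
    + b"\\\\.\\SICE\x00"                                 # offset 16: ANSI \\.\SICE
    + b"\x90" * 5
    + r"\\.\NTICE".encode("utf-16-le") + b"\x00\x00"     # offset 30: wide \\.\NTICE
    + b"Software\\NuMega\\SoftICE\x00"                   # offset 50: registry key #2
    + b"\xcc" * 4
)

if __name__ == "__main__":
    for offset, kind, label, name in find_softice_probes(SAMPLE_IMAGE):
        print(f"{offset:#06x} {kind:8} {label:4} {name}")
    for key in REGISTRY_KEYS:
        print(f"'tICE' at +{tice_offset(key):#x} in {key}")
```

tice_offset also shows where the 0x13 and 0x37 in the _regopenkey breakpoint
above come from: 'tICE' sits 0x13 bytes into key #2 and 0x37 bytes into key #1,
so the condition reads that DWORD from the subkey string the program passes.
A program that builds the device name at run time (byte by byte, or XOR-ed)
will not show up in a plain string scan; the breakpoints above still catch it.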

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
/ u, ?5 L2 `! \3 k& u</PRE></TD></TR></TBODY></TABLE>