找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>) q' e! g" w! l& d0 w; k! F
<TBODY>$ ~3 H7 U7 I9 E% J  e
<TR>6 Z5 s* B% g5 V) P5 a
<TD><PRE>Method 01 4 C; K; P! V; L. r: j
=========
& C5 [, ]5 a3 @) p/ J4 L$ e' f, ]$ I( h' Y8 `, t* |' x& }
This method of detection of SoftICE (as well as the following one) is; u. h7 J9 z/ P2 w% m
used by the majority of packers/encryptors found on Internet.
- ?( C( m' E* F& p( fIt seeks the signature of BoundsChecker in SoftICE
; `1 s; Z( ?- ~: c# h- |* O/ z. I
    mov     ebp, 04243484Bh        ; 'BCHK'
! Y2 O- C# \6 Q7 ]$ g3 C    mov     ax, 04h
' [! @6 Z  }* ~! Z- B- v  l. H    int     3      
3 }0 e9 k6 i. `% o4 H% p2 p& f9 D    cmp     al,4% a4 \& ^; E. O, [
    jnz     SoftICE_Detected
6 r" u9 z7 z7 F! |
+ _. L; u4 O3 _& j- N9 h* f___________________________________________________________________________/ g, C2 W' \0 E2 ?; b

) \/ ?- r% f& Y" E! sMethod 02
1 o8 U- E( `) [6 M3 I=========8 e  L, r: o' G1 _5 L" x; m* U" E

4 f3 |1 K8 [9 }Still a method very much used (perhaps the most frequent one).  It is used
9 T0 J9 e" k! l: Jto get SoftICE 'Back Door commands' which gives infos on Breakpoints,9 A  I$ F% b  I& X: @+ R) {0 C7 {
or execute SoftICE commands...
" u$ r. h/ y4 J8 @, jIt is also used to crash SoftICE and to force it to execute any commands% r; h5 ^' X/ Z7 K' {+ \
(HBOOT...) :-((  ; k& i. a1 ?3 J
, D" E7 f. e! S; V9 G3 ^
Here is a quick description:8 m. A- T4 a0 j5 z" i5 r9 x
-AX = 0910h   (Display string in SIce windows)
- m, M! D  V' z+ U3 [-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
: I  @. \& l5 t1 ?0 u7 U+ r-AX = 0912h   (Get breakpoint infos)
: ?5 a6 }- s. X  r9 H& |) u-AX = 0913h   (Set Sice breakpoints)
) D2 E9 _' l3 K$ G2 P( q2 H-AX = 0914h   (Remove SIce breakoints)
7 r0 O6 G' t) V( {7 E  Q" `
' K3 V. h# a7 F3 s8 |- U! y4 K' b. YEach time you'll meet this trick, you'll see:2 X4 \. `' I1 W
-SI = 4647h
6 a. R2 `# W5 A# J-DI = 4A4Dh9 ~% S1 b& _5 c( H& B% z
Which are the 'magic values' used by SoftIce.' c& g, w9 a( x1 w
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
; B+ n9 I& F* }& H% u$ |) t) R  _% R" H0 d7 d6 F- [
Here is one example from the file "Haspinst.exe" which is the dongle HASP
# A9 m9 S4 t- j# i- VEnvelope utility use to protect DOS applications:
9 b- E$ c/ E: g
; Z3 H+ Q7 r, `+ ~5 q
' L, j  y( E0 b6 E4 e4C19:0095   MOV    AX,0911  ; execute command.  b- P2 G$ U* h1 E8 S
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).) ]+ N- n5 ?* U  v9 _/ }
4C19:009A   MOV    SI,4647  ; 1st magic value.9 U: Q/ f7 V. h& F  @" }9 t; r
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
# N, t: q! g5 m$ h9 o$ G$ D4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 M& t8 u% Z+ \' {& A4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
. P: M: j# A! ^/ W5 A. T4C19:00A4   INC    CX7 w3 y! d7 Q; _: i1 N) ~, l' V9 s
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute% s" o- j5 \& H* Q) I4 p( t
4C19:00A8   JB     0095     ; 6 different commands.3 S: \! x1 L/ y* y7 P7 V& y* [
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.: q( l7 u, t  z; E6 |: y
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)' l: `0 p7 e, w" [  s! M

1 @6 x3 f4 X; i; o  KThe program will execute 6 different SIce commands located at ds:dx, which+ m: w/ v& D  j! N/ x3 E
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
/ L/ r6 \! w9 q; s% R" E, v8 z4 f+ z9 ^6 y% e/ n
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& X, L+ g3 k% \0 A9 @; R& `3 t0 D___________________________________________________________________________
; q0 j8 Z4 Y" l  G& ~+ @" z1 |5 k( U! Y1 J0 C5 v" f/ l
9 ~' c# V: H/ t2 T7 x' J' G7 h% ^
Method 038 z# f5 A1 _% v* n: P
=========- ~2 ~1 }) }" _* V" w
) l$ ?+ @9 [  _1 N
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h! x7 v# f" {8 j
(API Get entry point)+ O: p8 I8 Q3 p6 N$ n' k  P" E/ r$ r4 R
        
' w8 h+ H* i3 s7 a0 K) H+ a
, T  S1 V* f+ G6 d" d    xor     di,di7 J6 f4 I0 S, c3 A( n6 s) y6 U
    mov     es,di4 h  J9 s0 \* i3 D5 s7 l7 _
    mov     ax, 1684h      
2 B' R) L, E, v0 `' H# a" z4 e3 R    mov     bx, 0202h       ; VxD ID of winice
+ T8 S4 |8 p# a. I; t    int     2Fh; S! X: E( y5 {( h( @5 A3 W7 Q
    mov     ax, es          ; ES:DI -&gt; VxD API entry point0 U9 d1 {, D( X: p
    add     ax, di
% ^; n7 N# w( t$ w& _! c- }$ A+ W    test    ax,ax7 W4 H) J) K/ q3 K0 o& K- l
    jnz     SoftICE_Detected/ Y: w; y7 N2 g$ A/ }& [. }4 A

5 c3 u: |% }& @, K' D" h___________________________________________________________________________
( S/ T, a! A; U
- `0 R) q0 s0 _( v5 j* ^3 uMethod 04
% O5 n$ f! i/ @( }. R, |=========
% u. o) V2 U3 a) J+ @: h1 P
8 u1 h: V$ H. {/ ?, MMethod identical to the preceding one except that it seeks the ID of SoftICE* Y; b% r; b" a7 l5 L8 [/ p
GFX VxD.
( {, Q$ x7 V' o* z: m
+ ^: y, @1 k/ _6 u8 ]    xor     di,di# X! V7 u" ]/ _5 H5 U
    mov     es,di
, i# H4 S" {6 _    mov     ax, 1684h       ( c/ \1 f" C( R3 s( ^+ R/ L2 S5 {
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
+ I, J/ o- @4 [! K' ^' w1 r  D    int     2fh( W& w' I- f# g9 N& s
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
* J8 T% q5 \2 h8 ~) P3 Q% [    add     ax, di
) G+ y& Y* \: c    test    ax,ax
. d7 g/ n2 y0 ]; y    jnz     SoftICE_Detected6 n& c. F# J$ j6 k3 x/ K5 x9 ^; e! D

/ v6 B1 @1 D9 y  h8 n  g* X- k2 ?__________________________________________________________________________) f  m/ S- p" i; `7 S  U' i7 d

/ {; U5 B' c1 E/ q+ X) {0 X) x' ]3 @, `9 J- P
Method 05
/ g1 Z; A" O+ W# I=========
0 c7 v( D+ ]' k  a3 g8 z
. o4 p! s  K+ CMethod seeking the 'magic number' 0F386h returned (in ax) by all system
9 }0 x# k# }0 }debugger. It calls the int 41h, function 4Fh.
: j1 I. l' V) D: v0 }* VThere are several alternatives.  ; P- U: I2 E4 o" M

/ N0 F- f2 d3 TThe following one is the simplest:
5 {% d, u7 i4 x+ }
, Z) `1 P% E9 I) F    mov     ax,4fh7 `- f( J" e" g) L8 ~, k: l
    int     41h
$ g6 r7 z: v1 z: J+ i  E# }    cmp     ax, 0F386% B' X2 }4 @& k9 m# |
    jz      SoftICE_detected: |7 t0 E; [3 w: \& k. o

' m) M' g9 p# X" Y$ \2 }+ Q9 {. O6 o! u, x
Next method as well as the following one are 2 examples from Stone's 2 l, o, u+ W# Z, G; C! P$ h, N" A
"stn-wid.zip" (www.cracking.net):$ ^1 {+ x3 X1 ^% F$ l( ]1 R1 Q0 I
) X" O  B: o# _  d
    mov     bx, cs
0 Q' h% P! G; f# r* J0 J. s/ w. G" b* G    lea     dx, int41handler2  J% @6 b6 p, n7 H' u3 I2 w
    xchg    dx, es:[41h*4]
( N' x  S& v% [( w  J8 d5 H' U    xchg    bx, es:[41h*4+2]4 ?2 ~3 }* z% I) T  u; ?
    mov     ax,4fh. m% a1 j& q; P, o8 o
    int     41h
* ]7 D9 V9 z4 B" S    xchg    dx, es:[41h*4]) i4 k: D' g! x9 |
    xchg    bx, es:[41h*4+2]
, H0 A/ F3 a7 p, e9 T) U, K    cmp     ax, 0f386h
: ?  ]" ~! ]! M$ v1 R+ z0 w9 s    jz      SoftICE_detected
# ?# [% h  i0 t, T/ `$ V9 k+ |! e  [/ A- {. Y
int41handler2 PROC8 v6 h/ d& Y$ m6 ]& H7 V% g; g5 o
    iret. s% [5 ^6 R- z5 K9 |
int41handler2 ENDP
( G  q' l8 n" ?* @5 n7 N
1 Z$ o" S! R) s% p4 b
0 j0 ~9 C) t: c4 B( J- __________________________________________________________________________% ^+ \# w/ i; {! C
- N. p$ J. K# v$ k
5 v' U- A( \9 C  ]( n0 j# H. n# F& @
Method 06
" p% K# W* q+ _. M2 T=========
" y6 G6 ^. Q* o1 F) q
) H; g% |0 j+ H+ i) H: \$ z
$ B0 _8 I- l2 @2nd method similar to the preceding one but more difficult to detect:  J7 y; r) c7 O6 G' N0 A  z7 u

6 j' B  I0 {# ~6 N; ?+ V. t' d% s4 r
int41handler PROC
; Q. h" ?: q7 J3 ?; Y    mov     cl,al
+ {6 d" V/ J9 _: u+ b, m5 k    iret
$ o3 m9 k4 k/ l! Z$ A7 |" A2 l2 ]' Yint41handler ENDP
1 K5 r, k4 }( K- ]5 E1 D/ `7 k* R6 Y$ _; Q, @

" p% K3 T5 H+ {5 A    xor     ax,ax$ R8 k) R5 g" }& g' L) N) l) x
    mov     es,ax, `  O# R6 b& v& A
    mov     bx, cs  I, [. d  w7 _+ q; T& Y
    lea     dx, int41handler
. t- b4 A5 ?2 ]5 \1 Q/ C4 \    xchg    dx, es:[41h*4]) t* [2 N, z1 [2 f
    xchg    bx, es:[41h*4+2]1 |9 e8 [. E$ ^8 z0 O% J7 k' J
    in      al, 40h/ B' c& \$ a. p
    xor     cx,cx
: ~* P1 v7 {, Y    int     41h
9 J! _2 t/ b, s+ d) ]    xchg    dx, es:[41h*4]
0 v3 E& f$ V5 Q4 i- ]5 S    xchg    bx, es:[41h*4+2]
0 ~* W3 }* q, \    cmp     cl,al
4 s" H/ i7 u, I- s# {, I    jnz     SoftICE_detected
# G! I. F/ Q, z- Y0 @* C! B0 }' A7 j% k+ c, w! W% g2 a$ E
_________________________________________________________________________% T3 k3 G' p) W4 n' }: k( m

1 {0 m0 d6 M/ T7 NMethod 076 R( U- Q3 l3 @/ s* Q) }9 |7 a) Z; k
=========7 U  }. k* q$ k; \0 r

- f( v* h/ K1 z( wMethod of detection of the WinICE handler in the int68h (V86)4 w6 @5 u, l! V- o" J7 C5 a7 n/ I

1 W9 s! L0 H8 ~+ i* ~$ q    mov     ah,43h7 E* r* L" r5 |+ x
    int     68h
' g( k9 o& w. e; h2 P1 [    cmp     ax,0F386h0 l8 v: k) G6 ~! i
    jz      SoftICE_Detected. K/ N0 K7 S6 C9 O7 Q
3 G- n) c$ X. _; A  y
  C% F* _+ x% A% a0 f' q( Y" k& D
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit3 r/ F; v/ p/ {: r8 ]: e
   app like this:
& ~6 z  x( S% Q5 W2 b. O6 L- Y, w9 `- {" ^( |  V+ C. e
   BPX exec_int if ax==68
# S1 ?% X( k0 T0 `( _9 m2 ^3 j   (function called is located at byte ptr [ebp+1Dh] and client eip is
, D% t" ]9 t& O; u6 D   located at [ebp+48h] for 32Bit apps)
  O: X6 A% z# n$ h; }3 G__________________________________________________________________________7 q& k4 D, a% i* t4 C5 ^( v
* w& r/ A! ^+ V" @( p9 m0 _7 S4 e
2 ~, d  a& M. v/ S4 a
Method 08  ?9 _. B. s" D' ?3 k) x0 c' b
=========- V: n4 @8 `" B" M: g  y
9 R" |2 }5 x6 @# T8 |% Z
It is not a method of detection of SoftICE but a possibility to crash the
2 ^/ w3 I$ Y' b4 r' Rsystem by intercepting int 01h and int 03h and redirecting them to another3 O7 L  B: ?( y( X' n- U
routine.
0 V# \6 r4 E, B! R) b/ r6 v: EIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
7 k5 K; X" M! O! w+ ?to the new routine to execute (hangs computer...), ^8 f+ T2 L" i- k
8 Y/ H) B, G3 i8 l
    mov     ah, 25h
0 g3 E7 B: h& N! f4 R6 a    mov     al, Int_Number (01h or 03h)3 a' C8 q$ R# ?* d3 P/ e& R
    mov     dx, offset New_Int_Routine
- d7 y- l3 M( X) r4 ~    int     21h* `% x& W7 G" p+ I9 L
4 q% t  |1 W9 S" A
__________________________________________________________________________6 P8 D6 a; @/ N5 i% t7 m* [9 v( ~$ U( Z# y
5 V2 `% C4 W9 j( l
Method 09
% B1 t2 o/ p* L- B=========
, L9 m+ K) Y! G4 `* h/ U
: ]  r. `$ c* R. MThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only4 u4 f8 ?& z1 ]9 p* R+ z
performed in ring0 (VxD or a ring3 app using the VxdCall).+ G. D# e  A9 m- C& ~
The Get_DDB service is used to determine whether or not a VxD is installed* n, O) P! n  W& J  D
for the specified device and returns a Device Description Block (in ecx) for
# R$ J: n: s6 [7 wthat device if it is installed.
+ _4 w- C  o8 K4 }5 l, J/ `" n! F$ u/ K3 }
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
/ ^) m- Y9 W% K1 i8 O   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)/ T- O( X7 Z. K' h  c
   VMMCall Get_DDB
3 W6 r+ b( G- K1 N$ q+ C9 ]   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed7 i1 g5 W) {$ E3 H. w1 S
) e5 g0 B+ c/ L; N: d; E8 N8 g6 W9 l
Note as well that you can easily detect this method with SoftICE:" x9 C- Q. a/ y# D" y. Y. B
   bpx Get_DDB if ax==0202 || ax==7a5fh
" h5 M7 `2 k2 T5 {, Y3 L) J! f* q% a# Z% \
__________________________________________________________________________
2 I) D+ k9 k$ R6 h6 z% j8 ~# R- g  ~4 q. K7 ^2 ]. u$ z
Method 10
7 E: t% y& Z" r) @; p1 a2 ^=========% q& G1 r, D+ ~# P$ ~

5 w3 `1 v2 T- L2 U/ D=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with5 E0 R' F/ G2 g# L3 u* J
  SoftICE while the option is enable!!; M) Y( E: f0 c  e
' U! t4 {. t9 R' e8 A5 z
This trick is very efficient:, I6 }. g6 n: P" W
by checking the Debug Registers, you can detect if SoftICE is loaded
2 @8 k* l+ k! w! B" H(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, ]: Y6 d" [$ r# H9 n: o! \7 S4 |
there are some memory breakpoints set (dr0 to dr3) simply by reading their/ Y  B7 V- H0 d
value (in ring0 only). Values can be manipulated and or changed as well
. B0 ]1 e* M) d& W(clearing BPMs for instance)
# P- K) l4 U: v  [. N' A3 e+ B& r0 Q6 ]1 K2 c
__________________________________________________________________________8 ?1 @+ u+ R+ o% r8 }
" _' j: ^! O  B3 B4 s6 x2 |
Method 11( O2 p) g9 |# r8 ?; ]
=========
# c; a% b* N4 f' U0 o
! V) e) m4 v7 U% XThis method is most known as 'MeltICE' because it has been freely distributed" D9 J) R6 P' ?
via www.winfiles.com. However it was first used by NuMega people to allow  F' M* ~0 P. L4 _5 Y
Symbol Loader to check if SoftICE was active or not (the code is located* E4 h0 J' u- ]) e2 e! m: P- o
inside nmtrans.dll).% Z3 o# K; e3 f% D2 O7 K3 N% V" Y
, X3 P9 i. j2 c5 [) z
The way it works is very simple:
: i5 q! z( i# e- i& WIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
8 _. P7 d. h  `9 q/ Q( pWinNT) with the CreateFileA API.: J6 E) W1 k) D/ `

8 P5 l+ G' B9 HHere is a sample (checking for 'SICE'):& b! `5 c8 U$ V/ `- C

, R2 |; |7 j* F, T+ r# ZBOOL IsSoftIce95Loaded()
9 m! a# f: g3 R& r( ~$ K{
' `1 U7 {$ h/ p) b; V% m# h3 ?   HANDLE hFile;  
, e! F0 |) I. \& v! u' c- _   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& @4 u- I! ?" l8 W( x
                      FILE_SHARE_READ | FILE_SHARE_WRITE,0 l/ U; ?5 g4 I# C: P! O7 i
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
: v) P, V# Q- H: `' j   if( hFile != INVALID_HANDLE_VALUE )
# S. ]7 y( i* r# C4 T   {
) E) M; e! _6 ^7 W4 N& @      CloseHandle(hFile);7 j. R5 q( }, [' p3 q, A/ a
      return TRUE;# I' ^0 U: A: \% V0 v' b/ E7 \
   }  T# B) a) S6 f  G8 j. j2 m8 o" O
   return FALSE;
: C6 \5 A: i( u: D1 G* t$ M9 b# D6 e}
6 x7 [! D5 V4 Y5 G1 H! U# c( A6 h7 @. k2 V3 b2 C! o8 k
Although this trick calls the CreateFileA function, don't even expect to be1 T4 x7 [, M9 @% V
able to intercept it by installing a IFS hook: it will not work, no way!  X6 z$ D7 E' @8 g* H* U4 g
In fact, after the call to CreateFileA it will get through VWIN32 0x001F& L* X3 q! y/ |
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)1 h1 ]3 T: i3 Y' M- d; Q
and then browse the DDB list until it find the VxD and its DDB_Control_Proc) ]( t! g. k: i
field.2 h% s9 p2 x9 }
In fact, its purpose is not to load/unload VxDs but only to send a
: e2 D1 r# `* C5 F: vW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)) m  Y9 V# w& a0 N3 s
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
% I3 q' b* ^) ~to load/unload a non-dynamically loadable driver such as SoftICE ;-).6 S: \3 K! f" _* O
If the VxD is loaded, it will always clear eax and the Carry flag to allow1 C8 s! l5 G' V5 q
its handle to be opened and then, will be detected.7 t% U1 q% n6 K) V* O3 @, o1 e! a
You can check that simply by hooking Winice.exe control proc entry point6 j9 Z; d3 V1 N0 S( x
while running MeltICE.+ n0 z" Q; y8 @: G
! Y3 E" ]; N0 r+ G) F* _
; }- p$ }7 ~1 {9 C# V* z4 n, `
  00401067:  push      00402025    ; \\.\SICE- c: m' v4 n" X  _5 k
  0040106C:  call      CreateFileA
2 L. T; |: C* T; P3 D" E( w  00401071:  cmp       eax,-001! {, y/ G6 ~. y+ P* ]3 \
  00401074:  je        00401091
! Y! D9 @2 X4 i, v, C0 M
) a& f, T5 K5 M; e2 L
/ \) U$ _0 Y+ K% A5 I; d" nThere could be hundreds of BPX you could use to detect this trick.3 Z5 a+ R, F0 Z) A) ]# K2 E; t: J
-The most classical one is:
9 l8 ~$ w. ~4 w, N  r$ C! M2 A  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||9 e! ^* U, r; _; E# A0 d1 U* z* N
    *(esp-&gt;4+4)=='NTIC'$ N4 b( y& ?/ @, Z# ]0 S
4 i" f, O% b7 t& y# U0 C9 [$ r
-The most exotic ones (could be very slooooow :-(
0 ?5 B" ?5 T( U   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
* J9 N1 t  m9 s+ t& Z     ;will break 3 times :-(
0 ^! q/ H  g$ L5 N& n: M2 q/ R0 f- F! X- w( {! Z, u: D
-or (a bit) faster: : z( d! {* [6 d) s
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')2 L9 ^) N- O( J! c# q2 h
$ I1 o' s' L: h! Z
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  * x# A; }" A1 v
     ;will break 3 times :-(
7 q& U- i6 \! o1 }& G1 }* r9 v/ n* W3 H, G4 O- k5 E
-Much faster:5 u2 o# @  u3 L/ x
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'0 w+ g& v" }2 k9 ^) W* k

8 d; q3 F( V5 T, v6 QNote also that some programs (like AZPR3.00) use de old 16-bit _lopen* K8 A% c- ]* i  K
function to do the same job:; F/ ~0 q. c, V! B

$ `* {- m1 O5 w  D  B: L   push    00                        ; OF_READ
( }. P3 Z) Z8 y  |# z1 m: m   mov     eax,[00656634]            ; '\\.\SICE',0
6 b- c; D: E; j& ]7 {7 W( B   push    eax2 S$ A6 d0 `; a4 j2 I
   call    KERNEL32!_lopen" D, B/ p* F0 v! ~7 n+ e. F2 `5 F; |
   inc     eax% }3 d( ~1 l( S* P
   jnz     00650589                  ; detected
( Y0 P# ?4 f1 [, d   push    00                        ; OF_READ
- G$ H9 O) ?5 h" c- P   mov     eax,[00656638]            ; '\\.\SICE'" Z) M. G& E3 @: `
   push    eax
6 k2 G- `7 k6 I   call    KERNEL32!_lopen
& J9 H; S* A0 @. o8 p; {" L4 i   inc     eax
. s# Z9 P1 F9 [, K- z' @# Y   jz      006505ae                  ; not detected
8 c; U/ y8 i" n; k( ?' [) _
. v! i. \$ C! N3 R5 u
: a, P- ]% O, D$ P7 Q__________________________________________________________________________1 w$ W) j$ F7 K! x& A2 e

# [1 l$ A" ~, J9 IMethod 12* t0 @. a! J! a& D3 s5 Z0 ?
=========
! F2 _1 `8 n2 I1 r; m# f3 {* A
- ], S& s: w, mThis trick is similar to int41h/4fh Debugger installation check (code 05+ s  G2 V& W+ n
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
$ T7 J) h, Y6 e7 M( Aas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
1 P8 x# J7 h3 j3 x/ X
) H1 |' ]* r# w9 F8 Q9 E( b   push  0000004fh         ; function 4fh
8 A) j8 |( T. R! S9 [   push  002a002ah         ; high word specifies which VxD (VWIN32)( G: l3 t+ S' I
                           ; low word specifies which service5 m# _  G7 V% v  |4 {5 [( L
                             (VWIN32_Int41Dispatch)5 C9 a  B0 s* Z3 g! u0 P. i0 `
   call  Kernel32!ORD_001  ; VxdCall
& }, ?" [# w1 A8 I0 x& Z   cmp   ax, 0f386h        ; magic number returned by system debuggers
' S& h% r$ ?, k4 Q% d& u+ n* D0 n" S) n- o   jz    SoftICE_detected2 Y* m6 d; ?( C1 P  h% V
/ g$ k0 F( ]9 I$ R7 w% A! o0 L
Here again, several ways to detect it:) b, x! p+ D- |: D

" C! A, A8 M1 s" X. f    BPINT 41 if ax==4f1 j) C$ n: K1 c* u0 s' {. T

* R7 ^& \! c0 j# a) C    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
9 B( X( [3 C/ S1 F" p; c0 ^! L. E
1 B* {  m! X: B5 ^4 b" c    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A( J' k" H) O/ a# r# z' g

8 u; c) m+ s5 ]* ^  I6 s' p4 J    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
6 ?; J7 O/ m- C# h, B
% \2 t/ R0 t6 H# Y; K__________________________________________________________________________
/ N5 m. S+ r8 Q& I/ H: Z! y, e! o' X) E
Method 13
+ X* f% k. {* [8 J=========
( |- I& ~" `+ k# J, N4 I$ ?) V5 }, k. {$ v2 J7 U- b1 _
Not a real method of detection, but a good way to know if SoftICE is4 t6 B% m7 l9 M" Q* y' ]) T
installed on a computer and to locate its installation directory.. g( R- h3 m) p" j
It is used by few softs which access the following registry keys (usually #2) :
  n  q5 T' ?+ M2 F
; R( }" S% _, D! O, n% X-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! }: A/ i6 h) Z
\Uninstall\SoftICE
! Y' }! G, W7 X& ]-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 N* C4 Y" w/ [9 l6 M6 j# q1 u-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
4 {' N# Y4 ]3 d) Q+ S8 [' i/ D\App Paths\Loader32.Exe" i" j7 R" J5 t# m0 K

4 b4 @3 x. R- j6 D6 A# ~6 S/ h. _# j8 G; F& W
Note that some nasty apps could then erase all files from SoftICE directory
2 b1 @: w- F" Z0 w) T; n$ }(I faced that once :-(; K: Y3 S- L% w( Z
9 i9 C( s' v$ n8 f2 n$ [. |
Useful breakpoint to detect it:
/ b/ B7 B% V4 G9 }4 c$ A, Y
) r- {3 Z6 z* L     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'' ~0 y; A2 ^% i9 K! n4 U7 |/ {- ?

7 D( j7 l5 [# @5 d__________________________________________________________________________
, t$ u1 k! |7 i9 I" W$ B9 ^1 [8 r' P! u; w
9 U; ]* n6 F' {! r) A8 U
Method 14
  M: R3 ?: Y7 N& w=========
) b1 z. l/ u) o) f, {' l7 X. z& M" _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose% a, b; R8 ~$ |  i1 Q+ o/ ?! P5 k
is to determines whether a debugger is running on your system (ring0 only).& m+ e, v0 S2 C$ s6 H5 q0 C
" d& |& s: I2 j. Z1 C  x, T2 A
   VMMCall Test_Debug_Installed* R- `1 ]- ]( d" z  k# T1 l0 Q$ W
   je      not_installed
0 N4 z# ?: y1 h- h+ A$ ?* E- _1 h4 s2 C8 e, I
This service just checks a flag.
0 O. f: W4 v9 o/ s& a" B</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 12:39

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表