About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with EBP='BCHK' and
AX=04h, a loaded SoftICE services the int 3 itself and returns with AL
cleared (00h). Without SoftICE the int 3 raises a breakpoint exception
that the program's own handler has to swallow, and AL is still 04h.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler the program
installs, which fires when no debugger services the int 3.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh, AX=1684h
(Get VxD API Entry Point): the call returns the entry point in ES:DI,
which stays 0:0 when no VxD with that ID is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh (debugger installation
check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs its own dummy int 41h
handler before the call and restores the original vector afterwards (ES
must be 0, the segment of the interrupt vector table, for the xchg
instructions to hit the vector):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL, and the caller compares CL with the
(unpredictable) AL it passed in. If the int 41h was serviced somewhere
else so that the dummy handler never ran, CL is still zero and the
compare fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install dummy handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: effectively random AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or if there are some memory breakpoints set (dr0 to dr3),
simply by reading their value (in ring0 only). The values can be
manipulated and/or changed as well (clearing BPMs for instance).

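To make the two DR7 figures above concrete, here is an added example (not code from the original text) that decodes DR7 the way a ring0 check would: 0x400 is only the reserved bit 10 that always reads as 1, 0x700 additionally has the LE and GE bits (8 and 9) set, and an enabled BPM shows up as an L/G bit plus R/W and LEN fields. The bit layout is the one documented in the Intel manuals; the sample register values are constructed.

```python
# Added example: decode the DR7 values Method 10 talks about.
# Bit layout from the Intel SDM vol. 3, "Debug Registers"; sample values
# are constructed, not read from a real machine.

_LE_BIT = 8          # local exact breakpoint enable
_GE_BIT = 9          # global exact breakpoint enable
_RESERVED1_BIT = 10  # always reads as 1 (hence the 0x400 baseline)
_GD_BIT = 13         # general detect: traps any MOV to/from DRx

_RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
_LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 means 8 bytes in 64-bit mode only


def decode_dr7(dr7):
    """Return a dict describing what DR7 enables: LE/GE/GD flags and, for each
    of the four breakpoint slots, whether it is armed and on what kind of access."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)          # L0..L3 in bits 0,2,4,6
        glob = bool(dr7 >> (2 * n + 1) & 1)       # G0..G3 in bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * n)) & 0b11          # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 0b11          # LENn field
        slots.append({
            "slot": n,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "kind": _RW_NAMES[rw],
            "length": _LEN_NAMES[ln],
        })
    return {
        "le": bool(dr7 >> _LE_BIT & 1),
        "ge": bool(dr7 >> _GE_BIT & 1),
        "gd": bool(dr7 >> _GD_BIT & 1),
        "slots": slots,
    }


def looks_like_softice_loader(dr7):
    """Heuristic from the text: a program started by the SoftICE loader sees
    LE|GE set (0x700); a normally started one sees only the reserved bit (0x400)."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


def active_bpms(dr7, dr0, dr1, dr2, dr3):
    """List (slot, address, kind, length) for every armed breakpoint: this is
    what a ring0 check reading DR0-DR3 learns about your BPM/BPX breakpoints."""
    addrs = (dr0, dr1, dr2, dr3)
    return [(s["slot"], addrs[s["slot"]], s["kind"], s["length"])
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


if __name__ == "__main__":
    # Constructed: 0x700 as left by the loader, plus one 4-byte read/write
    # BPM in slot 0 (L0=1, RW0=11b, LEN0=11b).
    sample = 0x700 | 0x1 | (0b11 << 16) | (0b11 << 18)
    print(hex(sample), decode_dr7(sample))
    print(active_bpms(sample, 0x00401000, 0, 0, 0))
```

A program that wants to be nasty does not stop at reading: since DR7 is writable in ring0 it can clear the L/G bits and your BPMs silently stop firing, which is exactly the "values can be manipulated" warning above.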
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* open the SICE VxD by its device name; only succeeds if it is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to
be able to intercept it by installing an IFS hook: it will not work, no
way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited because it is only available for
Win95/98 (not NT), as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

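Most of the tricks above (methods 01, 02, 03/04, 05, 07, 11 and 12) leave a fixed instruction sequence or a fixed string in the binary, so a reverser can find them in a file before ever loading it under SoftICE. The following added example (not code from the original text or from any of the programs it mentions) is a byte-signature scanner for exactly those sequences; it assumes the standard x86 encodings of the instructions quoted in each method, accepts both the 16-bit and the 0x66-prefixed 32-bit forms, and the SAMPLE buffer at the bottom is constructed, not taken from any real file.

```python
# Added example: signature scanner for the anti-SoftICE sequences described
# in methods 01, 02, 03/04, 05, 07, 11 and 12. Encodings are standard x86;
# SAMPLE is constructed, not extracted from a real binary.
import re

# Each entry: (label, regex over raw bytes). The 0x66 operand-size prefix is
# optional so both DOS (16-bit) and Win32 (32-bit) encodings match.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("M01 BCHK int3",
     rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values)
    ("M02 back door magic SI/DI",
     rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2F/1684 VxD lookup",
     rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("M05 int 41/4F",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68/43",
     rb"\xB4\x43\xCD\x68"),
    # Method 11: driver device names handed to CreateFileA / _lopen
    ("M11 SoftICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8"),
    # Any method that tests the 0F386h magic: cmp ax,0F386h
    ("cmp ax,0F386h",
     rb"(?:\x66)?\x3D\x86\xF3"),
]

_COMPILED = [(label, re.compile(pat)) for label, pat in SIGNATURES]


def scan(data):
    """Return a sorted list of (offset, label) for every signature hit."""
    hits = []
    for label, rx in _COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path):
    """Scan a whole file (packed samples are usually small enough to slurp)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: filler, a Method 01 stub, a Method 12 stub and the
# MeltICE device string, laid out the way a Win32 compiler might emit them.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"       # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"           # mov ax,4
    + b"\xCC"                       # int 3
    + b"\x3C\x04\x75\x10"           # cmp al,4 ; jnz ...
    + b"\x6A\x4F"                   # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"       # push 002A002Ah
    + b"\xE8\x00\x00\x00\x00"       # call VxDCall (rel32 left as zero)
    + b"\x66\x3D\x86\xF3"           # cmp ax,0F386h
    + b"\\\\.\\SICE\x00"            # "\\.\SICE"
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:08x}  {label}")
```

Real packers rarely emit these sequences verbatim: registers get loaded in a different order or through push/pop, immediates get built arithmetically, and strings get decrypted at run time, so treat a hit as a lead and a miss as nothing at all. The scanner is still useful for triage, and the same patterns translate directly into a YARA rule.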
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>