找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
! _1 F1 Q* h% g5 B/ X3 P. ?<TBODY>
0 S; }) f* s- I: p, I<TR>
: b, z# I( U7 p<TD><PRE>Method 01 4 I* l- y( D/ \' H) q* x% A
=========6 S: W( c  C* t9 o+ V  q' d
* m* h. V8 S4 \  [% P
This method of detection of SoftICE (as well as the following one) is
2 r3 h# v4 l' F  C7 c+ m) \6 Rused by the majority of packers/encryptors found on Internet.6 }- m5 L% a( b) I0 Y. t
It seeks the signature of BoundsChecker in SoftICE
& \- {- b" ?0 `/ |9 Z% ], y5 W+ U& {: o0 R8 J
    mov     ebp, 04243484Bh        ; 'BCHK'
" w. a1 @& ~: T" ~' D" o8 Y    mov     ax, 04h
" Y" ^; K  d. t1 T    int     3      
% K. g7 }; c8 `' I    cmp     al,49 S9 B$ m7 S: g- D' w  ~' f
    jnz     SoftICE_Detected
9 J. A$ p1 G: S3 S3 V2 o: Z
% A0 @3 U0 T9 y3 M7 w, a& r/ t) {___________________________________________________________________________( ]  G0 e0 L3 O! L/ r

! o$ m, F. _3 RMethod 02
  F# [8 {0 w: [1 |5 P=========
/ u. G+ i& U  T: c' N2 Q! J6 I; f2 o- {, F! T: ~" ~$ K4 h6 T
Still a method very much used (perhaps the most frequent one).  It is used
/ R& Q; k3 v9 l- |, A" Vto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
, s) ?4 D' q. d9 X4 p' Tor execute SoftICE commands...
$ @* i) o9 f1 {/ r5 b7 f$ EIt is also used to crash SoftICE and to force it to execute any commands  D5 r. l0 H9 h
(HBOOT...) :-((  : V6 u1 Z5 W5 u1 y. p; D
% w4 L* G# l7 |- w
Here is a quick description:
' \5 B4 z# c6 J: A0 }-AX = 0910h   (Display string in SIce windows)2 M8 [, z5 N5 G9 J0 k/ G
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)! {8 D- k% j( X/ i$ e
-AX = 0912h   (Get breakpoint infos)* I9 N8 _# q2 r9 W
-AX = 0913h   (Set Sice breakpoints)4 d$ X6 u' c) {( Y9 h) U
-AX = 0914h   (Remove SIce breakoints)$ \9 W7 e6 ?& u& U

# ^7 h4 \0 d' N1 b9 IEach time you'll meet this trick, you'll see:
8 W9 {7 j1 r) l  L/ I: p; |  `-SI = 4647h
5 ?) T4 Q: B1 z3 ~% i* o, t-DI = 4A4Dh) R6 E: b  y. ]5 p: f% `/ k
Which are the 'magic values' used by SoftIce.! @7 \, ~' m/ }9 O# S
For more informations, see "Ralf Brown Interrupt list" chapter int 03h." L% k( r3 J' s3 d( g

$ Q3 ?% C3 Y9 c4 [3 W' A4 F  W0 ZHere is one example from the file "Haspinst.exe" which is the dongle HASP
8 B' ~" o! W  G' J! o+ ]4 Q& hEnvelope utility use to protect DOS applications:
* \& `+ M/ y# g4 M8 x0 [6 V, B: q8 t+ M) ~; J
: Z+ B* I" h/ z  P' Q1 H
4C19:0095   MOV    AX,0911  ; execute command.+ Q7 k! e4 k, F0 e" H
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).$ s2 {! M- [- C0 E, O8 d
4C19:009A   MOV    SI,4647  ; 1st magic value.
* P( L& Y% ]$ Z7 Y4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
2 J8 |4 z- ]- m* y2 r1 x4 l5 A: Y4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)6 I  W! [! f  C4 T  Y2 \2 V6 M9 E. n
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute0 c$ _% i  t; R, \: \6 z
4C19:00A4   INC    CX: i0 Y# {  E/ t
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute9 `/ a0 G! c, S$ P% C+ g, a
4C19:00A8   JB     0095     ; 6 different commands.  i& F1 t% G  u3 S, G
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.) R8 Y5 s! n$ y6 B0 r3 E6 N
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)" K5 C9 h& |  D( h0 I- z

+ V, n  a7 _  U. [The program will execute 6 different SIce commands located at ds:dx, which, C: G0 ?6 ?+ u- o$ Z
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! _" ?7 ~1 Q) U

6 `& u8 `0 D( |3 d* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
9 c) B1 G& q) ?9 `. H& A) q* R___________________________________________________________________________
" `" a3 t3 l4 T$ {& p' t2 I* ~) q! J
" I( C1 m+ n  `+ T, E9 B, E
Method 03
) Y* |7 S; S9 z2 |6 s1 L9 x* G=========" H# P4 k( Z% S! Y+ z

" ~2 @9 I1 E, M* T, V) J) ULess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
% a& K/ J1 o8 l, s8 B(API Get entry point)7 ?" h# f& {) X1 F7 m) R- o$ y) i7 h
        
* L/ {$ x! z' ?. Q4 ~( \4 p/ j0 m: Y* S
    xor     di,di" I+ U. p7 }& c- X( {% |* [
    mov     es,di* e& c) O) ?, B  ^/ K
    mov     ax, 1684h      
# ^' {" u4 Y0 A! _6 \  O    mov     bx, 0202h       ; VxD ID of winice
: C9 E. L7 ]" |. I    int     2Fh
6 F2 v+ D) |3 V! k. m    mov     ax, es          ; ES:DI -&gt; VxD API entry point! ?( F- \3 m4 t& L8 J
    add     ax, di' f3 Y9 A- k+ z0 l( P
    test    ax,ax
+ v. b% f$ w( X- C    jnz     SoftICE_Detected
3 a( Z+ E+ J0 d! r1 X4 n- m$ X2 ]: ]0 |# ]4 Z) S
___________________________________________________________________________
) X3 m" S  m% n1 n/ c1 x) F7 t
& D0 @1 n: z# W2 L  pMethod 04
$ X' ^/ d2 ^. e( I6 i=========
! _9 m% {) H1 |, U  a& o, W5 @9 t3 W  R4 U0 |8 U, \; \
Method identical to the preceding one except that it seeks the ID of SoftICE
6 q  A' \2 ]+ {; H: t$ ?GFX VxD.
3 U$ j+ y' M9 D! C' O6 f
3 x6 M2 l& }+ ~3 K' B( l( `9 j    xor     di,di
6 B- B8 x5 `  o+ g    mov     es,di/ c" N( H3 v0 `6 W
    mov     ax, 1684h       0 ]- L& x2 W/ D( g" b% P
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
% O3 m7 T/ {" a3 M$ u' r5 @& W! e% d    int     2fh& D+ Y2 e( H3 O4 d' e! T, d+ {
    mov     ax, es          ; ES:DI -&gt; VxD API entry point) B" \  X  x4 n; {4 \/ Q7 y4 k/ p+ j
    add     ax, di
' t* F) y  d+ _' i- m" C4 j    test    ax,ax- ]3 x6 S6 c+ _" e% R
    jnz     SoftICE_Detected+ f3 Y* J9 p6 {2 [! [4 H" q
3 R- f& M- b% s5 h
__________________________________________________________________________$ n. h0 Q- M$ s7 _4 o

$ S5 h) b5 C, n" Y0 L' B5 K: |5 S4 U) E
Method 05
( v% |" [7 F6 o0 J9 Y& A=========
  j5 D" D1 L* D3 r* c
/ z1 {2 }4 W- ?2 K1 aMethod seeking the 'magic number' 0F386h returned (in ax) by all system2 Z9 p" q8 I1 ?. R6 Q/ G7 d
debugger. It calls the int 41h, function 4Fh.
/ Y  I6 S. Q# S3 X/ R8 R9 C- v) TThere are several alternatives.  
& b* b9 l1 |3 U8 h% H, k9 `5 k5 I; w" M5 \9 p7 ]
The following one is the simplest:
3 q8 W. ?6 U6 m& ~  {: K! D' E  g
    mov     ax,4fh
+ l, L$ ?/ {9 E2 i" g    int     41h
1 u3 g8 b* L7 N$ C7 k# X    cmp     ax, 0F3864 D# l. K4 q, v! t' w
    jz      SoftICE_detected/ M! ]2 t6 U$ r  r

! I6 S6 {5 b. E( S1 N, u& ~  o; o- f0 @+ `
Next method as well as the following one are 2 examples from Stone's : m8 p, t& z6 P/ d# X
"stn-wid.zip" (www.cracking.net):# R5 d& Y! H. B1 W! x2 R! U, o

/ A& P  L1 }$ ]: X3 o* z    mov     bx, cs" V' M" H6 N8 L1 `: E* @/ @' C
    lea     dx, int41handler2
. w# |, Y) }5 z6 w    xchg    dx, es:[41h*4]0 S( K3 \( D. y$ ^
    xchg    bx, es:[41h*4+2]: x5 B! Y- D! e* s9 |  ^8 z3 T
    mov     ax,4fh
( Q) S8 \4 i# [3 g9 X$ c" X4 e% I    int     41h
" m. _) K: h2 T* l4 X6 B    xchg    dx, es:[41h*4]
6 j1 ]0 v  i1 n3 Q$ ~( T6 q7 v    xchg    bx, es:[41h*4+2]
! A7 R! s+ e, c1 a7 g1 S; j+ l    cmp     ax, 0f386h0 b& v. [* K- _& s& a7 A/ E
    jz      SoftICE_detected2 ?9 |& l2 D6 |9 d) W# Q) d2 t
+ i/ d$ E4 l5 k# I: H+ c
int41handler2 PROC( A5 m4 ~2 r2 v; R
    iret" ]- {8 N/ t* c& ^2 F' H. J7 }
int41handler2 ENDP, z! ?$ U& [0 W2 ?! Z

( a9 a+ [5 p7 O% S. y% c" a# [( A* B& n% ^& V2 [
_________________________________________________________________________
9 z1 i* o' p9 Z1 H
" s6 Y+ ?" a7 }: ]3 V
6 w% f+ r$ f" }Method 068 x6 s; N: [4 a5 r
=========
, l6 M0 H- i/ ?' v( U4 e8 S
. H0 g' S8 s) U) ?& l& P) O
! s' i) H  o) C: F9 j5 E( Z/ `2nd method similar to the preceding one but more difficult to detect:
- E% H4 P6 P; o" N" W5 V/ u  S0 r( j$ z- `, `
6 w- S3 T9 I2 ]# g, I' U1 z- V
int41handler PROC
# i" z* P# M' L# s+ q1 v    mov     cl,al
5 m- O7 _. X2 P; ^3 D    iret
* ?" s2 R* d* z/ x7 A4 Aint41handler ENDP1 A! D+ D, x2 h4 a( h+ N. m
, f7 K. m# }# O: p6 i

9 ]" `: ^! `# _; x/ |' M    xor     ax,ax
3 C, t. E; f: Q    mov     es,ax. ~" y$ w8 @( H4 ?9 l+ T( d" J: |
    mov     bx, cs1 m: l% C- R% W' j8 W
    lea     dx, int41handler$ D$ o: B: j9 q( w4 y$ h
    xchg    dx, es:[41h*4]5 s9 y5 Y/ G: @# T( j' `% d  i% ^
    xchg    bx, es:[41h*4+2]
# L1 ?+ k% P% o    in      al, 40h: _+ g9 c# _! P& [& D+ A
    xor     cx,cx
/ i* ?# J2 k; c) ~4 L; ?    int     41h
+ ~7 R7 W# {2 F% I6 f5 u  Y    xchg    dx, es:[41h*4]
$ B+ y& u. }8 t: o4 q6 w    xchg    bx, es:[41h*4+2]
7 b+ r3 p, a2 f  x1 o    cmp     cl,al0 j! J' O' W+ L
    jnz     SoftICE_detected  P  h9 B% n% l3 @$ s
0 p0 ^3 B) p8 @" I5 d/ B4 \9 a
_________________________________________________________________________
  J" \: u- j% B* @0 Z6 [2 u" t, I6 P! |7 \# ?
Method 073 Y5 |: Q8 g) N
=========
' L0 K+ v% Q, Q) j/ M/ j# t9 o  v- V9 C8 `: L4 U+ E
Method of detection of the WinICE handler in the int68h (V86)
  }- J' T, M! \1 m
% q3 j9 `( G( l8 T2 N! A* w, i    mov     ah,43h
2 ^# h; {& c! A! [    int     68h
, T0 c6 ^! H5 x% x! l% G; L# V    cmp     ax,0F386h
" m( V8 E$ U& k3 D( [    jz      SoftICE_Detected4 y3 I  M4 F0 g# t" C
8 a; N4 a7 ]) M; c

8 }4 @) \$ G5 N8 K% W=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
% i* B4 \8 J+ p3 L7 K   app like this:
8 N, j* i5 ~$ P. y4 [
* G3 e6 z& e0 F. h$ C   BPX exec_int if ax==68  H7 x" k6 C7 _8 c$ [8 f- P7 G
   (function called is located at byte ptr [ebp+1Dh] and client eip is
! h# W5 {% b. _+ n   located at [ebp+48h] for 32Bit apps)- ]$ e& z+ ]% y" W+ m$ D2 d
__________________________________________________________________________1 t5 x( \1 q3 j8 N5 X
9 t, c/ R5 ^7 `
& I; }9 |% E% U/ E  m( s& c. x
Method 08
, c8 t# i& T! S  F8 c3 m4 {& W0 }=========
8 x9 T; v+ ]6 g) U! \7 h. C; R9 x; h/ l  N
It is not a method of detection of SoftICE but a possibility to crash the: A6 X% {/ Y, n
system by intercepting int 01h and int 03h and redirecting them to another
( P0 h8 e. p7 L1 Y5 x3 V$ y: ?/ Broutine./ k- C$ ^- R- L  P
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& {0 {* ]0 ~' |% [' H& z. A$ pto the new routine to execute (hangs computer...)8 J  v( v4 y; t7 b/ H

" h4 g" z/ B" R5 `    mov     ah, 25h
! n( H/ q0 y0 r9 [  M) q    mov     al, Int_Number (01h or 03h)" r% \' b( V- L
    mov     dx, offset New_Int_Routine
+ m3 K  t2 B" h" i+ s8 S! F    int     21h0 R# v* E4 I. ]1 Z" _& h1 I5 p

/ ?- w" q, }1 u% X8 ___________________________________________________________________________, K3 d  ?: |' _
! |1 C2 {/ @8 R1 q
Method 095 v! ?! J. _- A2 k+ V
=========5 W9 V" p/ V1 F! }% l+ E
# e1 Z  b: r* U
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
0 p8 x5 ~! P/ W7 D# ]! T+ R5 _5 ]9 ?3 @performed in ring0 (VxD or a ring3 app using the VxdCall).
( w- e; D) h1 |7 P" _, lThe Get_DDB service is used to determine whether or not a VxD is installed
9 y% r, Z# W: y5 J8 F( ^for the specified device and returns a Device Description Block (in ecx) for
' I& r8 T  Y' j) cthat device if it is installed.
. ]% ~' L5 f# l6 z2 G" o6 }* B* Q7 D9 ?( X- `# t+ r  q
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
' q: b; I$ E9 c% H. [6 w5 k   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)" X; u) ?9 L& }9 A
   VMMCall Get_DDB& i1 X# d0 j: s& q( g4 U2 X. H1 I
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
$ _! v7 z: w5 V6 }+ f+ E4 e1 {& y+ y. |9 k1 K
Note as well that you can easily detect this method with SoftICE:# m: G; k) Y& {! B( I
   bpx Get_DDB if ax==0202 || ax==7a5fh
1 P: G' \8 s; `- b) Y5 K2 y: c/ m) x/ U
__________________________________________________________________________! y% ?' p/ n+ v/ ]4 X% H/ X2 y

7 `7 |0 o; ~( {Method 10
% k, j: G: h" g+ L8 i1 C9 l=========
$ P; l* e* L9 N" e$ D) C3 K  P' E& ~4 b2 h# G! c! `
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with0 y  v' O0 I' |+ S! Q6 Z9 Z( K/ j
  SoftICE while the option is enable!!6 f6 K5 \; f. a. z5 s, o: F: ~
( D* H6 ~8 a' ^; W
This trick is very efficient:
/ K' H. @1 a4 Z6 z) f1 B" L+ h# }by checking the Debug Registers, you can detect if SoftICE is loaded3 c( L. f2 n- v3 J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 Q0 r* v$ s* t9 m) {( q2 ?3 L& M$ F! W
there are some memory breakpoints set (dr0 to dr3) simply by reading their; w( ^" r# L+ b2 c8 S3 _+ f# \4 |
value (in ring0 only). Values can be manipulated and or changed as well$ X% F( R7 i# k7 |% k
(clearing BPMs for instance)* ^# a0 g1 e. k, C3 D

4 m7 h9 @, R* ?) q1 t$ }8 b: v! n& D8 R__________________________________________________________________________
3 m/ u, C$ g- }$ \9 Z
" D' E8 G$ h, d3 r0 o* Z! X: a( XMethod 11
: i- f. m; Z: u=========3 t  @( v4 Q& f$ I) P

. c% _9 F$ `& z$ n4 I: m  c  @This method is most known as 'MeltICE' because it has been freely distributed
# D: r, P8 Q8 O- ~3 dvia www.winfiles.com. However it was first used by NuMega people to allow
: c) D7 W7 M/ C4 ~Symbol Loader to check if SoftICE was active or not (the code is located4 L! J( D2 m* v
inside nmtrans.dll).
( C' w3 w2 Q4 s9 W- |$ m( i; a% Y1 c3 M3 P$ m3 d
The way it works is very simple:
3 C5 D6 Y( ?, d6 F: S0 d" C( l& xIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. ]1 Z0 I  Z* U+ ?
WinNT) with the CreateFileA API.
4 ]. \& s$ ^: \% d! }) C; S2 G8 C- Y' s8 L1 b
Here is a sample (checking for 'SICE'):3 Z! a$ l' \4 X1 a' U
  z: @* b/ T- T8 V& }# n
BOOL IsSoftIce95Loaded()1 P5 q$ S  G& L! r9 }
{# q/ O2 P/ Z0 \! l8 o
   HANDLE hFile;  5 p/ \& l. A8 `) t( x( \
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,6 |# s% n- x) `/ V3 u: x! h
                      FILE_SHARE_READ | FILE_SHARE_WRITE,- g5 W# u( m2 b8 ~
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 H) I9 @2 {6 I   if( hFile != INVALID_HANDLE_VALUE )7 p; t% \: a9 A
   {9 ?  I% Z; p4 [* F$ D1 Z
      CloseHandle(hFile);) @; w$ `. W/ f" M  S
      return TRUE;
5 a7 h9 l* Z7 ?& Z3 h   }. h3 a- D/ `& E& H
   return FALSE;
" y. n: ]$ x7 S; n7 L; F) r) |2 ?}
) w* i4 F$ G' c- Z. A% Y1 L$ d( n5 y( A
Although this trick calls the CreateFileA function, don't even expect to be2 g7 x+ `0 ^5 A9 I! }4 n
able to intercept it by installing a IFS hook: it will not work, no way!1 f( N2 x$ q% Q7 `
In fact, after the call to CreateFileA it will get through VWIN32 0x001F' ]8 }0 [& o7 _0 W  E$ j+ g
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
1 S2 [& O: T; o+ u9 t% tand then browse the DDB list until it find the VxD and its DDB_Control_Proc
& L1 z7 s* |# L6 ]6 l6 \! J( x8 ofield.
9 s1 r$ H( Z! q, ^In fact, its purpose is not to load/unload VxDs but only to send a # O5 J: Q1 h5 c2 v
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)7 `) ~  r% }* \& \1 |
to the VxD Control_Dispatch proc (how the hell a shareware soft could try" M& x9 h8 P( C) {, f9 E, b( B, `
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
7 n7 h+ t# |5 q' t2 j5 |If the VxD is loaded, it will always clear eax and the Carry flag to allow
% F- c" t. o$ W- \; Aits handle to be opened and then, will be detected.3 z: J) z5 f9 J$ w/ Z! S
You can check that simply by hooking Winice.exe control proc entry point
" r) i# o3 b3 }1 Ewhile running MeltICE.- h( G+ t$ C7 |5 z

: S- k0 ~& r) L, A$ i9 ?( u
0 l0 W1 T; A) G: N: w) k; r% c  00401067:  push      00402025    ; \\.\SICE4 m/ g' n3 n" m
  0040106C:  call      CreateFileA
. ~* f/ Y) N5 F# G& @/ \  00401071:  cmp       eax,-001$ k9 Q  y9 U- ]
  00401074:  je        00401091
# r. \, H/ @9 p' u4 ]3 X' ^) k0 i7 M' _. E5 i/ x
# r6 k3 T& D# b/ w
There could be hundreds of BPX you could use to detect this trick.1 @! M  E. j5 T" ?9 D: x" O/ t
-The most classical one is:
& ?9 R" i6 r. U" o! Y  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
  d) m; u9 G2 i6 L& B1 f) I    *(esp-&gt;4+4)=='NTIC'
( _  P: G, }2 H$ w1 U1 Q) t* H8 H1 Y; K5 g( |$ L: a4 X+ J; @+ y
-The most exotic ones (could be very slooooow :-(
4 s2 E2 |& R6 Z5 X   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ( `; ]  j. @5 S& ^
     ;will break 3 times :-(
. W) z2 {1 ?2 u# j' _/ t9 H& q$ J3 d$ L2 q1 \. x. e
-or (a bit) faster:
* v+ s5 k$ ]/ u3 W3 ?$ [9 y   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  z  X: }9 v, o
& S7 s5 K8 k+ Z" Q# V0 ?. l   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
  @. K( S9 V) z- n0 ?. {     ;will break 3 times :-(& E  ?" ~+ V. O$ o6 U( ]
3 N2 x$ R) M+ M  ^" D' S7 G
-Much faster:8 s( W: _8 W; H% v: i9 C* r
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
2 Z2 s' I! i& O  k/ S; |$ D$ _
7 _( t- p/ j- b1 r! c* I6 J  GNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
. y. ^" g. j: I( A7 I' ]function to do the same job:
% G4 l7 Y4 g2 V
7 P1 T  g. ~9 x0 }* z5 s, ^& G   push    00                        ; OF_READ
5 v$ o2 B1 \7 ^* s* L   mov     eax,[00656634]            ; '\\.\SICE',02 X6 s: i( I; d5 L% j
   push    eax# p) |- Z: J8 ?3 G  @- K& |1 X
   call    KERNEL32!_lopen; _4 ^" t' o4 ]9 S
   inc     eax' y, s8 G! w- c" r. q
   jnz     00650589                  ; detected2 f. ~' \/ j' v/ ^1 h
   push    00                        ; OF_READ
+ l9 A' V4 N. k- @! \   mov     eax,[00656638]            ; '\\.\SICE'
4 r# P$ Y7 S1 J   push    eax% W7 ~; s; i7 u6 ^
   call    KERNEL32!_lopen1 n' x! U; T$ {) u4 ]; }
   inc     eax" ?3 a+ w8 t: @9 n# m
   jz      006505ae                  ; not detected
; S: X( [0 E  X$ d6 k9 U  A3 j
% u! D' L7 _, k6 W, R( \: O3 `' _% W
6 o8 _' ?& Y3 y. p# q; G- |1 G__________________________________________________________________________
! F& G# _( Z3 u3 \- {; y( q- @: P) o/ B# S/ C5 @
Method 12
$ M  \/ V+ v: w5 g- Z=========
) h% w5 l; }+ ~/ A' a7 u6 P% f4 Q3 T; w) p" q' P. r
This trick is similar to int41h/4fh Debugger installation check (code 054 T! S1 q- C, D5 h# y3 |
&amp; 06) but very limited because it's only available for Win95/98 (not NT)% I3 G0 T) ~/ c- J0 F
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.0 ]) J4 A' B, t
8 S" j" F- ~9 `
   push  0000004fh         ; function 4fh9 L$ n. l# F, v
   push  002a002ah         ; high word specifies which VxD (VWIN32)# M" }3 Q0 N9 F/ V6 C
                           ; low word specifies which service4 Q5 k7 I* O8 {
                             (VWIN32_Int41Dispatch)
! y* L1 s' j6 u3 n7 D% K   call  Kernel32!ORD_001  ; VxdCall
/ M" c. f/ U% k9 G1 m7 ?   cmp   ax, 0f386h        ; magic number returned by system debuggers: `8 v9 h* R5 G9 w, p
   jz    SoftICE_detected! a$ Y' m) N9 t: b1 {- g0 d

9 e& n: n$ ^! m' X) sHere again, several ways to detect it:  |8 ]8 {/ v; P) B; F# g

" Q+ R: U" ]; w1 h: ^( p    BPINT 41 if ax==4f
7 W5 K. P/ I! _+ d' e9 {: m) ~6 ~% g# `2 u
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one4 s# Y% Q" b& b+ r5 ]
1 P. ~0 g* _$ j0 \: [" _$ ~
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A2 k( g+ o/ ~2 l9 _0 m
( a( c1 [3 ~3 Z$ l; p
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!9 I( R6 Y' j$ Y/ T

% v5 Y1 Z* r- `* E2 q; a__________________________________________________________________________
' n7 D+ }# r: j& ]% k; b1 z  i, C
1 G8 @" H- b3 F* I3 w/ wMethod 13; m. v3 N! g7 V4 E3 H
=========, s7 F! N) m. V  Q0 w+ I
) e/ z4 i6 A' X% |8 g
Not a real method of detection, but a good way to know if SoftICE is3 K6 c2 U0 `# H6 O
installed on a computer and to locate its installation directory.: Z5 k' g; E  K, F0 K
It is used by few softs which access the following registry keys (usually #2) :
8 O, n  q) P4 _  V- }8 u+ P3 \
3 S6 c( P3 Q% x& D: l! D-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 O, r5 q- Z( P8 U7 I! Q5 P7 @7 ~\Uninstall\SoftICE4 |( G! \" t( E; J
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' O9 b2 E7 a+ {6 N
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- R9 Y! e4 m: O2 f\App Paths\Loader32.Exe, t5 e' X& U% z3 c4 C3 b: L  y
4 r; |& T, D- _9 h1 g+ {" n

. n1 a! ?  y* r* h' e: M9 }Note that some nasty apps could then erase all files from SoftICE directory0 Z+ x- K: a  }6 H6 h
(I faced that once :-(
" O3 W* _! R+ t3 F8 a# R  A5 ?
* }$ h% J! x: L( P+ S* zUseful breakpoint to detect it:: o6 ^  [# b" v8 Z* |7 m
9 C$ H6 `" q2 Q% `! J; c
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'" Q6 \/ k3 L  v+ D# J  U! S( o4 v4 ~
; N8 y! j% @' v* R
__________________________________________________________________________
* A, a  G8 g3 A& {
) l- d2 w0 v6 l8 k8 n$ a0 _
. S- F2 ]& I. B* H* I/ h1 B, fMethod 14 ! G9 r$ G4 I6 |0 S& }
=========5 i* A: n$ \8 t7 B! Y% u) M5 C+ G3 @
) n- a4 Z" a. n# a6 s
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose7 N4 h- V2 e; {3 Q
is to determines whether a debugger is running on your system (ring0 only).$ \6 q4 r8 y$ M; p, u) U. x
* V/ c8 U2 E- E- L/ c
   VMMCall Test_Debug_Installed
' {. g0 Y5 H* @6 u- G   je      not_installed1 i, @" T5 f! P) o4 S

: N0 G- x. I" nThis service just checks a flag.
! x( O6 i: h' B6 E0 ~4 X! j  ?  f6 z</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-7 18:38

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表