About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (IVT segment), as set explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; the dummy handler leaves ax=4fh; a debugger answers 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our dummy handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install the dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the timer port: an arbitrary value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl==al only if our handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the SICE device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
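As an added example that is not part of the original post, here is a small static scanner for the tricks it lists. It looks through a binary for the byte sequences of Methods 01, 02, 03/04, 05 and 07, the MeltICE device names of Method 11 and the registry key of Method 13, and reports the offset and the method each hit corresponds to. The opcode encodings used in the patterns are this example's own assumption about how the post's snippets assemble (standard 16-bit x86 encodings, or 32-bit with a 0x66 prefix); the short `.{0,n}?` gaps allow a few unrelated instructions between the parts, since real packers rarely use exactly the textbook sequence. The sample buffer is constructed for the example and is not taken from any real binary.

```python
import re

# Byte patterns for the tricks described in the post. The opcode encodings are
# the standard x86 ones (16-bit code, or 32-bit with a 0x66 operand-size prefix);
# they are this example's own assumption about how the snippets assemble, and the
# ".{0,n}?" gaps allow a few unrelated instructions in between.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "bchk_int3": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\x66)?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) shortly before an int 3
    "sice_backdoor_magic": re.compile(
        rb"(?:\xBE\x47\x46.{0,12}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46)"
        rb".{0,16}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "int2f_vxd_entry": re.compile(
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int41_4f_magic": re.compile(
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "int68_43": re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL),
    # Method 11 (MeltICE): the \\.\SICE, \\.\SIWVID and \\.\NTICE device names
    "sice_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: the NuMega registry key
    "numega_registry_key": re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}

# Which method of the post each signature belongs to.
METHOD_OF = {
    "bchk_int3": "01", "sice_backdoor_magic": "02", "int2f_vxd_entry": "03/04",
    "int41_4f_magic": "05", "int68_43": "07", "sice_device_name": "11",
    "numega_registry_key": "13",
}


def scan(data):
    """Return sorted (offset, signature_name, method) hits found in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name, METHOD_OF[name]))
    return sorted(hits)


# Constructed sample: NOP padding around a Method 01 check, a Method 05 check
# and a MeltICE device name. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                      # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"                          # mov ax,4
    + b"\xCC"                                      # int 3
    + b"\x3C\x04\x75\x10"                          # cmp al,4 ; jnz +10h
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"  # mov ax,4fh ; int 41h ; cmp ax,0F386h ; jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                           # "\\.\SICE" C string
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, name, method in scan(SAMPLE):
        print(f"0x{offset:04x}  {name:22s} (method {method})")
```

Running it on the sample reports the BCHK check at offset 4, the int 41h/4Fh check at offset 22 and the `\\.\SICE` string at offset 36. A hit only says the pattern is present, not that it is reached at run time, so treat the output as a list of places to look at in a disassembler; the ring-0 tricks (Methods 09, 10 and 14) have no fixed byte sequence and are not covered.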