About anti-SoftICE tricks

[复制链接]
Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;      /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
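As an added illustration (not part of the original post), the Python scanner below recognises in a raw binary the byte patterns of the instruction sequences quoted in methods 01, 02, 03/04, 05, 07, 11 and 12, the kind of static check an analyst runs on a sample before loading it into a debugger. The encodings are the standard x86 ones for the snippets shown (16-bit for the DOS ones, 32-bit for method 01); the rule names and the sample buffer are constructed here.

```python
"""
Static scanner for the anti-SoftICE instruction sequences quoted on this page.
Added illustration, not code from the original post. The byte patterns are the
standard x86 encodings of the snippets shown (16-bit for the DOS ones, 32-bit
for method 01); rule names and the sample buffer are constructed here.
"""
import re
import sys
from pathlib import Path

# One regex over raw bytes per technique. Alternations cover the two int 3
# encodings (CC / CD 03) and both VxD IDs (0202h SICE, 7A5Fh SIWVID).
SIGNATURES = {
    # method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3 ; cmp al,4
    "method 01 (BCHK signature)":
        rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00(?:\xCC|\xCD\x03)\x3C\x04",
    # method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    "method 02 (back door magic values)":
        rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)",
    # methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "method 03/04 (int 2Fh/1684h VxD ID)":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "method 05 (int 41h/4Fh)":
        rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
    # method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "method 07 (int 68h/43h)":
        rb"\xB4\x43\xCD\x68\x3D\x86\xF3",
    # method 11 (MeltICE): NUL-terminated device name given to CreateFileA/_lopen
    "method 11 (MeltICE device name)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # method 12: push 4Fh (imm8 or imm32 form) ; push 002A002Ah ; call VxDCall
    "method 12 (VxDCall Int41Dispatch)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(buf):
    """Return a sorted list of (offset, rule name) for every hit in buf.

    The patterns are short, so a hit is a lead to confirm in a disassembler,
    not proof on its own.
    """
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler with three of the sequences embedded.
SAMPLE = (
    b"\x90" * 8
    + bytes.fromhex("BD 4B 48 43 42 66 B8 04 00 CC 3C 04 75 10")  # method 01
    + b"\x90" * 5
    + bytes.fromhex("B8 84 16 BB 02 02 CD 2F")                    # method 03
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                          # method 11
    + b"\x90" * 4
)

if __name__ == "__main__":
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"0x{offset:08X}  {name}")
```

Run it with a file path to scan a real binary; without arguments it scans the constructed sample.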