About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; es is assumed to be 0 (IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; int 21h/25h: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE (Win9x) driver accepts an open: the
   \\.\SICE device name only resolves while the VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
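As an added example that is not part of the original post: a small static scanner in Python that looks for the byte encodings of the tricks above (the 'BCHK' and 4647h/4A4Dh magic values, the int 2Fh/1684h and int 41h/0F386h sequences, the VxDCall 2A002Ah push, the MeltICE device names and the registry keys) in a raw code blob, so an analyst can tell which method a sample uses before running it. The patterns are hand-assembled from the page's own snippets and the SAMPLE bytes are constructed for the demonstration.

```python
"""Static scanner for the anti-SoftICE tricks catalogued in the post above.
Added example, not code from the original post: every byte pattern is the x86
encoding of the page's own snippet; the SAMPLE blob is constructed by hand."""
import re
import sys

ANY = rb".{0,8}?"             # a few bytes of slack between two instructions
INT3 = rb"(?:\xCC|\xCD\x03)"  # int 3, short or long encoding
D = re.DOTALL                 # '.' must match any byte, 0x0A included

PATTERNS = [  # (method, compiled pattern); comments give the page's instructions
    ("01 BoundsChecker 'BCHK' signature",              # mov ebp,4243484Bh ; int 3
     re.compile(rb"\xBD\x4B\x48\x43\x42" + ANY + INT3, D)),
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh)",      # mov si ; mov di ; int 3
     re.compile(rb"\xBE\x47\x46" + ANY + rb"\xBF\x4D\x4A" + ANY + INT3, D)),
    ("03/04 int 2Fh/1684h VxD entry (SICE or SIWVID)",  # mov ax,1684h ; mov bx ; int 2Fh
     re.compile(rb"\xB8\x84\x16" + ANY + rb"\xBB(?:\x02\x02|\x5F\x7A)" + ANY + rb"\xCD\x2F", D)),
    ("05 int 41h then cmp ax,0F386h",
     re.compile(rb"\xCD\x41.{0,12}?\x3D\x86\xF3", D)),
    ("06 in al,40h then int 41h (hooked-handler variant)",
     re.compile(rb"\xE4\x40" + ANY + rb"\xCD\x41", D)),
    ("07 mov ah,43h ; int 68h V86 handler check",
     re.compile(rb"\xB4\x43" + ANY + rb"\xCD\x68", D)),
    ("12 VxDCall VWIN32_Int41Dispatch, function 4Fh",   # push 4Fh ; push 2A002Ah
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", D)),
    ("11 MeltICE device name",                          # \\.\SICE, SIWVID, NTICE
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.I)),
    ("13 SoftICE registry key",
     re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) for every pattern hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in PATTERNS for m in pat.finditer(blob)]
    return sorted(hits)


# Constructed sample: Methods 01, 02, 05 and 12 assembled by hand, separated
# by NOP padding, followed by the MeltICE device name string.
SAMPLE = (
    b"\x90" * 4                                # 0..3   padding
    + b"\xBD\x4B\x48\x43\x42"                  # 4      mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC"                  # 9      mov ax,4 ; int 3
    + b"\x3C\x04\x75\x10"                      # 14     cmp al,4 ; jnz ...
    + b"\x90" * 4                              # 18..21 padding
    + b"\xB8\x11\x09\x8B\x17"                  # 22     mov ax,0911h ; mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"          # 27     mov si ; mov di ; int 3
    + b"\x90" * 4                              # 34..37 padding
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"      # 38     mov ax,4Fh ; int 41h ; cmp
    + b"\x90" * 4                              # 46..49 padding
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"          # 50     push 4Fh ; push 2A002Ah
    + b"\x90" * 4                              # 57..60 padding
    + b"\\\\.\\SICE\x00"                       # 61     '\\.\SICE',0
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08X}  Method {name}")
```

Run it on an unpacked image or a memory dump rather than a packed file: the patterns are plain instruction bytes and will not be visible through a packer's encryption layer.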