About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 (IVT segment) here,
    lea     dx, int41handler2       ; as set explicitly in Method 06
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(The handler installed in the IVT copies AL into CL; with CX zeroed and AL
loaded from the timer port, CL only equals AL afterwards if the program's own
handler actually ran, i.e. if no debugger swallowed the int 41h call. No
function number is used, so there is nothing obvious to break on.)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
" \, g2 b" d% ]. r( `+ ], c</PRE></TD></TR></TBODY></TABLE>