About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises: with
ebp set to 'BCHK' and ax to 4, an int 3 is answered by SoftICE (if it is
present) and al is no longer 4 afterwards, which is what the jnz tests.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): a non-zero ES:DI means the VxD answered.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs its own dummy int 41h
handler (a plain iret) in the interrupt vector table around the call and
restores the original vector afterwards, so the magic value can only come
from something intercepting int 41h below the vector table:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the dummy handler, keep the old offset
    xchg    bx, es:[41h*4+2]        ; ... and the old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless something else intercepted int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
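Methods 01 through 07 above all reduce to a handful of fixed instruction sequences, so an analyst who has to find them in an unknown binary can search for their machine-code bytes. The following C program is an added example (not code from this page, from SoftICE or from NuMega): it encodes those sequences as byte signatures, scans a buffer and is run here over a constructed sample; the signature names, the sample bytes and the sig_t/hit_t/scan_anti_softice names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A static byte signature for one of the anti-SoftICE sequences quoted on
 * this page. The bytes are the x86 machine-code encodings of those
 * instructions. Where the page's original is DOS (16-bit) code the encoding
 * is 16-bit; a 32-bit build would put a 66h operand-size prefix before each
 * 16-bit mov and would need its own entry. */
typedef struct {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
} sig_t;

/* Method 01: mov ebp,4243484Bh ('BCHK') */
static const uint8_t SIG_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic values) */
static const uint8_t SIG_MAGIC[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Method 03: mov bx,0202h ; int 2Fh (VxD ID of SICE) */
static const uint8_t SIG_SICE[]   = { 0xBB, 0x02, 0x02, 0xCD, 0x2F };
/* Method 04: mov bx,7A5Fh ; int 2Fh (VxD ID of SIWVID) */
static const uint8_t SIG_SIWVID[] = { 0xBB, 0x5F, 0x7A, 0xCD, 0x2F };
/* Method 05: mov ax,4Fh ; int 41h */
static const uint8_t SIG_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
/* Method 07: mov ah,43h ; int 68h */
static const uint8_t SIG_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };

static const sig_t SIGS[] = {
    { "Method 01: BCHK int 3 check",      SIG_BCHK,   sizeof SIG_BCHK   },
    { "Method 02: int 3 back-door magic", SIG_MAGIC,  sizeof SIG_MAGIC  },
    { "Method 03: int 2Fh/1684h SICE",    SIG_SICE,   sizeof SIG_SICE   },
    { "Method 04: int 2Fh/1684h SIWVID",  SIG_SIWVID, sizeof SIG_SIWVID },
    { "Method 05: int 41h/4Fh",           SIG_INT41,  sizeof SIG_INT41  },
    { "Method 07: int 68h/43h",           SIG_INT68,  sizeof SIG_INT68  },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct {
    const char *name;    /* which signature matched */
    size_t      offset;  /* byte offset of the match in the buffer */
} hit_t;

/* Scan buf[0..n) for every signature. Up to max hits are written to hits;
 * the return value is the total number of matches (may exceed max). */
size_t scan_anti_softice(const uint8_t *buf, size_t n, hit_t *hits, size_t max)
{
    size_t found = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        const sig_t *sg = &SIGS[s];
        for (size_t i = 0; sg->len <= n && i + sg->len <= n; i++) {
            if (memcmp(buf + i, sg->bytes, sg->len) == 0) {
                if (found < max) {
                    hits[found].name   = sg->name;
                    hits[found].offset = i;
                }
                found++;
            }
        }
    }
    return found;
}

/* Constructed sample "code" (not taken from any real binary): filler, then
 * the Method 01 sequence from this page, then the Method 07 sequence. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,   /* nop ; nop ; push ebp ; mov ebp,esp */
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh ; 'BCHK'   (offset 5) */
    0x66, 0xB8, 0x04, 0x00,         /* mov ax,4 */
    0xCC,                           /* int 3 */
    0x3C, 0x04,                     /* cmp al,4 */
    0x75, 0x10,                     /* jnz SoftICE_Detected */
    0xB4, 0x43, 0xCD, 0x68,         /* mov ah,43h ; int 68h         (offset 19) */
    0x66, 0x3D, 0x86, 0xF3,         /* cmp ax,0F386h */
    0x74, 0x02,                     /* jz SoftICE_Detected */
    0xC3                            /* ret */
};

size_t sample_len(void) { return sizeof SAMPLE; }

int main(void)
{
    hit_t hits[16];
    size_t n = scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %zu: %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

The patterns are short (four to six bytes), so a hit in a large binary is a lead to review in a disassembler rather than a verdict; the surrounding compare-and-branch (cmp al,4 / jnz, cmp ax,0F386h / jz) is what confirms the trick.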
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
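To make sense of the dr7 values quoted above (0x400 versus 0x700) and of what an armed BPM looks like, here is an added C decoder (example code, not from this page) that splits DR7 into its documented fields following the Intel SDM layout: Ln/Gn enable bits 0-7, LE/GE in bits 8-9, the reserved always-one bit 10, GD in bit 13, and the R/Wn and LENn pairs from bit 16 upward. The sample values and the names decode_dr7, dr7_len_bytes and classify_dr7 are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of one of the four DR7 breakpoint slots. */
typedef struct {
    bool     local_enable;   /* Ln  (bit 2n)   */
    bool     global_enable;  /* Gn  (bit 2n+1) */
    unsigned rw;             /* R/Wn (bits 16+4n..17+4n): 0=exec, 1=write, 2=I/O, 3=read/write */
    unsigned len;            /* LENn (bits 18+4n..19+4n): 0=1, 1=2, 2=8 (64-bit only), 3=4 bytes */
} dr7_slot_t;

typedef struct {
    dr7_slot_t slot[4];
    bool le, ge;          /* bits 8, 9: local/global "exact" breakpoint enables */
    bool bit10;           /* bit 10 is reserved and always reads as 1 */
    bool gd;              /* bit 13: general detect (traps debug-register access) */
    int  armed;           /* number of slots with L or G set */
} dr7_t;

dr7_t decode_dr7(uint32_t v)
{
    dr7_t d;
    memset(&d, 0, sizeof d);
    for (int n = 0; n < 4; n++) {
        d.slot[n].local_enable  = (v >> (2 * n)) & 1u;
        d.slot[n].global_enable = (v >> (2 * n + 1)) & 1u;
        d.slot[n].rw            = (v >> (16 + 4 * n)) & 3u;
        d.slot[n].len           = (v >> (18 + 4 * n)) & 3u;
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            d.armed++;
    }
    d.le    = (v >> 8)  & 1u;
    d.ge    = (v >> 9)  & 1u;
    d.bit10 = (v >> 10) & 1u;
    d.gd    = (v >> 13) & 1u;
    return d;
}

/* Breakpoint length in bytes for a LENn field value. */
unsigned dr7_len_bytes(unsigned len)
{
    static const unsigned table[4] = { 1, 2, 8, 4 };
    return table[len & 3u];
}

/* The page's rule of thumb: 0x400 is the idle value (only the reserved bit),
 * 0x700 adds LE+GE, which the text attributes to the SoftICE loader; any
 * armed slot means a hardware breakpoint (a BPM) is set. */
const char *classify_dr7(uint32_t v)
{
    dr7_t d = decode_dr7(v);
    if (d.armed > 0)  return "hardware breakpoint(s) armed";
    if (d.le && d.ge) return "LE/GE set (SoftICE loader value per the text)";
    return "idle";
}

int main(void)
{
    /* Constructed sample values: idle, loader value, and one 4-byte write BPM in slot 0. */
    const uint32_t samples[] = { 0x400, 0x700, 0x000D0401 };
    for (size_t i = 0; i < 3; i++) {
        dr7_t d = decode_dr7(samples[i]);
        printf("DR7=%08X: %s, armed=%d\n", (unsigned)samples[i],
               classify_dr7(samples[i]), d.armed);
    }
    return 0;
}
```

Reading the registers requires ring0, as the text says; on a modern OS a forensic reader gets them from a thread context or a crash dump instead of a mov from dr7, but the field layout decoded here is the same.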

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
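The classical BPX above compares the four bytes just past the \\.\ prefix of the filename argument, in memory order, which is why 'SIWV' also catches \\.\SIWVID and 'NTIC' catches \\.\NTICE. An API-hooking tool or sandbox that logs CreateFileA and _lopen calls can apply the same rule outside SoftICE. The following C program is an added example (not code from this page, from MeltICE or from nmtrans.dll) that does so over a constructed trace; the api_event_t record layout, the sample events and the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One record of an API trace, as an API-hooking tool or sandbox would log
 * it. The struct and the sample trace below are constructed for this example. */
typedef struct {
    int         pid;
    const char *api;    /* e.g. "CreateFileA", "_lopen" */
    const char *path;   /* the filename argument */
} api_event_t;

/* The three 4-byte tags the page's BPX compares. The four bytes at
 * filename+4 sit just past the "\\.\" device prefix. */
static const char *const TAGS[] = { "SICE", "SIWV", "NTIC" };

/* Returns the tag that matches, or NULL. C equivalent of the condition
 *   *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC' */
const char *softice_device_tag(const char *path)
{
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)   /* "\\.\" prefix */
        return NULL;
    if (strlen(path) < 8)                                   /* need 4 bytes after it */
        return NULL;
    for (size_t i = 0; i < sizeof TAGS / sizeof TAGS[0]; i++)
        if (memcmp(path + 4, TAGS[i], 4) == 0)
            return TAGS[i];
    return NULL;
}

/* The two open routines the page names: CreateFileA (MeltICE, nmtrans.dll)
 * and the 16-bit _lopen (AZPR 3.00). */
static bool is_open_api(const char *api)
{
    return strcmp(api, "CreateFileA") == 0 || strcmp(api, "_lopen") == 0;
}

/* Count trace records that try to open a SoftICE driver; optionally copies
 * pointers to the flagged records into out (up to max). */
size_t count_softice_probes(const api_event_t *ev, size_t n,
                            const api_event_t **out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (!is_open_api(ev[i].api) || softice_device_tag(ev[i].path) == NULL)
            continue;
        if (out != NULL && found < max)
            out[found] = &ev[i];
        found++;
    }
    return found;
}

/* Constructed sample trace: a normal file open, the three driver probes the
 * page describes, a legitimate device open, and a non-open API for contrast. */
static const api_event_t SAMPLE_TRACE[] = {
    { 1044, "CreateFileA", "C:\\temp\\data.bin" },
    { 1044, "CreateFileA", "\\\\.\\SICE" },
    { 1044, "CreateFileA", "\\\\.\\SIWVID" },
    { 2308, "_lopen",      "\\\\.\\NTICE" },
    { 2308, "CreateFileA", "\\\\.\\PhysicalDrive0" },
    { 2308, "RegOpenKeyA", "\\\\.\\SICE" },
};
#define SAMPLE_TRACE_LEN (sizeof SAMPLE_TRACE / sizeof SAMPLE_TRACE[0])

int main(void)
{
    const api_event_t *flagged[8];
    size_t n = count_softice_probes(SAMPLE_TRACE, SAMPLE_TRACE_LEN, flagged, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("pid %d: %s(\"%s\") -> %s\n", flagged[i]->pid, flagged[i]->api,
               flagged[i]->path, softice_device_tag(flagged[i]->path));
    return 0;
}
```

Because only four bytes are compared, any device name starting with those letters is flagged too; the page accepts that trade-off for a breakpoint and a trace filter can afford the same, with the full path kept in the record for review.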


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>