About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
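As an added example (not part of the original post), here is a small Python triage scanner an analyst can run over a suspicious binary to flag which of the tricks catalogued above it contains. The opcode encodings in the comments were derived by hand from the listings and the constructed SAMPLE buffer re-encodes the Haspinst.exe loop from Method 02; both are my own, not the post's.

```python
import re
import sys

# Byte signatures for the anti-SoftICE tricks in the post (16-bit code unless noted).
# Hand-derived encodings (assumption, verify against your disassembler):
#   mov si,4647h = BE 47 46   mov di,4A4Dh = BF 4D 4A   int 3 = CC (or CD 03)
#   mov ax,1684h = B8 84 16   mov bx,0202h = BB 02 02   mov bx,7A5Fh = BB 5F 7A
#   int 2Fh = CD 2F           mov ax,4Fh = B8 4F 00     int 41h = CD 41
#   mov ah,43h = B4 43        int 68h = CD 68
#   mov ebp,'BCHK' (32-bit code) = BD 4B 48 43 42
# ".{0,N}" tolerates a few unrelated instructions between the marker instructions.
SIGNATURES = {
    "method01_boundschecker_bchk": rb"\xbd\x4b\x48\x43\x42",
    "method02_backdoor_magic_si_di":
        rb"(?:\xbe\x47\x46.{0,16}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}\xbe\x47\x46)"
        rb".{0,16}(?:\xcc|\xcd\x03)",
    "method03_04_int2f_1684_vxd_id":
        rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f",
    "method05_int41_4f_magic": rb"\xb8\x4f\x00.{0,8}\xcd\x41",
    "method07_int68_43h": rb"\xb4\x43.{0,8}\xcd\x68",
    # MeltICE device names as they appear in the binary: \\.\SICE etc.
    "method11_meltice_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    "method13_softice_registry_key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Return {signature_name: [file offsets]} for every trick found in blob."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: NOP filler, the Haspinst.exe loop (Method 02), an int 41h/4Fh
# check (Method 05), an int 2Fh/1684h check (Method 03) and a MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"   # mov ax,911h ... int 3
    + b"\x83\xc3\x02\x41\x83\xf9\x06\x72\xeb"               # add bx,2 / inc cx / cmp / jb
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"           # mov ax,4fh / int 41h / cmp / jz
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                   # mov ax,1684h / mov bx,202h / int 2fh
    + b"\\\\.\\SICE\x00"                                    # "\\.\SICE", 0
)

if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        for name, offs in scan_file(path).items():
            print(f"{path}: {name} at {', '.join(hex(o) for o in offs)}")
```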