找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
# Z) A* D' d( d1 @0 c7 a5 ~2 k<TBODY>
: S4 e7 [8 Z, O" E0 Q/ K, j<TR>8 T  {" {0 f% T& O# J
<TD><PRE>Method 01 ; }2 Y( z7 d) e5 ?% o
=========
, `4 K8 o& o% R* @7 A9 n$ n9 k) {$ o
This method of detection of SoftICE (as well as the following one) is: N3 Z- x6 ]+ e) k( E4 n
used by the majority of packers/encryptors found on Internet.6 w# L$ `& O8 _) R% y$ I% N. i
It seeks the signature of BoundsChecker in SoftICE
4 ^# E* y( m5 s; M# y' e! U+ N6 {/ y: {
    mov     ebp, 04243484Bh        ; 'BCHK'5 B5 s7 @) f* g6 F
    mov     ax, 04h
/ `& G8 J: R$ X, U6 \; L9 E    int     3       " o8 _5 L, t# U0 x/ v
    cmp     al,4
  x. X+ d; k0 l( p+ k0 H7 V$ m    jnz     SoftICE_Detected* j& N+ w% e/ q! S) ^; X

0 T% Z) A0 O* f0 C' ?0 S___________________________________________________________________________
8 t* E. V+ o- `. s9 \6 g4 A' i+ ?; B$ R8 B" ~* k
Method 02
+ z) q7 O5 N! `- ?9 Y# q=========, J+ I6 Y: g% ]' f  u1 }

% V5 c5 P8 H. o4 s: lStill a method very much used (perhaps the most frequent one).  It is used
: I( J( r- P  b  @" {5 H2 Pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
  V4 B6 E3 V( V8 O4 x; ]3 N+ eor execute SoftICE commands...' S9 h: w( Y8 [0 A' w2 f7 k
It is also used to crash SoftICE and to force it to execute any commands
. }* y( i# R) n' ^/ j2 ^* u(HBOOT...) :-((  2 t5 f) l& _- p! Z. L

  {+ Q5 ~# x  Z2 o8 R, L) ZHere is a quick description:
, M5 T- L4 C7 w, o9 b1 A8 [-AX = 0910h   (Display string in SIce windows)+ ?: P$ c: q0 B4 V1 m* v
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
8 j/ X" r- u1 [4 [9 Q- j-AX = 0912h   (Get breakpoint infos)$ A! ?5 L6 V. C- |  p
-AX = 0913h   (Set Sice breakpoints)
8 j, W% ?7 h. p5 Q' @  o" W-AX = 0914h   (Remove SIce breakoints)
. L. N8 Z3 n' e5 s' g- I1 g6 h: g- D- b" [; h2 E
Each time you'll meet this trick, you'll see:3 k% s4 Z2 n7 [, f3 {3 a% }# T! h
-SI = 4647h* p! n# o; C9 O* f
-DI = 4A4Dh
4 w$ y5 B, _( N5 d# k7 X' w5 O$ QWhich are the 'magic values' used by SoftIce.6 B" j5 ^  |7 {. u9 @0 _; L
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
! P. H+ ^) b) P, Z* }# f
4 a7 A5 J( c$ R/ q; f+ `8 K( [Here is one example from the file "Haspinst.exe" which is the dongle HASP/ P5 t9 E; q# C. P& s
Envelope utility use to protect DOS applications:1 v' A6 t# l) {+ E8 b* c
- h) G2 W& n2 i* m

# }6 B: `2 k/ Y; m% G4 U4C19:0095   MOV    AX,0911  ; execute command.! Q$ F: G% p+ R5 N5 i
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).* E0 B2 ^5 ^" j  k  _3 T; |- @
4C19:009A   MOV    SI,4647  ; 1st magic value.9 ^' s' }/ [0 U! N" A6 _
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.* x7 Z1 P! H3 {2 W, X4 f
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
( _1 N2 k! s$ E$ a4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute! ?& s5 U1 ?# C& l
4C19:00A4   INC    CX' \! v6 f0 `/ }; C) h: K
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
; Y, f) K/ M' U+ `5 V1 J4C19:00A8   JB     0095     ; 6 different commands.1 c4 w$ v" J% O, t/ s
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.2 i; n* ?3 ^; g" T
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
% \+ G, z( h- H( t4 ^" s" {& r
" R; t% H7 @  Z# W8 `/ H- G  }' }The program will execute 6 different SIce commands located at ds:dx, which
1 x0 ^, X8 y  }( ]+ i& ]) Zare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
7 x; Q& t8 ^8 a9 o' m0 j
: R( D9 S/ M- e' V* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.# q) e( y$ l- u- f) l
___________________________________________________________________________8 J' S( e  \9 m! m

- }8 V. D) S  o" o/ h. W- S8 r* m- W: a: f* S! P4 T
Method 03" w) V( f0 w" k" X1 C) G* f2 D" G
=========
; w% t! D4 K3 p' h. g( b# K/ l( J- x
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h# P- @0 R% P  p6 _( R- ^- x
(API Get entry point)
3 c" z+ }" M  p6 D  @& S9 H: |# G        
; y4 ]6 L. o# q3 H: U+ o1 g, ~/ H
    xor     di,di
% w7 m8 s( @5 d( }( B. N    mov     es,di; g: t: Z% E8 M7 n7 m( B& T+ O
    mov     ax, 1684h       2 Z. |6 E; d! _3 z% q
    mov     bx, 0202h       ; VxD ID of winice9 E1 P* }! N* {6 r1 Y
    int     2Fh
+ n- d" v/ d/ G. h7 ^) V" l    mov     ax, es          ; ES:DI -&gt; VxD API entry point5 }9 F# [0 J, C3 V
    add     ax, di
2 M3 \3 S% S. n; q5 B& P# \# u    test    ax,ax
" d: I; F/ ?2 y& X0 i3 R    jnz     SoftICE_Detected
% l/ f; z& r# J5 M5 m# {, T: D
2 I# ^) D' _/ {* L; \) j$ G___________________________________________________________________________' L& N: z% W, t# v

: U, V8 E+ W1 c3 c+ ^8 eMethod 04
# E7 y5 g, I5 V6 t2 e=========
7 j7 w& p6 |9 t' R- x6 b1 t7 y% |. \4 |( |4 _2 P- T) F6 R9 O6 e
Method identical to the preceding one except that it seeks the ID of SoftICE
. A- I. p7 u" S( l' _7 gGFX VxD.# G, T* k# L2 E/ M; S  W
, ^$ c- C& S$ I; ~
    xor     di,di& l1 B0 f: ?* w* m' T
    mov     es,di
3 X1 i( ?  ?  C, C9 U5 ~    mov     ax, 1684h      
0 O! s0 U3 j% p. G7 ~, F1 r    mov     bx, 7a5Fh       ; VxD ID of SIWVID/ P0 B( |  E  J# D0 k
    int     2fh5 H7 q% M" r& I
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( B' }2 d$ j$ b! c2 @    add     ax, di3 H8 \# h" w' ?+ R
    test    ax,ax1 `; Y, r: e2 h
    jnz     SoftICE_Detected
2 g& Y8 m% O$ Y; n9 O5 D! l
/ O/ P; R. D; n__________________________________________________________________________
! C7 ]5 N: a. n6 [1 d" p- F1 Z) F* r5 D# E

: g! H4 F5 M$ ]- rMethod 057 s- e2 o2 L0 F; ]" \, s0 u
=========0 e. D3 D# @0 }. T8 \  i

0 F  U' L+ p8 vMethod seeking the 'magic number' 0F386h returned (in ax) by all system# {* }$ a: Q  h2 v2 Z
debugger. It calls the int 41h, function 4Fh.% f1 Y2 }5 {" q3 [+ C) Q
There are several alternatives.  
9 H+ ~+ m/ T4 C$ J5 N; f& W
! B* E, u; F& W/ }; t! x$ mThe following one is the simplest:2 f9 e, r2 [  s  d
" g8 H9 |- _. ]- V
    mov     ax,4fh
2 z! y( A% y: \( p0 L' H    int     41h. T* R! D  t6 L: J/ Y" a& V$ e
    cmp     ax, 0F386( V- x1 C" ^' |0 J+ s8 u6 J: u
    jz      SoftICE_detected; T: y$ N0 i- T& Y; @" q. H: b
: \. H/ o- y) `, F  g8 J/ _- p
3 B/ O% h; }' T& O: a
Next method as well as the following one are 2 examples from Stone's
9 v2 w) l1 n5 Y5 m"stn-wid.zip" (www.cracking.net):
% {5 d" @9 c/ V% A+ t2 n! s% @+ i, W
, i- l( m* a& T- A: f1 \) N- n    mov     bx, cs2 ?  h% D3 I$ R. L1 R+ }
    lea     dx, int41handler2  Y6 j) Z9 ?  k5 q+ ]& h& A# w
    xchg    dx, es:[41h*4]  Q9 b& J! A) l; S
    xchg    bx, es:[41h*4+2]3 ]3 O6 C+ y: N8 E! L
    mov     ax,4fh9 c8 k( S7 `, S: T2 {" V
    int     41h
  `9 B: G) V9 U2 }7 g    xchg    dx, es:[41h*4]% ~9 T* Y# S6 B/ z) v& C& I% Y/ u# T
    xchg    bx, es:[41h*4+2]
* V6 Z/ B, k+ @7 Y7 C& `    cmp     ax, 0f386h
* @2 w. O; U7 t; `$ O0 i    jz      SoftICE_detected7 m2 |. j/ d" P+ B6 L" o
! z$ R# ~& o4 G6 ]% X% i
int41handler2 PROC$ Z  l' _* I  O0 @
    iret) W' `$ |1 \4 `
int41handler2 ENDP  b8 D1 z  |9 I. x2 }" _  x+ P& `
+ U' z# |( ^- H3 C+ n6 n7 d/ z& c
( z3 i9 p+ D2 Q+ i" U" |- u" [$ Z" G
_________________________________________________________________________. m) u  l- ?" n. Y: C
9 ^# ~9 [3 u+ t+ S

- s) x; k5 q! w8 P7 \2 V! t, G8 IMethod 06
! W: ]' E$ c$ o8 h8 e! r* J=========$ ^- m" @+ D6 A; a9 {" f( [! j

& ?6 Z) r' @6 x9 O- r! h7 ^  D/ |6 l4 A
2nd method similar to the preceding one but more difficult to detect:  d; B5 [! z3 J. j3 b6 W, m8 s% B* P

* f1 u* Z1 u5 i$ T+ S3 W% c
+ A& e9 `! N1 c; x" m0 g' Y8 Yint41handler PROC# H; ^" l/ u1 A" c+ q  Z
    mov     cl,al
% n) I' ~% p; W    iret, }- p7 `6 t* |0 G8 i0 p
int41handler ENDP
' I. x; v' E/ w% ]) h- }5 [
3 W/ h7 M' e; Q
( Y  h" h: A& U  n* X, Q% \2 a- w    xor     ax,ax6 Q$ g8 ?6 u0 E) }( `- d; }
    mov     es,ax! j+ o+ S8 J- q3 L# `
    mov     bx, cs  i2 o  m( I5 V
    lea     dx, int41handler
: I2 X# \" f/ z    xchg    dx, es:[41h*4]
$ w" `: |" l% \% I0 t& `    xchg    bx, es:[41h*4+2]
8 {+ g/ X" n. i/ X2 F! G( v    in      al, 40h
7 a2 N; a$ j& N2 _    xor     cx,cx+ I$ ]4 y/ g/ C
    int     41h6 X7 e9 e2 e+ r8 U
    xchg    dx, es:[41h*4]% P  d8 y2 |7 J7 v8 \
    xchg    bx, es:[41h*4+2]
- d. M8 I5 w0 v% Z) U- H2 s    cmp     cl,al
& D4 g3 p" v4 m0 p7 m& M& V1 y6 M+ @5 y    jnz     SoftICE_detected! Z8 k) a7 |1 [$ x7 A
2 [7 m) C! X* |- d! j' `
_________________________________________________________________________9 h! r8 {! A6 _% V: W' h6 x

2 Q) E% u- {- f* fMethod 07
  |: a5 d6 D; r=========& e" o( y1 Y( P6 a4 v  @3 o, e' A

8 _. J8 ]# M  f4 fMethod of detection of the WinICE handler in the int68h (V86)
' [% N7 c9 I2 a* k6 K( \& c
* Z: X5 r  J' c, ?: l    mov     ah,43h
7 E( j$ n( p3 `3 ]    int     68h
! g) P9 Z9 U8 u: ~    cmp     ax,0F386h' v) P; U" T& A* J% Z
    jz      SoftICE_Detected
  I! ]$ ~. o" ^- T
1 S: d6 @& F' Q" U  G8 {& o, a4 V4 _- V/ c  f2 D. H
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit7 O: n9 }0 o4 o) g4 i- ]5 ~
   app like this:& ~$ f9 D( y! J& b, q
( d5 t& L2 u& I/ w" @6 r! Q0 W
   BPX exec_int if ax==687 Q- F: S2 v$ W$ Q- n, X; t2 J' k
   (function called is located at byte ptr [ebp+1Dh] and client eip is
- T( _4 t. c$ q& ?9 n, ]' d- x   located at [ebp+48h] for 32Bit apps)
# I2 ?! J% I& H1 V0 j__________________________________________________________________________, f  l2 `7 I( Q
5 d. L- T) o1 ?* `
7 J% P! X" v- Q6 q
Method 08# N, v! R. ?" U
=========4 o& B( n; S& j' e9 o
9 [8 g' J5 M5 P9 R! [4 V
It is not a method of detection of SoftICE but a possibility to crash the
% D% H3 F" D6 d- o+ K% {8 Isystem by intercepting int 01h and int 03h and redirecting them to another
: q+ j! H3 `( Z& Zroutine.$ O& y  M1 x9 f2 l; V# v5 X# g! x
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% @: O6 w- d, ~, V- S8 o! sto the new routine to execute (hangs computer...)
) r0 ], W/ f" I/ q* X- p
2 \- U$ x, ?; }  w4 s% H    mov     ah, 25h3 u8 Z) j; A4 J" P
    mov     al, Int_Number (01h or 03h)
: u( X6 ]: k( W, }' Z    mov     dx, offset New_Int_Routine0 V& ~. q2 W4 v$ ?2 H# S3 `
    int     21h$ L/ h+ U- _* N# s9 f+ L

, ~( j: s. R) r: q) L% m- \__________________________________________________________________________5 s  A& C2 @. k5 l% f
/ Q- j6 X, I% t
Method 09
4 @! A# V3 \* [( Y; [6 ]=========: W- A7 |7 U2 y1 }9 M5 h: x
. p4 e: T  @( ]6 @2 C
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* w. u! Q5 a: ]' }" |7 }
performed in ring0 (VxD or a ring3 app using the VxdCall).
1 X- D3 C9 c% o) r9 u# H* ^6 s  bThe Get_DDB service is used to determine whether or not a VxD is installed' P# |; _) V9 k
for the specified device and returns a Device Description Block (in ecx) for4 ]# F; Y( P9 B8 N. A
that device if it is installed., o/ w  K$ X# y  ?' X5 ~( g

' S: ]( H* Z- A! E) Z7 ?   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID% \' u% Y& _7 A) G1 ^
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)" k- a, L$ H6 u" J) y; N7 n
   VMMCall Get_DDB
! g7 q6 f7 @# Z% _3 W2 }   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
% Q) [& h$ H, v6 y
" `. B2 {* D8 M7 M2 C! K! WNote as well that you can easily detect this method with SoftICE:
* }& H% t% x" p  M! K, m5 v   bpx Get_DDB if ax==0202 || ax==7a5fh
# p( O' Q8 m8 x3 N! \) h
5 p2 S6 L/ {$ A4 ?& \# f# r__________________________________________________________________________
9 k6 e$ W6 K( K4 k
+ V) |7 d" j1 xMethod 10
& S1 N( v2 f) b=========
1 n% m! R* R; `0 i3 e) y& |1 b) S; W& F" j) F. y4 m9 ]& Q7 g; I% _
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
% ^4 w" H+ Q, t  SoftICE while the option is enable!!
8 b/ m! l8 r! v- S/ \+ M. e1 g
* {0 j' D; L4 N8 O- pThis trick is very efficient:
" m  `% c( I5 C3 }( X7 uby checking the Debug Registers, you can detect if SoftICE is loaded6 u' Z& H7 ?, \, q# U4 B1 u$ q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; F2 X& s# g, t
there are some memory breakpoints set (dr0 to dr3) simply by reading their& I) P# u  V/ G7 k2 v. q0 i) A/ K4 M
value (in ring0 only). Values can be manipulated and or changed as well9 W6 t5 R+ ^8 C* L# `6 I
(clearing BPMs for instance)
) S0 s2 _* \7 a! A% B  k; u
% ]& G9 v8 m* m1 W: X2 q__________________________________________________________________________
  |3 \* c/ ^# t" e8 \7 m+ [1 }
) ]$ y9 R+ D0 `; BMethod 11
: R! Q# p5 n. F& W=========
0 V7 \+ \9 D/ u; D/ ?. G! k4 s! u$ ]% n  @- n* Q# r7 P
This method is most known as 'MeltICE' because it has been freely distributed/ t: q/ {: o' t
via www.winfiles.com. However it was first used by NuMega people to allow
3 q9 Y9 g' c( ~  h* sSymbol Loader to check if SoftICE was active or not (the code is located& m% U* l4 K# n! n' F0 z
inside nmtrans.dll).
8 x% F" m% y, a' W* o' W" u6 D" ]7 A+ j8 i) B
The way it works is very simple:" u# W# @' ]( `% J2 Y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for6 {% ]/ \+ R6 r$ \6 y  D" S4 d
WinNT) with the CreateFileA API.
0 S# B' d; Q6 _$ ]) ?# ~$ Q5 {7 _
: B9 b8 K# X7 o/ m  _9 jHere is a sample (checking for 'SICE'):3 D  n7 N$ U# f) Q5 m/ [

7 W. G! Z- |5 jBOOL IsSoftIce95Loaded()
" v# [1 M) g  O8 ~2 @{7 }2 L8 e; U1 L/ `) A/ g
   HANDLE hFile;  2 l8 z" }: Q7 F" [4 w, y! C
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- i6 Z5 a( n- r1 N                      FILE_SHARE_READ | FILE_SHARE_WRITE,
' ^3 I0 w  h7 k6 w( j- |: f                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
& g) {4 l0 j% A$ U   if( hFile != INVALID_HANDLE_VALUE )
5 c$ `, Q1 a5 C9 a: h# \' ?' `   {' w! m+ h6 ~: E! @) e8 P: H" E& G
      CloseHandle(hFile);$ M& H1 T, T  a$ S
      return TRUE;+ y1 K9 Y+ b# F- y# a1 z
   }$ G2 J5 I0 @4 W" O# S) Y
   return FALSE;2 X; Q2 r0 [0 X- ^
}
3 w3 e4 e9 h4 H+ l% `" D) r1 T0 n+ ?( {0 u! M
Although this trick calls the CreateFileA function, don't even expect to be% j, C' n3 q! A! Q  s5 Z
able to intercept it by installing a IFS hook: it will not work, no way!4 l% ~" d; T  Z, h/ T. v/ i  v
In fact, after the call to CreateFileA it will get through VWIN32 0x001F3 e. a! \9 \3 ^: m, s! U
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 `5 X2 z3 B' l5 V# j3 A* G- {
and then browse the DDB list until it find the VxD and its DDB_Control_Proc) B: g) X2 B. n9 `
field.
% ]  h8 v% l8 f% A) ~. \1 i7 LIn fact, its purpose is not to load/unload VxDs but only to send a 7 c6 t2 ]# o3 Z
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
; M1 }3 L! {! b# h  `, L1 k. f/ \# wto the VxD Control_Dispatch proc (how the hell a shareware soft could try2 [& |8 X% M/ a' B
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 C1 C9 L, i% PIf the VxD is loaded, it will always clear eax and the Carry flag to allow
/ z- R9 x) N$ `, Y7 m/ R) y% s5 s! Jits handle to be opened and then, will be detected.& I5 o' x0 Z0 D: l" e/ e
You can check that simply by hooking Winice.exe control proc entry point
9 q4 N' H6 k  E, W  {& y% {$ i' a) dwhile running MeltICE.' K# ?2 s3 M6 }. Y" C+ S
3 |( y+ E) w. c( Q
+ n% C* U, r$ ^. f" \: M
  00401067:  push      00402025    ; \\.\SICE
& J, L+ U$ T1 H* E4 N6 H  0040106C:  call      CreateFileA
( i& j* G8 p# G  C3 U4 a  00401071:  cmp       eax,-001
- G( W) `2 f+ ?& L3 z- \8 a  00401074:  je        00401091
0 J' I6 ?3 r4 J- H" H, t) Z' p' ~% a& R! _: @
/ c+ Y& R0 X- N  X1 _
There could be hundreds of BPX you could use to detect this trick.6 v8 [  m4 b, v$ D' }1 m* u
-The most classical one is:/ [/ D. D* Y3 R
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||( |0 p1 c/ p$ [; G4 K# q
    *(esp-&gt;4+4)=='NTIC'
: G* h2 n+ A' @' j5 M5 k( X% Z; s& r$ A
: f8 I4 w. o8 ]-The most exotic ones (could be very slooooow :-(8 K$ S% \7 Z$ {& w" B- N: P0 D
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
. T6 @' g  g$ F# c( c     ;will break 3 times :-(
; L" N* i* O7 D9 Y2 ~1 E
; k; ]8 M2 I; G# {& ^: w7 I-or (a bit) faster: 8 }+ {0 L) }- a- E
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
( S2 h& V/ M" o% t5 U( D( ?/ k: o* e  q  z
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
7 \8 E4 v2 F4 b3 E: U     ;will break 3 times :-(
) l2 T4 B! I9 E' ]* @% e" q
9 l. ]+ U: ]6 m( q3 ?& Y" ~-Much faster:
# [5 {0 g8 @! y% f7 Z" i) B   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
/ l& E# G5 }2 T9 e6 l' A! ~6 o6 I2 _2 i  E; f1 H
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen! Z" R1 M* B9 l" b
function to do the same job:
$ b! i) \: h, z/ v3 c8 ?( \' t- i8 c
   push    00                        ; OF_READ& t; O1 `/ g& y
   mov     eax,[00656634]            ; '\\.\SICE',0) x5 u5 x% T  v3 g$ z1 W
   push    eax- b3 \& w( [: p7 `. r) k0 V
   call    KERNEL32!_lopen7 R3 o1 A# C$ R. t
   inc     eax
" z( P9 h: v' B5 S! l- p: n1 M1 B   jnz     00650589                  ; detected- w9 I* d" m2 n& p+ @/ @9 G5 J& ^
   push    00                        ; OF_READ
. g6 c% m" e3 @  w- o   mov     eax,[00656638]            ; '\\.\SICE'
4 K! I9 |) Z' [4 E   push    eax) s& y6 D" _( y: L
   call    KERNEL32!_lopen
2 \1 m8 E9 Y& h' a. i; D   inc     eax
9 B5 N" M2 D, @1 Z! }/ Y" I& U   jz      006505ae                  ; not detected) z& j5 i# h0 }4 r2 x
, v% r! z9 O$ y+ G- ]8 e2 E
9 ~1 r1 U8 X5 {! x
__________________________________________________________________________
% c7 S3 w1 H  ]2 Q
6 W9 K& n5 s9 r& q' X+ D3 t! oMethod 12
; ?7 W! W9 @6 H8 i=========$ ^$ Q5 X+ s5 s' y1 ^! K. o5 Q

& T. S8 i" w) t& d' t2 V8 A, J. tThis trick is similar to int41h/4fh Debugger installation check (code 05
! X0 S; X% a8 a% t&amp; 06) but very limited because it's only available for Win95/98 (not NT)& f8 n3 N9 B& n4 c- m: t
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
4 g) B5 I# ?% b6 \/ }) z* X4 k4 U
" b( d7 ~6 v7 T0 `) f   push  0000004fh         ; function 4fh
/ P" A8 r1 D, e9 P1 h   push  002a002ah         ; high word specifies which VxD (VWIN32); Q- b7 G+ V! y/ ~
                           ; low word specifies which service; X7 J7 k# h; e- M
                             (VWIN32_Int41Dispatch)7 A9 a6 @4 O! ^. q9 M" [. ]8 W
   call  Kernel32!ORD_001  ; VxdCall
5 e, h' u# F3 b6 S3 P8 j' j3 u: I   cmp   ax, 0f386h        ; magic number returned by system debuggers
( m5 g. y* B0 u  r+ W$ e9 i/ L   jz    SoftICE_detected
/ y$ G- S5 J- K! v" r; `& Q4 {/ m; i% U8 X& c4 T3 t
Here again, several ways to detect it:
  t9 \. E7 a+ _4 e- n% E  ~5 P# y# F* r/ F2 G
    BPINT 41 if ax==4f
  E; d. X( O# [$ d- s1 g' [! ]* x/ J2 L: L8 p
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
4 a9 A9 ^' r5 S  N2 l% \+ h4 j! t
. |0 g! |1 u' x5 O4 K2 L    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
& ?7 @+ f" `" I  _6 p7 ]# n, b! g5 U% s$ f; i2 p, J: ?( y- R
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!0 f& f! N: [' x) }1 H( v/ x

. b5 ?1 |) }% F4 D/ }/ ?4 q__________________________________________________________________________; f2 @+ r8 [" Q: x$ K. B
" C1 r! W! P  v* l' T  Y0 v4 p1 k
Method 13
/ M5 `5 d: a/ f; }1 c# T3 d=========
% h$ U1 _  n  W. X
9 W6 n6 K: k* |1 N6 G$ u3 uNot a real method of detection, but a good way to know if SoftICE is8 p: o$ Z: e  h, c% W& @- R8 {/ e
installed on a computer and to locate its installation directory.
2 h$ U, `8 q9 |: Y  S* E: l4 xIt is used by few softs which access the following registry keys (usually #2) :4 t# X0 q# |1 V
. m7 ~- G* G$ [+ s- {
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 R3 S4 v, F% a" _+ t% b$ _\Uninstall\SoftICE5 Y5 ~. W+ U7 a8 V$ \
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 C- z4 A/ G& X" V, x" g( M; j. J- n-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; @# c2 K+ _9 C& i- {
\App Paths\Loader32.Exe
, w2 y" E; Z, ^: Q8 R  m' U$ X" ?

/ E# G/ I9 s. x( x; g2 X( T/ INote that some nasty apps could then erase all files from SoftICE directory
+ S! L8 \+ e* Q7 N(I faced that once :-(
5 q4 `( n  x* o6 [8 e9 d2 D1 J$ ~! j3 H3 [
Useful breakpoint to detect it:+ B7 a7 V( R0 @+ ^
% l$ _6 `1 i, V$ h7 r
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'# H# J6 l( R' j8 s7 R
) B9 a1 J$ c+ j& {0 `# @7 X
__________________________________________________________________________0 c& Y4 x7 A. t6 X" t5 a

1 l7 B1 c/ I( l' ]9 m
2 e. |9 O* l7 G( V0 HMethod 14
1 v$ \, b' v4 |% U$ n9 m$ W=========+ e! B& l) W+ b) F
  r0 `/ ]* C( ?! g; g  C) N% o
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 T4 u3 P& c. E' W6 Y8 N6 Y; [/ z3 uis to determines whether a debugger is running on your system (ring0 only).
  V8 L: N& `9 `4 i  S  o" X/ |( r  F/ G2 B8 _  Y* B+ H
   VMMCall Test_Debug_Installed' u1 l5 z1 [- C' r
   je      not_installed
- N) H8 |, @4 J! t- E2 g! [) P8 i; [6 v0 [% K) a
This service just checks a flag.
: W+ c5 {' c. [8 O</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 10:51

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表