About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature ('BCHK') that SoftICE recognizes
in an int 3 call:

    mov     ebp, 04243484Bh        ; 'BCHK' signature
    mov     ax, 04h
    int     3                      ; SoftICE intercepts the BoundsChecker call
    cmp     al,4                   ; AL is left at 4 when nobody answered
    jnz     SoftICE_Detected       ; AL changed -> SoftICE answered

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :))

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
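Both int 3 protocols above (the BCHK probe of Method 01 and the back door of Method 02) can be told apart from a plain int 3 by a tracer or emulator hook that inspects the register state at the moment of the interrupt. The Python below is an added example written for this page, not code from the original text or from any tool it mentions. It assumes the command at ds:dx is an ASCIZ string (the page only says ds:dx points to the command), and the memory image it replays is constructed to mirror the Haspinst.exe loop.

```python
# Magic values SoftICE expects in SI/DI for its int 3 back door (Method 02).
SICE_MAGIC_SI = 0x4647
SICE_MAGIC_DI = 0x4A4D

# Back-door functions listed in Method 02.
SICE_BACKDOOR_FUNCS = {
    0x0910: "display_string",
    0x0911: "execute_command",
    0x0912: "get_breakpoints",
    0x0913: "set_breakpoints",
    0x0914: "remove_breakpoints",
}

# BoundsChecker probe from Method 01: EBP='BCHK', AX=4.
BCHK_MAGIC_EBP = 0x4243484B


def read_asciz(mem, seg, off, limit=64):
    """Read a NUL-terminated string at seg:off from a sparse memory image
    (dict: linear address -> byte). Assumption: the command at ds:dx is ASCIZ."""
    lin = (seg << 4) + off
    out = bytearray()
    for i in range(limit):
        b = mem.get(lin + i, 0)
        if b == 0:
            break
        out.append(b)
    return out.decode("ascii", errors="replace")


def classify_int3(regs, mem):
    """Classify an int 3 hit by the traced program from its register state.
    Returns (kind, detail)."""
    ax = regs.get("ax", 0) & 0xFFFF
    if regs.get("ebp", 0) == BCHK_MAGIC_EBP and ax == 0x0004:
        # Method 01: the sample then tests AL; AL != 4 means SoftICE answered.
        return ("boundschecker_probe", "ebp='BCHK', ax=0004h")
    if regs.get("si", 0) == SICE_MAGIC_SI and regs.get("di", 0) == SICE_MAGIC_DI:
        func = SICE_BACKDOOR_FUNCS.get(ax, "unknown_%04Xh" % ax)
        if ax == 0x0911:
            cmd = read_asciz(mem, regs.get("ds", 0), regs.get("dx", 0))
            return ("softice_backdoor", "%s: %r" % (func, cmd))
        return ("softice_backdoor", func)
    return ("plain_int3", "no SoftICE magic in si/di")


def build_hasp_like_image(ds=0x4C19):
    """Constructed memory image mirroring the Haspinst.exe loop of Method 02:
    a table of 6 near pointers at ds:0100h, each to an ASCIZ SoftICE command."""
    cmds = [b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT"]
    mem = {}
    base = ds << 4
    table, strings = 0x0100, 0x0200
    for i, c in enumerate(cmds):
        mem[base + table + 2 * i] = strings & 0xFF        # low byte of pointer
        mem[base + table + 2 * i + 1] = strings >> 8      # high byte of pointer
        for j, b in enumerate(c + b"\x00"):
            mem[base + strings + j] = b
        strings += len(c) + 1
    return mem, table


def replay_hasp_loop(ds=0x4C19):
    """Walk the 6 iterations of the Method 02 loop (MOV DX,[BX] / INT 3 / ADD BX,2)
    and classify every int 3 the way a tracer hook would."""
    mem, bx = build_hasp_like_image(ds)
    results = []
    for _ in range(6):
        lin = (ds << 4) + bx
        dx = mem[lin] | (mem[lin + 1] << 8)
        regs = {"ax": 0x0911, "dx": dx, "ds": ds, "si": SICE_MAGIC_SI, "di": SICE_MAGIC_DI}
        results.append(classify_int3(regs, mem))
        bx += 2
    return results


if __name__ == "__main__":
    for kind, detail in replay_hasp_loop():
        print(kind, detail)
```

Run stand-alone it prints the six back-door calls of the loop, ending with the HBOOT command; a hook of this shape is what lets an unpacking sandbox log the command rather than execute it.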
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; int 2Fh: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; point int 41h at our dummy handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; a debugger answering 4Fh still returns 0F386h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; dummy handler: leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = a hard-to-predict byte (PIT counter)
    xor     cx,cx
    int     41h                     ; if our handler runs, CL becomes AL
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; the int never reached our handler

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
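To see why the text quotes dr7=0x700 against 0x400, it helps to decode DR7 by its bit layout (Intel SDM): bit 10 is reserved and always reads as 1 (the 0x400 baseline), bits 8 and 9 are the LE/GE exact-breakpoint enables (0x700 is those two plus the reserved bit), and bits 0-7 together with the R/W and LEN fields in bits 16-31 describe the four hardware breakpoints whose addresses sit in DR0-DR3. The decoder below is an added example, not from the original page; the register values fed to it are constructed.

```python
# DR7 bit layout per the Intel SDM (constructed example, not from the page):
#   bits 0-7   L0,G0 ... L3,G3   local/global enable for DR0..DR3
#   bits 8, 9  LE, GE            "exact" breakpoint enables
#   bit 10     reserved, reads as 1  -> the 0x400 baseline the text mentions
#   bit 13     GD                general detect (trap on any MOV to/from DRn)
#   bits 16-31 R/W0,LEN0 ... R/W3,LEN3 (2 bits each)
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 bytes is only defined in 64-bit mode


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Return the breakpoint state encoded in DR7 (addresses taken from DR0..DR3)."""
    active = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        active.append({"slot": i, "addr": dr[i], "kind": RW_NAMES[rw],
                       "len": LEN_NAMES[ln], "scope": "global" if glob else "local"})
    return {
        "exact_enables": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": active,
    }


def classify_dr7(dr7, dr=(0, 0, 0, 0)):
    """Apply the heuristic of Method 10:
    any L/G bit set        -> a memory breakpoint (BPM) is armed in DR0..DR3
    LE and GE set (0x700)  -> the value the text reports under the SoftICE loader
    otherwise (0x400)      -> nothing set"""
    info = decode_dr7(dr7, dr)
    if info["breakpoints"]:
        return "bpm_set"
    if (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE):
        return "softice_loader_signature"
    return "clean"


if __name__ == "__main__":
    # constructed values: clean, loader signature, and one 4-byte write BPM in DR0
    for value in (0x400, 0x700, 0x400 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(hex(value), classify_dr7(value, (0x401000, 0, 0, 0)))
```

The same decoder explains the warning at the top of the section: a BPM set in SoftICE lands in the L/G bits and the R/W/LEN fields, so a protected program reading DR7 in ring0 sees it immediately, and clearing those bits is exactly how the "clearing BPMs" manipulation works.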

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Only a loaded SICE VxD answers the open request for this device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and thus will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; open failed -> SoftICE not loaded

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
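For an analyst triaging a sample, the tricks above leave recognizable static traces: the opcode sequences of Methods 01-07 and 12, and the device and registry names of Methods 11 and 13. The scanner below is an added example, not code from the page or from any tool it names; the byte encodings follow the standard x86 opcode map, the indicator names are this example's own, and the sample blob is constructed from the snippets in the text.

```python
import re

# x86 byte encodings used below (standard opcode map):
#   mov r16,imm16 = B8+r imm16 (ax=B8, bx=BB, si=BE, di=BF); mov ebp,imm32 = BD imm32
#   mov ah,imm8 = B4 ib; int n = CD n; int 3 = CC; cmp ax,imm16 = 3D imm16
#   push imm8 = 6A ib; push imm32 = 68 id
# Indicator names are this example's own; [\x00-\xFF]{0,n} allows a few bytes of slack.
OPCODE_SIGNATURES = {
    "m01_boundschecker_bchk": rb"\xBD\x4B\x48\x43\x42",                 # mov ebp,4243484Bh
    "m02_int3_backdoor_magic": rb"(?:\xBE\x47\x46[\x00-\xFF]{0,8}\xBF\x4D\x4A"
                               rb"|\xBF\x4D\x4A[\x00-\xFF]{0,8}\xBE\x47\x46)"
                               rb"[\x00-\xFF]{0,8}\xCC",                # si=4647h, di=4A4Dh, int 3
    "m03_m04_int2f_vxd_entry": rb"\xB8\x84\x16[\x00-\xFF]{0,4}\xBB(?:\x02\x02|\x5F\x7A)"
                               rb"[\x00-\xFF]{0,4}\xCD\x2F",            # ax=1684h, bx=0202h/7A5Fh, int 2Fh
    "m05_int41_4f": rb"\xB8\x4F\x00[\x00-\xFF]{0,16}\xCD\x41",          # mov ax,4Fh ... int 41h
    "m05_m07_m12_cmp_ax_f386": rb"\x3D\x86\xF3",                        # cmp ax,0F386h
    "m07_int68_43": rb"\xB4\x43[\x00-\xFF]{0,4}\xCD\x68",               # mov ah,43h ... int 68h
    "m12_vxdcall_int41dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",      # push 4Fh / push 002A002Ah
}

# Methods 11 and 13: device and registry names, matched both as ASCII and UTF-16LE.
STRING_INDICATORS = {
    "m11_device_sice": b"\\\\.\\SICE",
    "m11_device_siwvid": b"\\\\.\\SIWVID",
    "m11_device_ntice": b"\\\\.\\NTICE",
    "m13_reg_numega_softice": b"Software\\NuMega\\SoftICE",
    "m13_reg_uninstall_softice": b"Uninstall\\SoftICE",
    "m13_reg_apppath_loader32": b"App Paths\\Loader32.Exe",
}


def compile_indicators():
    pats = {name: re.compile(p) for name, p in OPCODE_SIGNATURES.items()}
    for name, s in STRING_INDICATORS.items():
        pats[name] = re.compile(re.escape(s), re.IGNORECASE)
        wide = s.decode("ascii").encode("utf-16-le")
        pats[name + "_wide"] = re.compile(re.escape(wide), re.IGNORECASE)
    return pats


def scan(blob):
    """Return {indicator_name: [offsets]} for every indicator present in blob."""
    hits = {}
    for name, pat in compile_indicators().items():
        offs = [m.start() for m in pat.finditer(blob)]
        if offs:
            hits[name] = offs
    return hits


def sample_blob():
    """Constructed sample: the Haspinst-style back-door call of Method 02, the
    simplest Method 05 check, the Method 12 VxDCall and MeltICE-style device names."""
    m02 = (b"\xB8\x11\x09"          # mov ax,0911h
           b"\x8B\x17"              # mov dx,[bx]
           b"\xBE\x47\x46"          # mov si,4647h
           b"\xBF\x4D\x4A"          # mov di,4A4Dh
           b"\xCC")                 # int 3
    m05 = (b"\xB8\x4F\x00"          # mov ax,4Fh
           b"\xCD\x41"              # int 41h
           b"\x3D\x86\xF3"          # cmp ax,0F386h
           b"\x74\x00")             # jz $+2
    m12 = b"\x6A\x4F\x68\x2A\x00\x2A\x00"   # push 4Fh / push 002A002Ah
    m11 = b"\\\\.\\SICE\x00" + "\\\\.\\NTICE".encode("utf-16-le")
    return b"\x90" * 4 + m02 + b"\x90" * 4 + m05 + m12 + m11


if __name__ == "__main__":
    for name, offs in sorted(scan(sample_blob()).items()):
        print("%-28s %s" % (name, ", ".join("0x%X" % o for o in offs)))
```

The slack bytes in the opcode patterns absorb the register shuffling between the immediates and the interrupt (the HASP loop has a MOV DX,[BX] in the middle); in a real triage the byte offsets feed straight into a disassembler bookmark, and a hit on the cmp ax,0F386h alone is weak evidence until it is paired with one of the int 41h, int 68h or VxDCall patterns.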

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>