About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers this BoundsChecker call
    cmp     al,4                   ; AL is left untouched if nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   (ASCII 'FG')
-DI = 4A4Dh   (ASCII 'JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES is assumed to be 0 (IVT segment) here;
    xchg    bx, es:[41h*4+2]    ; swap in our own int 41h vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; only a debugger that grabbed int 41h returns this
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our handler: copy AL into CL and return
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the PIT counter: a value to compare later
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL==AL only if our handler is the one that ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
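The two dr7 readings quoted above can be checked bit by bit. The following is an added example, not part of the original text: it decodes a DR7 value using the architectural x86 layout (L0..L3/G0..G3 enables in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and always set, GD bit 13, R/W and LEN fields for slot i at bits 16+4i and 18+4i), so an analyst reading debug registers from a ring0 dump can see what 0x400, 0x700 and a value with an armed breakpoint actually mean. The third sample value is constructed, not taken from the text.

```python
# Added example (not part of the original text): decode a DR7 value so the
# 0x700 / 0x400 readings quoted in Method 10 can be checked bit by bit.
# Layout assumed is the architectural x86 DR7 layout: L0..L3/G0..G3 enables in
# bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads as 1), GD bit 13, and
# for breakpoint i the R/W field in bits 16+4i..17+4i and LEN in 18+4i..19+4i.
RW_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing the control bits and the armed breakpoints."""
    info = {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue                      # slot i (DR0..DR3) is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        info["breakpoints"].append({
            "slot": i, "local": local, "global": glob,
            "type": RW_TYPES[rw], "length": LEN_BYTES[ln],
        })
    return info


def classify_dr7(dr7):
    """Apply the reading given in Method 10 to a DR7 value."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM-style)"
    if d["le"] and d["ge"]:
        return "LE/GE set, no breakpoints: matches the 0x700 loader reading"
    return "no debug-register indicators"


if __name__ == "__main__":
    # Constructed values: the two from the text, plus DR0 armed as a 4-byte
    # write breakpoint (L0=1, R/W0=01, LEN0=11) on top of 0x700.
    for value in (0x400, 0x700, 0x000D0701):
        print("DR7=%08X: %s" % (value, classify_dr7(value)))
```

The decoder makes the text's observation explicit: 0x400 is nothing but the always-set reserved bit, while 0x700 additionally has LE and GE (local/global exact breakpoint enable) set, which is what the loader leaves behind; neither value arms any of DR0..DR3, so a BPM shows up as a separate, non-empty breakpoint list.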

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The open only succeeds if the SoftICE VxD answers for this device name;
      the handle itself is never used. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
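Every check in Methods 01 to 13 leaves distinctive immediates, interrupt numbers or strings in the protected binary, which is what an analyst triaging a packed executable looks for before ever running it. The following static scanner is an added example, not part of the original text nor of any tool it mentions: it searches a raw code/data blob for the byte encodings of those indicators and reports each hit with its offset, and for Method 02 it also looks back for the `mov ax, 09xxh` that names the back-door function requested. The x86 encodings are hand-assembled (B8+r = mov reg,imm; CD xx = int xx; 3D = cmp ax,imm16; 68 = push imm32; B4 = mov ah,imm8), the proximity windows are heuristic, and the `SAMPLE` blob is constructed for the demonstration rather than taken from any real program.

```python
# Added example (not part of the original text): static triage for the
# anti-SoftICE checks in Methods 01-13. It scans a raw code/data blob for the
# byte encodings of the immediates, interrupts and strings the methods use.
# Encodings are hand-assembled x86 (B8+r = mov reg,imm; CD xx = int xx;
# 3D = cmp ax,imm16; 68 = push imm32; B4 = mov ah,imm8); an optional 66h
# operand-size prefix is tolerated because the patterns do not include it.
import re

# SoftICE back-door functions from Method 02, keyed by the value loaded into AX.
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
BACKDOOR_RE = re.compile(rb"\xB8([\x10-\x14])\x09")   # mov ax, 09xxh

# (tag, description, pattern). ".{0,8}?" allows a few bytes between the
# immediate load and the interrupt, as in the listings above.
SIGNATURES = [
    ("M01", "BoundsChecker magic 'BCHK' (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("M02", "SoftICE back-door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    ("M03", "int 2Fh/1684h with SICE VxD ID 0202h", rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("M04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh", rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("M05", "int 41h function 4Fh debugger check", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M07", "int 68h function 43h (V86 WinICE handler)", rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("F386", "magic number 0F386h compared against AX", rb"\x3D\x86\xF3"),
    ("M09", "Get_DDB with SICE/SIWVID device ID in EAX", rb"\xB8(?:\x02\x02|\x5F\x7A)\x00\x00"),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 002A002Ah)", rb"\x68\x2A\x00\x2A\x00"),
    ("M11", "MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M13", "SoftICE registry key string",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(tag, desc, re.compile(pat, re.DOTALL)) for tag, desc, pat in SIGNATURES]


def scan(blob):
    """Return (offset, tag, description) findings sorted by offset."""
    findings = []
    for tag, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            text = desc
            if tag == "M02":
                # Look back up to 16 bytes for the 'mov ax, 09xxh' that names
                # the back-door function being requested.
                window = blob[max(0, m.start() - 16):m.start()]
                bd = BACKDOOR_RE.search(window)
                if bd:
                    func = 0x0900 | bd.group(1)[0]
                    text += " requesting AX=%04Xh (%s)" % (func, BACKDOOR_FUNCS[func])
            findings.append((m.start(), tag, text))
    return sorted(findings)


def methods_found(blob):
    """Set of method tags whose indicators appear in the blob."""
    return {tag for _, tag, _ in scan(blob)}


# Constructed sample (not a real binary): hand-assembled snippets of Methods
# 01, 02, 03 and 05 plus the strings from Methods 11 and 13, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh           (Method 01)
    + b"\x66\xB8\x04\x00\xCC"        # mov ax, 4 ; int 3
    + b"\x3C\x04\x75\x10"            # cmp al, 4 ; jnz +10h
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"        # mov ax, 0911h ; mov dx,[bx]  (Method 02)
    + b"\xBE\x47\x46\xBF\x4D\x4A"    # mov si, 4647h ; mov di, 4A4Dh
    + b"\xCC"                        # int 3
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7"            # xor di,di ; mov es,di        (Method 03)
    + b"\xB8\x84\x16\xBB\x02\x02"    # mov ax, 1684h ; mov bx, 0202h
    + b"\xCD\x2F"                    # int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"        # mov ax, 4Fh ; int 41h        (Method 05)
    + b"\x3D\x86\xF3\x74\x05"        # cmp ax, 0F386h ; jz +5
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # device names            (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"     # registry key            (Method 13)
)

if __name__ == "__main__":
    for offset, tag, text in scan(SAMPLE):
        print("%04X  %-5s %s" % (offset, tag, text))
```

Run it on a dumped code section (the unpacked image, since packers hide these constants until runtime) and read the hits as triage leads, not proof: `0F386h` or `push 002A002Ah` can occur by coincidence, which is why the interrupt patterns require the `int` opcode within a few bytes of the immediate load and why the Method 02 hit only names a function when the `mov ax, 09xxh` is actually nearby.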