About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very much used method (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________
: `' H6 t! y3 C7 k! P. y

Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
+ L" X$ g* o: t' v' i! o
. ^" d2 H& i: b. c  [( w# G. T' j1 @
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
3 ^2 K1 }8 @2 k$ p: w
; P4 E. A3 `' I/ u1 b7 T# s
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
9 U5 K% b5 K2 z, |- ?9 h$ U$ I/ N# B1 A( C  u" S
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

! S5 [  b- s' H" O4 o+ [4 k! a1 M% @: y! Q% c
Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
- w1 ~5 S( A- N* h/ T7 ~* G
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
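To see what the two readings quoted above actually mean, here is an added example (not part of the original note) that decodes a DR7 value into the fields the processor defines: the per-slot local/global enable bits, the LE/GE exact-match bits, GD, and the R/W and LEN fields for DR0-DR3. Run on 0x400 and 0x700 it shows that 0x400 is the reset value (only reserved bit 10 set) and 0x700 has LE and GE set on top of it, so in neither case is a hardware breakpoint actually armed; an armed slot shows up in hardware_breakpoints(). Function names and the DR0 address are my own constructed values.

```python
"""Decode x86 DR7 into its architectural fields.

Added example for Method 10; not code from the original note. The two DR7
readings quoted in the text (0x700 with the SoftICE loader, 0x400 otherwise)
and the DR0 address below are used as constructed sample inputs.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# R/W field (bits 16-17, 20-21, 24-25, 28-29): which access type fires slot i
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field (bits 18-19, 22-23, 26-27, 30-31): monitored size; 0b10 is 8 bytes in 64-bit mode
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}

DR7_RESET_VALUE = 0x400  # only reserved bit 10 set: nothing armed


@dataclass(frozen=True)
class Dr7Fields:
    raw: int
    local_enable: Tuple[bool, ...]   # L0..L3, bits 0,2,4,6
    global_enable: Tuple[bool, ...]  # G0..G3, bits 1,3,5,7
    le: bool                         # bit 8, local exact breakpoint enable
    ge: bool                         # bit 9, global exact breakpoint enable
    gd: bool                         # bit 13, general detect: trap MOV to/from DR0-DR7
    rw: Tuple[str, ...]              # per-slot access type
    length: Tuple[int, ...]          # per-slot monitored length

    def active_slots(self) -> List[int]:
        """Slots whose local or global enable bit is set."""
        return [i for i in range(4) if self.local_enable[i] or self.global_enable[i]]


def decode_dr7(value: int) -> Dr7Fields:
    value &= 0xFFFFFFFF
    return Dr7Fields(
        raw=value,
        local_enable=tuple(bool((value >> (2 * i)) & 1) for i in range(4)),
        global_enable=tuple(bool((value >> (2 * i + 1)) & 1) for i in range(4)),
        le=bool((value >> 8) & 1),
        ge=bool((value >> 9) & 1),
        gd=bool((value >> 13) & 1),
        rw=tuple(RW_NAMES[(value >> (16 + 4 * i)) & 0b11] for i in range(4)),
        length=tuple(LEN_BYTES[(value >> (18 + 4 * i)) & 0b11] for i in range(4)),
    )


def flags_set_beyond_reset(dr7: int) -> List[str]:
    """Names of the control bits set on top of the reset value 0x400."""
    f = decode_dr7(dr7)
    names = [f"L{i}" for i in range(4) if f.local_enable[i]]
    names += [f"G{i}" for i in range(4) if f.global_enable[i]]
    names += [n for n, on in (("LE", f.le), ("GE", f.ge), ("GD", f.gd)) if on]
    return names


def hardware_breakpoints(dr7: int, dr0_3: Sequence[int]) -> List[Tuple[int, int, str, int]]:
    """(slot, address, access type, length) for every armed DR0-DR3 slot."""
    f = decode_dr7(dr7)
    return [(i, dr0_3[i], f.rw[i], f.length[i]) for i in f.active_slots()]


if __name__ == "__main__":
    for v in (DR7_RESET_VALUE, 0x700):          # the two readings quoted in the text
        print(f"dr7={v:#05x}: {flags_set_beyond_reset(v) or 'nothing beyond reset'}")
    # Constructed: slot 0 local-enabled, read/write, 4 bytes, on a made-up address
    print(hardware_breakpoints(0xF0701, [0x00401000, 0, 0, 0]))
```

The same decoder is what an analyst reading a crash dump or reviewing a ring0 driver that touches DR7 would use to tell "a debugger left its exact-match flags on" from "a memory breakpoint is armed on this address"; as the text says, the registers themselves are only readable from ring0.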

__________________________________________________________________________
3 ]0 I/ a& g1 `2 T- K' w6 T, i' O5 I; E' l8 U
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
& p, e5 G) o! ~" Z* t# f" `" u( u, s. }
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
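Every method above keys on a handful of fixed constants: the 'BCHK' immediate (Method 01), the SI/DI magic values (Method 02), the VxD IDs probed through int 2Fh/1684h (Methods 03/04), the 0F386h reply to int 41h/4Fh and int 68h/43h (Methods 05, 07, 12), the \\.\SICE-style device names (Method 11) and the registry paths just listed (Method 13). An analyst triaging a packed sample can look for those constants statically before ever running it, which complements the BPX conditions given throughout this note. The scanner below is an added example, not code from the original text: it searches a byte buffer for the little-endian encodings of the immediates (with a small gap allowed between the two halves of a two-instruction pattern) and for the strings in ASCII and UTF-16LE. The regexes, the Finding/scan/methods_hit names and the sample blob are my own constructions.

```python
"""Static scan of a binary blob for the anti-SoftICE indicators listed in this note.

Added example; not code from the original text. It does not run the sample, it
only looks for the fixed constants the tricks rely on: the 'BCHK' immediate
(Method 01), the int 3 magic values (Method 02), the int 2Fh/1684h VxD ID
probes (Methods 03/04), mov ax,4Fh + int 41h and cmp ax,0F386h (Methods 05,
07, 12), mov ah,43h + int 68h (Method 07), the \\.\SICE-style device names
(Method 11) and the registry paths (Method 13). Patterns and the sample blob
are constructed; they are illustrative, not a complete signature set.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    method: str
    name: str
    offset: int


# Instruction-level indicators as regexes over raw bytes. Immediates are
# little-endian and shown in their 16-bit encodings; a 66h operand-size
# prefix in 32-bit code sits before the opcode and does not break the match.
# `.{0,N}?` allows a few unrelated instructions between the two halves.
BYTE_INDICATORS = [
    ("01", "mov ebp,'BCHK' (4243484Bh)", rb"\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 backdoor magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    ("03", "int 2Fh/1684h probe for VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,16}?\xBB\x02\x02|\xBB\x02\x02.{0,16}?\xB8\x84\x16"),
    ("04", "int 2Fh/1684h probe for VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,16}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,16}?\xB8\x84\x16"),
    ("05", "mov ax,4Fh ; int 41h", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("05/07/12", "cmp ax,0F386h", rb"\x3D\x86\xF3"),
    ("07", "mov ah,43h ; int 68h", rb"\xB4\x43\xCD\x68"),
]

# String indicators, searched as ASCII and as UTF-16LE (wide-API callers).
DEVICE_NAMES = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_PATHS = [
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"App Paths\Loader32.Exe",
]


def scan(blob: bytes) -> List[Finding]:
    """Return every indicator hit in `blob`, ordered by offset."""
    hits: List[Finding] = []
    for method, name, pattern in BYTE_INDICATORS:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append(Finding(method, name, m.start()))
    for method, strings in (("11", DEVICE_NAMES), ("13", REGISTRY_PATHS)):
        for text in strings:
            for encoding, label in (("ascii", "ascii"), ("utf-16-le", "utf-16")):
                pattern = re.escape(text.encode(encoding))
                for m in re.finditer(pattern, blob, re.IGNORECASE):
                    hits.append(Finding(method, f"{text} ({label})", m.start()))
    return sorted(hits, key=lambda f: f.offset)


def methods_hit(blob: bytes) -> List[str]:
    """Sorted list of the method numbers whose indicators appear in `blob`."""
    return sorted({f.method for f in scan(blob)})


# Constructed sample blob: the code sequences of Methods 01, 02 and 05 as they
# would assemble, followed by a device name and a registry path.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                           # Method 02
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"               # Method 05
    + r"\\.\SICE".encode("ascii") + b"\x00"                     # Method 11
    + r"Software\NuMega\SoftICE".encode("ascii") + b"\x00"      # Method 13
    + r"\\.\NTICE".encode("utf-16-le") + b"\x00\x00"            # Method 11, wide string
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  method {f.method:<8} {f.name}")
    print("methods:", methods_hit(SAMPLE))
```

Byte patterns like these are a triage aid, not proof: a protector that builds 0F386h or the device name at run time, or uses a different register, will not match, and a short immediate such as 3D 86 F3 can occur by chance in unrelated code, so each hit should be confirmed at the disassembly the way the note does with its BPX conditions.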

__________________________________________________________________________
/ y8 X6 o+ ~7 Q1 q5 k

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>