找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
; i8 w- h2 `- [<TBODY>
5 U* j9 j. u# c- i( ?<TR>* i) e" S, n- g
<TD><PRE>Method 01 / b; k1 ~* b* {4 Q; y. L  R
=========6 u, a$ B: `& l8 a1 ^% u
) U0 A6 t0 C2 U9 w; z+ ]
This method of detection of SoftICE (as well as the following one) is
/ ?- P% ~( A9 e  r9 S; `7 `/ W& L: sused by the majority of packers/encryptors found on Internet.! l% A2 K8 ~+ d! d* D2 S( w+ k
It seeks the signature of BoundsChecker in SoftICE
1 ^" M9 k4 P) J4 \2 n. e
) F* ]1 C3 g, d: z    mov     ebp, 04243484Bh        ; 'BCHK'0 N8 C2 p- K  @. x
    mov     ax, 04h
. F* s- W4 g  c5 _2 }! Q7 [- u" i    int     3      
- ^; v/ a5 Y1 W7 H- V1 e5 y1 }8 e5 F    cmp     al,4; n/ u5 f4 i! _. u# Z
    jnz     SoftICE_Detected
2 B; @! g& ~4 D% S; R  W  ~/ O: l6 I
___________________________________________________________________________
4 J7 d) F! R2 C8 |$ l1 I* S5 c# Z4 E3 t9 h1 z1 `1 N; r  F
Method 027 }- ~4 Z" H( t+ q
=========
' }9 v4 K8 i  d* n7 S; S. Q% G) f3 E
' Y& X" Y0 C: b$ b. pStill a method very much used (perhaps the most frequent one).  It is used
6 L2 `6 b# m7 |2 H& |5 `& yto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 Z1 C9 K1 O' k, U- d# tor execute SoftICE commands...
- r& ?" J- V  {/ q7 |It is also used to crash SoftICE and to force it to execute any commands
  P1 q: w& Z( v/ I7 D6 j; C0 c9 w(HBOOT...) :-((  
6 i) d( K4 J: H7 w* z& I
- W) R: K; d+ s+ l) tHere is a quick description:
& }  [7 Y" U6 j  m7 w- j; \! }+ W* u-AX = 0910h   (Display string in SIce windows)
2 \" G! w, b6 G3 H3 f% V-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)& p9 \  e( c3 y
-AX = 0912h   (Get breakpoint infos)
- d; q7 j3 w8 C/ H2 f* u# X-AX = 0913h   (Set Sice breakpoints)
' R  S% F8 ?- U" x7 s-AX = 0914h   (Remove SIce breakoints)
! m+ H) M$ `3 B
7 e8 ^- H( b6 ?8 h- HEach time you'll meet this trick, you'll see:9 c4 i7 l/ I* @
-SI = 4647h' H( f2 F1 W) j
-DI = 4A4Dh
5 Z% a% z! I. v! w2 C8 TWhich are the 'magic values' used by SoftIce.3 y, {7 x# q: r4 f- S
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.* b- A  j0 E( p
$ B4 W, d  J- [/ I" }
Here is one example from the file "Haspinst.exe" which is the dongle HASP
, G+ `" w3 K0 H& E2 R! V% ZEnvelope utility use to protect DOS applications:; P1 B4 A; s# m" X" u/ n) ]+ l

( y4 p; m( u4 n6 j) U
7 m, c, _$ h& N$ g4C19:0095   MOV    AX,0911  ; execute command.: s1 F6 `  S# |% P2 U
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).0 c7 l  p1 k& U1 U7 A5 ~- M0 M. z# u
4C19:009A   MOV    SI,4647  ; 1st magic value.
, D+ b7 j# J, i( @5 |3 _$ F4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
6 e, \7 N- G; J8 O4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)7 L+ g, x) Q) R' w% ^3 x* W9 t9 Q
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute& W% G! h" Z- f9 c. W
4C19:00A4   INC    CX
( K0 j! _! J4 w+ O# e$ H4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4 N/ e4 f0 w6 w7 L) W! C6 t4C19:00A8   JB     0095     ; 6 different commands.3 C8 Z1 R; x  E5 }7 e+ J" D& K8 B
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.6 C+ n+ V: k2 R+ Z1 I3 `' O( f
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)6 W: Z6 b, R, e- H0 R! ?
8 X8 n8 J, B1 F- k' i# n! |
The program will execute 6 different SIce commands located at ds:dx, which7 q0 o! ?; F3 T
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
7 Z- b- W5 R- D. G/ o3 x) O$ |- A6 e' o" ~* C
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
* r2 {4 P+ i0 [6 c2 t6 t/ I___________________________________________________________________________
( ?) a$ W( [& N  U% h
" N! E+ }& ?$ \. L0 ]) F
6 D$ P! h# u* M# r$ M, gMethod 03
7 A) i, J! f. ?+ N, T! K# q=========8 W. g% z) v1 |5 t9 H0 z# a

$ t: m  e4 S& V/ F* k% YLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
; M, Z, C; k8 @& ?4 N7 H1 S6 c(API Get entry point)
5 A$ }! `& B& k0 m8 Y        
# f3 Y0 c( s9 j0 O
% j5 L! m; n' @1 j6 {0 q5 w; _) f* t    xor     di,di
. j6 f% U% _5 R$ D  K* {    mov     es,di
' i" E$ ?, O  C- v1 |5 q    mov     ax, 1684h       ! ]" }6 ^; y# @6 F2 u: b9 U! X
    mov     bx, 0202h       ; VxD ID of winice
, r; b$ k1 ?# P, Z    int     2Fh1 V. `+ u6 s* }! S1 b
    mov     ax, es          ; ES:DI -&gt; VxD API entry point; ]9 @( D  l  ?" H: n! I
    add     ax, di
; l, n# m' j6 @# N1 ?    test    ax,ax% |+ R" I  {  B& _: H' a' K7 y
    jnz     SoftICE_Detected0 Y  F0 k4 s6 i$ h' C( M- ^
# C/ Z4 ]) n7 d- C) T
___________________________________________________________________________  E" A( x5 u4 B8 c; h& w  }0 K
4 S7 _/ P$ c" I' i* ?
Method 04
+ q7 j! X! t3 F& h=========& J6 `9 p! g5 G
4 @. v& S3 e7 B9 ]' |$ e
Method identical to the preceding one except that it seeks the ID of SoftICE
* T3 {0 y  W1 F- JGFX VxD." i9 r2 L2 A5 s7 N& L2 X

7 \: A2 g) D" j) P" w! E$ t    xor     di,di7 m/ R6 S: y# Z! e+ `  x
    mov     es,di
& c6 j7 q8 ]( _. f& H# z    mov     ax, 1684h      
4 T4 b* ]; L# q- l* z  a    mov     bx, 7a5Fh       ; VxD ID of SIWVID
; ^6 i& o0 D2 E  D, w    int     2fh7 b4 T2 U9 ]. `2 P
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
6 ~) ?0 }1 J2 {  K    add     ax, di
6 y! _- S1 u/ D7 s' V# q; _+ f+ A) C    test    ax,ax
: F& S$ t0 m' Z$ |$ e; K- V* p; C    jnz     SoftICE_Detected
0 `1 U+ G7 u  j1 y3 D6 n+ p* A' z7 s
- a2 X6 F# _* u6 k) o2 l, D) Y__________________________________________________________________________
& |) B: {& _) k0 Z& Y$ F# V/ G, n  j6 n1 _- q0 H5 z0 j2 l

) j  }5 Y; k1 C  LMethod 05
$ T. \3 y: S( Q1 f2 i; S=========9 ]! k! ~# V3 ^
9 z7 B. M0 F  N; \- `& q/ W
Method seeking the 'magic number' 0F386h returned (in ax) by all system$ ?: w. O9 d9 S+ z5 i3 z
debugger. It calls the int 41h, function 4Fh.
& F# r$ Y7 H& B5 zThere are several alternatives.  6 w8 f. B; X2 h$ w. k( e8 x3 r
. \7 E7 _. m3 u6 m3 G
The following one is the simplest:8 K! i# ?8 T1 u
& g! p" J8 l! V, Q  R2 f
    mov     ax,4fh4 |- U/ r3 l2 t# Q' b5 P
    int     41h
$ V- C; x. \) ]    cmp     ax, 0F3868 e9 W/ W( o+ |' L6 y% W! O
    jz      SoftICE_detected5 Y& w9 B. B4 O. C/ T, E5 h+ N% p

5 g# a( F1 R! }$ C+ D% {' v, e
9 ]( Y- m! t2 Z% h  }% j+ i9 QNext method as well as the following one are 2 examples from Stone's 7 p5 H% w) @; v  i9 q
"stn-wid.zip" (www.cracking.net):; d4 y9 k2 o' E

6 M3 T5 z7 d8 c    mov     bx, cs
5 Z& T. h. P9 K" ?    lea     dx, int41handler2' v4 r. ]8 X" Y) x% [; I
    xchg    dx, es:[41h*4]
; r( D& a- ]+ |3 R    xchg    bx, es:[41h*4+2]' i2 f) G# N' a
    mov     ax,4fh! d) P# G0 }8 y$ C
    int     41h
. C, Z1 U. q" o! w9 n( [* \    xchg    dx, es:[41h*4]- [! ^9 l, s7 e. k
    xchg    bx, es:[41h*4+2]8 b- Z7 y  j# f) @3 W
    cmp     ax, 0f386h
2 D2 p! ?  G8 E: [/ e. \    jz      SoftICE_detected
( T  f, l( c  H2 d  E6 E, m! W2 x$ \' \. f  }) |
int41handler2 PROC
) Z6 i# {1 R8 l8 k    iret& G8 W( h& I* u+ [! n' M7 F- L
int41handler2 ENDP( s% O( v0 D+ C) r" }  ?

, q, v! d6 s7 f+ l" e' j
7 f8 G9 x1 p+ |+ C_________________________________________________________________________9 G( I- h8 _' z. W& }

/ W: o' x- C! X9 s
$ U4 B) w# E& bMethod 06
8 M" C4 H" D5 k* ?: l. x, S=========
0 H3 f5 N, P3 f" L4 O6 M
$ P& G: w* P. P0 a8 D$ }+ n3 A4 ]* L: j
2nd method similar to the preceding one but more difficult to detect:+ }3 `% c0 b. s' |# S; `" f
4 C; f9 b$ K6 _. ]
, h/ `# D5 B( r
int41handler PROC) F! E) \( t& P7 V' D5 [
    mov     cl,al6 H& A1 z9 X9 R2 l9 o
    iret) N: C% X/ p) Z8 v' A# E/ R, ^4 r
int41handler ENDP) q, A) d7 ~% V5 N8 o

, s8 U4 A, q( J; {. Q
1 M: W+ i9 V3 Z/ p    xor     ax,ax
4 G4 B* U, l9 w  w. F    mov     es,ax1 _# H# I0 l% J! S! U& \; e
    mov     bx, cs- h+ I( Y" T" J) o0 L
    lea     dx, int41handler
7 ]& L3 r, h" y, V% C/ r- k+ d, n- W    xchg    dx, es:[41h*4]' G1 H- k8 c. e3 ]; V5 `; V. C9 r
    xchg    bx, es:[41h*4+2]! `& D# J+ p# E& R% r$ W# h  }0 o
    in      al, 40h
( x2 \; k1 t# ^+ U/ p' {" A( \- F    xor     cx,cx
1 w$ a- c1 b3 O, C; u5 _: x) p    int     41h
% I! N, c+ y. h+ ?* T    xchg    dx, es:[41h*4]
, V; {! ?! ~; [( X    xchg    bx, es:[41h*4+2]# g3 p4 \0 a5 E; }
    cmp     cl,al
- o  m% F: u# [/ p; Q# ^    jnz     SoftICE_detected8 T5 W/ v- Z: C8 B5 h" F

  ~. ?9 L& n) A' n_________________________________________________________________________5 w- B/ H6 z. h

4 h- A- r" W8 x) S: gMethod 07
3 T2 o& C3 l0 }5 g=========2 b( ?: h3 C; I* j* f$ e

9 d& @7 l- w8 w; l2 `9 E  |4 dMethod of detection of the WinICE handler in the int68h (V86)5 ~# x2 F7 }# s9 _% Z) f1 K: v
4 Q) O( C# V7 E/ g# Z
    mov     ah,43h
& T+ ^/ }2 B9 B5 j: I    int     68h
  k  I* F4 v. x6 a8 B    cmp     ax,0F386h1 b; ]6 }% x8 u- X; w* c( ]- q6 l
    jz      SoftICE_Detected
& \, A) d# w. q$ P5 x% Z
# e# h+ K1 k0 ], B& i/ f4 `; H8 I5 S' g
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 Z9 G: a5 u/ M* ~* N3 b
   app like this:7 D# l4 I5 q: T; c; o: E4 b$ B* Y
# \2 j& `" H+ I* d4 k: B/ A
   BPX exec_int if ax==68, I* ]. P0 i& W
   (function called is located at byte ptr [ebp+1Dh] and client eip is
6 l+ N, I1 G% N: ]+ j/ \. D   located at [ebp+48h] for 32Bit apps)7 U4 ~0 C4 w0 p
__________________________________________________________________________
# M, V+ D" y: Y. w, d" U0 [
; N/ M3 I% e+ J. V4 @, E! o7 Z* r0 F: K
Method 08; P$ h8 D: o$ r; K& w& Z6 w
=========
+ R. X; S# @2 e2 H5 j4 H! n' D- x( R+ U$ @8 {6 p& K
It is not a method of detection of SoftICE but a possibility to crash the: g+ r9 s3 f1 q
system by intercepting int 01h and int 03h and redirecting them to another
/ |; ~5 C; q3 p( @0 }' g0 z2 X& aroutine.1 p2 Z# ]8 I; X4 Y  k7 T1 c3 V% E* e  o
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points6 Z/ s. J! N1 U4 n, \
to the new routine to execute (hangs computer...)
4 w; K% u4 j6 m+ }# A9 H9 {* a3 S* n
    mov     ah, 25h7 @, S3 q, _- p! O1 @4 y1 O% O
    mov     al, Int_Number (01h or 03h)
, f) L. a6 D' N0 |    mov     dx, offset New_Int_Routine) M; f2 ^( ~# ?5 D  b+ d& z# `
    int     21h" K8 g# u6 K  j& v! I, R# g

- F' }* r/ u! Z8 O3 I& n, Y__________________________________________________________________________6 ?1 V$ Y. [1 r8 N2 B% w0 P8 M  ^

9 ]# J0 s$ M/ c  \1 d0 P! DMethod 09' M3 \' s" Z! e7 L+ j: k3 \
=========8 A2 R" e' A( p" t: J0 C- ?
; q" n- j& |* S# T2 R/ O& g
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only# R4 ?) b3 H5 _* g% i
performed in ring0 (VxD or a ring3 app using the VxdCall).* W, H8 |3 o/ i( _+ e
The Get_DDB service is used to determine whether or not a VxD is installed
! e( U9 H2 m3 wfor the specified device and returns a Device Description Block (in ecx) for
+ k8 |" F5 j# p; C7 `& d) T0 ]) _that device if it is installed.- x) }" M) _8 i6 W3 u2 l

$ A9 j9 j2 r. B/ g& h" }; T) W   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ J. S! w3 ]! T   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
/ t, h4 x7 A! d9 T   VMMCall Get_DDB
$ |9 h6 C7 N% p5 k) Z   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed0 f) i  y& J2 @6 Z: L

( T) x8 k, H$ i! M* t- @Note as well that you can easily detect this method with SoftICE:
* S, Q/ u- r/ f  H1 j# E0 p) S   bpx Get_DDB if ax==0202 || ax==7a5fh
" n* W; j+ U) y+ w5 d8 I! b2 J
/ s/ J9 K/ {' a__________________________________________________________________________
  q( N+ w  w( \: u6 x3 E
- t' z1 Z$ v: M) [+ j% x! a0 j* ^Method 10
3 l3 n+ i  a3 p( G=========
5 T1 `+ a0 x8 n1 F, O% |9 x2 n
. A& e1 _' [1 v1 h=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
- ^4 b  [8 t% G& I) b  SoftICE while the option is enable!!9 X8 ~# f5 ~* Q: L; E6 x) o8 {
0 f6 t4 d- v6 J& L$ N2 w
This trick is very efficient:
: q1 \: T; Q; |, jby checking the Debug Registers, you can detect if SoftICE is loaded, r3 k( i; N# o) C5 m2 K0 r
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if$ [; K& \9 y7 a9 a, P8 }
there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 t; v. b7 F8 j% ]' Rvalue (in ring0 only). Values can be manipulated and or changed as well' |! a" N  J6 u/ U' ?# C1 T; W
(clearing BPMs for instance)  W) _3 o0 |% ?2 n  z" T# s
9 D3 ^) ]. D0 H. \- \4 H6 p. o. Z0 a9 E
__________________________________________________________________________- T' l+ B! s7 T+ M* K7 G5 E& v; z

3 c) }% `  `0 LMethod 118 K' C6 C+ A3 x0 @1 I: z$ W- b
=========% @/ @1 k4 c/ u) m& y$ Y* z
5 Q: `! m( U. f$ h; L0 g! G
This method is most known as 'MeltICE' because it has been freely distributed
% Z7 |) Y8 {/ C* v5 A; Gvia www.winfiles.com. However it was first used by NuMega people to allow) w+ G9 L0 x/ \* p: a
Symbol Loader to check if SoftICE was active or not (the code is located* h5 P+ _3 ^' R0 C' g% f
inside nmtrans.dll).( Y/ M1 V2 R7 n7 i
$ G' t) }( p  e& M; \& l0 L! {
The way it works is very simple:8 C& V7 s4 _, J( L  V, q3 u/ Q) Y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
) l6 S: ]: K% k9 N8 _: a4 IWinNT) with the CreateFileA API.
/ g  K5 p: T& u; L4 q  O/ F8 f9 {" p: d! b/ {8 K) j+ V
Here is a sample (checking for 'SICE'):
1 D: T/ ^( g$ Q& z1 J! e2 Z* D" a: X; x8 V( X
BOOL IsSoftIce95Loaded()$ s" m$ v- {4 e$ |
{) o/ P( h* c7 R
   HANDLE hFile;  
4 n3 o1 L. r' m. q9 U. f0 r   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,  h! I/ W- h( h$ z: j& ]' m: b1 ]
                      FILE_SHARE_READ | FILE_SHARE_WRITE,1 P- _" Q& F( c  u$ _& l
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 V5 H7 y8 P* R$ [+ @   if( hFile != INVALID_HANDLE_VALUE )
. Q$ c1 U! @9 K. Y  G' F- f3 p! N, U6 c   {
5 w  @4 v" o' g# a8 R$ u      CloseHandle(hFile);
0 g2 f0 K: E1 \! Q3 }3 \      return TRUE;
1 M5 c" {1 p8 ~5 z   }
( @. x6 ~. F" d7 |/ H( J4 Y   return FALSE;
5 W9 p$ c7 |$ y/ p7 |: p) l' t}
& A' n. I7 b- H' k1 ]. B- K' f  A) o. U. J, r
Although this trick calls the CreateFileA function, don't even expect to be
; h2 a) `% e2 L" P. U% G" [! `able to intercept it by installing a IFS hook: it will not work, no way!
% f9 B3 }' \( t$ rIn fact, after the call to CreateFileA it will get through VWIN32 0x001F3 [0 Q4 w; O) x
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 c8 ^+ i/ L7 j5 u5 m3 ~and then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 m' B# p: @" c1 {. X& pfield.
, S: \+ T) A8 X) _8 cIn fact, its purpose is not to load/unload VxDs but only to send a - k3 |% Q: w2 J6 x2 x7 S  X
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
( k- L4 R: Z& Y8 I+ @0 \to the VxD Control_Dispatch proc (how the hell a shareware soft could try
6 I' J9 v( _' P. X0 J! Yto load/unload a non-dynamically loadable driver such as SoftICE ;-).
2 B6 m: A( T+ ]1 r& P# dIf the VxD is loaded, it will always clear eax and the Carry flag to allow- j2 w% |$ N9 A$ N5 c4 n
its handle to be opened and then, will be detected.
/ K  }& e: x7 J- WYou can check that simply by hooking Winice.exe control proc entry point
3 Y9 W3 W* c, p1 O$ jwhile running MeltICE.
. \. ]* x: f. \! `( s( q5 i2 V' S  `
7 r5 R  I$ D( S( P- R2 {
  00401067:  push      00402025    ; \\.\SICE5 e2 {/ H5 c7 \/ X) P: \/ j
  0040106C:  call      CreateFileA  v. {1 F) ]0 ^/ D- D  Y
  00401071:  cmp       eax,-0018 J% q) T& A" q+ \( x  u
  00401074:  je        004010917 M& o% \6 S% I6 |
7 U9 C) a1 ?  }1 d
; v" h. d+ s  A3 g; U
There could be hundreds of BPX you could use to detect this trick.+ K0 W1 d/ W$ u& Y4 X8 q
-The most classical one is:
- Z, z/ L  E0 J+ O( W0 e4 `  j  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
' G& m$ w2 ^; x1 r3 v, W* c/ a1 c    *(esp-&gt;4+4)=='NTIC'+ O( g$ r6 N& E7 W

- T$ ?( ^, c& y9 Y  x-The most exotic ones (could be very slooooow :-(
9 [7 s2 e. Y8 r/ y% H6 S   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ' A0 ~  K7 k8 y7 e8 u
     ;will break 3 times :-($ J2 o. n: R0 j5 _

3 H9 h- G  i5 T% _1 H( {) t-or (a bit) faster: 5 |5 M3 r; Z/ ~7 R
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
$ A/ x! r' V: H" E, S, x8 q7 r
$ h3 R* L; `/ s   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  7 g& y: `) l% j
     ;will break 3 times :-(3 g% K$ |8 A  M6 S$ e. T3 s
* `8 Z" J' f4 H- u% a
-Much faster:
; a2 a) H% |/ ^- {" T   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
& O# X; z9 i( @6 w0 G! Z! _. s
1 I) g3 c- s- JNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
, p; E4 E3 ^* d4 H, A- D6 i  Afunction to do the same job:2 Q9 l9 ^# z* D2 k, X
9 \& B4 k) N5 {6 w8 B- D
   push    00                        ; OF_READ
9 ]5 n: D4 h: L2 L7 p   mov     eax,[00656634]            ; '\\.\SICE',0
( [, V5 l/ U1 ]4 P6 i   push    eax* G/ ]! E# {( `' z/ N- B
   call    KERNEL32!_lopen9 k$ ?3 G, \2 Z" \1 d9 I
   inc     eax
* S" D: F' s; H  }8 e: B0 f- T, x   jnz     00650589                  ; detected) _6 e1 T" f6 M/ T
   push    00                        ; OF_READ6 g' @; g7 p- @# j
   mov     eax,[00656638]            ; '\\.\SICE'3 q" P7 d; O7 X4 E: I5 L
   push    eax
# G8 C% R8 s. N. G4 ]+ k   call    KERNEL32!_lopen# f# V8 }2 U, W$ E% ?
   inc     eax
. u! A9 R, b+ {0 z- g4 y+ L- F   jz      006505ae                  ; not detected5 w* F0 z+ Q+ ]) R  }/ E3 E
/ m, S- P, I: v# f
2 X/ |) Z- e6 y; ^2 h
__________________________________________________________________________) h% p$ L- r2 Z" e4 [+ l. @. u3 E
6 \) ?. j' U" [$ X, g, ^3 ?6 F
Method 12+ O5 [5 u; Q' N# I
=========
! ]9 v7 B1 i( v9 u$ [( V/ `, J# T; H
This trick is similar to int41h/4fh Debugger installation check (code 05+ ^8 w1 k4 o" \1 E9 q) Y  s
&amp; 06) but very limited because it's only available for Win95/98 (not NT)( e9 E0 F  Q/ y- }: f
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.# l! I( \, d( i

; U$ w/ z, ]# r' ^( o( i( e   push  0000004fh         ; function 4fh. O7 m  T4 z' \/ L; C! o0 X5 ~
   push  002a002ah         ; high word specifies which VxD (VWIN32)
. w8 T! E6 K: Q                           ; low word specifies which service
( \6 q6 d' z8 }                             (VWIN32_Int41Dispatch)
% s4 u* v+ {5 }9 \" a   call  Kernel32!ORD_001  ; VxdCall
) U4 v7 L9 r" z- f, c% N4 V; Q# T   cmp   ax, 0f386h        ; magic number returned by system debuggers
/ J- r* p* s- o! F2 h! e   jz    SoftICE_detected
. D# @! `( J8 y1 p' |: r4 K6 B! D2 z1 `) ~9 m
Here again, several ways to detect it:# i+ B9 Y9 [' U. I- j! f( w* @

$ _6 q3 R( ^  y; m( l' r    BPINT 41 if ax==4f
- \2 X" I% G8 _: {4 l" F6 U$ L5 I7 I  q7 {- ?% _( ^) r7 H
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
; g2 E+ e- e; W8 q( F+ {" y" v- t& K) i: h; y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
) [! I: ^  ]# s: ^$ q4 E* u8 G+ g
. ]+ n) {  H- N. b8 T    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
$ w! F0 P6 L8 z$ `- b2 |% Z" N4 N1 X* E  ?3 O% Q! M5 |
__________________________________________________________________________
: |% U: x$ ^1 I' {( }+ J3 j# d! K3 a* I
Method 13! Z4 a) e% T5 a- a3 V
=========
% w+ c0 f' |. @
- ~6 ]: O5 w6 ?1 p1 R! nNot a real method of detection, but a good way to know if SoftICE is  ~1 D* D& |" a
installed on a computer and to locate its installation directory.
$ s8 B( }, B3 ~8 ~It is used by few softs which access the following registry keys (usually #2) :
; T2 U' |2 ?3 C1 V
. ~; b  r: ~9 w7 w* P-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 N6 {9 b8 y- S# |0 z! I9 w\Uninstall\SoftICE' {' g$ T* O3 p9 e7 S$ j, X/ ~& ], k
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE( R% ~& Y5 ]; \5 I: @8 c
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, ^! X+ A; F" C, x( b" E, F\App Paths\Loader32.Exe
( O( |" v' u$ {1 E, p
- Y& k3 l2 \7 H- C6 N) F
! m* G5 H$ T4 B2 ^0 S8 b6 XNote that some nasty apps could then erase all files from SoftICE directory
! q6 @2 g2 z! F5 ~! P(I faced that once :-(/ _* S0 m2 k0 O! W$ N# o  w3 u4 D  E
. K# k% s- c# E8 }5 I4 _
Useful breakpoint to detect it:& j$ B9 r% K9 M

5 t' q2 d' ^/ S# c2 W# V     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE', i8 x6 U3 d) R; ?2 ?* U" Q* K

- S9 u5 Y* S9 s* _$ I3 P__________________________________________________________________________
0 a) U# _. t* l1 R
% ]7 X2 g% R) O6 s! n0 M" M" e  J0 @4 F' D* N
Method 14
4 K& A. o7 N# U. J7 @7 F=========
& R7 m# G* y" U, G, u7 g, S, z! h
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose) I) L- z9 z) s( V8 }/ z* W  ^
is to determines whether a debugger is running on your system (ring0 only).- ]# q7 K0 I' b& r2 B

7 n, H9 X0 v/ ]9 v6 s5 _   VMMCall Test_Debug_Installed
, y) [! c$ }$ a4 i- y0 I0 u1 k   je      not_installed  m1 J+ V. r0 r

- F% G9 _. E* j+ g- n$ mThis service just checks a flag.) d! B0 @, |1 ^- t& P. R- U
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 17:54

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表