About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; ES is assumed to be 0 (IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                  ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; read a pseudo-random value from the PIT counter
    xor     cx,cx
    int     41h                    ; our handler copies al into cl; if a debugger
                                   ; intercepts int 41h, cl stays 0
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SoftICE device name succeeds only when the driver is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
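As an added example (not part of the original post), here is a small static scanner in Python that looks for the byte patterns of the checks described in Methods 01-07, 11 and 12 in a raw file image, the way an analyst triaging a packed sample would before loading it under a debugger. The instruction encodings, the labels and the sample buffer are my own, constructed for the demonstration; a hit is a lead to confirm by disassembly, not proof.

```python
import re
from typing import List, Tuple

# (label, regex over raw bytes). Encodings follow the 16-bit listings in the
# post; the optional 66h operand-size prefix also covers the 32-bit form.
# The lazy gaps (.{0,N}?) tolerate a few unrelated bytes between the halves.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("M01 BoundsChecker 'BCHK' in ebp before int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("M02 int 3 backdoor (SI=4647h, DI=4A4Dh)",
     rb"(?:\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46)"),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("M05 int 41h function 4Fh (magic 0F386h)",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M06 in al,40h followed by int 41h",
     rb"\xE4\x40.{0,8}?\xCD\x41"),
    ("M07 int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M11 MeltICE device name",            # ASCII form only; a CreateFileW
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),    # caller would store it as UTF-16
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset.
    Short patterns can hit by chance in data, so treat each hit as a lead
    to confirm by disassembling at that offset."""
    hits: List[Tuple[int, str]] = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


def constructed_sample() -> bytes:
    """Made-up file image (not a real binary): NOP filler around the HASP-style
    int 3 backdoor sequence of Method 02, the int 2Fh/1684h probe for VxD
    ID 0202h of Method 03, and a MeltICE device-name string (Method 11)."""
    filler = b"\x90" * 16
    meth02 = (b"\xB8\x11\x09"      # mov ax,0911h
              b"\x8B\x17"          # mov dx,[bx]
              b"\xBE\x47\x46"      # mov si,4647h
              b"\xBF\x4D\x4A"      # mov di,4A4Dh
              b"\xCC")             # int 3
    meth03 = (b"\x31\xFF\x8E\xC7"  # xor di,di ; mov es,di
              b"\xB8\x84\x16"      # mov ax,1684h
              b"\xBB\x02\x02"      # mov bx,0202h
              b"\xCD\x2F")         # int 2Fh
    meth11 = b"\\\\.\\SICE\x00"
    return filler + meth02 + filler + meth03 + filler + meth11 + filler


if __name__ == "__main__":
    for offset, label in scan(constructed_sample()):
        print(f"{offset:#06x}  {label}")
```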

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>