About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so that ES:[41h*4] is the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; plain return: AX stays 4Fh unless a debugger answers
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________
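A static triage helper for the interrupt-based checks of Methods 01 to 07, added here as an example; it is not part of the original text. It encodes the mnemonics above with the standard 16-bit opcodes (an assumption: an assembler may pick other forms, e.g. a 66h operand-size prefix in 32-bit code), tolerates a few bytes of unrelated instructions between the anchoring ones, and runs over a constructed byte string that embeds a Method 02 sequence like the Haspinst.exe listing and a Method 05 check. A hit is a lead for the analyst, not proof: the Method 05 pattern fires on any int 41h/4Fh debugger check, and packers often split such sequences across jumps.

```python
"""Static scanner for the interrupt-based SoftICE checks of Methods 01-07 (added example)."""
import re
from typing import List, Tuple

# (label, pattern). Byte encodings are the standard 16-bit opcodes for the
# mnemonics shown above (assumed; not taken from the original text):
#   mov ebp,4243484Bh -> BD 4B 48 43 42   mov si,4647h -> BE 47 46   mov di,4A4Dh -> BF 4D 4A
#   mov ax,1684h -> B8 84 16   mov bx,0202h -> BB 02 02   mov bx,7A5Fh -> BB 5F 7A
#   mov ax,4Fh -> B8 4F 00     int 41h -> CD 41           cmp ax,0F386h -> 3D 86 F3
#   mov ah,43h -> B4 43        int 68h -> CD 68           in al,40h -> E4 40
#   cmp cl,al -> 38 C1 or 3A C8 (both encodings are valid)
# ".{0,N}" allows junk instructions between the anchors.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' + int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,16}\xCC"),
    ("M02 back door magic SI=4647h/DI=4A4Dh + int 3",
     rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,16}\xCC"),
    ("M03/M04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh",
     rb"(?:\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A)|\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xB8\x84\x16).{0,8}\xCD\x2F"),
    ("M05 int 41h/4Fh compared with 0F386h",
     rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3"),
    ("M06 in al,40h / int 41h / cmp cl,al",
     rb"\xE4\x40.{0,8}\xCD\x41.{0,16}(?:\x38\xC1|\x3A\xC8)"),
    ("M07 int 68h/43h compared with 0F386h",
     rb"\xB4\x43.{0,8}\xCD\x68.{0,8}\x3D\x86\xF3"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): NOP padding around a Method 02
# sequence in the style of the Haspinst.exe listing and a Method 05 check.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09"   # mov ax, 0911h   (execute SIce command)
    + b"\x8B\x17"       # mov dx, [bx]
    + b"\xBE\x47\x46"   # mov si, 4647h   (1st magic value)
    + b"\xBF\x4D\x4A"   # mov di, 4A4Dh   (2nd magic value)
    + b"\xCC"           # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00"   # mov ax, 4Fh
    + b"\xCD\x41"       # int 41h
    + b"\x3D\x86\xF3"   # cmp ax, 0F386h
    + b"\x74\x10"       # jz SoftICE_detected
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"0x{off:04X}: {label}")
```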

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Opens the SoftICE VxD by its device name; the open only succeeds when
   the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
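The conditional breakpoints of Methods 11, 12 and 13 rely on three SoftICE expression operators: reg-&gt;off (the dword at reg + off), *addr (the dword at addr) and four-character constants such as 'SICE'. The Python below, added here as an illustration and not taken from the original text, models those operators against a constructed stack and string page and evaluates the CreateFileA, Kernel32!ord_0001 and _regopenkey conditions exactly as written above, once on a SoftICE-related call and once on a benign one. It shows why +4 skips the "\\.\" prefix and why offsets 0x13 and 0x37 land on 'tICE' in the NuMega and Uninstall key paths. The addresses, the stdcall stack layout ([ESP] = return address, then the arguments) and the treatment of 'SICE' as the dword whose bytes in memory order are the characters are assumptions of this model.

```python
"""Model of the SoftICE expression operators used in the BPX conditions above (added example)."""
from typing import Dict

STACK = 0x0012FF00     # assumed ESP at the moment the breakpoint hits
DATA = 0x00402000      # assumed base of the constructed string page


class Mem:
    """Flat little-endian fake memory made of {base: bytes} regions."""

    def __init__(self, regions: Dict[int, bytes]) -> None:
        self.regions = regions

    def dword(self, addr: int) -> int:
        """SoftICE '*addr': the 32-bit value stored at addr."""
        for base, blob in self.regions.items():
            if addr >= base and base + len(blob) >= addr + 4:
                off = addr - base
                return int.from_bytes(blob[off:off + 4], "little")
        raise ValueError("unmapped read at %#x" % addr)

    def arrow(self, reg: int, off: int) -> int:
        """SoftICE 'reg->off': the dword at reg + off."""
        return self.dword(reg + off)


def chars(s: str) -> int:
    """SoftICE character constant ('SICE'): modelled as the dword whose bytes
    in memory order are the characters, i.e. the little-endian ASCII value."""
    if len(s) != 4:
        raise ValueError("4 characters expected")
    return int.from_bytes(s.encode("ascii"), "little")


def build_data() -> bytes:
    """Constructed 256-byte page holding the string arguments used in demo()."""
    page = bytearray(0x100)
    strings = (
        (0x00, b"\\\\.\\SICE\0"),
        (0x10, b"\\\\.\\NTICE\0"),
        (0x20, b"C:\\log.txt\0"),                                  # benign file name
        (0x40, b"Software\\NuMega\\SoftICE\0"),                     # key #2 above
        (0x80, b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE\0"),  # key #1
        (0xC0, b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"),  # benign key
    )
    for off, s in strings:
        page[off:off + len(s)] = s
    return bytes(page)


def at_call(*args: int) -> Mem:
    """Memory as seen when a BPX on a stdcall API hits: [ESP] is the return
    address (the one after the CreateFileA call in the MeltICE listing), then
    the pushed arguments in order."""
    stack = (0x00401071).to_bytes(4, "little")
    for a in args:
        stack += a.to_bytes(4, "little")
    return Mem({STACK: stack, DATA: build_data()})


# BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
def bpx_createfilea(mem: Mem, esp: int) -> bool:
    name = mem.arrow(esp, 4)            # esp->4 : lpFileName
    tag = mem.dword(name + 4)           # +4 skips the 4-byte "\\.\" prefix
    return tag in (chars("SICE"), chars("SIWV"), chars("NTIC"))


# BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f
def bpx_vxdcall(mem: Mem, esp: int) -> bool:
    return mem.arrow(esp, 4) == 0x002A002A and mem.arrow(esp, 8) == 0x4F


# BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
def bpx_regopenkey(mem: Mem, esp: int) -> bool:
    subkey = mem.arrow(esp, 8)          # esp->8 : lpSubKey
    return any(mem.dword(subkey + off) == chars("tICE") for off in (0x13, 0x37))


def demo() -> Dict[str, bool]:
    """Evaluate each condition on a SoftICE-related call and on a benign one."""
    HKLM = 0x80000002
    return {
        "createfile_sice":  bpx_createfilea(at_call(DATA + 0x00, 0xC0000000), STACK),
        "createfile_ntice": bpx_createfilea(at_call(DATA + 0x10, 0xC0000000), STACK),
        "createfile_log":   bpx_createfilea(at_call(DATA + 0x20, 0x80000000), STACK),
        "vxdcall_int41_4f": bpx_vxdcall(at_call(0x002A002A, 0x4F), STACK),
        "vxdcall_other":    bpx_vxdcall(at_call(0x002A001F, 0x00), STACK),
        "reg_numega":       bpx_regopenkey(at_call(HKLM, DATA + 0x40, 0), STACK),
        "reg_uninstall":    bpx_regopenkey(at_call(HKLM, DATA + 0x80, 0), STACK),
        "reg_run":          bpx_regopenkey(at_call(HKLM, DATA + 0xC0, 0), STACK),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-18s %s" % (name, "BREAK" if hit else "pass"))
```

The Uninstall path is longer than 0x13 bytes, so the first comparison reads "Wind" there and only the 0x37 term matches; for the short NuMega path the 0x37 read lands past the string, which is why the constructed page is zero-padded, mirroring the fact that in a live session that read simply returns whatever follows the string.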

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>