About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer for a non-constant value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler ran only if cl == al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device path \\.\SICE; the open only succeeds
      when the SICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
, N* H* T9 D% ~& ~6 E; R) g5 v</PRE></TD></TR></TBODY></TABLE>