About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh,
function 1684h (Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler copied al to cl; a debugger did not
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 &amp; 06) but very limited, because it is only available on Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
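For an analyst who wants to spot these tricks in a binary before stepping into them, here is an added example (not code from the original post): a static scanner for the byte patterns of Methods 01, 02, 03/04, 05, 07, 11 and 12. The x86 encodings were written by hand from the listings above (16-bit for the DOS int 2Fh/41h/68h tricks, 32-bit for Methods 01 and 12), and SAMPLE is a constructed blob, not an excerpt from any real file.

```python
"""Static triage helper for the anti-SoftICE tricks listed above (added example)."""
import re
import sys

# (name, regex over raw bytes).  '.{0,N}' tolerates a few unrelated
# instructions between the marker and the check that follows it.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3            (32-bit)
    ("M01 BoundsChecker BCHK/int 3", rb"\xBD\x4B\x48\x43\x42.{0,16}\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (back door magic)  (16-bit)
    ("M02 back door SI=4647h/DI=4A4Dh", rb"\xBE\x47\x46\xBF\x4D\x4A"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh  (16-bit)
    ("M03/04 int 2Fh/1684h VxD ID", rb"\xB8\x84\x16\xBB(\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h        (16-bit)
    ("M05 int 41h/4Fh magic F386h", rb"\xB8\x4F\x00\xCD\x41.{0,16}\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h            (16-bit)
    ("M07 int 68h/43h magic F386h", rb"\xB4\x43\xCD\x68\x3D\x86\xF3"),
    # Method 11: '\\.\SICE' / '\\.\SIWVID' / '\\.\NTICE' device names
    ("M11 MeltICE driver name", rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 2A002Ah ; (call VxDCall)         (32-bit)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]
# DOTALL so '.' also matches a 0x0A byte inside code.
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes):
    """Return (offset, name) pairs for every signature hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)


def summarize(blob: bytes):
    """Map each signature name to the number of times it was found."""
    counts = {}
    for _, name in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample blob (not from any real file): a Method 01 sequence,
# a MeltICE device name, the Method 12 prologue and a Method 05 check.
SAMPLE = (
    b"\x90\x90"                                    # 0:  nop; nop
    b"\xBD\x4B\x48\x43\x42"                        # 2:  mov ebp,4243484Bh
    b"\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"        # 7:  mov ax,4; int 3; cmp al,4; jnz
    b"hello\x00"                                   # 16: unrelated string
    b"\\\\.\\SICE\x00"                             # 22: '\\.\SICE',0
    b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"  # 31: push 4Fh; push 2A002Ah; call
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"    # 43: mov ax,4Fh; int 41h; cmp ax,F386h; jz
)

if __name__ == "__main__":
    # Scan the file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(data):
        print(f"{offset:08x}  {name}")
```

A hit only says the byte sequence is present; confirm it with a breakpoint such as the BPX/BPINT conditions the post gives for each method.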