找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
4 \& x: c. \3 h( [$ j+ v<TBODY>
0 [+ q+ {% k: ]2 T. G. X$ C<TR>3 ^+ B9 Q8 _3 X  U
<TD><PRE>Method 01 2 i5 [6 E, d- R! w" }1 g% S4 |
=========5 J9 L7 T5 @& g* h$ v
; H4 a+ ]! e9 F+ y/ q7 o& o  y
This method of detection of SoftICE (as well as the following one) is
, ^7 V: M: [$ r4 i1 ^: @used by the majority of packers/encryptors found on Internet., B, o% O" f+ }3 z1 N( A
It seeks the signature of BoundsChecker in SoftICE7 {" v* S3 D7 K% U3 V* u' i) i

' ]6 u# L0 @6 |3 W9 A9 q% q/ O, x    mov     ebp, 04243484Bh        ; 'BCHK'
' H* \. P- W, @! D# I! R    mov     ax, 04h
/ |, b- |6 k' @$ i  W7 v$ J    int     3       7 G0 ^) F8 \5 ?. l) @- P
    cmp     al,47 b" L( p, M# z% h% q
    jnz     SoftICE_Detected9 c/ t, V6 ]- u5 ]% W
3 I$ V" ?8 `) y" e. B
___________________________________________________________________________$ T; V4 Z$ A- ~- e; j& u  A9 s
" o# M3 H3 B/ ?. \2 v/ i2 Z
Method 02
; w+ ^# {1 c5 X6 I( i( P=========
5 m( C; U4 y- f9 g# b$ {9 h" Q( s. K
Still a method very much used (perhaps the most frequent one).  It is used
' {' F3 o( J7 f# @# yto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
/ q- K1 U/ {( m- v- S& i0 m' {or execute SoftICE commands...4 o( c, L+ c: K, b' ]
It is also used to crash SoftICE and to force it to execute any commands
1 Y( }- }) g; r4 w+ |% Z9 q(HBOOT...) :-((  8 s4 R% w/ a  E. \" T
0 A4 q0 o. p- y$ H
Here is a quick description:: `: w% n6 @7 R; ]* t
-AX = 0910h   (Display string in SIce windows)2 J; H, N0 Z( \, j9 \
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
, W2 |% o) o4 @: n% m-AX = 0912h   (Get breakpoint infos)$ K" U" C4 L' X. [6 B2 }
-AX = 0913h   (Set Sice breakpoints)
5 ^! r% y" u3 p8 T! m* B& i: A-AX = 0914h   (Remove SIce breakoints)# U$ q' I1 o6 }0 ^

+ H: Z  U) `/ s: ?Each time you'll meet this trick, you'll see:9 V  @7 P& g0 b- W( S% I6 ]
-SI = 4647h+ p( ?- Z8 B8 ^* N3 P3 ?
-DI = 4A4Dh: J6 a7 l& {3 g$ O: P
Which are the 'magic values' used by SoftIce.
4 y# C0 A7 j4 J) ~3 \' y/ C2 S/ EFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.. Y  Z6 c" l0 m/ N4 l0 p
/ y! }, K" }8 ^
Here is one example from the file "Haspinst.exe" which is the dongle HASP% h8 j* ^2 N- A1 V, i8 a3 k0 B1 I
Envelope utility use to protect DOS applications:
5 [/ f  G& x# ?4 _% [3 Y+ {1 [' u' x- ?; a/ B' y/ f3 Y

: H1 o4 [; l. f; O# I4 i4C19:0095   MOV    AX,0911  ; execute command.
5 V" N% u* h6 m$ T% l. |4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
3 K, F3 |. D, _1 {% }$ G4C19:009A   MOV    SI,4647  ; 1st magic value.$ W2 `# }0 U1 i6 Q/ f/ C! \
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.9 |# d9 h+ l3 N
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
1 |; S5 ], D# v) h+ ^9 x' R4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
2 R  e8 P( ~! r) s6 e% z4C19:00A4   INC    CX/ T$ F9 ^7 z8 t; G" I
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute9 t( v7 s: j# X
4C19:00A8   JB     0095     ; 6 different commands.
$ D, I5 n( k, D1 u6 Y5 c4C19:00AA   JMP    0002     ; Bad_Guy jmp back.  m4 e5 q6 G: o. Z. R
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
; t: l2 Y, N8 ~: J5 ?" ]* w: d3 H
6 C/ O" h. s! ]The program will execute 6 different SIce commands located at ds:dx, which6 |) l/ d  s9 Q8 I9 P/ ]( n( x
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 X3 i" @9 {6 X% e2 L/ r$ L8 c9 L- O+ _2 ^
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
9 \0 m/ C  L4 G, k___________________________________________________________________________/ A; y" {0 ^5 ?7 A! X" x
* T3 z, n+ l# o, _1 w; v3 {# W! ^. _
1 ^- q. O% l2 }5 B# s
Method 03
7 p8 j' _4 B3 X=========8 G' ~; ^% S; N2 F4 @# h

- f5 J, s% U2 T) x! i% N# tLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
" u5 x# T) W5 K( q: G(API Get entry point)
: `) s* Z* d  S2 T* Q, L        
4 o! |& _8 Z# n; w, @7 E6 F* W% l! ~* Q) ?3 p
    xor     di,di
: i) p+ T- N5 c+ G/ Z( h    mov     es,di
+ K. @7 C$ D% L/ k0 M/ J    mov     ax, 1684h      
7 C5 k5 q4 w* S' n    mov     bx, 0202h       ; VxD ID of winice
6 _: Q* y5 Q' a$ o$ Y6 u; L) q7 E    int     2Fh* A& V3 x: O3 `; U: S
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 o) f/ o; Y+ p6 W1 k, @    add     ax, di8 v* t  a+ }9 O  M
    test    ax,ax
& p- s( n% K2 j: g" J( _/ h    jnz     SoftICE_Detected
4 N  t% c" W+ a% \( h  ?& e- |4 |3 r+ X& Z9 ~8 a1 a0 B5 ?
___________________________________________________________________________
. x1 [1 N, F+ d) s( N' e4 ]+ ~0 p/ E! X' z
Method 041 F, u* A; D, x
=========
2 B3 V4 A6 X$ @( ]
" K4 q' u0 j1 `9 t; i- u% UMethod identical to the preceding one except that it seeks the ID of SoftICE
- a3 a+ a. G/ c, J( vGFX VxD.
) z- w# }, X5 _
# B3 V/ I4 ?- d0 p) h( F4 o    xor     di,di7 X- r( F; x7 k* o; J( n9 H
    mov     es,di* [8 }4 w& u1 W
    mov     ax, 1684h      
2 S  d( [" s  b% G. J    mov     bx, 7a5Fh       ; VxD ID of SIWVID
6 P) X# c, U  z, t5 P    int     2fh$ Q4 R: M6 e! H1 A% `4 v
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. w) w6 x: c; O3 J4 {    add     ax, di
' x9 I% g& s- i+ l+ {5 R    test    ax,ax
2 y2 W2 J5 \" O! v6 E    jnz     SoftICE_Detected
. g3 |8 E$ Q7 [2 }, e5 q7 }
3 |$ V* i) _3 V: M+ m5 e__________________________________________________________________________5 D+ d4 P: E  z+ M8 j/ ~9 |

$ x5 n  m* h" M! ~( B+ q. \* T/ \
% L' ]" P& i7 |. \# o# c( Y5 mMethod 05+ T/ ~: N& t( O1 k4 o  B1 b
=========$ u$ j9 f( o& d/ O5 {  }! p

4 U# D0 H- o8 MMethod seeking the 'magic number' 0F386h returned (in ax) by all system
  J* Z4 L  h# t( s: b0 cdebugger. It calls the int 41h, function 4Fh.3 f% K+ }4 |& B; Z, E  B" k! N! t
There are several alternatives.  
4 ~, X- Q0 S; c$ M* }: y# V' t$ q5 d- }3 x- ?0 g
The following one is the simplest:
0 ^3 c  X8 z9 y7 g: M, d2 U$ D0 B0 J  S, C* n" b$ W# G- _- K) _
    mov     ax,4fh
2 g7 w$ q- B: A0 D( o    int     41h
, p& Z' X: N1 R* H$ t) q/ K    cmp     ax, 0F386
/ B% u# ^0 [. s; M, Q2 W    jz      SoftICE_detected
9 i. y8 ?# r3 |- O  _! U% ^
! Y8 ^& ^' X# z5 G5 P
0 ]4 Z& f1 ?  jNext method as well as the following one are 2 examples from Stone's
1 n0 b  T/ H7 }# [6 ~. J- r"stn-wid.zip" (www.cracking.net):1 l) p6 ~& J# W( }
/ k% x6 V/ M7 e9 k& ?3 G  |: I
    mov     bx, cs, ?# {: p) @0 u
    lea     dx, int41handler2
6 M6 s: o' p8 ~$ L3 Y0 W( k    xchg    dx, es:[41h*4]
. z  v0 g% m, J) R6 r    xchg    bx, es:[41h*4+2]
# W9 s1 t: i: l; k3 q: n    mov     ax,4fh
8 _; r6 `* P7 W, v/ ?' Q% c    int     41h6 g" _* K* Q; r/ K2 R
    xchg    dx, es:[41h*4]  q$ V2 L% K+ }; L$ e8 }
    xchg    bx, es:[41h*4+2]5 ?  f5 f3 ~1 P9 k/ R
    cmp     ax, 0f386h
7 J, _2 E: {% [; b) m% ~8 y3 W& `: k    jz      SoftICE_detected
( [" k+ X7 d7 M+ K- r6 i
+ z1 d. Z* d( g6 L; v5 @int41handler2 PROC4 S' n$ |3 m% G2 A) ]/ P* V3 {
    iret) l* ]4 e$ C, N5 }
int41handler2 ENDP8 C- K! E8 i+ f! S( G& ?

2 G2 u6 @3 ]- k+ T. R" r! L& |2 o) J; V) R# D  r1 y( Q8 s
_________________________________________________________________________2 y. G$ b; d& M! F  _% D

% B0 M  a6 X% m7 c7 u" L- m4 I& v# x! k& m. ~/ R; `. w! v; a3 [
Method 064 Q; Q: f1 j& H" q
=========! F' v" L, |! b4 k  `

7 d3 V7 F( ?) M" g1 }  `! @. K4 W) r# |5 H* X* g& f
2nd method similar to the preceding one but more difficult to detect:
. C8 {! E4 P1 S9 Y" u) e( B' B1 v+ c

, \- N1 P" O  l) [: B. f# ]int41handler PROC
$ W' b! s/ d  P) g2 o    mov     cl,al
5 l5 E: ?5 E$ r- e* z& @  R5 I7 f$ S    iret3 D4 {9 g' A  \
int41handler ENDP( J2 v, m  @2 }5 t+ X3 x
9 {, v6 O! N3 N

# z0 T  b+ G8 J. O4 e' g! i. b    xor     ax,ax! l' M0 w  m3 A  k- `4 u
    mov     es,ax! k! |& m% i8 m. s9 H) ]! S9 i. f
    mov     bx, cs
! ^- B% V% C  c2 ]' ]% c    lea     dx, int41handler
/ _1 R/ m6 Q- }" [- j    xchg    dx, es:[41h*4]
5 A; B7 y4 _7 j  [    xchg    bx, es:[41h*4+2]
  E! |  n) k% j9 _% ^  w% |    in      al, 40h
) I7 l) P3 Q7 X1 p    xor     cx,cx
' k" d8 e: I* r2 }5 |; ^1 x/ O) c    int     41h
% z; v0 g: M* ?6 b5 i0 J! O    xchg    dx, es:[41h*4]. ^4 A& M# J  x* t
    xchg    bx, es:[41h*4+2]/ n4 |1 _5 U, `/ ~/ K" U
    cmp     cl,al: g  k: U% m# I( D3 B8 Q: [* j
    jnz     SoftICE_detected
. |4 k  n4 @; @3 x3 b# {9 @1 I, S/ L, R3 ^# l6 m, [) }
_________________________________________________________________________. j, R: q" m3 z0 [' D9 u

$ [: I/ q2 _8 N  J) wMethod 07
* a8 j6 ^4 j. R) \2 L' p; v=========& w9 ^$ z" H) D7 R' {* o  ^% n

; m3 |! V# M+ l/ z& C3 e2 d/ e  A; K2 yMethod of detection of the WinICE handler in the int68h (V86)- @6 B7 T# Y' |; ^
6 Q  D+ L8 i8 A1 @2 q5 s7 f
    mov     ah,43h
9 l3 _" ?1 @$ L; ~) o    int     68h
; Q+ m' m/ `5 d7 E' Z% k9 T    cmp     ax,0F386h
4 L* d# d  t# d0 n    jz      SoftICE_Detected
% ]1 V$ e+ U- ?, i! z7 P6 q1 t( N: [# \$ p
3 A7 C& m6 u+ s8 A# \. `* }
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 t5 K! \  e/ x. }9 C
   app like this:
5 j1 h' _: L' ^( v5 ~- m' l# s# c7 f- X$ w/ c
   BPX exec_int if ax==68
* [5 t, x3 F( _7 F2 g: }   (function called is located at byte ptr [ebp+1Dh] and client eip is' B5 h& F: _3 _& }& \7 S# X
   located at [ebp+48h] for 32Bit apps)
& F- h, s; }% ~* E__________________________________________________________________________4 V" R; I" L# R
: Z  \3 ~0 N5 z
" }% I+ n8 b, X' K3 M& R5 y: h
Method 08
6 h3 f8 C; p, I( `3 [=========0 c: s: n6 g! A$ ^; d$ }

; o4 x( ~! Z; iIt is not a method of detection of SoftICE but a possibility to crash the
/ q  [9 w6 w: S* V$ ]system by intercepting int 01h and int 03h and redirecting them to another
+ K& x) l) }. ~' v+ xroutine.+ H/ b. X0 U0 I8 W3 n( h
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
* V0 h  ?0 R5 h* dto the new routine to execute (hangs computer...)
0 y' L% r5 K1 U4 r! @: T& Y: D; k6 H# A7 ~
    mov     ah, 25h) I; [" \9 I! [( u( f' s
    mov     al, Int_Number (01h or 03h)0 a# e: ?2 p/ d' P
    mov     dx, offset New_Int_Routine, u0 }5 `7 G1 E- u+ E
    int     21h
" q# M. |1 _7 H6 D% u1 {3 t* s2 D0 o# ?
) q& i/ Q$ k" q. ]8 v__________________________________________________________________________
, ]" E$ }" G# I/ y' t- D7 g' F9 U$ u+ C
/ j0 J( ]1 Q( _# H4 KMethod 097 k+ W( P" u2 N( g9 [
=========
$ N. N6 E7 }, v. e0 r9 t) J# x0 ?: N; ~/ l- S8 `7 T( M
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ P6 [$ H# i& Rperformed in ring0 (VxD or a ring3 app using the VxdCall).0 Q* `; a* k4 R; L3 O
The Get_DDB service is used to determine whether or not a VxD is installed/ v0 n. r) ]# M. F
for the specified device and returns a Device Description Block (in ecx) for
. v$ y2 c# R! Q5 K" b5 Sthat device if it is installed.
( |5 x. |# V) g0 J& I& q0 ?# T" a7 j& w1 Y1 ]9 N3 @6 O
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
! M! C( B, F& g2 u1 h* x  m) s+ y   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)6 G8 r' t7 k3 x' L4 J2 \
   VMMCall Get_DDB& A% M# F; D' H) ?* O
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed6 f) o3 p/ _. o1 M

: K+ u" o- _, \" X8 y9 M6 eNote as well that you can easily detect this method with SoftICE:. g0 k4 I1 C5 K$ J
   bpx Get_DDB if ax==0202 || ax==7a5fh: p8 R; N0 r) R' j* b

3 i1 x+ y, O- t3 v# J: V! R__________________________________________________________________________" J% J" S4 t* w- J) k# J

& u6 t9 n$ x9 c) K+ uMethod 10
% N4 h0 C8 z6 G6 Y=========
1 U( s0 D6 W0 ~6 m" f7 C: k9 `+ c2 K' B: G+ b
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with! n9 Z$ E  t, b, L9 [1 |
  SoftICE while the option is enable!!; _0 E, |4 I. m
( ?3 p2 k  q0 n
This trick is very efficient:0 _3 z7 M( O- S' @8 q& `
by checking the Debug Registers, you can detect if SoftICE is loaded
; v: Q* }5 x+ k(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if& F0 u* c" q% u9 ]4 O
there are some memory breakpoints set (dr0 to dr3) simply by reading their2 f# ?1 z5 ?4 p* s" f+ `
value (in ring0 only). Values can be manipulated and or changed as well
: v6 L8 N* ~$ e: H8 d(clearing BPMs for instance)
, }2 s% [7 ?% N& @& [; C, V- [! c/ z) {) o& _  m: w
__________________________________________________________________________
& }" x1 z1 d" D( x3 h$ B" y0 F& N! O  I, y5 N
Method 11
) t" b2 O- H% v" v7 z6 C6 t: a2 a=========$ |, ]4 I  }0 w* E1 Z

* {2 E- a0 p- i% z9 iThis method is most known as 'MeltICE' because it has been freely distributed
  U8 F; `  B# ]via www.winfiles.com. However it was first used by NuMega people to allow
# N0 ^4 \7 W$ ]$ m9 L, xSymbol Loader to check if SoftICE was active or not (the code is located! n! L6 R6 L0 Q' V8 s8 r0 o
inside nmtrans.dll)./ h$ ^; U! Q# r; [, {1 I

7 Q! N% t. L- h$ a, |The way it works is very simple:* r8 D& `9 g/ m8 l9 t1 y3 h+ `8 a
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. q5 ?4 r/ b: t% m; _0 W
WinNT) with the CreateFileA API.
" |% o9 C% b: r- s2 Q3 `  r1 a
( s+ a8 U8 Z7 i+ }- B8 E* yHere is a sample (checking for 'SICE'):
) y8 P0 C: s4 Y- ?( A
' l" ]9 |5 S& gBOOL IsSoftIce95Loaded()
7 U0 d9 C! V' e1 j( C/ e{
! s" R4 }2 H) ?; O   HANDLE hFile;  . c" f( \9 l' N% ?' b
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, @' t& `9 S5 p0 Q/ m0 [, g                      FILE_SHARE_READ | FILE_SHARE_WRITE,, C0 @9 W8 X  y6 o3 b/ |
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);3 r* H4 ?9 o) D* k% G' [
   if( hFile != INVALID_HANDLE_VALUE )& s. ~+ f- O/ X- M. A7 `% _
   {
9 T* ~, Y% t- _5 r! k      CloseHandle(hFile);% R+ C) L# Q) W+ {3 X3 h
      return TRUE;! V6 c- G7 g2 m1 \% H
   }
6 i4 ?0 J/ e. c2 c4 J   return FALSE;7 ?# J1 |: a( f# l2 u) J
}
4 d2 s+ \  A+ a' H! W7 ^
6 _8 W! v+ i/ H7 o! fAlthough this trick calls the CreateFileA function, don't even expect to be6 c# c! A* d9 S" S7 u3 ]  ^
able to intercept it by installing a IFS hook: it will not work, no way!* A7 \" n2 T4 i) Q% R
In fact, after the call to CreateFileA it will get through VWIN32 0x001F. H! v6 k3 L- R4 M$ r, }& _* F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)! \3 w) U: e, G" e9 k/ O$ b
and then browse the DDB list until it find the VxD and its DDB_Control_Proc6 {5 x4 L9 F% Q$ y9 w
field.
, {; j, K2 ~. P' tIn fact, its purpose is not to load/unload VxDs but only to send a 4 ~% Z* P: f0 Q0 U0 y( o& R1 P
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 K. c: e1 U+ W  R3 Gto the VxD Control_Dispatch proc (how the hell a shareware soft could try' x+ x7 c3 Q% D$ `0 o' H' G
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
! n3 ^* u1 q  j; g$ T0 P2 [+ uIf the VxD is loaded, it will always clear eax and the Carry flag to allow
7 @$ ~+ w; b$ nits handle to be opened and then, will be detected./ Y7 \$ Z4 u( \
You can check that simply by hooking Winice.exe control proc entry point3 p8 j! C8 |  I
while running MeltICE.
5 w1 m  J3 A8 Y7 C# z5 B' x
- F0 Y# R$ Q" L3 N: e+ a6 N* s* V9 E$ ~% _8 Z7 K' H
  00401067:  push      00402025    ; \\.\SICE+ Y# |/ U& k$ E' C1 Z
  0040106C:  call      CreateFileA
+ I/ n. P' V0 `8 l3 z1 E  00401071:  cmp       eax,-0012 Q4 Y6 R1 r9 i7 k, J
  00401074:  je        00401091
5 u9 `  t& z9 P& ~) k
5 @9 w+ h$ \' {5 h. S8 ~3 Y$ r) x$ w4 D! x2 C! v& l5 E
There could be hundreds of BPX you could use to detect this trick.
* N# m0 U/ V$ y7 j-The most classical one is:" ~9 X; r/ G9 H# _4 `
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||; @7 k7 o* B3 ]6 \' u: }% {, X
    *(esp-&gt;4+4)=='NTIC'2 f3 U6 O# i' L; \

$ z, N5 [+ ]& L7 r7 J  k-The most exotic ones (could be very slooooow :-(5 ^' Y9 J& N6 a& {& T
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  * U& a7 w' C" e% Z
     ;will break 3 times :-(' M) S+ I+ Y$ K: u' X
( o1 z: S- w& \2 z% [
-or (a bit) faster:
2 d# q! Q6 q9 Z7 U5 p; L   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% J3 F; p5 {) ^' N4 u" ]+ H

/ z/ X% w+ K# c( M! G   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  : Z, y; ?4 V' ^# Q* [
     ;will break 3 times :-() J, p( ]! D% w* X
0 K1 Y* z6 ~* y+ ]% U
-Much faster:0 X) h6 |) w0 Q9 h& \, _% m
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
7 F$ t2 `, N7 e1 L0 ^# n) a6 m" l% t  P- |2 K
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen/ H! I0 E  r+ L1 T% G
function to do the same job:
$ t; Q; r2 i  N. C' J& f1 M+ A1 `& [" ?, D, K: T
   push    00                        ; OF_READ/ ?+ s1 L. f! @
   mov     eax,[00656634]            ; '\\.\SICE',0- b* F! @' _& o) h1 A  K
   push    eax6 S9 P7 F3 s+ n$ Y6 W. v4 a
   call    KERNEL32!_lopen" C9 o4 P6 a  F5 l" s! G& x
   inc     eax. X& e3 t/ N8 u  g
   jnz     00650589                  ; detected
# H6 L1 r7 F: [1 ~$ |! H$ B8 C( e$ u   push    00                        ; OF_READ
  H0 ?0 ~& _6 e0 N   mov     eax,[00656638]            ; '\\.\SICE': x8 F8 C. e+ X; O+ F
   push    eax
9 ~( ^" P* a  [, \7 G  ?   call    KERNEL32!_lopen
0 q* `# E; A3 A# u8 z; \   inc     eax
3 O2 v, |3 U: m9 p7 W% F3 X" y$ T   jz      006505ae                  ; not detected
+ _9 F" M2 A& Z# \6 ?) r  {, x! x2 g1 d
2 ^& e  C' p& R; B
__________________________________________________________________________
; Z5 n6 H: y9 T+ r# A" N+ q: J1 ?0 z' j5 C$ a
Method 12' y1 ?/ L* M+ B' w7 I
=========
3 u1 S( w7 `* y8 w0 n6 a% O9 x) O! D6 s
This trick is similar to int41h/4fh Debugger installation check (code 05! {7 k0 K; r( H9 ^7 q/ Z9 k
&amp; 06) but very limited because it's only available for Win95/98 (not NT)$ \) _; t4 P1 E
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ v7 R( J4 _! \! _/ J
4 F) h; j0 Q* m8 B" X
   push  0000004fh         ; function 4fh/ p8 w" k1 c9 `
   push  002a002ah         ; high word specifies which VxD (VWIN32)) y+ ]6 V. `* h- ?
                           ; low word specifies which service5 I! c2 z& Y  s/ K2 h' c
                             (VWIN32_Int41Dispatch)& D4 J; W& X- Q# Q
   call  Kernel32!ORD_001  ; VxdCall
  R# }* l1 l% Z9 u( i3 p5 {   cmp   ax, 0f386h        ; magic number returned by system debuggers5 w( O% h6 u& c
   jz    SoftICE_detected1 Z2 Q; A3 Z: j( d8 r1 d9 Y9 f

( u7 K. J1 V) N0 I% K8 _Here again, several ways to detect it:5 Y, L, N5 G$ t& A* M* \
9 v& o8 b, ?1 ]6 \5 S& ]2 x
    BPINT 41 if ax==4f& I3 z+ a8 D/ m
; J7 J8 X. E$ }' K) m9 k+ A
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one! j! y& b8 M+ t6 d" e9 T9 L0 |
! D. K' f8 a0 `. P( Q9 i. T, k
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
* u* z0 e. L; ~0 V3 y8 W
' C0 `% g8 v  N6 Z5 c  @    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
" P. f" G3 P1 b& U5 @9 k; _8 i1 i+ y* |8 L  B1 O8 s
__________________________________________________________________________
) d/ A. d: }, U# z1 |$ W3 }/ c( g! q, k% o+ E/ P! Y
Method 13; p& p6 c- w6 d7 B" U, |- f! _
=========
5 S1 T4 S. Y+ ]$ r2 _
/ {2 f3 n7 R/ aNot a real method of detection, but a good way to know if SoftICE is% M# b1 a4 C* l  M( G! Z
installed on a computer and to locate its installation directory.
. ^! Z1 ~* ]- y% F) g, Y' `It is used by few softs which access the following registry keys (usually #2) :
/ ]4 r' w% }: v6 x  s, [$ j* A4 s, H+ u* c" G
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
0 Z  M$ V8 z4 t" u; v! ?\Uninstall\SoftICE7 s4 z) d0 T8 l8 d& V+ `
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# F% o2 }' x8 t& P  M-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# d% F) U0 v5 s# \9 ]8 `( n2 x
\App Paths\Loader32.Exe
) ~+ y) Z' ~. w0 g: _: {5 J5 ]# h4 `& \0 D! N# N2 f: l8 _

) T! [# r3 H# A$ i  UNote that some nasty apps could then erase all files from SoftICE directory3 r* c( t2 S1 ^. W+ \
(I faced that once :-(% O$ m! K' W- w* Q! Q/ a

6 O: M0 A3 A4 Q5 |( |Useful breakpoint to detect it:3 o" [# [# @5 g# J

6 ]3 O( S1 h' k  j     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
2 R6 Z0 D' q* [4 H' x: f( w6 q
5 p' y& V& K4 u& l+ l) n__________________________________________________________________________( z' q' W; N+ t9 I
( T* S0 n, b: i7 s6 s' {
7 N1 x" h6 I& N2 K+ [' X1 ?# ]" U
Method 14
& ?/ P4 G$ {/ s+ @) I# I/ @( D. M=========* @) X5 s, }2 ~1 Z; D% ~

' y) T: \. D  Z, l  g. y% T; j' FA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose8 L! R. J: S. k
is to determines whether a debugger is running on your system (ring0 only).3 _/ B" m& X/ h* t: o0 ^& B. P

4 p7 G! T  Z" _   VMMCall Test_Debug_Installed( f! G& {8 d5 O1 m
   je      not_installed
$ ^& r+ U3 ]1 w1 b- j7 A9 t3 J& X7 N+ e1 P) q4 b
This service just checks a flag.
; N  U  ]. ?3 B; T</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-15 09:13

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表