找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
  f% m* R% w3 I! _+ B9 _! }4 [. ?" ^<TBODY>
9 ~" \1 k7 K" r. b# Y<TR>' h8 Y# ~, q; o
<TD><PRE>Method 01
  f  W: r# l, c& U- K=========
7 O5 H6 \, O9 x$ m" {; K/ b
# B: h2 Q; q1 }7 F) ^# Q5 wThis method of detection of SoftICE (as well as the following one) is7 B7 d4 P% U. @- l# j. [: ~
used by the majority of packers/encryptors found on Internet.
, z9 |) \3 R2 V& F1 |0 u2 k* GIt seeks the signature of BoundsChecker in SoftICE) r1 @' v/ f# x7 m0 u4 U/ n
/ R" g1 ^% L: N$ S+ L  Y2 j9 J! ~
    mov     ebp, 04243484Bh        ; 'BCHK'8 o; `& _5 e3 R/ m, o! t
    mov     ax, 04h8 Y0 ~$ [* j' I1 h
    int     3      
1 m* w5 p2 C7 ^! @+ S, X    cmp     al,4
% U) E- E8 R. n8 F8 {) `/ a    jnz     SoftICE_Detected
( ]8 _7 Q; L2 {5 b7 n1 S$ c; l) K
___________________________________________________________________________
! E# y6 ~$ [1 A+ P% [* t0 B, b- I( D$ }3 f$ Q+ K& e# D  W
Method 02
% g, u# w) o+ l: L1 P4 @) A=========! J! ~  V* M9 K

: W; R3 Y' g( V9 m% ^2 MStill a method very much used (perhaps the most frequent one).  It is used; w7 A) M7 ?  ^+ a( h7 E) ]
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,( d( M6 `5 f  }+ ?8 I# A5 m, r
or execute SoftICE commands...
# O9 u' C4 j1 OIt is also used to crash SoftICE and to force it to execute any commands3 Y5 P" I$ h8 V! ~
(HBOOT...) :-((  : S* `* o9 M3 k# r8 @6 v
9 G1 o, F" |  a; I3 x" T1 t$ D
Here is a quick description:
0 V( t, r: x2 [- _2 P-AX = 0910h   (Display string in SIce windows)
! g1 K1 l; ^8 t7 e0 q. @2 H* ~% e-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
$ G3 r6 @+ [5 \, z$ D8 U9 I-AX = 0912h   (Get breakpoint infos)
9 @. X; e9 Q* E2 o8 l4 D! n-AX = 0913h   (Set Sice breakpoints)
& }1 o+ B2 Z( g6 {7 Q5 r2 b-AX = 0914h   (Remove SIce breakoints)
+ T* m- e! B  c/ Z7 V
. c( n3 \0 q1 i6 o; s4 h% u1 DEach time you'll meet this trick, you'll see:
5 u& w7 s- Z/ n8 K6 w. O-SI = 4647h8 l/ H: a/ O: H; G# c4 q
-DI = 4A4Dh' O8 P) H! O; J) N) E5 m, [& P2 h& R
Which are the 'magic values' used by SoftIce.
; U% l$ `! Q9 U$ g  G: QFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
$ |0 G& {4 [0 k1 I7 J( t& n
1 u) r7 \- u7 M, YHere is one example from the file "Haspinst.exe" which is the dongle HASP  I; d) D+ {3 o) B
Envelope utility use to protect DOS applications:
3 h; h" [0 j1 p
7 G7 d1 C; r& \& b( I$ m: |2 h9 ^) a/ K
9 \2 k+ l5 w# f$ x4C19:0095   MOV    AX,0911  ; execute command.6 h4 ]2 r* f9 Q* \9 ]( I" E! m
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
* x$ M3 l0 X, _( w; z+ S! n  Y4C19:009A   MOV    SI,4647  ; 1st magic value.; \; s) K+ X' M. p8 j, _2 L! I- L
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
9 [' b2 x  x: l" ~/ g8 Z4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
) k1 v" |9 J; T6 Y% {$ j4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute9 f, ^, Z$ T9 b' n: `* [
4C19:00A4   INC    CX/ E7 ]" e1 S8 T3 J0 ^" }- V. U
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
1 r5 I8 Z  }/ B& n1 k4C19:00A8   JB     0095     ; 6 different commands.
# F6 l# g2 O7 i- e3 T4 M4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4 [" x! O) O2 n1 F+ b3 R4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
- H- H* m" N- C' F8 q' ~6 I: U0 p8 v% D3 h
The program will execute 6 different SIce commands located at ds:dx, which
9 }: Q; ~9 Q9 E5 T! A1 V! L; N2 Mare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
$ y' D4 L& E- c+ J# K, `1 L: x: R( d. |  A6 `
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
" C- A. u8 I8 p# \___________________________________________________________________________
! y$ X; u, @0 x: u, a! {3 n9 U
: S# O5 V. e0 W+ B+ a5 j
& N! ~- ^5 z! u7 a" GMethod 035 O' c& Z# c- U: y0 O- W
=========
6 v7 z( d5 x+ V& H& C; t+ F4 K
6 o0 }, d: ~% ~1 `4 e3 {Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( }( e" |5 Z3 O(API Get entry point)
0 y$ e  r6 g$ i/ l7 n8 I9 R        ! a. t+ o3 P4 I
3 c3 C7 s' i, z/ H
    xor     di,di( ^' G3 f& i( s2 ]2 a9 B
    mov     es,di
: x- b# u1 H) Q( M+ S7 m# n    mov     ax, 1684h      
$ Q/ W6 m3 Y& M2 `) n  x3 P    mov     bx, 0202h       ; VxD ID of winice
# p, J4 a8 u# `* E3 V8 M8 z: W    int     2Fh
, H9 S0 \/ n2 C# ~) B3 K    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ k( M* R9 S/ E) Z2 E2 K( g3 O
    add     ax, di
  t% e6 x+ t; b3 y4 Q; F; N    test    ax,ax
, W  _; L* p* y    jnz     SoftICE_Detected, u& y- p1 r) ]: Q8 j6 ]
# _4 }9 z- x" ]5 g
___________________________________________________________________________
* ~' q1 E$ _: B+ h
  [9 ]4 [# T/ x8 dMethod 04
. N' m; f0 d9 O  P=========3 G; a/ o4 y0 g$ {/ J0 |- z. o
# E! a9 C& u  h
Method identical to the preceding one except that it seeks the ID of SoftICE1 R* l# S2 o0 z( m, H
GFX VxD.
7 W. O  v: p( p5 B/ O. X5 m
5 \2 O% i- o1 o    xor     di,di& k2 ~' l0 b; |: ~' k% d; G
    mov     es,di3 g, V4 H  i  v" L
    mov     ax, 1684h      
* u- x8 Z; c$ K* g    mov     bx, 7a5Fh       ; VxD ID of SIWVID0 }  W) w$ j8 \: M4 n) \& }
    int     2fh
) c5 M: [+ O# M    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ U  c0 T: r( j0 B2 w: r" C
    add     ax, di
' k; F9 ^3 ]: t  X    test    ax,ax8 ]; D9 i+ D1 r! z# `$ _8 L& c+ c5 _
    jnz     SoftICE_Detected
; m7 `, `2 a& `" j' K3 ]
& h+ o/ G+ p. g' ~6 T__________________________________________________________________________
7 V9 x! o8 ~8 b
" i+ M3 `& K6 H% E3 G& _. H% b9 }
1 a& ?# s6 {. OMethod 053 B$ d2 J5 R; Z
=========$ Y0 P: q& |% L- b! H& D
- i4 S, g: [- R9 f* n
Method seeking the 'magic number' 0F386h returned (in ax) by all system
+ v; E5 b4 D: Y# {8 l, Q8 Ydebugger. It calls the int 41h, function 4Fh.- q" T; b: a3 x  a6 M
There are several alternatives.  2 {( V! P8 [3 T, u
- |; D$ i$ q& d* }: c% X3 {
The following one is the simplest:2 M. v; S- Y) s. }9 {

* s, C" `3 Z" ^" O1 a$ n% O    mov     ax,4fh9 _/ e) j  c0 k+ E" C; F7 k
    int     41h
+ X2 A9 p- S6 o% y    cmp     ax, 0F386
4 Q+ e; H4 m' @    jz      SoftICE_detected
) c3 M9 f0 k: t
+ n" L. t* @% F1 u- C+ Y. L$ ]5 T8 l6 s$ ]* E
Next method as well as the following one are 2 examples from Stone's
: L, c$ _+ r! C0 P"stn-wid.zip" (www.cracking.net):3 F( `+ K2 O; y' L3 V5 x- r8 O7 E

" j: q: \5 e2 e& S8 P- R    mov     bx, cs
# K" C+ U3 R, K  ^8 e    lea     dx, int41handler2  n  g6 {8 H: K. t* X5 b+ o* P8 Z
    xchg    dx, es:[41h*4]" w  B* Y# `4 F' `  ~
    xchg    bx, es:[41h*4+2]' c$ O# R/ r) v  D
    mov     ax,4fh; Q+ u, M/ y- j' N! T9 d
    int     41h
; G8 n7 ?( L  ~    xchg    dx, es:[41h*4]( r$ g$ {$ t! U0 U
    xchg    bx, es:[41h*4+2]2 P; ]  [+ j- X: L* e  \
    cmp     ax, 0f386h1 U7 Q6 S6 o$ O; L
    jz      SoftICE_detected
- z  _8 j7 {& Z5 a9 h0 c4 h. B* ~
int41handler2 PROC4 z# G  P; B: K9 h- b3 ^. K  O
    iret% V) k3 z+ `3 L# ~0 Y
int41handler2 ENDP& `! z/ L9 j" `4 b, K' J

2 L- V# W! p  D5 b+ q
! u+ l$ ^- ^$ X6 @1 U_________________________________________________________________________( M; V9 m: B! T6 T
7 L1 t% k; d8 l% p: J
  D' W8 r5 {1 m1 I
Method 06
$ M! n9 c8 E& X7 p8 G! O9 Q% _=========5 B8 F5 r8 a  L% b7 t* R
& k: {! `+ t, }3 ~8 [6 t2 J) c
  Y7 q# t  q1 b! r) @" U
2nd method similar to the preceding one but more difficult to detect:
2 x$ T& i$ I  o, B! y$ W
) }/ E! [& g) w/ X* L9 g
& C$ ^+ H4 Y& M; c+ M& r8 x! yint41handler PROC
4 ~7 ~! _1 b, g4 O& t2 Q    mov     cl,al
$ S: a" p  B; w    iret
0 {6 Y1 ^0 X+ m+ e* n: h* \; bint41handler ENDP4 t0 c4 b! N, p. I# N+ A/ _
/ k7 _) J# M3 k1 i( k" t8 Q
/ ~+ y3 M* i7 F- O
    xor     ax,ax) W9 b: N) G# q7 ~* H, ^
    mov     es,ax
. K9 B7 O5 G4 a    mov     bx, cs: w4 F" Z0 A1 z# B7 n
    lea     dx, int41handler2 g8 t. i- }$ d+ X9 C3 {, ?
    xchg    dx, es:[41h*4]1 e1 H) v8 t( t
    xchg    bx, es:[41h*4+2]
% f# [0 Z& S! K    in      al, 40h6 \; G# I, r1 ^/ X# @5 H( q
    xor     cx,cx
2 F, j  N7 n+ D    int     41h
0 r9 I7 z" X7 J8 v    xchg    dx, es:[41h*4]
% K/ J# J# C9 \% `+ E* e    xchg    bx, es:[41h*4+2]6 {, _- E: b4 y% x5 Z
    cmp     cl,al( R- w0 A3 E0 F0 d: e+ R
    jnz     SoftICE_detected6 e4 x- t* ?, }" G8 k: d5 c

2 X7 G+ n* ]' T  A3 u_________________________________________________________________________& h0 o6 J) \: g" P

* U" w" P! u$ a4 DMethod 076 y) l7 S1 I- M( q  q7 K" O
=========
$ h) y* E! i6 p- P, X: x* g" C# s
& Y( R7 ]8 O) b; jMethod of detection of the WinICE handler in the int68h (V86)5 B! n7 \6 |. K5 r5 T5 ~
$ L2 w/ j8 T% o+ ]6 t( s
    mov     ah,43h
5 K4 Z; _0 ~3 f2 m) N" r# v    int     68h) [* J% a. \: [2 M5 W/ K7 f# ^
    cmp     ax,0F386h: Q' h6 e/ k+ ^5 M( s
    jz      SoftICE_Detected. c+ s, K/ A/ G

" M+ x: s  T" M
+ z5 E+ x" }! k/ ^=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit% l) |" z8 p4 E5 P. R
   app like this:7 ?) i. y$ t  ~- x- _* F
& T& F2 _& d/ B6 Y& G' D
   BPX exec_int if ax==68, U3 C- R; j1 q; y$ M  ?' D: o
   (function called is located at byte ptr [ebp+1Dh] and client eip is
2 o* {/ E% N: h" o/ V5 K2 ]   located at [ebp+48h] for 32Bit apps)
4 D& n" S+ b+ V  w2 b2 T8 J__________________________________________________________________________+ }: {: w8 a1 o) |

: G$ v+ [% x) n
, V+ X0 A( ?1 V. n  n( nMethod 08: s6 o! H$ N2 J% X
=========- P$ X! f$ q) w# _

2 T0 }8 v/ P8 IIt is not a method of detection of SoftICE but a possibility to crash the
* L! X" c2 X9 u. q; O( ~, l  @system by intercepting int 01h and int 03h and redirecting them to another% w3 ^/ m/ ^( I' g- l% g9 A5 I
routine.
9 s0 l! v/ ?, J+ Q( ZIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points7 }7 `) d+ ~* {. N  R+ _) {/ R; f/ I: x
to the new routine to execute (hangs computer...)2 n" j" L: q1 j0 e4 o9 {

1 z# f& h* v$ Y% l& G0 w    mov     ah, 25h
5 i( z: B3 Q% k& j) h  _    mov     al, Int_Number (01h or 03h)
3 e. G; w# F: f, _' Z6 D    mov     dx, offset New_Int_Routine6 d% k0 w6 t$ K$ |$ t( E
    int     21h
6 o4 P  D  m# W% A+ {: F
, t/ U. `# q7 E__________________________________________________________________________: F1 W7 D8 J" r+ n0 a

) b, T1 V# _2 |3 \! \& vMethod 091 @$ [. |5 z% _* _+ O& \
=========$ {1 n/ q$ C, a  O( x! A7 Q
- z7 }; H) B5 y2 b- D: p( k
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* i+ `# X  S+ A5 S+ G7 L; p* S+ V  Eperformed in ring0 (VxD or a ring3 app using the VxdCall).% q! `- [. V# c) D8 h# K3 K5 N
The Get_DDB service is used to determine whether or not a VxD is installed
4 e, M( K2 M3 v5 afor the specified device and returns a Device Description Block (in ecx) for
4 T9 H; Z+ A1 m* u8 Q3 xthat device if it is installed.  |( W+ }$ N4 k$ S, B2 D0 Y+ Y

6 y% ?2 K9 Y1 F" O. p* f1 T! l( D% K   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 y9 u/ M' O7 V# z. O( M
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)' R+ |/ y! m) \5 T  C; o3 ~
   VMMCall Get_DDB
6 M5 [0 S3 O- D) E+ A6 i   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
! J( I; i2 m$ i) v1 e
' ^, e  K' B9 T0 E! N3 E" oNote as well that you can easily detect this method with SoftICE:/ @) z, J) @' |6 K' y4 w6 Q
   bpx Get_DDB if ax==0202 || ax==7a5fh
/ J0 j/ V, Q7 \& k# h: ^+ z9 o- Z# @' C$ n% T  A+ i. ~
__________________________________________________________________________
4 H9 }* Q6 X0 u+ N+ z+ g" Y$ v
4 M* Y- j6 f: X0 rMethod 10! T7 s( e) q, K  [, I+ Z$ l) L0 ^
=========4 P- l7 x8 E3 O- m7 ?1 C
  i" \3 i" v) _3 F8 N/ o/ k) c
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
5 v' g" r& \9 H' \9 q  SoftICE while the option is enable!!
! p$ @7 S) c! v6 J7 }% C- r& B; m& D3 E
This trick is very efficient:6 o6 e& Z1 v5 y
by checking the Debug Registers, you can detect if SoftICE is loaded: h" m+ i. p) ]! K. a. j6 ^
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 V/ }, U1 T# p5 P; ~4 o% [& e+ f1 {there are some memory breakpoints set (dr0 to dr3) simply by reading their
5 C1 T; e  a3 Vvalue (in ring0 only). Values can be manipulated and or changed as well) w+ H) T8 p) i4 J& }) I
(clearing BPMs for instance)
# D$ f+ X; }2 p8 m2 n* d
6 d; B+ f2 X  b8 ~" s" g' E! \1 {__________________________________________________________________________9 L- w: d1 J: X, a" W2 }9 I$ G: l

/ [. ]0 d; R) V9 ~. M8 \5 L' oMethod 11
7 W! `4 {* Z% r' g5 d) ?. [- f=========
. r! k% N( w8 G1 ^6 A- y/ W9 v
; @1 ]7 B% k' x9 E! @This method is most known as 'MeltICE' because it has been freely distributed
& I8 U6 k) c# U5 d6 s3 Svia www.winfiles.com. However it was first used by NuMega people to allow3 @7 n& q& w+ P, h
Symbol Loader to check if SoftICE was active or not (the code is located1 g1 X+ @. g% L$ J
inside nmtrans.dll)./ G+ u7 @# b7 D9 b' d; H& k
) k0 a8 m0 ]& e! T7 b' `9 L% M
The way it works is very simple:: v3 K) S& e9 N1 M% y8 ?
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for& R/ V8 M2 J, I1 h
WinNT) with the CreateFileA API.
. f, C# A, `8 c# \; L/ ~
1 |' Y( \  H& o: f) Q3 E# THere is a sample (checking for 'SICE'):0 Z* ~( C; _9 R) g* R7 n7 o! A

# `  I& C# Q* l; n8 h( JBOOL IsSoftIce95Loaded()  O! \5 C# Z8 @: L) M( Z
{
8 \" r- u  W7 z2 y( j7 w" W( ^   HANDLE hFile;    C6 |& \6 `4 ^
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
( Y- F/ U0 _/ o9 Y. U& O                      FILE_SHARE_READ | FILE_SHARE_WRITE,
# k) W- c0 C8 o& P* r                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
) [1 ~2 k) [4 p, _& l, z   if( hFile != INVALID_HANDLE_VALUE )3 D! R6 d6 v' C1 }# u+ |
   {" ]* j' B. u: \' F% i
      CloseHandle(hFile);- u+ O* @1 A; D# X* w
      return TRUE;+ W! X( d, T0 u# L) v
   }
( L* v$ l0 k" K& `9 }+ A1 ~   return FALSE;8 a, b3 d, a8 I+ \6 W6 @9 G  u) J# N1 M
}5 k0 V3 `) D: k7 l1 C" a
3 Y. I9 n9 d5 u" G
Although this trick calls the CreateFileA function, don't even expect to be) G) q1 t9 Z1 n( v
able to intercept it by installing a IFS hook: it will not work, no way!
9 w: {+ ?  b# HIn fact, after the call to CreateFileA it will get through VWIN32 0x001F+ R$ N; E; {' i0 O
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! w: z! I) b1 O0 P) dand then browse the DDB list until it find the VxD and its DDB_Control_Proc, }# ?. U  t) [# I7 h
field.
* q- H6 r3 X( F4 A3 ]In fact, its purpose is not to load/unload VxDs but only to send a + I2 z, T0 e/ J- I
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
1 B1 P5 T! P" G' p8 Bto the VxD Control_Dispatch proc (how the hell a shareware soft could try
; P3 r3 n, F5 c0 n' w: Y# Lto load/unload a non-dynamically loadable driver such as SoftICE ;-).) b+ V6 G1 @9 E, w. `% g# D( ?
If the VxD is loaded, it will always clear eax and the Carry flag to allow
% Y3 q: e% R4 c' s9 }$ R" gits handle to be opened and then, will be detected.* `3 M* A6 C- @- [9 }
You can check that simply by hooking Winice.exe control proc entry point; t1 e& l$ }: j* S' h2 H
while running MeltICE.
( {; Z4 z- a1 s8 e% t3 H! ~4 Q1 {9 K) G. U
, V: k3 N% J6 M3 @5 p7 d
  00401067:  push      00402025    ; \\.\SICE
, q. k* s2 s1 O; P  0040106C:  call      CreateFileA: X' s: \3 Q: T8 a
  00401071:  cmp       eax,-001; f! S- j) R9 e) P2 M" E6 @
  00401074:  je        004010915 O! F1 G! _2 `# r
# _  v; m" j0 U6 w# W5 q1 m6 g/ X5 L9 L* A
/ V) X( Z3 f1 Q. l& p4 p3 N; i+ M
There could be hundreds of BPX you could use to detect this trick.# P# r$ J- @3 K* F  z# D* ^
-The most classical one is:
/ |9 {: ^- ]; ~4 ^  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||2 W, s% @* l5 }, D2 f: {/ X
    *(esp-&gt;4+4)=='NTIC'
# K- p: D+ i3 t: r$ U4 q8 b: L% Z( a4 R. F4 G) M
-The most exotic ones (could be very slooooow :-(7 K; Z& m" O( e: l7 W
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
9 `; ]1 {5 l! J+ W  @) U     ;will break 3 times :-(
1 T' n. @3 U2 D, V1 }4 D
# h/ r# \& b* b2 F-or (a bit) faster:
) r" S% n0 w4 k/ V   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')+ q; m; m# \- h4 `3 c
7 @4 E5 t. B$ ^" @) _" M
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  # ?* ^5 Z! R8 _& @- N; q
     ;will break 3 times :-(
' E4 r( k6 S& q" k2 S  x9 ~' {$ P
, ]  U+ c. B/ S-Much faster:
. N- ?& C8 |+ P, g$ d3 @4 K9 T$ @   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
9 S0 X1 V& d  h/ E6 A  n2 L
1 j; R1 z& G0 mNote also that some programs (like AZPR3.00) use de old 16-bit _lopen+ g' B  {0 i& W' s
function to do the same job:+ Z7 A3 W9 \+ \& W4 A* e$ B' w

4 v7 H$ k9 T0 J) {  ^: d   push    00                        ; OF_READ
/ X, W" i8 R6 u  u# f$ P   mov     eax,[00656634]            ; '\\.\SICE',0$ O+ ^1 c  Z5 w1 Z# y% J/ }8 N
   push    eax, r7 p% b; r# E0 y
   call    KERNEL32!_lopen, Z+ S+ D" c5 j! |, R0 A
   inc     eax$ i+ _/ r: _6 W% O
   jnz     00650589                  ; detected# B5 _% P5 F7 ]2 q* V' l
   push    00                        ; OF_READ
! X) {) O$ x6 b1 _6 y; ]! m( s   mov     eax,[00656638]            ; '\\.\SICE'. i  T  ?; C* @
   push    eax
' E, x; ]& O, V, F   call    KERNEL32!_lopen
9 l7 b7 V; B0 q: x3 u$ m   inc     eax- a1 \) M4 R& B+ [$ l' p2 r
   jz      006505ae                  ; not detected/ [  @4 Q% x! {5 P( v) J1 K3 n6 n+ W; ?. G

: d0 `& d& k4 F) B3 ]6 S3 Z, |' e- ~, [# n1 g- b  Y' C
__________________________________________________________________________
5 u0 F/ @! Y# I6 D5 F% M$ a0 _& V( |
Method 12
  n8 Q6 ?. c, z# J' j* u  a- e) U=========6 f5 s3 A" k- L

# I5 `0 Z5 _9 l7 V: |; GThis trick is similar to int41h/4fh Debugger installation check (code 05
: v: |" r4 _& z8 E; M  G&amp; 06) but very limited because it's only available for Win95/98 (not NT)
1 Q1 p! U" h4 p) n* d: |6 aas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
+ d1 ?5 A3 |7 v; y6 m8 P' u2 @/ z$ O- c3 O% F+ U1 y* a$ ]
   push  0000004fh         ; function 4fh( V- `: A6 u8 l5 B4 t: W) ^
   push  002a002ah         ; high word specifies which VxD (VWIN32)  _( K" I. L) _  F3 H& G4 }3 s6 s
                           ; low word specifies which service
& ]* T8 o: q0 I8 f) i! [                             (VWIN32_Int41Dispatch)8 _$ H& t$ e! k) w3 g+ d
   call  Kernel32!ORD_001  ; VxdCall
7 O5 k+ @2 |# l   cmp   ax, 0f386h        ; magic number returned by system debuggers2 W3 |; T/ v5 P
   jz    SoftICE_detected' _8 [5 s/ G6 Y2 l

8 [* w5 K+ M6 S! W% e% O9 KHere again, several ways to detect it:8 K# {" C# E0 u( i- k# R7 n* t" W
+ H6 _, F2 M6 a8 C
    BPINT 41 if ax==4f/ g1 ^  M( E0 e

* ]7 |0 t" b% _* D' e# o# \    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one' i& {" v7 G& i
# ~4 M1 E# u) u+ i
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A0 s5 G8 `' Y% _, y. x0 i8 ^# s

7 n$ }* k( X" f( G+ v    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
% z* K3 u$ f& T8 Q& C1 m
! y$ |9 Z( o7 K- |9 f__________________________________________________________________________; c3 C  c" L6 b/ x/ C
9 u( E! I$ R1 Q' L; M
Method 13% N3 Q; E8 y& Q& q/ M. D. R8 i: x
=========& n3 w: X" H) W5 @

( D# z6 L6 }" v9 l6 V( RNot a real method of detection, but a good way to know if SoftICE is$ ~# P  `0 J: }, _
installed on a computer and to locate its installation directory.
; j8 o4 ~, M( x. EIt is used by few softs which access the following registry keys (usually #2) :
. m1 T# `0 q) e+ J8 u( ^/ p
9 X% `+ d3 H8 w) ~4 N7 Q-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; ^' v9 M6 p- _4 O& C
\Uninstall\SoftICE
: C/ P! Z$ y4 Z8 O( ]3 H$ p  T1 d-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
4 z8 T) G* p" _1 Z: E$ O2 @-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 O6 G7 B6 K4 }" W\App Paths\Loader32.Exe0 q( ?* H4 F/ ?) \! V0 N+ C8 t) B' C

7 N" Q% X. j; }
* h. q, U3 }% c% S7 YNote that some nasty apps could then erase all files from SoftICE directory, K5 w" \3 m6 h6 a1 B; H% L  E
(I faced that once :-(
& a% g& `: v' D- U/ q$ n" r+ o; h; l+ ~% l9 H
Useful breakpoint to detect it:
, P, L) s0 F9 S& h# t, l* ]! C" f' J' ~/ d5 L
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'0 d, \' N+ e* a, e

. q2 R+ s" o- c) _( Y__________________________________________________________________________
9 H; p% L/ A4 x& S( y( j& ^4 `6 Q# p" z& ^" v
0 W+ f  \& y8 I) r# ~6 b0 M
Method 14 * f. b7 S6 a+ }8 z$ m+ i6 q
=========# n+ z" x% r3 S$ ?  W. X4 k
1 i0 \& c) r/ j5 G
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
$ [/ v$ t5 z4 q; ?3 L, V# cis to determines whether a debugger is running on your system (ring0 only).& H- Z, t9 D. N# A- F

. i4 Y5 Y9 C( G- }+ a7 P   VMMCall Test_Debug_Installed
4 t8 R7 q' w% s   je      not_installed
/ }0 r. s0 w/ K, e1 M- Q5 G* p3 T8 K5 b  f$ f* o
This service just checks a flag., k' s# H/ p- \
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 05:00

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表