About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
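The tricks above leave recognisable byte sequences in a binary (the 'BCHK' constant of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h and int 41h/4Fh sequences, the `\\.\SICE` device names of method 11, the VxDCall arguments of method 12, the registry key of method 13). The following static triage scanner is an added example, not code from the original post: it searches a raw image for those fingerprints so an analyst can tell which anti-SoftICE method a packer uses before running it. The x86 encodings are my assumption from the instruction forms shown in the text, and the sample image is constructed by hand.

```python
"""Static triage scanner for the anti-SoftICE tricks described above (added
example, not code from the original post).  The x86 encodings are assumed
from the instruction forms in the text: 16-bit code for the int-based DOS
tricks, 32-bit for methods 01 and 12, with an optional 0x66 prefix allowed."""
import re
from typing import Dict, List, Tuple

# (method, description, regex over raw bytes); ".{0,8}?" skips a few
# unrelated bytes between the instructions that matter.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "BoundsChecker 'BCHK' handshake: mov ebp,4243484Bh",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 back door magic values: mov si,4647h / mov di,4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h entry-point lookup for VxD 0202h or 7A5Fh",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05", "int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "int 68h/43h V86 WinICE handler check",
     rb"\xB4\x43\xCD\x68"),
    ("11", "MeltICE device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh; push 002A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "registry probe for the SoftICE install key",
     rb"NuMega\\SoftICE"),
]

def scan(image: bytes) -> List[Dict[str, object]]:
    """Return every signature hit in the image, ordered by file offset."""
    hits: List[Dict[str, object]] = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append({"method": method, "offset": m.start(), "desc": desc})
    hits.sort(key=lambda h: h["offset"])
    return hits

def methods_found(image: bytes) -> List[str]:
    """Distinct method ids present, in the order they first appear."""
    seen: List[str] = []
    for h in scan(image):
        if h["method"] not in seen:
            seen.append(h["method"])
    return seen

# Constructed sample image (not a real binary): NOP filler around the
# instruction sequences from the text, assembled by hand.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02
    + b"\x90" * 8
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"          # method 04
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # method 11
    + b"\x90" * 16
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:08X}  method {h['method']:<5} {h['desc']}")
```

Run it against a real sample by replacing SAMPLE with the file's bytes; a hit only says the sequence is present, so confirm it at the reported offset in a disassembler before drawing conclusions.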