About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is left at 4 if nobody answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a system debugger answers anyway
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read an arbitrary value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                   ; DOS set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API (windows.h). */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
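Most of the tricks above leave fixed byte patterns in a binary: the 'BCHK' constant (Method 01), the 4647h/4A4Dh magic pair (Method 02), the 0202h/7A5Fh VxD IDs before int 2Fh (Methods 03/04), the 0F386h compare (Methods 05, 07, 12) and the \\.\SICE style device names (Method 11). The scanner below is an added example, not part of the original text, that flags those patterns in a raw code blob for triage; it assumes standard 16-bit opcode encodings (Method 01's mov ebp taken in its 32-bit form), and the sample blob is constructed by hand from the listings in Methods 01, 02, 03, 05 and 11.

```python
import re
from typing import List, Tuple

# Byte signatures for the anti-SoftICE tricks described in the text.
# Encodings (16-bit code): mov ax/bx/si/di,imm16 = B8/BB/BE/BF iw;
# cmp ax,imm16 = 3D iw; int n = CD ib; int 3 = CC.
# Method 01 is 32-bit code: mov ebp,imm32 = BD id.
# ".{0,8}" tolerates a few unrelated bytes between the two halves of a pattern.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' int 3", rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc"),
    # Method 02: the back-door magic pair SI=4647h / DI=4A4Dh (either order)
    ("M02 back door SI=4647h DI=4A4Dh",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46"),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID", rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),
    # Methods 05/12: cmp ax,0F386h, the system-debugger magic number
    ("M05/12 cmp ax,0F386h", rb"\x3d\x86\xf3"),
    # Method 07: int 68h ... cmp ax,0F386h
    ("M07 int 68h debugger check", rb"\xcd\x68.{0,8}\x3d\x86\xf3"),
    # Method 11: driver device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name", re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan_anti_softice(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, trick name) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: the listings from the text assembled by hand, padded with NOPs.
SAMPLE = b"".join([
    b"\x90" * 4,
    b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10",  # Method 01 (32-bit)
    b"\x90" * 4,
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc",          # Method 02 (Haspinst body)
    b"\x90" * 4,
    b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f",          # Method 03
    b"\x90" * 4,
    b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05",                  # Method 05
    b"\x90" * 4,
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00",                           # Method 11 strings
])

if __name__ == "__main__":
    for offset, name in scan_anti_softice(SAMPLE):
        print(f"0x{offset:04x}  {name}")
```

The 3-byte 0F386h signature will also fire on random data and inside every Method 07 hit, so treat the output as triage leads to confirm in a disassembler rather than proof.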
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

1 ^  a6 U  i$ \Method 14
# c+ J- M0 V+ k7 i) O=========; A  A  v. P+ ^2 y3 l1 o

- d7 b. Y7 X1 X" [! e8 ~" @A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# \. O; ]8 a  N- E+ j5 k% i) e8 o* c
is to determines whether a debugger is running on your system (ring0 only).
8 A! t# `5 H. Q# h2 M
9 `; j5 }# J+ w/ ?: \8 [   VMMCall Test_Debug_Installed7 A) t) z0 [5 u" S: n
   je      not_installed6 r/ W# n. R& U; ~
' m6 V6 f) T) z( L
This service just checks a flag.2 W/ }7 r$ A. N7 E* c9 B
</PRE></TD></TR></TBODY></TABLE>