About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is modified when SoftICE answers the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door' commands, which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (IVT segment), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect: the
temporary handler copies AL (a value just read from the timer port) into CL;
if SoftICE swallows int 41h the handler never runs, so CL stays 0 and differs
from AL.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter: a non-constant value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
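Added example, not part of the original text: a small Python decoder for the DR7 values Method 10 quotes. It follows the documented IA-32 DR7 bit layout; the 0x400 baseline is the always-set reserved bit 10, and 0x700 adds the LE and GE "exact breakpoint" bits (8 and 9) on top of it. The function names and the third sample value are my own.

```python
# Decode IA-32 DR7 so the 0x400 / 0x700 values from Method 10 can be read
# without remembering the bit layout. Python 3, standard library only.

DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable
DR7_RESERVED_BIT10 = 1 << 10   # always reads as 1: the 0x400 baseline
DR7_GD = 1 << 13               # general detect: trap on any access to DRx

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7):
    """Return a dict describing the flags and hardware breakpoints DR7 enables."""
    info = {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "gd": bool(dr7 & DR7_GD),
        "breakpoints": [],
    }
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))       # L0..L3: even bits 0,2,4,6
        glob = bool(dr7 & (1 << (2 * i + 1)))    # G0..G3: odd bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11        # R/Wn: condition
        ln = (dr7 >> (18 + 4 * i)) & 0b11        # LENn: watched size
        info["breakpoints"].append({
            "index": i, "local": local, "global": glob,
            "type": RW_NAMES[rw], "length": LEN_BYTES[ln],
        })
    return info


def classify_dr7(dr7):
    """Map a DR7 value to the three situations Method 10 describes."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        return "hardware breakpoints set (BPM)"
    if d["le"] and d["ge"]:
        return "loaded under SoftICE loader (0x700 pattern)"
    return "no debugger evidence (0x400 baseline)"


if __name__ == "__main__":
    # Constructed sample values: the two the text quotes plus one with a
    # 4-byte write breakpoint in DR0 (L0 set, RW0=01, LEN0=11) -> 0xD0401.
    for v in (0x400, 0x700, 0xD0401):
        print(hex(v), classify_dr7(v), decode_dr7(v)["breakpoints"])
```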

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
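Added example, not part of the original text: a Python static-triage scanner for the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11, 12 and 13, so an analyst can list which anti-SoftICE checks a sample carries before running it. The opcode encodings are the standard IA-32 ones for the instructions quoted above; the sample buffer is constructed here and the signature names are my own.

```python
# Static scan for the anti-SoftICE byte patterns described above.
# Python 3, standard library only.
import re

# Each entry: (name, regex over raw bytes). A 66h operand-size prefix is
# optional so both 16-bit code and 32-bit code using 16-bit operands match.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'), normally followed by int 3
    ("01 BoundsChecker BCHK", re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h and mov di,4A4Dh within a few bytes of each other
    ("02 int 3 back door magic", re.compile(
        rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry", re.compile(
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41h/4Fh", re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: device names opened via CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall Int41Dispatch", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry paths
    ("13 registry key", re.compile(
        rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def scan(blob):
    """Return sorted (offset, signature name) hits found in blob."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP/zero filler around a Method 01 check, a Method 05
# check and a MeltICE device string, the way a packed stub might carry them.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 3
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x05"          # Method 05
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"                                           # Method 11
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```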

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>