About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al still 4 -&gt; no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0:0 -&gt; no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to be 0 (interrupt vector table) here, as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a debugger answered despite the dummy handler
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

Second method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random-looking value from the timer
    xor     cx,cx
    int     41h                     ; our handler should copy al into cl
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl still 0: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h                     ; ds:dx = new handler

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is thus not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set: no debugger present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
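The detection sequences listed in the post, gathered into one static triage scanner (an added example, not part of the original post or of any tool it names): it turns the constants above (the 'BCHK' value, the SI/DI magic values, the VxD IDs, the 0F386h magic number, the VxDCall service number, the MeltICE device names and the registry key) into x86 byte patterns and reports which methods a sample blob contains. The sample blobs are hand-assembled from the snippets above and are constructed, not taken from any real binary.

```python
"""Static triage scanner for the anti-SoftICE sequences described above."""
import re
import struct

# (method number as used in the text, description, byte pattern).
# Immediates are little-endian. Real-mode (16-bit) encodings are used where
# the text shows DOS code; an optional 66h operand-size prefix also covers the
# same instructions inside 32-bit Windows code.
PATTERNS = [
    ("01", "BoundsChecker signature: mov ebp,'BCHK' ... int 3",
     re.compile(rb"(?:\x66)?\xBD" + struct.pack("<I", 0x4243484B)
                + rb".{0,16}?\xCC", re.S)),
    ("02", "SoftICE back door magic values: mov si,4647h ; mov di,4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A", re.S)),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F")),
    ("05", "int 41h/4Fh followed by cmp ax,0F386h",
     re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,32}?\x3D\x86\xF3", re.S)),
    ("07", "int 68h/43h followed by cmp ax,0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,32}?\x3D\x86\xF3", re.S)),
    ("11", "MeltICE driver name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh ; push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "registry key Software\\NuMega\\SoftICE",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"))),
]


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (method, offset) for the first hit of each pattern, ordered by offset.

    A hit is a candidate for manual review, not proof: the shorter patterns
    can occur by chance in unrelated code or data.
    """
    hits = []
    for method, _description, pattern in PATTERNS:
        match = pattern.search(blob)
        if match:
            hits.append((method, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample: the snippets from the text, hand-assembled into bytes
# and concatenated (not taken from any real binary).
SAMPLE_SUSPECT = (
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 (32-bit)
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 (Haspinst)
    b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # Method 07
    b"\\\\.\\SICE\x00"                                           # Method 11
    b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # Method 12
    b"Software\\NuMega\\SoftICE\x00"                             # Method 13
)
# Constructed sample of ordinary code: a plain function prologue/epilogue.
SAMPLE_CLEAN = b"\x55\x8B\xEC\x83\xEC\x10\x53\x56\x57\x33\xC0\x5F\x5E\x5B\xC9\xC3"

if __name__ == "__main__":
    for method, offset in scan(SAMPLE_SUSPECT):
        print(f"offset {offset:#06x}: Method {method}")
    print("clean sample hits:", scan(SAMPLE_CLEAN))
```

Method 06 is deliberately not covered: its handler-swapping sequence has no fixed immediate to key on, and Methods 09, 10 and 14 are ring0 VMM calls whose encoding depends on the VxD linker.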