About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
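The two int 3 checks above (the 'BCHK' signature and the 4647h/4A4Dh back door call) have fixed byte encodings, so a sample can be triaged for them statically. As an added example (not part of the original text), here is a Python scanner that looks for those encodings in a file image; the sample bytes are constructed here, and the 16-byte window between the magic moves and the int 3 is an assumption.

```python
import re

# Byte encodings of the two int 3 based checks above.  16-bit code uses
# B8/BE/BF/BD with 16-bit immediates; 32-bit code prefixes the 16-bit moves
# with 66h, so the prefix is optional in every pattern.
PFX = rb"\x66?"
MOV_EBP_BCHK = PFX + rb"\xBD\x4B\x48\x43\x42"        # mov ebp, 4243484Bh ('BCHK')
MOV_SI_MAGIC = PFX + rb"\xBE\x47\x46"                # mov si, 4647h
MOV_DI_MAGIC = PFX + rb"\xBF\x4D\x4A"                # mov di, 4A4Dh
MOV_AX_FUNC = PFX + rb"\xB8(?P<fn>[\x10-\x14])\x09"  # mov ax, 0910h..0914h
INT3 = rb"\xCC"

# Assumption: int 3 follows the magic moves within 16 bytes (it is adjacent
# in the Haspinst listing above).
GAP = rb".{0,16}?"
BCHK_RE = re.compile(MOV_EBP_BCHK + GAP + INT3, re.DOTALL)
BACKDOOR_RE = re.compile(
    rb"(?:" + MOV_SI_MAGIC + rb".{0,8}?" + MOV_DI_MAGIC
    + rb"|" + MOV_DI_MAGIC + rb".{0,8}?" + MOV_SI_MAGIC + rb")" + GAP + INT3,
    re.DOTALL)
FUNC_RE = re.compile(MOV_AX_FUNC)

BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoint info", 0x13: "set breakpoint",
                  0x14: "remove breakpoint"}


def scan(data):
    """Return sorted (offset, description) pairs for each pattern found."""
    hits = []
    for m in BCHK_RE.finditer(data):
        hits.append((m.start(), "BoundsChecker signature check (Method 01)"))
    for m in BACKDOOR_RE.finditer(data):
        # The AX function selector is usually loaded just before the magic
        # values, so look in a window that starts 16 bytes earlier.
        window = data[max(0, m.start() - 16):m.end()]
        f = FUNC_RE.search(window)
        if f:
            fn = f.group("fn")[0]
            what = "AX=%04Xh (%s)" % (0x0900 | fn, BACKDOOR_FUNCS[fn])
        else:
            what = "function not found nearby"
        hits.append((m.start(), "SoftICE back door call, %s (Method 02)" % what))
    return sorted(hits)


# Constructed sample image: NOP filler, the Method 02 sequence from the
# Haspinst listing (MOV AX,0911 / MOV SI,4647 / MOV DI,4A4D / INT 3), then
# a 32-bit Method 01 sequence (66h prefix on MOV AX,4).
SAMPLE = (b"\x90" * 8
          + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
          + b"\x90" * 5
          + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"
          + b"\x90" * 4)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print("%08X  %s" % (off, desc))
```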
__________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES=0 so that es:[41h*4] addresses the IVT (not in the original listing)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


__________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
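To make the dr7 values quoted above concrete, here is an added Python decoder (not part of the original text) that splits a DR7 value into its LE/GE/GD flags and the four breakpoint slots according to the x86 DR7 layout, and then applies the reasoning of Method 10 to a snapshot of DR0..DR3 and DR7; it covers the general layout, not only the two values quoted, and the sample register values are constructed.

```python
# DR7 layout (x86): bits 0-7 are the L0,G0..L3,G3 enable bits, bit 8 LE,
# bit 9 GE, bit 10 reserved (reads as 1, hence the idle value 0x400),
# bit 13 GD, bits 16-31 hold four (R/W, LEN) pairs of two bits each.
RW_KIND = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b means 8 bytes only in long mode


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and four breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"enabled": bool(local or glob),
                      "local": bool(local), "global": bool(glob),
                      "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & (1 << 8)), "GE": bool(dr7 & (1 << 9)),
            "GD": bool(dr7 & (1 << 13)), "slots": slots}


def debug_register_hints(dr7, dr0_3=(0, 0, 0, 0)):
    """Apply Method 10's reasoning to a ring0 snapshot of DR0..DR3 and DR7."""
    d = decode_dr7(dr7)
    if (dr7 & ~0x400) == 0:
        return ["DR7 is the idle value 0x400: no hardware breakpoints, "
                "not loaded via the SoftICE loader"]
    hints = []
    if d["LE"] and d["GE"]:
        hints.append("LE and GE set (DR7 looks like 0x700): loaded via the SoftICE loader")
    if d["GD"]:
        hints.append("GD set: any MOV to/from a debug register traps to the debugger")
    for i, s in enumerate(d["slots"]):
        if s["enabled"]:
            hints.append("DR%d: %s breakpoint, %d byte(s) at %#x (BPM)"
                         % (i, s["kind"], s["len"], dr0_3[i]))
    return hints


if __name__ == "__main__":
    # Constructed snapshots: the two values quoted in Method 10, and a DR7
    # with a 4-byte read/write BPM armed in slot 0 (L0=1, RW0=11b, LEN0=11b).
    for dr7, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)),
                      (0x000F0701, (0x401000, 0, 0, 0))):
        print("DR7=%#x" % dr7)
        for h in debug_register_hints(dr7, regs):
            print("  " + h)
```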

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device exists, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>