About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK') that SoftICE recognises:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al stays 4 when SoftICE is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command -the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; (added) ES must address the IVT, as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; our handler leaves ax alone; a debugger that
    jz      SoftICE_detected; intercepts int 41h returns the magic value

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

- n* v9 V& g  A; d4 }7 g4 i! o
2 ]8 F+ m* P2 A  C+ u. T" [Method 06. z2 d7 X" [$ `$ U. g3 |: Z
=========
& R$ U% n6 T& g/ G) d) y8 r; ?4 H3 V
( V) t$ N# |& [, Y5 i) Q8 D) H* t9 z* t1 V- A6 {# w* z: C
2nd method similar to the preceding one but more difficult to detect:3 L, L: H& w8 L9 p
4 q0 Z% Q% C! T  u5 z+ p% p
, L( f' k3 p! \' `
int41handler PROC8 t8 X9 v6 W, P( [0 z' {- p8 N
    mov     cl,al/ T1 u/ ^: w- b
    iret
+ R0 a; O% a' L! {4 D* aint41handler ENDP
  _- m0 P# P* J2 P. F  D6 Z+ I/ n6 u3 m, t6 d7 W
) \% p1 {: f5 F' P4 a% ?! \1 }' B
    xor     ax,ax
) n0 }% w* e; x  b4 y    mov     es,ax
% s' K% Q9 g. d6 N! O+ I    mov     bx, cs8 `6 l/ l0 ^( H9 b0 b; b/ @+ W
    lea     dx, int41handler  h+ N# n0 d) x/ g
    xchg    dx, es:[41h*4]
. X* |* a$ x/ F) N$ Q( x    xchg    bx, es:[41h*4+2]* y6 G5 F* f+ U+ C6 y. b! T
    in      al, 40h
" |! W! l+ r2 H% k* k    xor     cx,cx
; g' Y7 N" a; R: `6 W# r    int     41h
9 Q4 ~8 L% `/ h) f    xchg    dx, es:[41h*4]* [! n2 q5 ~' t3 e
    xchg    bx, es:[41h*4+2]9 n5 B% _# r4 y8 ^: o
    cmp     cl,al2 Y3 a/ A7 S  N; O
    jnz     SoftICE_detected
' Z/ v# s: T6 S
( s' l( U9 _9 P' e_________________________________________________________________________/ ^4 [0 T) }* _  p, G4 o9 j3 q

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is mostly known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* requires the Win32 headers (windows.h) */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the driver answered DIOC_OPEN: SoftICE is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>