找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>+ a# \! ~- @6 a3 o
<TBODY>4 \' {! x- X- ?( q2 q, }* v1 }$ H
<TR>+ Y5 k+ G% A' h: D* B
<TD><PRE>Method 01 ) ]' O3 {/ R: w9 G
=========
* {' f$ [; Q& G( f& n$ r
* p% ^" w( O+ C7 iThis method of detection of SoftICE (as well as the following one) is
1 L1 u1 n$ p* lused by the majority of packers/encryptors found on Internet.6 X- e- ]& p$ X/ p5 o
It seeks the signature of BoundsChecker in SoftICE3 r. n* d$ T( C6 l

3 e% Q# D, x0 z$ u    mov     ebp, 04243484Bh        ; 'BCHK'& s9 I* b# K# b+ u; F' g* x4 Q
    mov     ax, 04h
/ P' q3 ^0 H  M) d  _( c    int     3      
/ D* K+ [1 m, C: B    cmp     al,4
$ `) a5 X  [5 U' c$ B    jnz     SoftICE_Detected, b( f9 s% ?/ ?8 f- u( Q
( B  K' y2 ?" W$ B3 R
___________________________________________________________________________7 E1 |! f  M" b7 q) U
' c1 b7 Q1 ], L- `2 s
Method 02
4 s" y- d% @. q5 z8 M=========) D% ^9 m2 W9 g2 X& Q) Z' \8 F9 h
4 |% \# V; W5 E' ^3 p' e
Still a method very much used (perhaps the most frequent one).  It is used
/ j! O6 Q% [& B6 f1 U6 _# w, Sto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
: U2 l. P6 R9 h" ~4 C, z$ Vor execute SoftICE commands...
0 O* W7 ~4 ~/ n; c" B: QIt is also used to crash SoftICE and to force it to execute any commands
& h# D/ k. U9 V7 c3 R" Y(HBOOT...) :-((  3 p% W: p! n. z8 R9 r
! X/ [2 Q1 b1 i# H: }6 }  K
Here is a quick description:
" ?/ J4 w3 b' i! K$ H$ U( l-AX = 0910h   (Display string in SIce windows)- J- M" i3 G8 z0 B8 b$ w3 c/ u( C
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
5 S- x" R4 U4 K: N! G* L& M-AX = 0912h   (Get breakpoint infos)
8 ?$ Q% ?. B, @/ P- p9 U% x- B-AX = 0913h   (Set Sice breakpoints): Q0 ?$ N  O4 X4 \2 Y
-AX = 0914h   (Remove SIce breakoints); R2 }- V7 l/ K
- v+ M, w4 S9 s$ p. D; ^$ Y) l0 V
Each time you'll meet this trick, you'll see:
. {9 l! L% [# N5 T$ f( G6 t-SI = 4647h
! A  p% k. x, ?-DI = 4A4Dh
$ g  b' C' M( p! K: F0 ]% w) zWhich are the 'magic values' used by SoftIce.( ^' S$ S* ]/ J; c5 Q
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
+ y- ]9 @( ]8 v
3 v& |/ d" ]$ F; @Here is one example from the file "Haspinst.exe" which is the dongle HASP
7 p8 ~$ W5 k/ l; X9 vEnvelope utility use to protect DOS applications:
7 [  M% t) G6 X( I- _' Z( Q& z% U2 S* v/ _% R  m# ^- s
5 L* Y! B9 u. X
4C19:0095   MOV    AX,0911  ; execute command.
* D" G' L, S4 u7 Z( e4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
: l% m- W" `% H% G) Y4C19:009A   MOV    SI,4647  ; 1st magic value., T& d$ E' {: L/ a+ a9 _# g
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
; u$ K) I2 A9 Y' k  H0 w, l  R4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)& ?+ d* J' e# R$ C' F( q
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
) p& `& Y$ P0 A3 f+ Z4C19:00A4   INC    CX
0 w8 \; |  d( b3 r' }' H8 [4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
. N+ w+ v( z. D8 J7 |4C19:00A8   JB     0095     ; 6 different commands.
9 S4 W$ X- N: h. v; U4C19:00AA   JMP    0002     ; Bad_Guy jmp back.3 D; m* ^$ V& ]  t
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
- Z4 N- A/ C4 Q5 E
! l" ^6 I1 G8 @+ ?! YThe program will execute 6 different SIce commands located at ds:dx, which7 u$ ]6 \5 p% e1 @
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
" Z. T2 L3 c, H, {( s; c
6 |4 a: q0 g, t: }' J0 A* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.5 b: L+ W4 O* t8 D, x8 s
___________________________________________________________________________/ F8 t# O* v3 W( @' c5 B3 p
% z4 H& b6 B' ?. T. ~. l* _

. |% x1 y/ E4 O. V0 y* vMethod 03
9 O% Z& g4 s' v, A=========, |" X( \. S& g, r1 ]( d  @
9 u! [4 P. v; k/ @+ }- L
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
; X: E% b% `1 n9 K2 C(API Get entry point)
- X3 ~# c6 J) B6 u0 B8 W: n        " [# ^3 X+ r$ L8 F( t
9 t  e: {# E5 G/ E
    xor     di,di6 \$ f& ?0 g  A: ~. C6 P
    mov     es,di& r; u% D( S( p+ L: T* A2 }- i
    mov     ax, 1684h       & N0 ]& g0 b2 I$ q
    mov     bx, 0202h       ; VxD ID of winice+ K8 o) O, \* t' w
    int     2Fh) p+ U' u* J& P6 S! x
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& h7 ~1 n% m  v( s! h8 T    add     ax, di
- Z; {9 J  i+ W2 U; f    test    ax,ax; |# A- \9 q+ ?$ Y: q& `+ A$ V
    jnz     SoftICE_Detected- i$ x! q& d$ F' L- d4 {

0 h! R0 M2 ~. Q! k___________________________________________________________________________
; c4 ~4 P! G  B( g/ X4 u+ D! S
# B0 W; i# d9 v  {Method 04
' ]0 ]) @7 l9 `' B=========2 d, P' m7 Q! N" f  d7 {* T1 K

3 o. J; k. x1 sMethod identical to the preceding one except that it seeks the ID of SoftICE
1 Q; U$ D" H4 l: e9 D! o4 d3 MGFX VxD.
; q3 u; ~0 |- P# o0 y7 L: @  N& i* W, Y, [0 a7 L; M, D
    xor     di,di
, F  B$ l: M" L5 q2 {    mov     es,di
, b! t9 q  n7 }* Z/ E7 w1 _0 X    mov     ax, 1684h       - C9 Q. j  K  S6 d7 W( U
    mov     bx, 7a5Fh       ; VxD ID of SIWVID9 Y9 j4 }) h( N+ [. s4 j
    int     2fh% ]$ m/ m# F; b; w4 b9 g& ^: }
    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ w( k" _& I. o! w9 G! Q
    add     ax, di- O3 ~( `1 g8 @' t; n
    test    ax,ax
- p, J6 \3 J3 |9 T) ~5 F, U    jnz     SoftICE_Detected, u! ^+ X& b! s. H6 K% j; _
4 L9 |: v' V6 G$ k' n
__________________________________________________________________________
( P8 Y2 F; y8 ^, n& Q
6 W1 U0 ^) C+ @
2 |) }5 K) W& s" ZMethod 056 k- @0 X7 u6 N1 t5 _& z
=========' y! a9 w7 ]  F: z) E  P

; Z- H% R3 M; x9 D6 w' @9 u- G& x* z& uMethod seeking the 'magic number' 0F386h returned (in ax) by all system
1 X- S0 r6 L+ o; M: d4 m$ Gdebugger. It calls the int 41h, function 4Fh.
) f# [* p, y2 G0 d( l. xThere are several alternatives.  1 w: }8 z* g" e+ \3 V- y+ l

$ R( f6 c4 V* w0 V$ ~% vThe following one is the simplest:
1 F5 ^5 K/ p9 Q& Y+ M8 l$ A* o
3 P; q$ \1 ~5 f    mov     ax,4fh3 C5 E0 x  `* v# |, O$ v+ d
    int     41h0 p* S( b1 ~5 ^4 c% _
    cmp     ax, 0F386" b; n6 o) p1 A
    jz      SoftICE_detected" G! ^' q* t/ l3 B8 h

. {, q. `# J* `1 g! s( G  T8 A- I" O. B. G1 ~: H$ P9 S
Next method as well as the following one are 2 examples from Stone's
- d- r" k1 H1 ?% \7 W"stn-wid.zip" (www.cracking.net):3 g( b1 v5 {* c( }
* H+ _7 w4 i, G6 C* X+ n, S
    mov     bx, cs
% c  r" A( P4 t! O; a    lea     dx, int41handler2( f, _: c, N3 E5 Q; f
    xchg    dx, es:[41h*4]
1 B8 S& g  \* R9 m+ Q! T    xchg    bx, es:[41h*4+2]
1 e( j- n( @' b% j6 t    mov     ax,4fh
8 U7 q6 R# t6 R) b    int     41h
, |+ a6 R9 @6 V8 }    xchg    dx, es:[41h*4]0 I# j3 K' w3 \9 h  s# u# B6 s
    xchg    bx, es:[41h*4+2]
# l* N4 S. a5 W# b2 j! `$ J    cmp     ax, 0f386h' ]! s6 ~# x0 V( {
    jz      SoftICE_detected
' w5 e8 i6 T$ ?! B
8 H$ C0 {2 X) o) b) F; v2 {6 H% vint41handler2 PROC. ~  S5 _1 u3 U2 w
    iret$ y% ^, t; C% g! z
int41handler2 ENDP! y, O$ V; h/ a6 I$ W4 k& G; {
. X. K* _; d! ?
+ h/ C+ e6 T. j- X5 ^3 H
_________________________________________________________________________, o$ a6 m$ I- \1 M# Y" H1 e+ k3 r

  W$ k3 c+ k0 P# G% f. k% E5 @( _+ e( a# A7 S" i2 ^+ j4 ^
Method 06
0 j7 p& q. n4 e=========' ^2 _  E+ r' ^- ~

" w. Y6 P) F8 r1 e7 p9 z( Q$ j, d9 U
2nd method similar to the preceding one but more difficult to detect:
3 l( _" D, E9 l! [& N$ Y1 q! ]" K
* ~# v5 n$ s& Q( ]# s  C/ N0 N: `% Z: e
int41handler PROC
) ^7 k9 Z( s/ A/ g' Q6 L" p    mov     cl,al
7 v% Z/ ?3 e. O- D, v. t    iret
$ j. ]/ p0 o6 b' P# S& m0 Pint41handler ENDP
- j0 C- T) Z2 T! S8 I/ k# Q! V5 f4 f; n2 x' Y, O1 a
) O& ^3 d4 E# d
    xor     ax,ax
7 r" I) m, {! }- U% a( B    mov     es,ax+ t; {; ~# L# u! l/ k
    mov     bx, cs) d1 B7 F4 [" a
    lea     dx, int41handler- F. s  f' ^; v4 G+ n/ E
    xchg    dx, es:[41h*4]
  }- q! c8 R4 O1 m8 U    xchg    bx, es:[41h*4+2]" {3 ~2 _* j; m7 C' l$ P3 s
    in      al, 40h: e5 X7 ^0 V& z7 B# |3 p
    xor     cx,cx
$ f4 Q) a- v8 ?5 L    int     41h
4 ~7 w& Q: e2 F* b    xchg    dx, es:[41h*4]
. O# x" C5 }) Q, }    xchg    bx, es:[41h*4+2]
3 |4 T2 g& \# t5 s" h4 E    cmp     cl,al7 L9 J2 o) ~9 y, [& j
    jnz     SoftICE_detected
4 \3 g; p# Z; o  `# s6 u- X+ F/ i: U* l3 W' u6 m/ _
_________________________________________________________________________% C) w; Z8 c) y- \, {+ G8 [
* @1 m9 Q7 }" [+ j& {+ k5 l% C
Method 07
' [. P0 ?* n. H% O7 f9 y9 p! E=========2 _: w! f/ ~3 {( Y0 D6 m
3 t, Y$ \% ~8 P! z
Method of detection of the WinICE handler in the int68h (V86)) ]' K9 b, {1 {# b9 g! y$ G( H
* P- `6 V% A5 j8 M& K& {
    mov     ah,43h
: Z1 c0 a" _- ^5 @1 ^( b: m6 L    int     68h9 }" X3 Y7 ?* B/ I" o$ `& B
    cmp     ax,0F386h
6 y- }/ G" J6 W! _- C1 q' Y2 Y    jz      SoftICE_Detected, a+ ]; O, X/ c/ B" X3 I
& G; Q& o5 I0 s  t0 N' I

2 ?( w' E3 ]1 o0 U* T$ J& b=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit- U. z: F5 }! U9 o' B
   app like this:2 |* C  l0 y. D( Y& A. w9 o
$ Q& B/ M) M" U8 k
   BPX exec_int if ax==68, a" f- x2 O) I* X
   (function called is located at byte ptr [ebp+1Dh] and client eip is
& b( x* h0 m; ^* n. n) }   located at [ebp+48h] for 32Bit apps)
  m% `6 n* H8 n( f; {' d7 W__________________________________________________________________________# b& _2 G5 ~# T- c
0 ~2 ]; f" _0 u/ l! ^

" |' @0 G  y  K1 \Method 08! m8 V) `- q9 [; \9 G: C; \: |
=========
2 @/ d+ D( \" J( V7 C+ N+ y0 J+ M: F' _) Q
It is not a method of detection of SoftICE but a possibility to crash the
, [$ z, W' @9 @system by intercepting int 01h and int 03h and redirecting them to another
' g* f% @  F2 Q+ {) j4 ^routine.1 J0 C1 g+ l% \# i& p9 \
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
6 l9 n/ ~4 F) {! s, q7 Nto the new routine to execute (hangs computer...)
0 ~4 k2 Q* r# V& l
" x0 c- ]6 C/ ]9 ^    mov     ah, 25h
) p- \" Z- ]& ~+ H4 u. W! ^+ f    mov     al, Int_Number (01h or 03h)' f; e. L7 [8 U$ W, u9 O/ [( }
    mov     dx, offset New_Int_Routine( Y  i! X: F( A8 b9 \
    int     21h
9 D8 k: I3 J! H5 I4 c
8 `$ y, {" Q, l6 ]__________________________________________________________________________
7 w* B) ?- R2 H' e
# o3 g3 ]8 Q0 E/ ?! \' Z: z  LMethod 09
2 R4 I6 R) p' g=========/ V9 `/ P; T- f6 s0 z: N7 e& w. b
9 N. M# j4 v0 T$ G6 {5 w3 u
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only3 D; F6 Y+ T/ b3 m' D
performed in ring0 (VxD or a ring3 app using the VxdCall).
  {% ~9 c* o" ~0 o7 K. y( ^5 PThe Get_DDB service is used to determine whether or not a VxD is installed
. D3 l: j8 w; Y6 H# H( l, X9 b. wfor the specified device and returns a Device Description Block (in ecx) for
$ j7 A1 I' b. h+ o4 `. tthat device if it is installed.  i6 l% g" t0 w) W( P( n
  z& S' N! t1 ]& U. ^5 A  D4 B( _
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID) Y8 S& Z5 e6 u7 f
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
: e! w3 j, A2 u5 t6 z   VMMCall Get_DDB
5 h1 _# O, w4 M7 k; O/ {   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed" @" j1 E- x3 I! C; J9 @& b; P1 l
5 o3 Q6 y& r' Q5 R8 g, Z7 ]
Note as well that you can easily detect this method with SoftICE:
& {( v" @& e* h4 I5 B   bpx Get_DDB if ax==0202 || ax==7a5fh
+ `- ^, ^2 }- f! H" W  |+ C" ~& Q! c$ W+ t
__________________________________________________________________________
- h  l7 f. T" f1 y% W$ V4 U
4 L7 h' @/ M4 pMethod 10
8 X7 B1 C3 H2 U: I1 l7 k  _& K=========: s: c6 _, G4 h% E+ `  c. `

- m, F5 A: B9 n1 P/ s" Y4 v=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with) g9 X/ S" Y3 K' B
  SoftICE while the option is enable!!
5 c+ j9 |: M$ l
, D. z5 _( ^& k$ C1 oThis trick is very efficient:) s( J/ @! x5 n- K; j6 S
by checking the Debug Registers, you can detect if SoftICE is loaded
; @2 R9 d) h; H, L- [(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# r/ _9 L) D0 s3 H: P0 W; Xthere are some memory breakpoints set (dr0 to dr3) simply by reading their! w% ^7 {2 P9 L3 ~4 [. n- c
value (in ring0 only). Values can be manipulated and or changed as well/ x7 l7 l6 ^' F& i/ u2 r) g
(clearing BPMs for instance)
: E/ A9 `" Z* `" X/ w& r8 U0 G( Y- N: C
__________________________________________________________________________
/ m+ d; I# O, T8 ?$ i7 L! \! e$ y& T0 @7 H% M- J! W* f
Method 11
5 Q3 P4 q$ P( P=========
& u) B8 b: R: e( |0 K; [$ N
3 L9 l" R% B% Y  X2 C% Z: IThis method is most known as 'MeltICE' because it has been freely distributed
% t- m1 p( A& y. N* L  m$ s. Y6 pvia www.winfiles.com. However it was first used by NuMega people to allow
+ L* ^2 R1 H6 V& G( zSymbol Loader to check if SoftICE was active or not (the code is located
& ^& ?5 y+ i. Y" d9 P! z4 y$ M" \inside nmtrans.dll).
1 A: W1 v2 Z* W# R* y- }6 k; [- i/ L) ?+ O% N' t
The way it works is very simple:
2 \9 p6 o' l# n9 A$ xIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
( g/ q' H6 B0 h5 k0 w2 B6 L' q  @' I: GWinNT) with the CreateFileA API.
+ q) a' q+ J- L. v% P
- y' u) k6 m/ P* H0 g. M6 r0 N; Y+ LHere is a sample (checking for 'SICE'):1 V! h8 B0 [& b: X

" L) J% z8 \, I/ }+ i. S  cBOOL IsSoftIce95Loaded()) _% I8 n9 ?, t- |, I
{: G- B) B* [5 }0 o- f& w
   HANDLE hFile;  " f! T% s' W6 Y5 Q$ u
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 h2 _" J5 i1 ~, g; B* S, D
                      FILE_SHARE_READ | FILE_SHARE_WRITE,; l  N$ J2 Q- O7 u3 A8 v. S
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);. V7 a# _& g2 Q5 K8 l
   if( hFile != INVALID_HANDLE_VALUE )
% h- d- }! X! }$ W' _% M   {! g( B6 }% P3 C, {% r3 g6 c
      CloseHandle(hFile);7 Y0 z+ b% l9 X& I5 u
      return TRUE;
. _! u( w+ B$ s& J: e) Z# W   }
1 h, [- ~' c" o+ I; ]  }8 U, M   return FALSE;4 K; _5 |) c2 v7 D( o( I
}7 L- B; P+ ^6 t( T5 \7 `
9 f) K0 S8 A$ m6 v" O7 p: P3 G
Although this trick calls the CreateFileA function, don't even expect to be" t$ u5 L( e( _" l/ U
able to intercept it by installing a IFS hook: it will not work, no way!+ q" Y* v; H) e0 d" G4 y3 a
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 I9 f& e  q/ F, o
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 H! m! x# u$ [/ A# H
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! Y& v! e7 v' y0 i9 Z
field.
3 G8 x( A/ m8 X7 L* pIn fact, its purpose is not to load/unload VxDs but only to send a , A: s0 c( c, m' C8 o7 w
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
2 G: L$ X' w% O9 cto the VxD Control_Dispatch proc (how the hell a shareware soft could try
: T  U: |3 K0 Q+ i  q% p, U. Sto load/unload a non-dynamically loadable driver such as SoftICE ;-).! `) F, ?. F+ e4 l0 Y! ]
If the VxD is loaded, it will always clear eax and the Carry flag to allow3 t, \9 w$ D; [' S) f
its handle to be opened and then, will be detected.
  j0 ?. P' {; EYou can check that simply by hooking Winice.exe control proc entry point
4 m/ u2 m) B7 _* s. x1 n7 K% dwhile running MeltICE.
5 D: t8 [$ Q4 u9 L- i; l
7 @- N* j+ B/ |  M: L- }9 h! K/ L3 a4 Z; s0 ]* Y
  00401067:  push      00402025    ; \\.\SICE
* n" n: M! d8 H7 W  0040106C:  call      CreateFileA
9 t$ d- w, j5 J9 D% O  00401071:  cmp       eax,-001
- ~0 Q! x9 K* B7 S- g  00401074:  je        004010911 t! B- q6 g3 y4 w9 A2 i, i4 A

9 {$ s2 J% o- F
+ u$ q9 Y% U7 _* C0 D' A4 MThere could be hundreds of BPX you could use to detect this trick.: l2 g6 f; ~' z" I- {
-The most classical one is:
5 B! F, }4 r9 p. J- b% P7 Y  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
& d! j$ H! a! X    *(esp-&gt;4+4)=='NTIC'
- S/ j* S  h; E+ c4 G
7 o# w7 \* J3 a+ _% a! f* j# E7 Q' h. N-The most exotic ones (could be very slooooow :-(
/ `. h8 N% X5 J   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
; ^% n! i& u5 P4 B0 k3 p/ U* f     ;will break 3 times :-(' o* f. Z7 C+ I  D, A/ V

" n1 _& b4 q, V( c-or (a bit) faster: & Y' _- Q4 Q2 s- k
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
( C) c& O0 P) A7 g, {% C
3 N, `* y% V0 U   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ) z! |' C: O: X& N
     ;will break 3 times :-(! e5 T: f0 G$ P* U8 p1 V

: w5 u0 A/ [: P# {# S/ b-Much faster:( g( x* m1 s/ V% V/ n
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
1 Y, s8 S( K0 M7 R" ~& o
. x  u: y7 }# ?% TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
  U2 A. C7 [2 }' i& @* U3 jfunction to do the same job:6 D7 r# \; N- b. i# a

; F0 Q7 E/ r4 ~( ^   push    00                        ; OF_READ% B8 f1 ^/ D, L" a) r! d
   mov     eax,[00656634]            ; '\\.\SICE',0
+ i9 \, m4 b8 {0 V: I. ?' J9 V# K   push    eax, H2 w: b  `- e5 `
   call    KERNEL32!_lopen
% O* _* ?3 H& r8 F2 N9 \( P+ O) j   inc     eax
& l7 W4 H( ]' D* T6 D% C; M% H9 x+ k   jnz     00650589                  ; detected
: y# Z  S' B0 `   push    00                        ; OF_READ9 W! \% y- Z7 p- U( H* N% o& C
   mov     eax,[00656638]            ; '\\.\SICE'
& ?( Y( v1 l0 \   push    eax2 a1 m3 V! \+ p) x* b5 Q* l
   call    KERNEL32!_lopen
5 _' w5 L  R) X+ G% N, X" @* f   inc     eax3 }9 [3 ?, v/ E) L1 u+ f4 Y
   jz      006505ae                  ; not detected
2 ~* v6 }) n$ H: U+ t
. P% m  {/ g9 X* z; b: L7 q2 I
& J2 l; s& O" R$ M6 t: K__________________________________________________________________________* C  B( [/ d8 v6 k: l
" a% F/ _& _2 P3 h; r
Method 12
9 Z' ~' i& [6 B* B, C=========" I+ T" ]8 {. ?  E1 V* l8 C
1 b( x- N5 {; ^5 ~- x
This trick is similar to int41h/4fh Debugger installation check (code 05
$ k& [+ S4 P& C6 I&amp; 06) but very limited because it's only available for Win95/98 (not NT)
3 ^6 b: r" c; h% {5 j9 Tas it uses the VxDCall backdoor. This detection was found in Bleem Demo.1 Z2 c5 q: F2 @( b  c8 j4 h& P
% T5 H& c$ M, E& o, c( [  j
   push  0000004fh         ; function 4fh
# v* Q  m. ^- ~+ u# o2 S, s   push  002a002ah         ; high word specifies which VxD (VWIN32); n2 v+ c7 z& b. u4 M8 G& z
                           ; low word specifies which service
* r: X9 E5 T: x4 r0 v7 y                             (VWIN32_Int41Dispatch)9 A' M$ `6 m- i0 K
   call  Kernel32!ORD_001  ; VxdCall
8 P) W7 S) s* o' @8 W   cmp   ax, 0f386h        ; magic number returned by system debuggers: N) x* v2 s, o: y: O$ w
   jz    SoftICE_detected
# q) l# O, H. `7 H+ n
1 i1 t* l0 g9 N" }7 _" oHere again, several ways to detect it:
. O% T2 h/ x' s  m: d) [' Z
- D* V- {# ^" R" L4 {% F1 Y. V  [    BPINT 41 if ax==4f
8 G- V! s- O- O' y8 H  W* z" }2 w5 a9 U* f' J6 E6 I
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
" `5 r- o/ ~$ E4 n# p2 O
, V1 C2 l* @; K6 g) @    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
( d4 S8 y  X, T- J4 ]' _/ c/ Q3 v: G0 t5 H* S! H* ?) s
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
& J' s% W: m- f7 s) l, R" {1 g9 `! b: [* _7 L, P) K7 i
__________________________________________________________________________9 E  v/ U& S- C' ~

7 r  M4 s* \# X4 v" L, UMethod 13& J* ^1 K' q% w; v& f! }
=========3 ~& \8 P! O: s. A* _

4 W8 |) {- Z! A: B( H# e& tNot a real method of detection, but a good way to know if SoftICE is
! G2 s6 @3 a! {  o" oinstalled on a computer and to locate its installation directory.: h* e) ?4 F2 Y3 B1 r) @* U& U
It is used by few softs which access the following registry keys (usually #2) :
* r8 _6 Y  h! H
4 A9 D1 V% D' h. n  H4 W-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# h# j5 w$ ?8 C) J! G8 m\Uninstall\SoftICE
: H1 F3 X  q' M7 c-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 r- }# Y5 j- H, k9 w! Q( ?! @-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ A5 i- q5 ?0 L0 [% R3 d( s
\App Paths\Loader32.Exe, D( c* l2 j9 q

5 f# }6 g1 E2 Q/ g" v) F5 a& V% u
Note that some nasty apps could then erase all files from SoftICE directory
1 {4 d9 @  Q- A/ ]. H7 a3 k3 u(I faced that once :-(
- ^$ i  R: Z7 x6 ]* m& v& _" |' X7 P" Z) b
Useful breakpoint to detect it:3 k5 D: v8 s' ?; t7 ~# ^: N' N/ E
0 q3 g+ ?" _- \3 V6 r$ ~5 v
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'$ c/ ^4 H* ?4 }+ U) X4 I

1 a' z: L; \; U. `/ l__________________________________________________________________________( v1 Z6 v. Z! j) i0 p

7 H" u7 V: ?& v: A) s$ T7 O6 E3 R+ H- c9 ~  b$ x
Method 14 ' r; N: k5 b6 B" Q. h
=========
6 P0 d: q8 R: G8 l" W3 E( E( o: M+ P6 F: p5 I8 J4 A- x2 {8 B% M
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# `$ ?; L: x3 n$ [
is to determines whether a debugger is running on your system (ring0 only).
$ f. e- t' `* H1 R# z
3 p2 N/ I, i8 P  o   VMMCall Test_Debug_Installed
) Q% y, j9 H: w. z   je      not_installed9 k; p2 B  \& `- x+ d# t6 m! z

6 E! ?# L: ]+ G& o; x  d0 g8 Z( AThis service just checks a flag./ b3 M+ q* i; u7 x- Y9 [7 o6 X+ Z
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 07:08

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表