About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
0 [( {" B$ y( Y: b/ N$ p1 T</PRE></TD></TR></TBODY></TABLE>
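Every trick above leaves a fixed constant in the binary: the 'BCHK' immediate (method 01), the 4647h/4A4Dh magic values (02), the 1684h/0202h/7A5Fh VxD IDs (03/04), the 4Fh/41h and 43h/68h interrupt calls (05-07), the 002A002Ah VxDCall code (12), the `\\.\SICE`-style device names (11) and the NuMega registry key (13). The Python scanner below is an added example, not part of the original post; it flags those byte patterns in a file the way an analyst triaging a packed sample would, and reports the offset so each hit can be confirmed in a disassembler. The opcode encodings are standard x86; the signature names, the byte windows allowed between instructions and the sample bytes are my own constructed choices.

```python
import re
import sys
from typing import Dict, List, Tuple

# Byte signatures for the anti-SoftICE tricks described above.  Opcodes are the
# standard x86 encodings (mov r16,imm16 = B8+reg, mov ebp,imm32 = BD, int n = CD n,
# int 3 = CC, push imm = 68/6A); the immediates are the constants the text quotes.
# An optional 0x66 prefix lets one pattern hit both 16- and 32-bit code, and the
# lazy ".{0,n}?" windows tolerate a few unrelated instructions in between.
# Window sizes and signature names are constructed choices, not SoftICE terms.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3": rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (the back-door magic values)
    "backdoor_magic": rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    "int2f_1684_vxd_id": rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Methods 05/06: mov ax,4Fh / int 41h
    "int41_4f": rb"\xB8\x4F\x00.{0,16}?\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "int68_43": rb"\xB4\x43.{0,8}?\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "vxdcall_int41dispatch": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00",
}

# Method 11 (MeltICE) and Method 13 are recognised by the strings they need.
DEVICE_NAMES = (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE")
REGISTRY_KEYS = (rb"Software\NuMega\SoftICE", rb"Uninstall\SoftICE",
                 rb"App Paths\Loader32.Exe")


def _compile_patterns() -> dict:
    pats = {name: re.compile(sig, re.DOTALL) for name, sig in SIGNATURES.items()}
    pats["meltice_device_name"] = re.compile(b"|".join(re.escape(s) for s in DEVICE_NAMES))
    pats["softice_registry_key"] = re.compile(b"|".join(re.escape(s) for s in REGISTRY_KEYS))
    return pats


PATTERNS = _compile_patterns()


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, file offset) for every hit, ordered by offset."""
    hits = [(name, m.start()) for name, pat in PATTERNS.items() for m in pat.finditer(data)]
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def scan_file(path: str) -> List[Tuple[str, int]]:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample bytes (not a real program): a few of the sequences above,
# padded with NOPs, followed by the MeltICE device name and the registry key.
SAMPLE_WITH_TRICKS = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh   ('BCHK')
    + b"\xB8\x04\x00"                      # mov ax, 4
    + b"\xCC"                              # int 3
    + b"\x3C\x04"                          # cmp al, 4
    + b"\x90" * 2
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" + rb"\\.\SICE" + b"\x00"
    + b"\x00" + rb"Software\NuMega\SoftICE" + b"\x00"
)
# An ordinary prologue/epilogue containing none of the constants: no hits expected.
SAMPLE_CLEAN = b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\xC9\xC3"


if __name__ == "__main__":
    # Usage: python scan_antisice.py <file>; without an argument the constructed sample is scanned.
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_WITH_TRICKS)
    for name, offset in found:
        print(f"{offset:08x}  {name}")
```

The signatures are deliberately loose (a short immediate plus a nearby interrupt), so a hit is a lead to confirm in the disassembler rather than proof of a trick; the device-name and registry-key strings are the most reliable of the set, since a program has no other reason to carry `\\.\SICE` or `Software\NuMega\SoftICE`.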