About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>

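The two breakpoint conditions quoted for Method 11 (BPX CreateFileA on the device name) and Method 13 (BPX _regopenkey on the subkey string), rewritten as portable C predicates of the kind a hooking DLL or API monitor would apply. This is an added example, not code from the original post; the function names and the sample arguments are constructed, and the bounds check is something the raw SoftICE expressions do not need but a hook does.

```c
/* Added example (not from the original text): the Method 11 and Method 13
 * SoftICE conditions as C predicates.
 *   BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 *   BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->4 is the first stack argument (lpFileName) and +4 skips the "\\.\"
 * prefix; esp->8 is the second argument of RegOpenKey (the subkey string). */
#include <stdio.h>
#include <string.h>

/* Compare the four bytes at a fixed offset, refusing to read past the end of
 * the string. SoftICE's condition reads raw memory; a hook must bounds-check
 * or it will fault, or match garbage, on short strings. */
static int tag_at(const char *s, size_t off, const char *tag) {
    size_t n = strlen(s);
    return n >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* Method 11 (MeltICE): does a CreateFileA or _lopen path name a SoftICE
 * driver? Matches \\.\SICE, \\.\SIWVID and \\.\NTICE exactly as the BPX does. */
int names_softice_driver(const char *path) {
    if (strncmp(path, "\\\\.\\", 4) != 0) return 0;   /* not a device path */
    return tag_at(path, 4, "SICE") || tag_at(path, 4, "SIWV") || tag_at(path, 4, "NTIC");
}

/* Method 13: does a RegOpenKey subkey hit key #1 or #2? 0x13 and 0x37 are
 * the offsets of "tICE" in "Software\NuMega\SoftICE" and in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int names_softice_regkey(const char *subkey) {
    return tag_at(subkey, 0x13, "tICE") || tag_at(subkey, 0x37, "tICE");
}

/* Key #3 (App Paths\Loader32.Exe) contains no "tICE", so the quoted BPX
 * misses it; a substring test covers all three keys at the cost of speed. */
int names_softice_regkey_any(const char *subkey) {
    return strstr(subkey, "\\SoftICE") != NULL || strstr(subkey, "\\Loader32.Exe") != NULL;
}

int main(void) {
    /* constructed sample arguments, as a hook would see them on the stack */
    const char *paths[4] = {"\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "C:\\tmp\\SICE.txt"};
    const char *keys[3] = {"Software\\NuMega\\SoftICE",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                           "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"};
    for (int i = 0; i < 4; i++)
        printf("CreateFileA(%-18s) -> %d\n", paths[i], names_softice_driver(paths[i]));
    for (int i = 0; i < 3; i++)
        printf("RegOpenKey(%s) bpx=%d any=%d\n", keys[i],
               names_softice_regkey(keys[i]), names_softice_regkey_any(keys[i]));
    return 0;
}
```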