About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE. If SoftICE is loaded,
its int 3 handler recognises the BoundsChecker signature in EBP and returns
with AL changed; otherwise AL is still 4 and the check passes.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
  E; v0 n7 H, A# W( o5 \% a5 I, S
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
. }7 P7 v: t- j, ?+ x" ~" Y
4 u. y( B* a- m1 u8 D( H  Z- ?, I
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
. J+ L. v# L1 k& g% d
0 Z7 Z+ U& o  a; `* C) i
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h vector (ES=0, IVT)
    xchg    bx, es:[41h*4+2]        ; and keep the old one in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

  e9 Z' x% ?; i. w- @2 u+ }
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The handler copies AL into CL only if the program's own int 41h vector is
actually reached; AL holds a byte read from the timer port and CX was zeroed,
so if a debugger intercepts int 41h and does not pass it on, CL stays 0 while
AL generally does not, and the comparison fails.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

& v' |" n8 A6 b5 U; V5 X7 ~1 f& j  Q3 L7 F: g5 G
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
4 k5 A1 x, L) X- a% C! [- e
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE if the SICE device can be opened, i.e. the SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
$ q" a# \6 @9 h1 b7 ]9 l) {8 L& t" c( I& k7 [9 X
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
3 ?7 G+ C4 ~9 H& k8 T+ C$ T3 [
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
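The breakpoints listed under each method catch these tricks while a program runs. When you have only a binary on disk, the same tricks can be found statically, because each one leaves a fixed instruction sequence or string behind. Below is an added example, not code from the original text: a Python byte-signature scanner for the sequences quoted in Methods 01-07 and 12 and the device/registry strings of Methods 11 and 13. The opcode encodings are hand-assembled from the listings (16-bit real-mode encoding for the DOS tricks, 32-bit for the Win32 ones), the wildcard gaps between marker instructions are my own allowance for register shuffling, and the SAMPLE buffer is constructed for the demonstration rather than taken from any real program.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str     # which of the tricks above the pattern corresponds to
    pattern: bytes  # regex over raw bytes; '.' = any one byte (DOTALL)


# Opcode patterns hand-assembled from the listings above.  16-bit encodings for
# the DOS/real-mode tricks, 32-bit for the Win32 ones; short wildcard gaps
# (an assumption) allow for register shuffling between the marker instructions.
OPCODE_SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    Signature("01 BoundsChecker int 3 ('BCHK')",
              rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,4}?\x3C\x04"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3   (back-door magic values)
    Signature("02 int 3 back door (SI=4647h, DI=4A4Dh)",
              rb"\xBE\x47\x46\xBF\x4D\x4A.{0,4}?\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    Signature("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
              rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h ; (vector restore) ; cmp ax,0F386h
    Signature("05 int 41h/4Fh, magic 0F386h",
              rb"\xB8\x4F\x00\xCD\x41.{0,12}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    Signature("07 int 68h/43h, magic 0F386h",
              rb"\xB4\x43\xCD\x68.{0,4}?\x3D\x86\xF3"),
    # Method 12: push 4Fh ; push 002A002Ah ; call VxDCall
    Signature("12 VxDCall VWIN32_Int41Dispatch(4Fh)",
              rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]

# Methods 11 and 13 are recognisable by fixed strings rather than opcodes.
# Both ASCII and UTF-16LE forms are checked (CreateFileA vs. CreateFileW builds).
STRING_SIGNATURES = [
    ("11 MeltICE device name", b"\\\\.\\SICE"),
    ("11 MeltICE device name", b"\\\\.\\SIWVID"),
    ("11 MeltICE device name", b"\\\\.\\NTICE"),
    ("13 registry probe", b"Software\\NuMega\\SoftICE"),
    ("13 registry probe", b"Uninstall\\SoftICE"),
    ("13 registry probe", b"App Paths\\Loader32.Exe"),
]


def scan(blob):
    """Return sorted (offset, description) pairs for every signature hit in blob."""
    hits = []
    for sig in OPCODE_SIGNATURES:
        for m in re.finditer(sig.pattern, blob, re.DOTALL):
            hits.append((m.start(), sig.method))
    for method, text in STRING_SIGNATURES:
        for needle in (text, text.decode("ascii").encode("utf-16-le")):
            for m in re.finditer(re.escape(needle), blob, re.IGNORECASE):
                hits.append((m.start(), f"{method}: {text.decode('ascii')}"))
    return sorted(hits)


# Constructed test buffer: the Haspinst-style back-door loop, the simplest
# int 41h/4Fh check, a MeltICE device name and the VxDCall variant, padded
# with NOPs and zero bytes.  It is not taken from any real program.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46"                  # mov si,4647h
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x83\xC3\x02"                  # add bx,2
    + b"\x00" * 3
    + b"\xB8\x4F\x00"                  # mov ax,4Fh
    + b"\xCD\x41"                      # int 41h
    + b"\x3D\x86\xF3"                  # cmp ax,0F386h
    + b"\x74\x05"                      # jz +5
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0
    + b"\x00" * 2
    + b"\x6A\x4F"                      # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"          # push 002A002Ah
    + b"\xE8\x00\x00\x00\x00"          # call rel32 (placeholder target)
)

if __name__ == "__main__":
    for offset, what in scan(SAMPLE):
        print(f"{offset:#06x}  {what}")
```

Run it on a whole file with `scan(open(path, "rb").read())`. The opcode patterns are deliberately tight (exact immediates, short gaps), so a packer that builds the magic values at run time, or splits them across registers, will slip past them; the string patterns are the more robust half, which is also why the MeltICE and registry tricks are the easiest to spot in practice.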

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>