About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point at the IVT (es = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name only succeeds when the SICE VxD answers. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
, I# a: W" _/ F% w</PRE></TD></TR></TBODY></TABLE>