About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command is located at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD on Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
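As an added example that is not part of the original post, the following Python scanner turns several of the tricks above (methods 01, 02, 03/04, 05, 07, 11 and 12) into byte signatures and runs them over a buffer, the way an analyst would triage a packed sample for anti-debugger checks before loading it in a debugger; the instruction encodings are derived from the listings above, and the SAMPLE buffer is constructed for the demo rather than taken from any real file.

```python
import re

# Byte signatures for the SoftICE checks described above. Encodings assume
# the operand size each method is written for: 16-bit DOS code for methods
# 02/03/04/05/07, 32-bit Win32 code for methods 01/11/12. The bounded
# ".{0,n}?" gaps tolerate a few unrelated instructions between the key ones.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ... mov ax,4 ... int 3
    ("m01_bchk_int3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?\x66\xb8\x04\x00.{0,8}?\xcc", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic values)
    ("m02_backdoor_magic",
     re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a.{0,16}?\xcc", re.S)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("m03_m04_int2f_1684",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.S)),
    # Method 05: mov ax,4Fh ... int 41h
    ("m05_int41_4f", re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41", re.S)),
    # Method 07: mov ah,43h ... int 68h
    ("m07_int68_43", re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.S)),
    # Method 11: the driver names MeltICE hands to CreateFileA / _lopen
    ("m11_meltice_name", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("m12_vxdcall_int41", re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00")),
]


def scan(buf: bytes) -> list:
    """Return sorted (offset, signature name) pairs for every hit in buf."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of three of the tricks,
# separated by NOP padding, standing in for a code section carved from a
# protected executable. It is not taken from any real file.
SAMPLE = (
    b"\x90" * 4
    # Method 01: mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz $+12h
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"
    + b"\x90" * 4
    # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz $+12h
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x10"
    + b"\x90" * 4
    # Method 11 data: the device name string later pushed to CreateFileA
    + b"\\\\.\\SICE\x00"
    + b"\x90" * 4
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

A hit only says that the instruction bytes are present; confirm in the disassembly that they are reachable code and not a data coincidence before acting on it.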