About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: INT 3 is
issued with EBP holding the signature 'BCHK' and AX = 4. If SoftICE is
loaded it answers the call and AL is changed on return.

    mov     ebp, 04243484Bh        ; 'BCHK' signature
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; handled by SoftICE if it is loaded
    cmp     al,4                   ; AL unchanged -> nobody answered
    jnz     SoftICE_Detected

Without SoftICE the INT 3 simply raises a breakpoint exception, so
packers wrap this sequence in an exception handler and treat the
exception as "no SoftICE".
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI comes back
non-zero.

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; (OR would be the strict zero test)
    test    ax,ax                   ; still 0 -> no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; AX stays 4Fh if nobody answered
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). In a plain DOS box the int 41h vector is
not a code entry point at all (the BIOS uses it to hold the address of the
fixed-disk parameter table), so a do-nothing handler is installed for the
duration of the call and the original vector is restored afterwards. If
nothing intercepts the interrupt it lands on our IRET and AX stays 4Fh;
SoftICE hooks int 41h at the system level and still answers 0F386h.
(ES is assumed to point at segment 0, the interrupt vector table, as
Method 06 sets up explicitly.)

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, save the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect:
no 4Fh function code and no 0F386h constant appear anywhere, so a
conditional breakpoint on either of them will not fire. A value read from
the timer port (40h) is passed in AL with CX = 0; the temporary handler
copies AL to CL, so CL == AL on return means the IVT handler really ran,
while CL == 0 means the int 41h was consumed by something underneath it.

int41handler PROC
    mov     cl,al                   ; only reached if the IVT entry is used
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86). SoftICE answers with
the same 0F386h magic number as int 41h/4Fh.

    mov     ah,43h                  ; AH=43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a detection method but a way to crash the system by intercepting
int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ECX)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only). For reference, bit 10 of DR7 is
reserved and always reads as 1, which is where the 0x400 comes from; 0x700
adds the LE and GE (local/global exact breakpoint) enable bits 8 and 9.
The values can be manipulated or changed as well (clearing BPMs for
instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name exported by the SICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;     /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then
browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so
  the dword compare lands on the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to find out whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of the 't'
of "SoftICE" in key #2 and key #1 respectively, so this breakpoint does not
catch key #3.)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed    ; ZF set when no debugger is present
   je      not_installed

This service just checks a flag.
# i7 c+ K! m- e( @: A- o8 P</PRE></TD></TR></TBODY></TABLE>