About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; ES must hold 0 (the IVT segment), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

No 4Fh/0F386h magic is involved here: the program installs its own int 41h
handler in the IVT, reads a byte from the timer (port 40h) into al and calls
int 41h. If nothing intercepts the interrupt, the handler runs and cl becomes
a copy of al; if SoftICE hooks int 41h itself, the handler never runs, cl
stays 0 and the compare fails.

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...).

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
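To make the DR7 numbers quoted above concrete, here is an added example (Python, not code from the original document): a decoder for the x86 debug-control register using the DR7 bit layout documented in the Intel SDM. It shows that 0x700 is the always-set bit 10 plus the LE and GE "exact breakpoint" bits and nothing else, that 0x400 is bit 10 alone, and how an armed memory breakpoint in DR0..DR3 would look. The register values used below are constructed for illustration; the `encode_bpm` helper and its default local/read-write choice are assumptions for the demo, not a description of how SoftICE programs the registers.

```python
"""Decode the x86 debug-control register DR7 (Method 10).

Added example, not from the original text. DR7 layout (Intel SDM vol. 3):
bits 0-7 L0,G0..L3,G3 (enables), bit 8 LE, bit 9 GE, bit 10 reserved (reads 1),
bit 13 GD, bits 16-31 four (R/Wn, LENn) 2-bit pairs for DR0..DR3.
All register values below are constructed for illustration.
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}  # LEN encoding 2 (8 bytes) exists in 64-bit mode only


def decode_dr7(dr7):
    """Split DR7 into its control bits and the per-breakpoint fields."""
    info = {
        "local_exact": bool(dr7 & (1 << 8)),      # LE
        "global_exact": bool(dr7 & (1 << 9)),     # GE
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1
        "general_detect": bool(dr7 & (1 << 13)),  # GD: trap on MOV to any DRn
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))      # Ln
        glob = bool(dr7 & (1 << (2 * n + 1)))   # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3          # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3          # LENn
        info["breakpoints"].append({
            "index": n,
            "scope": "local+global" if local and glob else ("local" if local else "global"),
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return info


def looks_like_softice_loader(dr7):
    """The text's heuristic: LE and GE both set (0x700 = 0x400 | LE | GE)."""
    return (dr7 & 0x300) == 0x300


def armed_bpms(dr7, dr0_3):
    """Join DR7's enable/type fields with the addresses in DR0..DR3: the list
    of memory breakpoints a ring-0 reader could see (or clear)."""
    result = []
    for bp in decode_dr7(dr7)["breakpoints"]:
        entry = dict(bp)
        entry["address"] = dr0_3[bp["index"]]
        result.append(entry)
    return result


def encode_bpm(index, dr7=0x400, access="read/write", length=1, global_scope=False):
    """Inverse helper (assumption for the demo): arm one breakpoint slot in DR7."""
    rw = {v: k for k, v in RW_NAMES.items()}[access]
    ln = {v: k for k, v in LEN_NAMES.items()}[length]
    dr7 |= 1 << (2 * index + (1 if global_scope else 0))
    dr7 &= ~(0xF << (16 + 4 * index)) & 0xFFFFFFFF   # clear old R/W and LEN
    dr7 |= (rw | (ln << 2)) << (16 + 4 * index)
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0)):
        print(hex(value), decode_dr7(value))
    print(armed_bpms(encode_bpm(0), (0x1234, 0, 0, 0)))
```

Reading the output for 0x700 and 0x400 side by side shows why the text can use DR7 as a "loaded under the SoftICE loader" hint without any breakpoint being set, and `armed_bpms` is the view a ring-0 check gets of BPMs.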
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the Win9x SoftICE driver 'SICE' can be opened as a
   device: opening \\.\SICE only succeeds if the VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
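The breakpoints listed under each method catch these tricks at run time. For an analyst who only has the file, the same knowledge can be turned into static indicators. The following is an added example (Python), not code from the original document or from any program it names: a small scanner in the spirit of a YARA rule set that covers the interrupt-based checks of Methods 01 through 07 and 12 (masked opcode patterns) and the device-name and registry-key strings of Methods 11 and 13. The opcode bytes are the standard Intel encodings of the instructions shown in the text (16-bit unless noted); only narrow ASCII strings are checked, so a program using CreateFileW would need a UTF-16 variant. The sample buffer at the bottom is constructed here to exercise the scanner and is not taken from any real binary.

```python
"""Static scan for the anti-SoftICE indicators of Methods 01-07, 11, 12 and 13.

Added example, not from the original text. '??' in a pattern is a wildcard
byte. SAMPLE is a constructed buffer, not data from a real program.
"""
import re

VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def vxd_detail(buf, off):
    """Name the VxD queried by a 'mov bx,ID ; int 2Fh' sequence (Methods 03/04)."""
    vid = buf[off + 4] | (buf[off + 5] << 8)
    return " -> VxD ID %04Xh (%s)" % (vid, VXD_IDS.get(vid, "not a SoftICE ID"))


# (method, description, hex pattern, optional detail function)
SIGNATURES = [
    # mov ebp,4243484Bh ('BCHK'); a 66h prefix precedes it in 16-bit code
    ("01", "BoundsChecker 'BCHK' int 3 interface", "BD 4B 48 43 42", None),
    # mov si,4647h ; mov di,4A4Dh  (SoftICE back-door magic values)
    ("02", "int 3 back door magic SI/DI", "BE 47 46 BF 4D 4A", None),
    # mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("03/04", "int 2Fh/1684h VxD entry point query", "B8 84 16 BB ?? ?? CD 2F", vxd_detail),
    # mov ax,4Fh ; int 41h  (a 66h prefix precedes it in 32-bit code)
    ("05/06", "int 41h/4Fh debugger installation check", "B8 4F 00 CD 41", None),
    # mov ah,43h ; int 68h
    ("07", "int 68h/43h WinICE handler check", "B4 43 CD 68", None),
    # 32-bit: push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch via VxDCall)
    ("12", "VxDCall VWIN32_Int41Dispatch/4Fh", "6A 4F 68 2A 00 2A 00", None),
    # cmp ax,0F386h: the magic reply of system debuggers (supporting indicator)
    ("*", "cmp ax,0F386h magic number", "3D 86 F3", None),
]

# ASCII strings only; CreateFileW / RegOpenKeyW (UTF-16) are not covered here.
STRING_INDICATORS = [
    ("11", "MeltICE device name", rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    ("13", "SoftICE registry key",
     rb"Software\\(NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
]


def parse_pattern(text):
    """'B8 ?? 09' -> [0xB8, None, 0x09]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(buf, pat):
    """Offsets at which the masked pattern matches (naive scan, fine for a demo)."""
    return [off for off in range(len(buf) - len(pat) + 1)
            if all(b is None or buf[off + i] == b for i, b in enumerate(pat))]


def scan(buf):
    """Return sorted (offset, method, description) for every indicator in buf."""
    findings = []
    for method, desc, hexpat, detail in SIGNATURES:
        for off in find_pattern(buf, parse_pattern(hexpat)):
            findings.append((off, method, desc + (detail(buf, off) if detail else "")))
    for method, desc, rx in STRING_INDICATORS:
        for m in re.finditer(rx, buf, re.IGNORECASE):
            findings.append((m.start(), method, desc + ": " + m.group(0).decode("latin-1")))
    return sorted(findings)


def methods_found(buf):
    """Just the set of method labels hit, for a quick verdict."""
    return sorted({method for _, method, _ in scan(buf)})


# Constructed sample: each check from the text back to back, then the strings.
SAMPLE = (
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"         # 02: mov ax,911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"         # 03: xor di,di; mov es,di; mov ax,1684h; mov bx,202h; int 2Fh
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                         # 04: same with bx=7A5Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                 # 05: mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                             # 07: mov ah,43h; int 68h; cmp ax,0F386h
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"     # 12: push 4Fh; push 2A002Ah; call [VxDCall]
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                          # 11: device names
    + b"Software\\NuMega\\SoftICE\x00"                             # 13: registry key
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print("%04X  method %-5s %s" % (off, method, desc))
    print("methods:", methods_found(SAMPLE))
```

The `cmp ax,0F386h` entry is deliberately kept separate and labelled `*`: three bytes on their own are a weak signal, and it is the pairing with a nearby `int 41h`, `int 68h` or VxDCall hit that makes it meaningful, which is how the offsets in the output read.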
Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>