About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al is still 4 unless SoftICE's int 3 handler changed it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI is left at 0 if the VxD is not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to hold 0 (the IVT segment) here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; only runs if no debugger intercepted int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; es = 0, the IVT segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; arbitrary value (timer port) in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler was the one called
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).
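Method 10 quotes dr7=0x700 versus 0x400 without saying which bits those are. The decoder below is an added example, not code from the post: it applies the documented x86 DR7 bit layout to the post's two values and to one constructed value with a memory breakpoint armed, showing that 0x700 is the always-set reserved bit 10 plus the LE/GE exact-breakpoint bits 8 and 9, with no BPM in any slot. Reading DR7 itself needs ring 0 (mov eax,dr7); this only interprets a value that has already been read. The names decode_dr7, softice_loader_signature, armed_bpm_slots and DR7_WITH_BPM are the example's own.

```python
# Added example, not from the original post: interpret the DR7 values that
# Method 10 quotes (0x700 with the SoftICE loader, 0x400 without) using the
# documented x86 DR7 bit layout.  Reading DR7 itself needs ring 0; this code
# only decodes a value that has already been read.

RW_TYPES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_TYPES = {0: "1 byte", 1: "2 bytes", 2: "8 bytes (undefined on 32-bit)", 3: "4 bytes"}


def decode_dr7(dr7):
    """Return the control bits and the enabled breakpoint slots encoded in dr7."""
    info = {
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: fault on DRx access
        "breakpoints": [],
    }
    for slot in range(4):
        local_en = bool(dr7 & (1 << (2 * slot)))       # L0..L3 at even bits
        global_en = bool(dr7 & (1 << (2 * slot + 1)))  # G0..G3 at odd bits
        if local_en or global_en:
            rw = (dr7 >> (16 + 4 * slot)) & 3          # RWn: condition
            ln = (dr7 >> (18 + 4 * slot)) & 3          # LENn: size
            info["breakpoints"].append({
                "slot": slot, "local": local_en, "global": global_en,
                "type": RW_TYPES[rw], "length": LEN_TYPES[ln],
            })
    return info


def softice_loader_signature(dr7):
    """The post's heuristic: LE and GE are both set in 0x700 but not in 0x400."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def armed_bpm_slots(dr7):
    """Slots with an enabled hardware breakpoint, i.e. a SoftICE BPM in DR0-DR3."""
    return [bp["slot"] for bp in decode_dr7(dr7)["breakpoints"]]


# Constructed value: 0x700 plus a global 4-byte write breakpoint in slot 0
# (G0 = bit 1, RW0 = 01b at bits 16-17, LEN0 = 11b at bits 18-19).
DR7_WITH_BPM = 0x700 | (1 << 1) | (1 << 16) | (3 << 18)   # == 0xD0702

if __name__ == "__main__":
    for value in (0x400, 0x700, DR7_WITH_BPM):
        print(hex(value), decode_dr7(value))
```

A protection that reads these registers sees exactly this information, which is why the post warns to clear BPMs before tracing: an armed slot shows up as a non-empty breakpoints list regardless of where the breakpoint was set.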

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open only succeeds if the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
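The constants the post ties to each method (the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, the VxD ids of Methods 03/04 and 09, the 0F386h magic number of Methods 05 to 07 and 12, the \\.\SICE device names of Method 11 and the registry keys of Method 13) are also what an analyst looks for when triaging a protected sample. The scanner below is an added example, not code from the post: it searches a byte buffer for the plain x86 encodings of the instructions quoted above (16-bit for the DOS snippets, 32-bit where the post shows 32-bit code) and for the strings, and reports which method each hit corresponds to. SIGNATURES, scan and the SAMPLE buffer are the example's own; SAMPLE is constructed for the demonstration, and a sample that encodes the same trick differently will not match, so hits are leads rather than proof.

```python
import re

# Added example, not from the original post: static triage of a binary for
# the constants the post ties to each anti-SoftICE method.  The byte patterns
# are plain x86 encodings of the instructions quoted in the text (16-bit for
# the DOS snippets, 32-bit where the post shows 32-bit code); a sample that
# encodes the same trick differently will not match, so hits are leads.

SIGNATURES = [
    # (method number in the post, what the hit means, regex over raw bytes)
    ("01", "mov ebp,04243484Bh ('BCHK', BoundsChecker signature)",
     rb"\xbd\x4b\x48\x43\x42"),
    ("02", "back-door magic values mov si,4647h and mov di,4A4Dh",
     rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46"),
    ("03/04", "mov bx,0202h or mov bx,7A5Fh followed by int 2Fh (VxD id query)",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f"),
    ("05/06/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x3d\x86\xf3"),
    ("11", "SoftICE driver device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x68\x2a\x00\x2a\x00"),
    ("13", "SoftICE registry key or loader name",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, desc, rx in COMPILED:
        for match in rx.finditer(blob):
            hits.append((match.start(), method, desc))
    return sorted(hits)


# Constructed sample (not a real file): the Method 02 prologue from the
# Haspinst.exe listing, then a Method 11 device name and a Method 13 key.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8\x11\x09"                 # mov ax,0911h
    + b"\x8b\x17"                     # mov dx,[bx]
    + b"\xbe\x47\x46"                 # mov si,4647h
    + b"\xbf\x4d\x4a"                 # mov di,4A4Dh
    + b"\xcc"                         # int 3
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"              # "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<12} {desc}")
```

On a real file, run scan over the whole image (or each section) and use the offsets as the places to set the breakpoints the post lists; a hit on "05/06/07/12" alone only tells you that the 0F386h compare is present, and the surrounding code decides which of those methods it is.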

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.