About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

$ z2 ]8 ?" q; z: B, k2 U__________________________________________________________________________0 t. N1 q) Z$ U: |# I5 \, C0 t+ I
- K- T# P, f9 L7 [
Method 11
8 h8 m1 a# u+ ]: x! P=========' K% f: ~, B2 U5 S
; ]5 M1 \8 `7 f& _5 {
This method is most known as 'MeltICE' because it has been freely distributed8 y5 ^/ D9 ?# k) C% P
via www.winfiles.com. However it was first used by NuMega people to allow
! `- g. n! L* H. F& d- ZSymbol Loader to check if SoftICE was active or not (the code is located
* I2 r' o# t. R0 k. X' _+ }9 Ginside nmtrans.dll).
# B9 K; C/ E! B4 ~1 b6 M' U  F5 E9 H$ D6 N7 @$ @3 ^- ]" t$ N
The way it works is very simple:( {- k: Z$ G0 y" U0 W2 p: M
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for) y5 o( ~- T  R/ t4 Q8 Q
WinNT) with the CreateFileA API.
6 R; Z0 M( w# @! |, ]6 p. t7 o, `. x2 l' D# t
Here is a sample (checking for 'SICE'):
3 r, T- j/ B( t( N7 t8 m
$ R4 u" Q0 a3 t1 V+ {( z- fBOOL IsSoftIce95Loaded()
" J) U- ~1 L" I{
) x- P2 U1 C: P) A   HANDLE hFile;  # ~/ O: a* p7 r7 P1 h
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
7 z3 u$ B: n' P4 b( {! `                      FILE_SHARE_READ | FILE_SHARE_WRITE,. y7 [9 k- s% S$ S
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);0 o3 d% B5 K9 S7 {8 a5 {& P2 e% S9 u
   if( hFile != INVALID_HANDLE_VALUE )
* i' C* Y4 R) t/ v   {- o/ j6 G) ~% d
      CloseHandle(hFile);' ?  M& C9 f6 d: G; U: P1 G
      return TRUE;
5 D  z5 V7 w2 S9 c) t: x1 [* u   }
) n" X( h! {' x* P$ a   return FALSE;/ ^, X. B! T" C! j; E( l$ U
}
( {( w- |. Y- Y  W* j
8 T3 r& M0 T7 h1 X$ o! e" ~Although this trick calls the CreateFileA function, don't even expect to be0 t6 O  |& s; G: L& \
able to intercept it by installing a IFS hook: it will not work, no way!
% P: i) T. x: R5 j0 f' QIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
+ A# i+ r0 ]" j+ r" m! Hservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)5 y9 v6 I( ]( {' \
and then browse the DDB list until it find the VxD and its DDB_Control_Proc3 l( U: V) R) c- Z: ]% H
field.
2 P% i; }- j5 @) b" d! v9 [In fact, its purpose is not to load/unload VxDs but only to send a
- k( _  _! U9 J) pW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- z2 T, O& \3 g
to the VxD Control_Dispatch proc (how the hell a shareware soft could try+ U# g7 p. X$ W; A9 m+ v! u
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 R1 J7 h( ^1 K& S3 C+ t7 G/ b5 nIf the VxD is loaded, it will always clear eax and the Carry flag to allow
4 t% h( @& E: T- Dits handle to be opened and then, will be detected.
; g$ H1 d  b9 ^3 l: z3 xYou can check that simply by hooking Winice.exe control proc entry point) d3 i! O7 k) o0 R& X& S' C
while running MeltICE.
+ h* [3 |+ U  [: c: {" Z
2 v& i+ h( E; N' p* [3 W- r* w) }, H4 Y7 p
  00401067:  push      00402025    ; \\.\SICE
( ?9 {0 h  Y" h0 J4 L" D  0040106C:  call      CreateFileA
0 |6 R+ r1 p/ R7 X, x( `  00401071:  cmp       eax,-001- }# z$ J. _# R7 n- _& I: f/ `
  00401074:  je        00401091
- F& b: W) c) o0 n8 G) K: V4 Z$ u
( F% y* `4 m+ X- I, t% n- p! y3 i+ O0 l- u: c% x
There could be hundreds of BPX you could use to detect this trick.
5 `9 n! f% n/ w  K-The most classical one is:
8 q! y: p5 `# k5 x2 }  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
2 Z" {4 O' C) `( p% [( s; {2 n# b    *(esp-&gt;4+4)=='NTIC'
& Y* b. n' u: [+ ?
  W! ~! N; {4 R-The most exotic ones (could be very slooooow :-(8 k2 Z6 V/ F& J+ w4 K: u8 K- _- y
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
9 g( z- k( U, {7 d1 ?     ;will break 3 times :-(0 l+ L1 F$ W  a' b' F2 o7 g
! y) W* g+ x2 @/ k" m8 W
-or (a bit) faster:
* H" B+ \. ~: H4 r0 D8 O8 L   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' ~6 g# d8 K  _) O; r; {

6 a. F  s. T$ h9 v6 G6 w   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  9 n% \% x, |$ n0 H7 T4 {
     ;will break 3 times :-(2 E" d+ N# [! m$ }+ D$ w

8 |$ k+ A/ _  |# K' Z-Much faster:
/ v) ^8 e4 |9 w* f2 r: i   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
) }* v* B  v0 `5 K/ K8 g$ U- j% I% U, u) Y0 y( U4 M. Z
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
( \1 Y# U- t0 q+ afunction to do the same job:
2 X# u( ?) j) _7 k  M/ w
4 ?( I1 W& }0 n   push    00                        ; OF_READ( B# L7 Z  G4 ~6 L7 @
   mov     eax,[00656634]            ; '\\.\SICE',0
7 i& g5 O0 ~9 L5 k( F1 W   push    eax
: \7 I4 s' h! {) T7 y" B   call    KERNEL32!_lopen3 N: T+ Z- u1 \1 M5 z* b
   inc     eax
2 R5 a7 H7 d% p( o+ u0 v- ?   jnz     00650589                  ; detected
7 n2 X% h! ^6 \0 x# m0 C   push    00                        ; OF_READ. F4 ]/ b8 H4 o& ]1 l: h- A
   mov     eax,[00656638]            ; '\\.\SICE'
! T( G3 H9 V5 {# P; ]   push    eax4 h/ q# j+ @6 j4 J- n
   call    KERNEL32!_lopen
/ n5 D( @9 C( x# G0 \' w   inc     eax/ [  t% U' u6 A, O, u: X( K7 j
   jz      006505ae                  ; not detected- n3 j  s- _9 B' {# x1 r  F5 k6 b# I

0 Y0 F9 o9 D3 ~# g
6 t! N8 a6 I4 s& n" ]! B) W__________________________________________________________________________% [$ J% T' A0 w2 `; o5 U  y7 u
( w( u6 L# d; Y4 p" l
Method 126 S7 e/ \. G! u
=========
: Q; _: k9 p- ~: {; m
2 J) f" N3 P* W$ x5 sThis trick is similar to int41h/4fh Debugger installation check (code 05; r- V7 L* A2 z0 `8 S* L
&amp; 06) but very limited because it's only available for Win95/98 (not NT): O, n$ P2 H+ j* A2 j
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 _/ l5 z0 l* [$ \9 [& {
6 v; i. R% O" j# u' Z) ^) _; q
   push  0000004fh         ; function 4fh
8 A/ Q* [; ?7 S7 F' G1 p& p- J   push  002a002ah         ; high word specifies which VxD (VWIN32)0 O& X/ b1 f9 s" H7 Q: w
                           ; low word specifies which service: C; U8 r4 K+ ?% d4 Q
                             (VWIN32_Int41Dispatch)
& _% a. p1 r) M; \' {% u   call  Kernel32!ORD_001  ; VxdCall
& S2 y/ F1 X) \& q9 b0 M   cmp   ax, 0f386h        ; magic number returned by system debuggers# \% n8 _. }& B" K$ k  |( O
   jz    SoftICE_detected
, j) a$ L$ r, ]  C0 }- Y
2 J! l8 {; @* J. GHere again, several ways to detect it:5 L: |3 [' X, q2 s& Q
1 u$ d0 U* g' b$ _0 e. F' y3 {
    BPINT 41 if ax==4f
/ E' `) r+ l8 L' ~# Q1 G5 W  a* f7 z; j* a% y
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
9 @  U+ Q  m4 e# g, Q$ I* o' ?. D" J% B. f9 n7 x- ^5 O
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A: a/ T! T/ Q; j, o- e5 i
" M# m# U5 G) `
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!; D$ e8 ~& ^% ]: q

5 |1 u2 W; f/ o0 f. t__________________________________________________________________________
! s" ~6 l7 y2 |6 ^# S8 r+ |. }7 h# v+ V* l! k! I
Method 13+ N2 y' Q- B7 G, P
=========
: A$ O& O: d$ r
2 a! K) d+ K7 l/ DNot a real method of detection, but a good way to know if SoftICE is" H$ J  c/ `( ^( k! ~
installed on a computer and to locate its installation directory.9 `/ O4 U- l: r; z" R% L
It is used by few softs which access the following registry keys (usually #2) :
8 z7 Y  G( x7 J3 k3 V
  G* }. x6 U- c5 l-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: W0 }5 Y+ _3 g% {
\Uninstall\SoftICE
0 E+ z" p: \- Q" \: Q$ j-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
, l/ h' ?3 [/ f2 ^$ f-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 o* Q: }# ~" ?- R9 o
\App Paths\Loader32.Exe
' Y2 H' a) H* ^
3 c# m5 C* @; W& y; q
. N  E9 |4 o2 m6 J, F9 PNote that some nasty apps could then erase all files from SoftICE directory
" g2 P, z5 }" D0 t(I faced that once :-(. D2 i! o# e6 x9 Z3 e( `
3 b) _; p+ o2 x
Useful breakpoint to detect it:7 J( r2 F, ]4 ]
6 \8 y; V$ P5 Y: |& b, m7 U
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE', |+ j5 N+ s  u, d9 [9 s* h
' [0 Q5 d- L5 U. w
__________________________________________________________________________! Y. b* N" d  d
7 o# c% w0 L+ I0 H% r. p
( [6 C, q. R$ Y9 J
Method 14
! Z5 q9 @" A  L2 v' w=========+ g& t# A) Z+ c! {/ U  M! g5 ^
  T9 t$ ^3 s7 ~& B
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose7 [1 o! T7 w0 X" \
is to determines whether a debugger is running on your system (ring0 only).2 K, ^0 W+ f4 y/ D) f" G
' q5 p( ^3 C* @
   VMMCall Test_Debug_Installed
' }+ F; [4 R* j: m! P' \& _   je      not_installed( O* e6 X3 S  p+ `$ M5 U3 M
. \4 z- |* L- N# L0 n& H
This service just checks a flag.* b# L, r" {2 K! G2 B
</PRE></TD></TR></TBODY></TABLE>