About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE answers to:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is no longer 4 if SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get VxD API entry point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get VxD API entry point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to point to the IVT (es = 0)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if our handler is really reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = a timer byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl stayed 0 if our handler was never called
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
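To make the two dr7 values quoted above concrete, here is an added C decoder (not part of the original post) that splits a DR7 value into its enable bits, the LE/GE "exact" flags and the per-breakpoint R/W and LEN fields, following the Intel SDM layout; the value 0x000D0001 is a constructed sample for one armed 4-byte write BPM.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM):
 *   bits 0-7      L0,G0 .. L3,G3  local/global enable for breakpoint n
 *   bit 8 / bit 9 LE / GE         "exact" breakpoint enables
 *   bit 10        reserved, always reads as 1 (hence the post's 0x400 baseline)
 *   bits 16+4n,17+4n R/Wn condition, bits 18+4n,19+4n LENn. */
typedef struct {
    int enabled[4];   /* breakpoint n armed (local or global bit set) */
    int rw[4];        /* 0 = execute, 1 = data write, 3 = data read/write */
    int len[4];       /* monitored size in bytes */
    int le, ge;       /* bits 8 and 9 */
} dr7_info_t;

dr7_info_t decode_dr7(uint32_t dr7) {
    static const int len_code[4] = {1, 2, 8, 4};  /* LEN 00,01,10,11 (10 = 8 bytes, x86-64 only) */
    dr7_info_t info = {{0}, {0}, {0}, 0, 0};
    for (int n = 0; n < 4; n++) {
        info.enabled[n] = ((dr7 >> (2 * n)) & 3) ? 1 : 0;
        info.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        info.len[n] = len_code[(dr7 >> (18 + 4 * n)) & 3];
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    return info;
}

/* Number of hardware breakpoints (SoftICE BPMs) currently armed. */
int dr7_armed_count(uint32_t dr7) {
    dr7_info_t info = decode_dr7(dr7);
    int count = 0;
    for (int n = 0; n < 4; n++) count += info.enabled[n];
    return count;
}

/* Distinguishes the post's 0x700 (LE and GE set, as left by the SoftICE loader)
 * from 0x400 (only the reserved bit); neither value has a BPM armed. */
int dr7_has_exact_flags(uint32_t dr7) {
    dr7_info_t info = decode_dr7(dr7);
    return info.le && info.ge;
}

int main(void) {
    uint32_t samples[] = {0x700u, 0x400u, 0x000D0001u};  /* last one is constructed */
    for (int i = 0; i < 3; i++) {
        dr7_info_t info = decode_dr7(samples[i]);
        printf("dr7=0x%08lx LE=%d GE=%d armed=%d\n", (unsigned long)samples[i],
               info.le, info.ge, dr7_armed_count(samples[i]));
        for (int n = 0; n < 4; n++)
            if (info.enabled[n])
                printf("  BPM%d: rw=%d len=%d\n", n, info.rw[n], info.len[n]);
    }
    return 0;
}
```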

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
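When triaging a binary for the interrupt-based checks of methods 01, 02, 03/04, 05, 07 and 12, the opcode sequences are stable enough to be matched as byte signatures. The scanner below is an added example (not from the original post): it assumes 16-bit encodings for the DOS-style checks (02, 03/04, 05, 07) and 32-bit encodings for 01 and 12, wildcards the VxD ID operand of int 2Fh/1684h, and runs over a constructed sample buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WILD (-1)   /* wildcard: matches any byte (used for the VxD ID operand) */
typedef struct { const char *name; const int *pat; size_t len; } sig_t;

/* Method 01 (32-bit code): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 */
static const int SIG_M01[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04};
/* Method 02 (16-bit code): mov si,4647h ; mov di,4A4Dh ; int 3 (backdoor magic values) */
static const int SIG_M02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};
/* Methods 03/04 (16-bit): mov ax,1684h ; mov bx,<VxD id> ; int 2Fh */
static const int SIG_M03[] = {0xB8,0x84,0x16, 0xBB,WILD,WILD, 0xCD,0x2F};
/* Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h */
static const int SIG_M05[] = {0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3};
/* Method 07: mov ah,43h ; int 68h */
static const int SIG_M07[] = {0xB4,0x43, 0xCD,0x68};
/* Method 12 (32-bit): push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) */
static const int SIG_M12[] = {0x68,0x4F,0x00,0x00,0x00, 0x68,0x2A,0x00,0x2A,0x00};

#define SIG(n, a) { n, a, sizeof(a) / sizeof((a)[0]) }
static const sig_t SIGS[] = {
    SIG("M01 BCHK int 3", SIG_M01),          SIG("M02 int 3 backdoor", SIG_M02),
    SIG("M03/04 int 2Fh/1684h", SIG_M03),    SIG("M05 int 41h/4Fh", SIG_M05),
    SIG("M07 int 68h/43h", SIG_M07),         SIG("M12 VxDCall Int41Dispatch", SIG_M12),
};
#define NSIGS (sizeof(SIGS) / sizeof(SIGS[0]))

typedef struct { size_t offset; const char *name; } hit_t;

static int match_at(const uint8_t *buf, size_t len, size_t off, const sig_t *s) {
    if (off + s->len > len) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != WILD && buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan buf; records up to max_hits hits (in offset order) and returns the total found. */
size_t scan_antidebug(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, len, off, &SIGS[k])) {
                if (n < max_hits) { hits[n].offset = off; hits[n].name = SIGS[k].name; }
                n++;
            }
    return n;
}

/* Constructed sample: nop filler, a Method 05 check, a Method 04 (SIWVID) check, a Method 12 stub. */
const uint8_t SAMPLE[] = {
    0x90,0x90,0x90,
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x10,   /* offset 3  */
    0x90,0x90,
    0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F,               /* offset 15 */
    0x68,0x4F,0x00,0x00,0x00, 0x68,0x2A,0x00,0x2A,0x00,      /* offset 23 */
    0xC3
};

int main(void) {
    hit_t hits[8];
    size_t n = scan_antidebug(SAMPLE, sizeof SAMPLE, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%02zx: %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```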

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>