About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3 issued
with EBP = 'BCHK' and AX = 4 is answered by SoftICE, which changes AL; if
SoftICE is not loaded, AL still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It uses
the SoftICE 'back door' commands, which give information about breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE uses to recognise a back door call.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The jump to 00ADh is performed by an exception handler (SEH) when the
debugger is not loaded: with no SoftICE to swallow the int 3, the breakpoint
exception reaches the program's own handler, which resumes at 00ADh.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its VxD ID via
int 2Fh/1684h (Get Device API Entry Point). If the VxD is loaded, the call
returns its API entry point in ES:DI; otherwise ES:DI stays at the 0 the
code loaded beforehand.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method checking for the 'magic number' 0F386h returned in AX by every
system debugger that implements the int 41h debugger interface. It calls
int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It first swaps its own IRET handler into
the int 41h entry of the interrupt vector table: under plain DOS that
vector points to the fixed-disk parameter table, not to code, so calling
it unprotected would crash. A system debugger intercepts the int 41h anyway
and still answers 0F386h:

    xor     ax,ax
    mov     es,ax               ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect: it
never loads 4Fh into AX nor compares against 0F386h, so a
'BPINT 41 IF AX==4F' does not fire. It reads a pseudo-random byte from the
timer port into AL, clears CX and issues int 41h. If the int reaches the
program's own handler, CL is set to AL; if SoftICE handles the int 41h
itself instead of passing it on, CL stays 0 and the mismatch reveals the
debugger. (If AL happens to be 0 the check misses, about 1 time in 256.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; PIT channel 0: a pseudo-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode). Function AH=43h is
the installation check; a system debugger answers with AX=0F386h.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
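The checks of Methods 01 to 07 are built from constant instruction sequences, so a packed file can be searched for them statically before it is ever run. The scanner below is an added example written for this page, not code from the article, from Haspinst.exe or from any tool the article mentions; all function and table names are its own. It encodes each check as the bytes of its literal instructions (real-mode 16-bit encodings for the DOS tricks, the 32-bit encoding for the BCHK check) and runs over a sample image constructed inline, which reproduces the Method 02 loop at the listing's own offsets with a BCHK check and an int 41h check appended. Method 06 is deliberately absent from the table: it uses no constant that could be matched, which is exactly why the text calls it harder to detect, and any of the others escape the scan if the registers are loaded in a different order or computed at run time.

```c
/* Added example, not code from the original article: static signature
 * scanner for the software-interrupt anti-SoftICE checks of Methods 01-07.
 * The sample image is constructed here; it is not Haspinst.exe. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig { const char *method; const uint8_t *bytes; size_t len; };
struct hit { size_t offset; const char *method; };

static const uint8_t SIG_BCHK[]   = { 0xBD,0x4B,0x48,0x43,0x42, /* mov ebp,4243484Bh 'BCHK' */
                                      0x66,0xB8,0x04,0x00,      /* mov ax,4                 */
                                      0xCC };                   /* int 3                    */
static const uint8_t SIG_FGJM[]   = { 0xBE,0x47,0x46,           /* mov si,4647h 'FG'        */
                                      0xBF,0x4D,0x4A,           /* mov di,4A4Dh 'JM'        */
                                      0xCC };                   /* int 3                    */
static const uint8_t SIG_SICE[]   = { 0xB8,0x84,0x16,           /* mov ax,1684h             */
                                      0xBB,0x02,0x02,           /* mov bx,0202h (SICE)      */
                                      0xCD,0x2F };              /* int 2Fh                  */
static const uint8_t SIG_SIWVID[] = { 0xB8,0x84,0x16,
                                      0xBB,0x5F,0x7A,           /* mov bx,7A5Fh (SIWVID)    */
                                      0xCD,0x2F };
static const uint8_t SIG_INT41[]  = { 0xB8,0x4F,0x00,           /* mov ax,4Fh               */
                                      0xCD,0x41 };              /* int 41h                  */
static const uint8_t SIG_INT68[]  = { 0xB4,0x43,                /* mov ah,43h               */
                                      0xCD,0x68 };              /* int 68h                  */

static const struct sig SIGS[] = {
    { "Method 01: BCHK int 3",           SIG_BCHK,   sizeof SIG_BCHK   },
    { "Method 02: FGJM backdoor int 3",  SIG_FGJM,   sizeof SIG_FGJM   },
    { "Method 03: int 2Fh/1684h SICE",   SIG_SICE,   sizeof SIG_SICE   },
    { "Method 04: int 2Fh/1684h SIWVID", SIG_SIWVID, sizeof SIG_SIWVID },
    { "Method 05: int 41h/4Fh",          SIG_INT41,  sizeof SIG_INT41  },
    { "Method 07: int 68h/43h",          SIG_INT68,  sizeof SIG_INT68  },
};

/* Report every offset where one of the signatures starts, in offset order. */
size_t scan_anti_sice(const uint8_t *buf, size_t len, struct hit *hits, size_t maxhits)
{
    size_t n = 0;
    for (size_t off = 0; off < len && n < maxhits; off++)
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++)
            if (SIGS[s].len <= len - off &&
                memcmp(buf + off, SIGS[s].bytes, SIGS[s].len) == 0) {
                hits[n].offset = off;
                hits[n++].method = SIGS[s].method;
                break;                          /* one report per offset */
            }
    return n;
}

/* Constructed sample: NOP padding up to 0095h, the back door loop from the
 * Method 02 listing at the same offsets, then a BCHK check and an int 41h
 * check appended for this example. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t loop[] = {
        0xB8,0x11,0x09,  /* 0095 mov ax,0911h */   0x8B,0x17,       /* 0098 mov dx,[bx] */
        0xBE,0x47,0x46,  /* 009A mov si,4647h */   0xBF,0x4D,0x4A,  /* 009D mov di,4A4Dh */
        0xCC,            /* 00A0 int 3        */   0x83,0xC3,0x02,  /* 00A1 add bx,2    */
        0x41,            /* 00A4 inc cx       */   0x83,0xF9,0x06,  /* 00A5 cmp cx,6    */
        0x72,0xEB,       /* 00A8 jb 0095      */   0xE9,0x55,0xFF,  /* 00AA jmp 0002    */
        0x8B,0xDC };     /* 00AD mov bx,sp    */
    static const uint8_t bchk[] = { 0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC,
                                    0x3C,0x04 };                            /* cmp al,4 */
    static const uint8_t i41[]  = { 0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3 }; /* cmp ax,0F386h */
    size_t n = 0x95;
    if (cap < n + sizeof loop + sizeof bchk + sizeof i41) return 0;
    memset(buf, 0x90, n);
    memcpy(buf + n, loop, sizeof loop); n += sizeof loop;   /* FGJM lands at 009Ah */
    memcpy(buf + n, bchk, sizeof bchk); n += sizeof bchk;   /* BCHK at 00AFh       */
    memcpy(buf + n, i41,  sizeof i41);  n += sizeof i41;    /* int 41h at 00BBh    */
    return n;
}

/* Scan the sample image; the per-hit accessors exist for callers that want one value. */
size_t demo_hits(struct hit *hits, size_t maxhits)
{
    uint8_t img[256];
    size_t len = build_sample(img, sizeof img);
    return scan_anti_sice(img, len, hits, maxhits);
}
size_t demo_hit_count(void)            { struct hit h[16]; return demo_hits(h, 16); }
size_t demo_hit_offset(size_t i)       { struct hit h[16]; return i < demo_hits(h, 16) ? h[i].offset : (size_t)-1; }
const char *demo_hit_method(size_t i)  { struct hit h[16]; return i < demo_hits(h, 16) ? h[i].method : ""; }

int main(void)
{
    struct hit hits[16];
    size_t n = demo_hits(hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("%04zX  %s\n", hits[i].offset, hits[i].method);
    return 0;
}
```

Run against a real packed file, a hit only says the bytes are there, not that the check executes: the loop in Method 02 is reached only on the protected program's start-up path, and a packer can build the same register values with xor/add or out of a decrypted buffer, which this byte-for-byte table will never see.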
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless here ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear your breakpoints before using this feature. DO NOT
  trace with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise: bit 10 of DR7 is a reserved bit that always reads as 1, and
SoftICE adds the LE and GE 'exact breakpoint' bits on top of it) or whether
memory breakpoints are set (DR0 to DR3 hold their addresses), simply by
reading their values. MOV from a debug register is a privileged instruction,
so this works in ring 0 only. The values can be manipulated or changed as
well (clearing BPMs, for instance).
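The DR7 values Method 10 quotes, decoded bit by bit. This is an added example written for this page, not code from the article or from any tool it mentions; it assumes the standard x86 DR7 layout (L/G enable bits 0-7, LE/GE at bits 8-9, the reserved always-1 bit 10, GD at bit 13, R/W and LEN fields from bit 16 up) and does not read the registers itself, since that needs ring 0. The function and field names are its own.

```c
/* Added example, not code from the original article: decode the DR7 values
 * Method 10 quotes (0x700 / 0x400) and build the value a BPM produces.
 * Reading DR0-DR7 needs ring 0, so this works on values already read. */
#include <stdint.h>
#include <stdio.h>

struct dr7_info {
    int local_enable[4];   /* L0..L3  : bits 0,2,4,6                        */
    int global_enable[4];  /* G0..G3  : bits 1,3,5,7                        */
    int rw[4];             /* R/W0..3 : 0=exec 1=write 2=I/O 3=read/write    */
    int len[4];            /* LEN0..3 : 0=1 byte 1=2 bytes 3=4 bytes        */
    int le, ge;            /* bits 8,9: local/global exact breakpoint enable */
    int gd;                /* bit 13  : general detect, traps any MOV DRx    */
    int active;            /* breakpoint slots enabled locally or globally   */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    struct dr7_info i = {0};
    for (int n = 0; n < 4; n++) {
        i.local_enable[n]  = (dr7 >> (2 * n))     & 1;
        i.global_enable[n] = (dr7 >> (2 * n + 1)) & 1;
        i.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        i.len[n] = (dr7 >> (18 + 4 * n)) & 3;
        if (i.local_enable[n] || i.global_enable[n])
            i.active++;
    }
    i.le = (dr7 >> 8) & 1;
    i.ge = (dr7 >> 9) & 1;
    i.gd = (dr7 >> 13) & 1;
    return i;
}

int dr7_slot_rw(uint32_t dr7, int slot)  { struct dr7_info i = decode_dr7(dr7); return i.rw[slot]; }
int dr7_slot_len(uint32_t dr7, int slot) { struct dr7_info i = decode_dr7(dr7); return i.len[slot]; }

/* The test as Method 10 states it: bit 10 (0x400) is reserved and always
 * reads as 1, so an untouched DR7 is 0x400; a program started from the
 * SoftICE loader sees LE|GE set on top of that, i.e. 0x700. */
int dr7_looks_like_softice(uint32_t dr7) { return (dr7 & 0x700) == 0x700; }

/* A BPM set by the debugger shows up as an enabled slot in DR7
 * (its linear address is in the matching DR0..DR3). */
int dr7_has_hw_breakpoint(uint32_t dr7) { return decode_dr7(dr7).active > 0; }

/* What the debugger writes to enable slot 'slot' as a local breakpoint with
 * the given R/W and LEN fields; e.g. a 4-byte write watch in slot 0 on an
 * untouched register: dr7_with_bpm(0x400, 0, 1, 3) == 0xD0401. */
uint32_t dr7_with_bpm(uint32_t dr7, int slot, int rw, int len)
{
    dr7 &= ~(0xFu << (16 + 4 * slot));                 /* clear old R/W and LEN */
    dr7 |= 1u << (2 * slot);                           /* L<slot>               */
    dr7 |= (uint32_t)(rw & 3)  << (16 + 4 * slot);
    dr7 |= (uint32_t)(len & 3) << (18 + 4 * slot);
    return dr7;
}

static void describe(uint32_t dr7)
{
    struct dr7_info i = decode_dr7(dr7);
    printf("DR7=%08X  LE=%d GE=%d GD=%d  softice_loader=%d  active_slots=%d\n",
           (unsigned)dr7, i.le, i.ge, i.gd, dr7_looks_like_softice(dr7), i.active);
    for (int n = 0; n < 4; n++)
        if (i.local_enable[n] || i.global_enable[n])
            printf("  DR%d: %s, rw=%d len=%d\n", n,
                   i.global_enable[n] ? "global" : "local", i.rw[n], i.len[n]);
}

int main(void)
{
    describe(0x700);                          /* started from the SoftICE loader */
    describe(0x400);                          /* nobody touched DR7              */
    describe(dr7_with_bpm(0x700, 0, 1, 3));   /* plus a 4-byte write BPM in DR0  */
    return 0;
}
```

The ring-0 restriction is only half the story on the NT family: a ring-3 program can read the same Dr0-Dr7 from its own thread context (GetThreadContext with CONTEXT_DEBUG_REGISTERS), so a tool that hides SoftICE by faking the privileged read alone has not covered that path.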

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open a handle to the SoftICE driver devices (SICE and SIWVID
on Win9x, NTICE on WinNT) with the CreateFileA API; the open only succeeds
if the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE if \\.\SICE can be opened as a device, i.e. if the SoftICE
   Win9x driver is loaded and answers the DIOC_OPEN. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the '\\.\' prefix, and the
  4-byte compare looks at the first four characters of the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of
     'tICE' inside the subkey strings of #2 and #1 above)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set: no debugger

This service just checks a flag.
$ `$ \/ I. b: a8 u. r  m) m4 p; ]</PRE></TD></TR></TBODY></TABLE>