About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The installed handler copies al (a byte read from the timer port 40h) into
cl. If SoftICE has taken over int 41h, that handler is never reached, cl
keeps the 0 set by "xor cx,cx" and the comparison fails.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
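As an added example that is not part of the original post: a small Python scanner that looks for the byte-level fingerprints of the tricks described above (the 'BCHK' magic of method 01, the 4647h/4A4Dh magic of method 02, the VxD IDs of methods 03/04, the 0F386h magic of methods 05/07/12, the MeltICE driver names of method 11 and the registry key of method 13) in a raw binary, the kind of triage an analyst runs over a sample before loading it in a debugger. The opcode encodings and the constructed sample blob are assumptions of this example, not taken from the post.

```python
import re

# Each entry: (description, compiled bytes regex). Opcode encodings are an
# assumption of this example: mov ebp,imm32 = BD; mov si,imm16 = BE;
# mov di,imm16 = BF; mov bx,imm16 = BB; cmp ax,imm16 = 3D; int 2Fh = CD 2F.
# A 66h operand-size prefix in 32-bit code sits in front of these bytes and
# does not disturb the match.
SIGNATURES = [
    ("method 01: BoundsChecker 'BCHK' magic (mov ebp,4243484Bh)",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    ("method 02: back door magic (mov si,4647h followed by mov di,4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    ("method 03: int 2Fh/1684h with SICE VxD ID 0202h",
     re.compile(rb"\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    ("method 04: int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     re.compile(rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    ("method 05/07/12: compare with debugger magic 0F386h (cmp ax,0F386h)",
     re.compile(rb"\x3D\x86\xF3")),
    ("method 11: MeltICE driver name",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00")),
    ("method 13: NuMega SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data):
    """Return [(offset, description), ...] sorted by offset for every hit."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), desc))
    hits.sort()
    return hits


# Constructed sample: hand-assembled fragments of methods 01, 02, 03 and 05
# plus the strings of methods 11 and 13, padded with NOPs. Not a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"            # method 02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"            # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                    # method 05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # method 11
    + b"Software\\NuMega\\SoftICE\x00"                               # method 13
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:08x}  {desc}")
```

A hit is a reason to look at the surrounding code, not proof: the short opcode sequences can occur by chance in ordinary data.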