About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (stays 0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and put the old vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; hard-to-predict value from the timer
    xor     cx,cx
    int     41h                     ; if our handler ran, cl == al
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
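
Added example (not from the original text): the breakpoint conditions given
for Method 11 and Method 13 are derived here from the names being checked, to
show where the offsets come from. On entry to a stdcall API, esp->4 is the
first argument and esp->8 the second; *(p)=='SICE' compares the 4 bytes at p
with the literal, so the CreateFileA check skips the 4-character \\.\ prefix
and the _regopenkey check jumps to wherever 'tICE' sits in the subkey string
(0x13 in Software\NuMega\SoftICE, 0x37 in the Uninstall key). The helper
names are mine; the key and device lists are the ones given on this page.

```python
DEVICE_PREFIX = "\\\\.\\"          # the 4 characters \\.\ in front of a device name


def dword_literal(s):
    """The 4-character literal SoftICE compares against: *(p)=='SICE' reads 4 bytes at p."""
    return "'" + s[:4] + "'"


def createfile_bpx(device_names, arg_slot=1):
    """Condition on CreateFileA: lpFileName is argument 1 (esp->4); +4 skips \\\\.\\ ."""
    terms = []
    for name in device_names:
        if not name.startswith(DEVICE_PREFIX):
            raise ValueError("expected a \\\\.\\ device name: %r" % name)
        terms.append("*(esp->%d+%d)==%s" % (4 * arg_slot, len(DEVICE_PREFIX),
                                             dword_literal(name[len(DEVICE_PREFIX):])))
    return "BPX CreateFileA if " + " || ".join(terms)


def regopenkey_bpx(subkeys, needle="tICE", arg_slot=2):
    """Condition on _regopenkey: lpSubKey is argument 2 (esp->8); compare the 4 bytes
    at the offset where the needle sits in each key path. Keys without it are skipped,
    identical offsets are emitted once."""
    offsets = sorted({k.find(needle) for k in subkeys if needle in k})
    terms = ["*(esp->%d+0x%x)==%s" % (4 * arg_slot, off, dword_literal(needle))
             for off in offsets]
    return "BPX _regopenkey if " + " || ".join(terms)


SOFTICE_DEVICES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
SOFTICE_KEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

if __name__ == "__main__":
    print(createfile_bpx(SOFTICE_DEVICES))
    print(regopenkey_bpx(SOFTICE_KEYS))
```

The third key (App Paths\Loader32.Exe) contains no 'tICE' and so produces no
term, which is why the page's breakpoint only has two; pass a different
needle (for example 'NuMe') to cover it too.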

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>