找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
: R& Q3 Z+ A  T6 h<TBODY>5 @0 T8 h+ u; j! O' L  ~" Z
<TR>
; I! z1 |9 t# ~3 y  F" ^<TD><PRE>Method 01
( Z. I* K; y2 I( Y& X=========
- L3 |: Z) W9 r: c: L& K9 t; J
' h9 ^) L! ^3 ?, a2 d$ qThis method of detection of SoftICE (as well as the following one) is* [4 S- x! g, r% \  ^
used by the majority of packers/encryptors found on Internet.
! V8 W% b( ?/ K& |It seeks the signature of BoundsChecker in SoftICE" ]) u. N! b1 @0 o# w

/ y* w4 D4 b3 B1 A$ e    mov     ebp, 04243484Bh        ; 'BCHK'
2 W. o, d3 S) k6 X1 t    mov     ax, 04h/ w1 n5 k% E3 k; U. g
    int     3       ' F7 w! t  l, A8 ]1 {  _
    cmp     al,43 k- m9 c: J  `5 f6 v
    jnz     SoftICE_Detected( f3 h, v$ P1 v$ x8 m9 E# d
4 v9 ?" R3 l4 r' N
___________________________________________________________________________
5 v. f$ ]. @1 @9 A' R6 |% S5 O: `
6 i5 e& K, h/ |6 e" mMethod 02
. ]; r: Y& @2 ^- K& y( ]! s=========
. o* n6 E) L0 `' C4 d* l+ v0 r0 K% V+ S: }* G$ N1 B! D) R3 I
Still a method very much used (perhaps the most frequent one).  It is used
3 k2 J; _' s3 K. ]; Q$ C4 m8 ^to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
" j+ s3 S( Z' ?8 |5 x8 oor execute SoftICE commands...  z4 w* ~! ~: n3 Y; K( ~9 X& x2 D
It is also used to crash SoftICE and to force it to execute any commands; E& B9 W4 g: g: P0 \( d1 r
(HBOOT...) :-((  
8 x+ c( R* A+ \1 q) W
9 n: T; x( e# I! D6 V/ o$ |. VHere is a quick description:8 x$ Z& @* p5 {4 L* a1 l
-AX = 0910h   (Display string in SIce windows)
0 |  L. j, e1 J" C5 L3 e; s+ P1 ^-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
8 k9 I" e- U9 z/ P8 ]-AX = 0912h   (Get breakpoint infos)
+ t& a0 N" k* s! R* d-AX = 0913h   (Set Sice breakpoints)
: d/ K5 ~. Z% Y$ O-AX = 0914h   (Remove SIce breakoints)
9 C& \5 h0 p) U6 q0 w
* q8 H# p- s6 k4 n4 E, f$ IEach time you'll meet this trick, you'll see:% a& y9 @- |" L, p2 T
-SI = 4647h
! Z9 o# E/ H6 S" }-DI = 4A4Dh
6 l4 y1 s4 E0 A3 G( jWhich are the 'magic values' used by SoftIce.: P: y& x8 E6 y/ K) R
For more informations, see "Ralf Brown Interrupt list" chapter int 03h./ n0 ^2 s3 |1 F# K) c* J
! K$ e  m9 u( t$ e
Here is one example from the file "Haspinst.exe" which is the dongle HASP; d% a0 v$ o8 `7 M9 T* L
Envelope utility use to protect DOS applications:( f( D  s' i/ s  s1 g1 v9 l1 t" v

- g" V8 N3 T# y3 o+ d$ D8 z9 W# ?+ f, g6 ~
4C19:0095   MOV    AX,0911  ; execute command.9 ^% t: g) \- v( a
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).1 ]+ C' O# y# s5 G7 W
4C19:009A   MOV    SI,4647  ; 1st magic value.$ y$ d, k7 S7 T& M$ E8 F0 X
4C19:009D   MOV    DI,4A4D  ; 2nd magic value." b% ?, E4 J- z& R; L8 ~5 P$ Z
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)4 ?# v! S: d1 W( Y+ H9 ~( D
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute/ n: F) h1 O4 h  ^& J* q  _
4C19:00A4   INC    CX
2 I4 j+ h% |$ z7 \. X) y4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
: K- A, R; u0 q" R4C19:00A8   JB     0095     ; 6 different commands.
) j& t* ~; p/ A; r; Q5 N* J. n4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
5 d* n( S  w' h6 k2 N; s0 e4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)8 l/ g( R" n, I7 F* n* c

4 ^% {  w7 c: f# [The program will execute 6 different SIce commands located at ds:dx, which
( {5 f* B9 w4 _/ E6 `& W- z& nare: LDT, IDT, GDT, TSS, RS, and ...HBOOT./ L/ J1 p! H3 [0 w

  b! a# y+ W% s4 a1 L8 ]! Q9 j5 M/ X* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
' o; ]* v2 d6 o___________________________________________________________________________  d. p0 m3 C, M5 T! {

- ]$ C+ O9 Y/ ^% P  g5 u1 H/ j+ P- B6 f5 ?* H- ^- t: ?. V
Method 03
- g( ?- X3 X: O& O+ F  }  ~, e' ^=========% I, y0 Z* R8 R5 m) y2 r5 w7 w

( }, M6 A; P7 P: f# zLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
  N9 g; s% s# @+ O* U(API Get entry point)% c8 O# s+ h$ E6 p
        
. p4 M  j4 Q( r* I% k' J# H+ U4 \* [4 Z' N9 n
    xor     di,di
0 q- _, C! r9 m/ g! [( J& {    mov     es,di
# q5 p: m2 Z; G2 ~5 Y6 L    mov     ax, 1684h       * K; N( _( {& b& W$ {* `
    mov     bx, 0202h       ; VxD ID of winice
" E0 F1 ]) `/ }% T3 m+ E; M    int     2Fh! Q. o$ O% T* j; h  Z' C- M7 M
    mov     ax, es          ; ES:DI -&gt; VxD API entry point6 x0 s# O/ M6 G  k: N" f
    add     ax, di7 ~. R! M) m2 j# D' A" V" s
    test    ax,ax
" j5 M' c+ {  R2 x! T) Z/ j    jnz     SoftICE_Detected$ M2 S0 r; J- ~: L

4 @# O2 n1 I5 B! w  S___________________________________________________________________________
/ B$ X6 \( N  @  p! y2 G6 c; l  g. X6 o# r" t$ l6 E# O" N
Method 04
0 W! x) @1 G+ P=========, s& V7 T$ m7 l6 c$ P( K
9 `* F$ B; n( {/ m
Method identical to the preceding one except that it seeks the ID of SoftICE1 e  H; h& @2 T$ }
GFX VxD.
) X  E0 \. c) |) r* C% q6 A5 p$ a1 L  `- i% L/ r+ _
    xor     di,di5 |4 @( n' x) K( j- C4 v9 M0 x$ ^8 h" L
    mov     es,di
$ r3 a/ o9 ?5 ?! @    mov     ax, 1684h       3 m' _0 Y- q) b: `) E! J
    mov     bx, 7a5Fh       ; VxD ID of SIWVID& v+ D+ }: I7 \+ j% p2 c
    int     2fh
6 f. X3 F" n& }+ Q/ F/ o    mov     ax, es          ; ES:DI -&gt; VxD API entry point1 M* [2 @* \! n! v* {
    add     ax, di
5 j+ S  _" x$ w8 q5 e* Y! o    test    ax,ax7 r0 v0 C2 k4 k3 d6 s; W
    jnz     SoftICE_Detected
& a" y% E2 r( ^! o: t$ U  Y/ H5 `. z7 |2 S: {2 n/ ^
__________________________________________________________________________
0 f8 C& O$ ^% ]
$ u1 }+ x6 ]5 }  @- G) |- g$ Q7 w8 }3 G
Method 05" W+ ^$ Y2 a# r4 Z! N
=========2 |: P4 O0 H2 }8 f& b
. L5 m: v, P. D! }4 y4 X. ?; T
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 C4 U0 a. E6 j3 E- B  s! M0 }8 Xdebugger. It calls the int 41h, function 4Fh.0 c  y1 s7 A+ c1 E+ i$ f! w  `
There are several alternatives.  
% I( R6 U. @% ]/ W/ c, c' a
8 o- h; C% U4 k( UThe following one is the simplest:
. {3 P5 `& U! }5 m# M" R0 y
  c- G! x; a& B0 i    mov     ax,4fh
+ b, j; m% h- [5 [% \- {( b    int     41h( B9 C: P& z  T( N* G
    cmp     ax, 0F386
, I5 Y. y+ ?$ X6 u) d    jz      SoftICE_detected
7 d, O$ ?( _6 C% ]# r, q' d, R
3 U' X- |+ c, Y( h, f  v' M1 @+ y" [' }) d+ P0 H
Next method as well as the following one are 2 examples from Stone's
: C/ ~) P1 u/ g" U6 B"stn-wid.zip" (www.cracking.net):
, _" C! m% X7 Q3 |4 L; B& Q9 X
( B' M( ]- [- D& D9 Q' U9 K4 \    mov     bx, cs
6 W6 w" H7 T3 ^    lea     dx, int41handler2
& ?+ ]' d) l1 S' }) H4 [: H    xchg    dx, es:[41h*4], U2 |. f- B% E& S0 N9 f
    xchg    bx, es:[41h*4+2]
" y; ], l; S9 Y& l$ d$ k" `( f$ q- a    mov     ax,4fh. |2 x) H; m$ L
    int     41h, i" ?' p8 b7 i$ g+ O% n! V# I: V
    xchg    dx, es:[41h*4]3 D1 o: C% M6 e
    xchg    bx, es:[41h*4+2]7 t" t% p5 K6 {7 L6 V
    cmp     ax, 0f386h2 S: ^$ U( }) ^
    jz      SoftICE_detected  X1 a- ?/ |  ]: G6 h  ]
6 B9 z0 N' z: _; K4 Q, N  v. r
int41handler2 PROC
3 t+ n& M: z% M    iret# O2 k0 G* _5 `' O- c8 b1 `3 Y
int41handler2 ENDP$ x5 w# a  c$ o) g+ t7 M
: }1 P* r+ y* c- `1 T5 n0 q. D
1 C0 u+ ^. @: @4 B7 N
_________________________________________________________________________0 O) V0 Y$ b. H! ~' m
4 q/ O. Y( V# H$ K& I- |, g5 r

, ]8 Z' B3 \7 ]Method 06' b, Y$ g5 _2 _' p' Y  V; z7 O
=========
& `; U0 }: J4 x% c. c
. m" d/ I' O6 ^' i! V, r2 f; l. ^  j" I$ W( j! m+ D3 k
2nd method similar to the preceding one but more difficult to detect:3 Z: o9 N" f! Z/ J, `
3 W7 l+ A5 l3 D3 G  O1 w

. U2 ^! @0 {. Mint41handler PROC
! p: L" q" q# Q  ]; d8 o7 Z    mov     cl,al; r) ~5 I1 m, ?; l1 |
    iret( @& f8 R5 ?- b. |; K
int41handler ENDP
# w; i2 k# y! k; u- x
- R% [2 M$ U' V$ i$ D/ H/ b% G7 M$ h  r7 ^/ }+ I; K7 e
    xor     ax,ax( [$ P7 d6 t/ _  O" d% Q
    mov     es,ax  `7 W1 U) D- w( F. q- R
    mov     bx, cs: E5 K, W- K; u
    lea     dx, int41handler
( r1 V3 @; d9 X# v$ p    xchg    dx, es:[41h*4]
% r- ~9 m3 S7 x5 r    xchg    bx, es:[41h*4+2]/ j6 V& [3 X- y3 G, D- J  ^  }
    in      al, 40h
/ D* o# e$ X, U& @    xor     cx,cx
3 a0 _  A  }. Z+ I9 |6 A    int     41h
# e* ?5 g4 n9 s3 E    xchg    dx, es:[41h*4]
! E% a4 p7 H5 ^    xchg    bx, es:[41h*4+2]3 [. s% M: N: ?+ c5 l& [, i3 f  P
    cmp     cl,al* P3 N& b! W: `2 B0 M
    jnz     SoftICE_detected! h7 y, |% O$ K( x) x: p. p- c& u  O# j

; V' J- ?& U) ~+ __________________________________________________________________________
( ^0 I1 B6 S* W% F) @: ^' p3 ?  R: Q, z
Method 07  K5 E8 o  [5 ?* E' P
=========2 f& P# ~  ~+ T4 a; v: w$ W
/ U0 ~. f3 u! G+ S# A& F
Method of detection of the WinICE handler in the int68h (V86)' }$ Z' Z3 k! k- U9 T
4 s  S4 `9 N$ k! z! S$ o% B" |
    mov     ah,43h
+ X8 T/ M4 X$ _+ D! G7 ^    int     68h
+ {; D5 ^9 k! f' R& M# r" N6 ?% W0 d    cmp     ax,0F386h
" D  W1 O4 h1 ?6 y    jz      SoftICE_Detected2 P2 g& f4 ^0 j4 m

- C1 _6 B9 \+ ?5 r6 c. U& Y" f  n* q1 e5 O3 t  C
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: ^( ]' L" E% W1 Z4 W, }& G* o   app like this:
  s4 D1 y) ^) q+ j; k/ |4 g
" c* }+ a2 |- x2 D7 a. D+ Z2 }   BPX exec_int if ax==685 w# T! N0 H# W7 z3 i( `' Q6 k
   (function called is located at byte ptr [ebp+1Dh] and client eip is8 Y% f: d! x, n: ?% D
   located at [ebp+48h] for 32Bit apps)5 w' @  p! w  ~
__________________________________________________________________________9 u: {) y2 x0 M' d2 H

* Y; `( Z' U( d3 T
1 u3 q; y) s6 TMethod 08
. E1 h& [. _$ R9 s, Y=========
; S4 D2 {4 I' U0 j* }& T; k" }& x4 Q) r$ c- m
It is not a method of detection of SoftICE but a possibility to crash the
& Q( V: T" u3 L; vsystem by intercepting int 01h and int 03h and redirecting them to another
% c. G  q1 d! O# X$ `routine.
' U& n. e! b$ J' I4 I- O  SIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points3 d' k# R4 s1 ?0 O- A
to the new routine to execute (hangs computer...)
4 R, H5 ]! ~) \( o- Z
- F: `! r% N9 ^0 E9 y1 t' C3 v9 F$ R    mov     ah, 25h: v& q# L7 w  m0 d3 j( k
    mov     al, Int_Number (01h or 03h)
) o& o$ m& r; f$ ?+ l# ~; E# L6 ^7 D$ j    mov     dx, offset New_Int_Routine& i2 A2 u4 ?( u4 \
    int     21h& Y/ ]) f3 q: U1 J
1 T2 n( y" h* |+ [3 @% S
__________________________________________________________________________
8 A. [: F6 j" n
( B* Q, }% M9 n. WMethod 09
9 o# @) v+ r$ K/ ^' L! s( S=========# z8 i1 u  O# y5 x# F; o% ]" z0 c% Q
3 r! h' x, x) }4 e
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 q6 Z( E/ V# `% ]+ Tperformed in ring0 (VxD or a ring3 app using the VxdCall).8 Z/ j  z! G9 j7 S& v
The Get_DDB service is used to determine whether or not a VxD is installed
6 b+ `; e; R- T3 s- S# ^for the specified device and returns a Device Description Block (in ecx) for2 J& T- z0 w; p; f0 |5 v7 Q
that device if it is installed.
. `+ }! U! A* G2 R. Z% z
- z/ v) d5 \5 `+ l/ a; ~4 M# C. y   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
- h" M; F5 _0 T   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)( K3 e1 B2 `/ W3 S
   VMMCall Get_DDB9 r, J( l" V; V
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed% k  C% T3 v4 P3 r5 K+ f2 J
* Y* I9 E2 ?' d9 c5 r. G; K+ f, }
Note as well that you can easily detect this method with SoftICE:8 N% n. I" K; S
   bpx Get_DDB if ax==0202 || ax==7a5fh
. H+ |# T8 M1 M  W: n/ g. S
) Z# M$ Q8 P; w, S__________________________________________________________________________4 R5 @4 ^) o0 Y/ y5 [& X/ [0 s

1 `% l7 g4 z1 jMethod 10
  n0 ?% c, u: m6 c=========
/ n5 s% E( S7 R. O/ I, x8 n/ E& q+ s( l0 e5 ]1 r
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
0 h3 e! [7 Z  K/ a3 ~9 @  SoftICE while the option is enable!!
( G: ^! I! ?' h# B" _* }. v
+ \5 A& v3 n6 f5 OThis trick is very efficient:. _  x/ L/ v8 U" o7 b+ U
by checking the Debug Registers, you can detect if SoftICE is loaded
+ V+ c) Q1 D. a' k8 d( J(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 K3 N5 }: L6 B& \; M: k3 ethere are some memory breakpoints set (dr0 to dr3) simply by reading their
( k5 R* c' V5 f# \) ]value (in ring0 only). Values can be manipulated and or changed as well( k3 V7 K# C; p5 p) C' K" o1 Q
(clearing BPMs for instance)
8 b1 b# M7 _) w& I9 X
/ ^' a9 L5 x7 C% H& R" E- X: ~__________________________________________________________________________6 ?, S3 P$ s* ?. o( Y

7 n  T# ~3 R( D* z% mMethod 11. G) A3 S% s! b! k
=========
0 g" h4 y. c& h/ ~0 j( d$ l4 C/ ]' i' `/ O$ W4 e
This method is most known as 'MeltICE' because it has been freely distributed% S  T5 G9 ]4 D( P; G
via www.winfiles.com. However it was first used by NuMega people to allow( b6 \$ b8 [, [9 Q( V
Symbol Loader to check if SoftICE was active or not (the code is located
. Q0 }) Q: _" c% `; d4 Q5 G' i  `% Ninside nmtrans.dll).
1 i( I$ q; e  w; K% |
" S/ M: S0 l+ w0 u- SThe way it works is very simple:
5 o' W! j) J9 KIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for  L  e# H# S/ W* y: s: E7 X
WinNT) with the CreateFileA API.
- R) }% F! M7 K1 w+ ?
1 _7 {! w. o* g) ~1 a) ^Here is a sample (checking for 'SICE'):
) s- @) m8 e4 s5 J0 z: ?  K8 m; B4 z( Z
BOOL IsSoftIce95Loaded()7 f8 \% }. N! w) ]+ e2 D
{
2 ^1 y1 N$ N1 F: g   HANDLE hFile;  / d2 u) T9 p( u( l
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- t, h0 I" ~- `" E                      FILE_SHARE_READ | FILE_SHARE_WRITE,
/ m- G5 i& \2 h/ P  y                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ W& O. w# Q- D0 c
   if( hFile != INVALID_HANDLE_VALUE )3 _5 D& m' f6 y
   {7 [# J8 b) v! C- Y6 F
      CloseHandle(hFile);
- h' y4 @0 F. x      return TRUE;4 F# z9 F& m7 w; X8 Q
   }
1 r# C5 n' q9 R! j8 [   return FALSE;, d3 c2 r2 A4 }) L# j
}
* y: W3 c/ N8 T3 G# P9 R9 L; u! y1 U. ]4 e" W
Although this trick calls the CreateFileA function, don't even expect to be
% `9 O1 n0 q( C' b2 Y. `; Cable to intercept it by installing a IFS hook: it will not work, no way!$ {: M- w& ]: T8 d1 N5 p, t
In fact, after the call to CreateFileA it will get through VWIN32 0x001F. t- n- [1 T7 P( R% A& |4 c# O( ?/ E
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
- |( ]$ ~1 x8 E# X/ aand then browse the DDB list until it find the VxD and its DDB_Control_Proc; X+ g3 p: _7 Q/ }
field.
; a' E5 r' C) n1 T' l% eIn fact, its purpose is not to load/unload VxDs but only to send a
8 ?$ v% a4 H( q8 ~5 A% HW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)5 m# C% o: h( f4 ~3 G
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
' C5 J. K! k- Y& w1 kto load/unload a non-dynamically loadable driver such as SoftICE ;-).  C( j( S& L' K
If the VxD is loaded, it will always clear eax and the Carry flag to allow  _0 p% `( J: c6 R! N
its handle to be opened and then, will be detected.2 `7 k3 j( m* a8 h4 F3 S
You can check that simply by hooking Winice.exe control proc entry point& r# G  T/ A  ~; F4 Q! Z; e
while running MeltICE.+ d, l5 k+ |- A# M# t

0 F  W% U5 n5 b  g
! _/ `& U) @0 K0 {  00401067:  push      00402025    ; \\.\SICE1 H; [6 t$ h, s' k) _7 H9 ~2 G* w6 s
  0040106C:  call      CreateFileA
  z: G/ b* D2 W# R% h  00401071:  cmp       eax,-001% i' ?1 {7 A% ^5 w& x9 _) a$ a* z
  00401074:  je        00401091
! Z4 F: {6 M$ _1 i$ Q" m* v! |' n! ^1 j2 `# w: n

# ?$ k: I$ u6 c/ v  @/ ?; L  JThere could be hundreds of BPX you could use to detect this trick.
# U4 `. k$ _2 k1 p  T-The most classical one is:
2 d. z6 d: q- v6 p  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
; R' F+ Y3 `! G: [2 \    *(esp-&gt;4+4)=='NTIC'" [/ E$ N: C+ V4 i

9 _1 w0 x" s9 A. i-The most exotic ones (could be very slooooow :-(
# i! ]! _( u) f$ n   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
- q- ~8 t8 A! {$ z; a2 m7 n' L     ;will break 3 times :-(
+ b! m/ ?, C( ^
* `" G7 e6 k/ U; i; t-or (a bit) faster:
8 N/ n2 y# ^- }- Q/ {3 M   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 Z& X) i/ ~/ F6 X( i% T! B1 Z: H9 G2 }8 K! K4 D" V
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  0 e6 l. p; y' J" O- @) y4 T
     ;will break 3 times :-(
9 B. Q( v% i# a
" z  ^, E% j3 E5 I/ |# k+ H-Much faster:- d( [" a5 a8 Y+ }, F" C$ l
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'" N, M3 [" w( M# e7 p- f! M; P
% b6 T9 g: g4 |* ?4 ~
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
" L# D" [9 b! b( a9 N0 g8 s. \function to do the same job:* [9 z* b- N* i4 u8 M- I# W  l

- ~. f+ [( O6 r/ t( g. Y* j' i   push    00                        ; OF_READ
" N5 p2 {6 M4 ?. x   mov     eax,[00656634]            ; '\\.\SICE',09 c2 I7 ~- w; E9 g8 |8 p. z% Z
   push    eax+ n3 {7 g% u: u& d" T5 c4 a/ X& p9 @: e. `
   call    KERNEL32!_lopen2 c; o$ Q' v% G) _+ p$ J; r# T
   inc     eax
/ c3 |$ A% U0 h/ Y/ U   jnz     00650589                  ; detected; d# z2 r0 m7 {+ e" B/ C9 e
   push    00                        ; OF_READ
( r7 Z2 s8 R# F7 H   mov     eax,[00656638]            ; '\\.\SICE'7 m4 B5 @" }, k/ r! R
   push    eax
, j( z( ~$ n. `6 I- a   call    KERNEL32!_lopen
; i4 }$ `' T9 g   inc     eax; j$ L6 m1 _+ i! y' B* Y. O
   jz      006505ae                  ; not detected
( Q" |$ N8 U8 }; v* e$ c% d
" T0 u( _- }3 E- U* s+ m* t1 t& z
1 X8 z, w  g; |8 q+ p) X__________________________________________________________________________! |; A- @# M$ f8 E! w; p6 K* e# x

9 e  E  S) B  q! V4 d2 E2 FMethod 12
! B  @5 Z- R4 Y6 f0 c" s/ u" b5 B2 ?=========
& W, q& W! B( ~4 k" z& H
' T6 |. M- M+ f, O$ f8 s, _; u8 rThis trick is similar to int41h/4fh Debugger installation check (code 058 ^" s/ H( D/ a) j3 T' X
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
0 ], J3 `, }2 g. a0 Y$ gas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
+ v8 P, l7 h9 D7 m% I7 ?' L  q
, s& I! G: r& m! f/ ?4 }8 S   push  0000004fh         ; function 4fh% X4 A4 \& V4 V, r, s
   push  002a002ah         ; high word specifies which VxD (VWIN32)$ x6 B4 n9 J8 I' A2 t" S4 `
                           ; low word specifies which service
9 {: Y3 t$ t$ t                             (VWIN32_Int41Dispatch)
* {9 m9 V: i# }& q   call  Kernel32!ORD_001  ; VxdCall0 Q& R$ B/ F! @
   cmp   ax, 0f386h        ; magic number returned by system debuggers0 k) u1 r* H$ `7 H8 W% h
   jz    SoftICE_detected
7 O! f3 t9 V+ i: ^! S/ u/ h
& ~6 J# K: }( M9 b* l2 x6 FHere again, several ways to detect it:- J! Y( o% j- ^- o# q' K/ u$ r( V4 ^

8 b' {4 x& f) @    BPINT 41 if ax==4f
! ]+ M- ^  Y" w$ _; L
( R, l6 P* I; E3 b- T& F    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
9 y% M, ?' Z& ?2 ~) M% T4 V+ T* t  l2 {/ w8 y( v+ n3 ~+ b4 \
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
3 E- V1 w7 }8 T- B5 |3 H# }: }* I$ B5 y2 O0 _& @
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
% e! |2 a/ x3 F) A8 [! m# W! J; c
- h& \# R0 ?3 v; Y__________________________________________________________________________1 Z8 R" r3 I" P2 y- H

8 P( q: v7 R2 E, U) cMethod 13- ~& L8 ^- c% r
=========0 E6 E1 Q6 L! o* t. z

3 D, r5 I0 c6 t8 |/ P5 I3 G/ xNot a real method of detection, but a good way to know if SoftICE is: M$ U3 q: m: l) `& G3 @! t
installed on a computer and to locate its installation directory.
1 E9 s/ ]2 d, j6 S/ k6 Z/ y/ ~It is used by few softs which access the following registry keys (usually #2) :
& D* \4 N" {, y& G' N5 r
  k) F' K% s1 T$ `5 o; Q-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 p0 g' J8 k- p0 o- K\Uninstall\SoftICE6 `, ]" J% q$ v
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 ^) D' m! C6 J0 ^7 t, a; B' ~
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 x3 m7 C' X3 L8 _& Q
\App Paths\Loader32.Exe
; N3 ^3 [4 d; e) _; I) |& I. c% J" {% n9 h" a: a6 ~
7 `" c: u' o) G8 O& Q
Note that some nasty apps could then erase all files from SoftICE directory
; F3 ^4 V& m0 P. X! c9 @2 P(I faced that once :-(
0 D8 `/ p# z9 C$ Q$ C
3 d( w/ O; o: Q9 w1 z6 O, N8 oUseful breakpoint to detect it:
! y1 V7 a. s, ^0 C4 ^6 Y
' m9 S! y: B( U" s2 b* K8 F! b     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'9 k' n5 @5 E9 y( s! _6 e
+ H  I0 P& @- }' F3 F, N
__________________________________________________________________________7 B( k6 p% O0 L+ X$ _

$ {: c3 B3 o1 A8 i/ k4 `% Q& K& x# V+ ~2 E
Method 14
# r* p- X* r" ]$ d& s=========) f' _' f0 B3 Q& M4 k( B- D4 x) Y: n" p

" i* T6 _7 l2 g% o; P7 JA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
! n. C4 B, l; }, q0 X5 lis to determines whether a debugger is running on your system (ring0 only).5 \7 [5 H7 E, y  B" ]9 v! p

  P; u: S" B) X# z   VMMCall Test_Debug_Installed8 e: z! p4 Q( X$ I. t2 T; K
   je      not_installed+ O/ o) x  v, g7 e# p

+ x* k! k# N2 p  j/ s. s: N! ZThis service just checks a flag.
" X9 v+ I% h" `2 x; w</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 20:32

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表