About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: it calls the
BoundsChecker/SoftICE interface through int 3 with EBP='BCHK' and AX=4.
A loaded SoftICE answers by changing AL; if nobody answered, AL is still 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL unchanged => SoftICE did not answer
    jnz     SoftICE_Detected

____________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point").  ES:DI is zeroed first; only a loaded VxD
carrying that ID fills it in, so a non-zero ES:DI afterwards means SoftICE
is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one swaps a dummy handler into the
int 41h vector first, so that with no debugger present the int 41h comes
straight back with AX unchanged:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: neither
the 4Fh function code nor the 0F386h compare appears in the code. The dummy
handler copies AL into CL; if the int 41h really reached that handler, CL
equals the random AL read from port 40h, otherwise something else (a debugger)
consumed the call:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: an unpredictable AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

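To make the dr7 values quoted above concrete, here is a DR7 decoder as an added example (not code from the original text). It splits the register into the per-slot enable, R/W and LEN fields of DR0..DR3, flags the LE/GE "exact breakpoint match" bits that distinguish 0x700 from the bare 0x400 (bit 10 is the reserved bit that always reads as 1), counts how many debug address registers are armed, which is what a BPM shows up as, and builds the value a ring0 routine would write back to clear them. Reading DR7 itself still has to happen at ring0; the inputs here are constants, the third one being my assumed encoding of a single 4-byte read/write BPM in DR0.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-slot fields of DR7 for the debug address registers DR0..DR3. */
typedef struct {
    int local_enable;   /* Ln: DR7 bit 2n   */
    int global_enable;  /* Gn: DR7 bit 2n+1 */
    int rw;             /* R/Wn (bits 16+4n,17+4n): 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len;            /* LENn (bits 18+4n,19+4n) as a byte count: 1, 2, 4 (8 only on x86-64) */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le;      /* bit 8:  local exact breakpoint match  */
    int ge;      /* bit 9:  global exact breakpoint match */
    int gd;      /* bit 13: general detect, faults any MOV to/from DRn */
    int armed;   /* how many of DR0..DR3 have L or G set */
} dr7_decoded;

dr7_decoded decode_dr7(uint32_t dr7)
{
    static const int len_bytes[4] = {1, 2, 8, 4};   /* LEN encodings 00, 01, 10, 11 */
    dr7_decoded d = {0};
    for (int n = 0; n < 4; n++) {
        dr7_slot *s = &d.slot[n];
        s->local_enable  = (dr7 >> (2 * n)) & 1;
        s->global_enable = (dr7 >> (2 * n + 1)) & 1;
        s->rw            = (dr7 >> (16 + 4 * n)) & 3;
        s->len           = len_bytes[(dr7 >> (18 + 4 * n)) & 3];
        if (s->local_enable || s->global_enable)
            d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The page's heuristic: LE and GE set (0x700 rather than 0x400) means the
 * program was started through the SoftICE loader. */
int loaded_with_sice_loader(uint32_t dr7)
{
    dr7_decoded d = decode_dr7(dr7);
    return d.le && d.ge;
}

/* Number of hardware breakpoints (BPMs) currently armed. */
int armed_bpm_count(uint32_t dr7)
{
    return decode_dr7(dr7).armed;
}

/* Drop every L/G enable bit and LE/GE, keep the reserved bit 10 set:
 * the value a ring0 routine would write back to clear all BPMs. */
uint32_t dr7_with_bpms_cleared(uint32_t dr7)
{
    return (dr7 & ~0x000003FFu) | 0x00000400u;
}

static void show(const char *label, uint32_t dr7)
{
    dr7_decoded d = decode_dr7(dr7);
    printf("%-18s dr7=%08x LE=%d GE=%d GD=%d armed=%d\n",
           label, (unsigned)dr7, d.le, d.ge, d.gd, d.armed);
    for (int n = 0; n < 4; n++)
        if (d.slot[n].local_enable || d.slot[n].global_enable)
            printf("  DR%d: %s, rw=%d, len=%d\n", n,
                   d.slot[n].global_enable ? "global" : "local",
                   d.slot[n].rw, d.slot[n].len);
}

int main(void)
{
    show("SoftICE loader:",   0x00000700u);   /* value quoted on the page */
    show("normal start:",     0x00000400u);   /* value quoted on the page */
    show("one BPM RW dword:", 0x000F0402u);   /* assumed: G0 set, R/W0=11b, LEN0=11b */
    return 0;
}
```

The LEN encoding 10b is listed as 8 bytes because that is its meaning in 64-bit mode; on the 32-bit systems this text targets it is undefined and a decoder should treat it as suspicious rather than trust it.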
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name the SoftICE VxD answers to on Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

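The constants in methods 01 to 07 and in method 12 above (the 'BCHK' and 4647h magic values, the 0202h/7A5Fh VxD IDs, function 4Fh on int 41h, function 43h on int 68h, the 002A002Ah VxDCall selector and the 0F386h reply) make a usable static signature set when you are triaging a packed binary rather than single-stepping it. The C program below is an added example, not part of the original text or of any tool it names: it scans a code buffer for each idiom by finding the instruction that loads the tell-tale immediate and then requiring the matching INT (or the cmp ax,0F386h) within a few bytes, so a stray constant in a data area does not count. The sample buffer is constructed from the snippets above with placeholder jump targets; the opcode bytes are the standard x86 encodings (the 16-bit forms also match 32-bit code, where the same bytes follow a 66h operand-size prefix). Method 02 is keyed on the SI magic value alone, and the windows are a tunable assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One anti-SoftICE idiom: the instruction that loads the tell-tale immediate,
 * and the interrupt or magic compare that must follow it within `window` bytes. */
typedef struct {
    const char *method;
    const unsigned char *imm;  size_t imm_len;
    const unsigned char *trig; size_t trig_len;
    size_t window;
} sice_sig;

static const unsigned char S01_IMM[]  = {0xBD,0x4B,0x48,0x43,0x42};  /* mov ebp,'BCHK'        */
static const unsigned char S02_IMM[]  = {0xBE,0x47,0x46};            /* mov si,4647h          */
static const unsigned char INT3[]     = {0xCC};                      /* int 3                 */
static const unsigned char S03_IMM[]  = {0xBB,0x02,0x02};            /* mov bx,0202h (SICE)   */
static const unsigned char S04_IMM[]  = {0xBB,0x5F,0x7A};            /* mov bx,7A5Fh (SIWVID) */
static const unsigned char INT2F[]    = {0xCD,0x2F};                 /* int 2Fh               */
static const unsigned char S05_IMM[]  = {0xB8,0x4F,0x00};            /* mov ax,4Fh            */
static const unsigned char INT41[]    = {0xCD,0x41};                 /* int 41h               */
static const unsigned char S07_IMM[]  = {0xB4,0x43};                 /* mov ah,43h            */
static const unsigned char INT68[]    = {0xCD,0x68};                 /* int 68h               */
static const unsigned char S12_IMM[]  = {0x68,0x2A,0x00,0x2A,0x00};  /* push 002A002Ah        */
static const unsigned char CMP_F386[] = {0x3D,0x86,0xF3};            /* cmp ax,0F386h         */

static const sice_sig SIGS[] = {
    {"01 int 3 BoundsChecker 'BCHK'",     S01_IMM, sizeof S01_IMM, INT3,     sizeof INT3,     16},
    {"02 int 3 back door (SI=4647h)",     S02_IMM, sizeof S02_IMM, INT3,     sizeof INT3,     16},
    {"03 int 2Fh/1684h SICE VxD ID",      S03_IMM, sizeof S03_IMM, INT2F,    sizeof INT2F,    16},
    {"04 int 2Fh/1684h SIWVID VxD ID",    S04_IMM, sizeof S04_IMM, INT2F,    sizeof INT2F,    16},
    {"05 int 41h function 4Fh",           S05_IMM, sizeof S05_IMM, INT41,    sizeof INT41,    16},
    {"07 int 68h function 43h",           S07_IMM, sizeof S07_IMM, INT68,    sizeof INT68,     8},
    {"12 VxDCall VWIN32_Int41Dispatch",   S12_IMM, sizeof S12_IMM, CMP_F386, sizeof CMP_F386, 16},
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { size_t offset; const char *method; } sice_hit;

/* Does `pat` occur anywhere in buf[from, to)?  `to` is clamped to the buffer. */
static int find_in_window(const unsigned char *buf, size_t len, size_t from, size_t to,
                          const unsigned char *pat, size_t pat_len)
{
    if (to > len) to = len;
    for (size_t i = from; i + pat_len <= to; i++)
        if (memcmp(buf + i, pat, pat_len) == 0) return 1;
    return 0;
}

/* Scan a code buffer; returns the number of hits (the first max_hits are stored, in offset order). */
size_t scan_anti_sice(const unsigned char *buf, size_t len, sice_hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t s = 0; s < NSIGS; s++) {
            const sice_sig *g = &SIGS[s];
            if (i + g->imm_len > len) continue;
            if (memcmp(buf + i, g->imm, g->imm_len) != 0) continue;
            size_t start = i + g->imm_len;           /* the INT must follow the immediate load */
            if (!find_in_window(buf, len, start, start + g->window, g->trig, g->trig_len)) continue;
            if (n < max_hits) { hits[n].offset = i; hits[n].method = g->method; }
            n++;
        }
    }
    return n;
}

/* Constructed sample: the page's snippets assembled back to back, plus a decoy. */
const unsigned char SAMPLE_CODE[] = {
    /* Method 01 (32-bit): mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4 / jnz */
    0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    /* Method 03 (16-bit): xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
       / mov ax,es / add ax,di / test ax,ax / jnz */
    0x31,0xFF, 0x8E,0xC7, 0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F,
    0x8C,0xC0, 0x01,0xF8, 0x85,0xC0, 0x75,0x10,
    /* Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x10,
    /* Method 07: mov ah,43h / int 68h / cmp ax,0F386h / jz */
    0xB4,0x43, 0xCD,0x68, 0x3D,0x86,0xF3, 0x74,0x10,
    /* Method 12 (32-bit): push 4Fh / push 002A002Ah / call rel32 / cmp ax,0F386h / jz */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xE8,0x00,0x00,0x00,0x00, 0x66,0x3D,0x86,0xF3, 0x74,0x10,
    /* Decoy: the SICE VxD ID followed by ret, no int 2Fh in reach -> must not be reported */
    0xBB,0x02,0x02, 0xC3,
};
const size_t SAMPLE_CODE_LEN = sizeof SAMPLE_CODE;

int main(void)
{
    sice_hit hits[16];
    size_t n = scan_anti_sice(SAMPLE_CODE, SAMPLE_CODE_LEN, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("offset %3zu: method %s\n", hits[i].offset, hits[i].method);
    return 0;
}
```

On the sample the scanner reports five hits (methods 01, 03, 05, 07 and 12) and stays silent on the decoy. Against a real packer expect the immediate load and the INT to be separated by junk or split across a jump, so widen the window or disassemble from the immediate rather than relying on a fixed byte distance; the method 09, 10, 11, 13 and 14 tricks have no interrupt to key on and need API, DDB or registry hooks instead.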
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.