About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK': BoundsChecker interface signature
    mov     ax, 04h                ; sub-function 4
    int     3                      ; SoftICE answers the BCHK interface here
    cmp     al,4                   ; AL unchanged: nobody handled the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di               ; ES:DI = 0; an unknown VxD leaves it unchanged
    mov     ax, 1684h           ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 0202h           ; VxD ID of winice
    int     2Fh
    mov     ax, es              ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax               ; non-zero: the VxD answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh          ; int 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h      ; a system debugger answers with the magic value
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install a dummy int 41h handler (ES = 0, see
    xchg    bx, es:[41h*4+2]    ; Method 06), saving the old vector in DX:BX
    mov     ax,4fh
    int     41h                 ; a debugger intercepts this before the IVT handler
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; dummy handler: leaves AX untouched
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; dummy handler: copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install the dummy handler, old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the PIT counter: a hard-to-predict byte
    xor     cx,cx
    int     41h                 ; if our handler ran, CL == AL afterwards
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL != AL: something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h          ; int 68h/43h: debugger installation check
    int     68h
    cmp     ax,0F386h       ; same magic value as int 41h/4Fh
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
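The 0x400 and 0x700 values above are the text's observed DR7 readings. The following is an added C example, not part of the original text, that decodes a DR7 value into its fields using the bit layout documented in the Intel manual, so those two values and a DR7 with a memory breakpoint armed can be read off; the struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of the x86 DR7 debug-control register (layout per the Intel SDM). */
struct dr7_info {
    int local_enabled[4];   /* L0..L3: bits 0,2,4,6 */
    int global_enabled[4];  /* G0..G3: bits 1,3,5,7 */
    int le, ge;             /* bits 8, 9: local/global exact breakpoint */
    int gd;                 /* bit 13: general detect, traps MOV to a DRn */
    int rw[4];              /* R/Wn: 0=exec 1=write 2=io 3=read/write */
    int len[4];             /* LENn: 0=1 byte 1=2 bytes 3=4 bytes */
    int active;             /* number of slots with L or G set */
};

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info d = {0};
    for (int i = 0; i < 4; i++) {
        d.local_enabled[i]  = (dr7 >> (2 * i)) & 1;
        d.global_enabled[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i] = (dr7 >> (18 + 4 * i)) & 3;
        if (d.local_enabled[i] || d.global_enabled[i])
            d.active++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Bit 10 of DR7 is reserved and always reads as 1, so 0x400 is a DR7 with
   nothing set; 0x700 is 0x400 plus LE and GE (bits 8 and 9), no slot armed. */
int dr7_is_idle(uint32_t dr7)
{
    struct dr7_info d = dr7_decode(dr7);
    return d.active == 0 && !d.le && !d.ge && !d.gd;
}

/* R/W code of breakpoint slot n, or -1 when that slot is not enabled. */
int dr7_bp_rw(uint32_t dr7, int n)
{
    struct dr7_info d = dr7_decode(dr7);
    if (n < 0 || n > 3 || !(d.local_enabled[n] || d.global_enabled[n]))
        return -1;
    return d.rw[n];
}

int main(void)
{
    /* Constructed samples: the two values from the text, plus one with slot 0
       armed as a 4-byte read/write breakpoint (a memory breakpoint). */
    uint32_t samples[] = { 0x400, 0x700, 0x000F0401 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = dr7_decode(samples[i]);
        printf("dr7=0x%08x: idle=%d LE=%d GE=%d GD=%d active=%d\n", (unsigned)samples[i],
               dr7_is_idle(samples[i]), d.le, d.ge, d.gd, d.active);
        for (int n = 0; n < 4; n++)
            if (dr7_bp_rw(samples[i], n) >= 0)
                printf("  slot %d: rw=%d len=%d\n", n, d.rw[n], d.len[n]);
    }
    return 0;
}
```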

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" names the SoftICE VxD; the open only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
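The breakpoint conditions in Methods 11 and 13 compare four bytes at fixed offsets into an API argument: CreateFileA's file name after the four-byte "\\.\" prefix, and the subkey name at offsets 0x13 and 0x37, which is where "tICE" sits in keys #2 and #1. Here is an added C example, not from the original text, that reproduces those checks on constructed argument strings and contrasts them with a whole-name, case-insensitive match; the function names are mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Emulates SoftICE's *(ptr+off)=='tICE' test: compare the 4 bytes at a fixed
   offset; 0 when the string is too short to hold them. */
int dword_at_matches(const char *s, size_t off, const char *tag4)
{
    if (strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag4, 4) == 0;
}

/* The "BPX CreateFileA" condition: esp->4 is lpFileName, +4 skips the device prefix. */
int createfile_name_is_softice(const char *path)
{
    return dword_at_matches(path, 0, "\\\\.\\") &&
           (dword_at_matches(path, 4, "SICE") ||
            dword_at_matches(path, 4, "SIWV") ||
            dword_at_matches(path, 4, "NTIC"));
}

/* The "BPX _regopenkey" condition: esp->8 is lpSubKey; 0x13 is where "tICE"
   sits in "Software\NuMega\SoftICE" (key #2), 0x37 where it sits in key #1. */
int regkey_is_softice_fixed_offset(const char *subkey)
{
    return dword_at_matches(subkey, 0x13, "tICE") ||
           dword_at_matches(subkey, 0x37, "tICE");
}

/* Registry key names are case-insensitive; a byte compare is not. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Whole-name form a hook would prefer: all three keys from the text, any case. */
int regkey_is_softice(const char *subkey)
{
    static const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (ieq(subkey, keys[i]))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed argument strings, as a hook on the two APIs would see them. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\NTICE", "C:\\SICE.txt" };
    const char *keys[] = { "Software\\NuMega\\SoftICE", "SOFTWARE\\NUMEGA\\SOFTICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (int i = 0; i < 3; i++)
        printf("CreateFileA(\"%s\") -> %d\n", paths[i], createfile_name_is_softice(paths[i]));
    for (int i = 0; i < 3; i++)
        printf("RegOpenKey(\"%s\") -> offset check %d, whole-name check %d\n", keys[i],
               regkey_is_softice_fixed_offset(keys[i]), regkey_is_softice(keys[i]));
    return 0;
}
```

The fixed-offset form misses key #3 and an all-uppercase spelling of key #2, both of which the whole-name form catches.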


__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed    ; ZF set when no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>