About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 so that es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and put the old vector back
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
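As an added illustration that is not part of the original text: the Python below decodes a DR7 value into the breakpoints it enables, which is what the 0x400 / 0x700 comparison in Method 10 is really reading. The bit layout is the standard x86 one (L0/G0 .. L3/G3 in bits 0-7, LE and GE in bits 8-9, bit 10 reserved and always read as 1, GD in bit 13, then R/Wn and LENn fields from bit 16 up), so 0x400 is the bare reserved bit and 0x700 adds LE and GE. The DR0 address and the DR7 value with one armed write breakpoint are constructed sample values.

```python
# Added example (not from the original text): decode an x86 DR7 value into the
# hardware breakpoints it enables. Method 10 reads DR0..DR7 in ring 0 and
# compares DR7 against 0x400 / 0x700; this shows what those bits mean.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding (10b = 8 bytes, 64-bit only)

def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the global flags of DR7 and a list of the enabled breakpoint slots.

    dr0_3: the four linear addresses read from DR0..DR3 (constructed sample).
    """
    info = {
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1 on real hardware
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),              # general detect: traps MOV DRn
        "breakpoints": [],
    }
    for slot in range(4):
        local_en = bool(dr7 & (1 << (2 * slot)))
        global_en = bool(dr7 & (1 << (2 * slot + 1)))
        if not (local_en or global_en):
            continue                              # slot disabled: Ln = Gn = 0
        rw = (dr7 >> (16 + 4 * slot)) & 0b11      # R/Wn: condition
        ln = (dr7 >> (18 + 4 * slot)) & 0b11      # LENn: size of the watched range
        info["breakpoints"].append({
            "slot": slot,
            "address": dr0_3[slot],
            "scope": "global" if global_en else "local",
            "type": RW_NAMES[rw],
            # execute breakpoints must use LEN = 00; report 1 byte regardless
            "length": 1 if rw == 0 else LEN_BYTES[ln],
        })
    return info

def classify_dr7(dr7):
    """Summarise DR7 the way the text reads it: clean, loader flags, or BPM armed."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoint(s) armed"
    if info["LE"] or info["GE"]:
        return "no breakpoints, but LE/GE set (text: program started via SoftICE loader)"
    return "clean: only the reserved bit 10 set"

def encode_bpm(slot, rw, length_bytes, global_scope=True):
    """Build a DR7 value that arms one slot (helper used to construct the sample)."""
    enable = 1 << (2 * slot + (1 if global_scope else 0))
    ln = {1: 0, 2: 1, 8: 2, 4: 3}[length_bytes]
    return (1 << 10) | enable | (rw << (16 + 4 * slot)) | (ln << (18 + 4 * slot))

if __name__ == "__main__":
    # constructed sample: 4-byte global write watchpoint on DR0 = 0x401000
    sample = encode_bpm(0, rw=1, length_bytes=4)
    for value in (0x400, 0x700, sample):
        print(hex(value), "->", classify_dr7(value),
              decode_dr7(value, (0x401000, 0, 0, 0))["breakpoints"])
```

Reading DR7 needs ring 0, exactly as the text says; the decoder is only the interpretation step, and it is the same interpretation a forensic tool applies when it inspects a saved register context.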

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
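As an added, defender-side example that is not part of the original text: a small static scanner that looks through a raw code or data blob for the byte patterns of the checks described above, the kind of signature a triage script or YARA rule would carry. The opcode encodings are the standard x86 ones (mov r16,imm16 is B8+reg, int imm8 is CD xx, cmp ax,imm16 is 3D, cmp al,imm8 is 3C, int 3 is CC; the 66h operand-size prefix that 32-bit code adds does not change the matched suffix), the sample blob is constructed for the demonstration, and the table goes a little beyond the page's own listings by covering Methods 01-05, 07, 11, 12 and 13 in one place.

```python
# Added example (not from the original text): static signature scan for the
# anti-SoftICE checks described above. It assumes plain 16/32-bit x86 opcode
# encodings; the `.{0,8}` gaps tolerate a few unrelated bytes between the key
# instructions. Case-insensitive matching is applied only to the string checks,
# never to opcode bytes (0x4B is 'K', and re.I would also accept 'k' = 0x6B).
import re

SIGNATURES = [
    # (method, description, pattern over raw bytes, extra regex flags)
    ("01", "BoundsChecker backdoor: mov ebp,'BCHK' ... int 3 ... cmp al,4",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC.{0,8}\x3C\x04", 0),
    ("02", "SoftICE int 3 backdoor: magic values mov si,4647h / mov di,4A4Dh",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A", 0),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xBB\x02\x02.{0,8}\xCD\x2F", 0),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xBB\x5F\x7A.{0,8}\xCD\x2F", 0),
    ("05", "int 41h fn 4Fh check: mov ax,4Fh / int 41h / cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,8}\xCD\x41.{0,8}\x3D\x86\xF3", 0),
    ("07", "int 68h fn 43h check: mov ah,43h / int 68h / cmp ax,0F386h",
     rb"\xB4\x43.{0,8}\xCD\x68.{0,8}\x3D\x86\xF3", 0),
    ("11", "MeltICE-style device name (\\\\.\\SICE, \\\\.\\SIWVID, \\\\.\\NTICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)", re.I),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 2A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", 0),
    ("13", "SoftICE registry key strings",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe", re.I),
]
# re.S makes `.` match any byte, including 0x0A, inside the instruction gaps.
COMPILED = [(m, d, re.compile(p, re.S | f)) for m, d, p, f in SIGNATURES]

def scan(blob):
    """Return sorted (offset, method, description) tuples for every signature hit."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)

# Constructed sample blob: Method 01 and Method 05 code, then two indicator strings.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh  ('BCHK')
    + b"\xB8\x04\x00"                   # mov ax, 4
    + b"\xCC"                           # int 3
    + b"\x3C\x04"                       # cmp al, 4
    + b"\x75\x10"                       # jnz SoftICE_Detected
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41"           # mov ax, 4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x05"           # cmp ax, 0F386h / jz SoftICE_detected
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"                # MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"  # registry key from Method 13
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: Method {method}: {desc}")
```

Run it over a dumped section (`scan(open(path, "rb").read())`) rather than the packed file itself: every method on this page is executed from unpacked code, so the patterns only show up once the packer layer has been removed or the process has been dumped.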