About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES -&gt; segment 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; only a debugger sitting below the IVT can answer
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our own handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; any 'random' value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler did not run: someone caught int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds when the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
and 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
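Several of the methods above leave fixed byte sequences in any binary that uses them: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, the VxD IDs of Methods 03/04, the int 41h/4Fh probe and the 0F386h comparison of Methods 05 and 12, and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11. The Python scanner below is an added example, not part of the original text: it turns those constants into byte-pattern rules and reports which methods a sample appears to contain. The rule names, the function names and the sample blob are constructed for this example; the blob is hand-assembled from the instruction encodings and is not taken from any real program.

```python
"""Static triage for anti-SoftICE constants (added example, constructed data)."""
import re
import sys

# (rule name, method(s) in the text, byte pattern).  x86 immediates are
# little-endian, so 'BCHK' = 4243484Bh appears in the file as 4B 48 43 42.
RULES = [
    ("bchk_boundschecker", "01",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),                  # mov ebp, 4243484Bh
    ("backdoor_magic_si_di", "02",
     re.compile(rb"\xBE\x47\x46|\xBF\x4D\x4A")),             # mov si,4647h / mov di,4A4Dh
    ("int2f_1684_vxd_id", "03/04",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A)[\s\S]{0,8}?\xCD\x2F")),  # mov bx,0202h|7A5Fh ... int 2Fh
    ("int41_4f_probe", "05",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),                  # mov ax,4Fh ; int 41h
    ("debugger_magic_f386", "05/12",
     re.compile(rb"\x66?\x3D\x86\xF3")),                     # cmp ax,0F386h (16- or 32-bit code)
    ("meltice_device_name", "11",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),     # "\\.\SICE" etc. as a C string
]


def scan(blob):
    """Return every hit as (offset, rule name, method), sorted by offset."""
    hits = []
    for name, method, rx in RULES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name, method))
    return sorted(hits)


def methods_present(blob):
    """Sorted list of the method numbers (as labelled in the text) whose constants were found."""
    return sorted({method for _, _, method in scan(blob)})


# Constructed sample: a fake header followed by hand-assembled 16-bit fragments
# mirroring Methods 01, 02, 05, 11 and 03, separated by zero padding.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\x00" * 8
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"              # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x00" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"              # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                       # device names as passed to CreateFileA
    + b"\x00" * 8
    + b"\xBB\x02\x02\xCD\x2F"                                  # mov bx,0202h; int 2Fh
)


def report(blob, label="sample"):
    """Print a triage listing; returns the number of hits so callers can branch on it."""
    hits = scan(blob)
    print(f"{label}: {len(hits)} anti-SoftICE pattern(s), methods {methods_present(blob)}")
    for offset, name, method in hits:
        print(f"  0x{offset:08X}  {name:24} (Method {method})")
    return len(hits)


if __name__ == "__main__":
    # With a path argument the real file is scanned; otherwise the constructed sample.
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            report(f.read(), sys.argv[1])
    else:
        report(SAMPLE)
```

The optional 66 prefix covers `cmp ax, 0F386h` compiled in 32-bit code, and the `[\s\S]{0,8}?` gap allows a few instructions between the `mov bx` and the `int 2Fh` of Methods 03/04. Byte matching is only triage: a packer can rebuild these constants at run time, so a hit is a reason to look at the code around the reported offset, not a verdict.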

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>