找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500># ]" C0 q/ h! I: B- y
<TBODY>
; @6 J( u% Y  }% Q6 t2 V<TR>
  U& G* e8 ]: Q7 M9 c<TD><PRE>Method 01
1 k3 J0 _) B4 i# X1 C  v) v=========
0 ?7 n0 _, ]) o/ i# f+ [# _( S1 I% g# u/ ^# h# ]: F- Y
This method of detection of SoftICE (as well as the following one) is
9 U" g4 j/ @' c% Q- \used by the majority of packers/encryptors found on Internet.
( o/ t( L4 |8 r; E& ^- V. l, vIt seeks the signature of BoundsChecker in SoftICE/ Y: y% t+ B6 \( V5 C/ \; S$ T

, `# D3 d! m0 s# @8 G, b    mov     ebp, 04243484Bh        ; 'BCHK'
5 Q! O. v8 f6 ~9 @/ ?9 Q6 i    mov     ax, 04h3 K$ D0 S' _) H) J  ~2 H9 p
    int     3       1 i) d4 q% D; F8 c4 i
    cmp     al,4+ Q" Y2 g) I+ e2 ?0 W2 l
    jnz     SoftICE_Detected
& h' T# S  D  p5 x9 @" o, C. ~9 G& T2 c8 S3 H7 L+ x: k
___________________________________________________________________________+ k) w% @  K8 j, r( |9 o9 Y

) c. _! x% H% S% r% {Method 02
6 u% D+ B$ N" g2 N=========
6 t( r) _* W, A% A5 _( M% f7 H0 \
; b& v9 {8 H- K: Y6 n, oStill a method very much used (perhaps the most frequent one).  It is used6 k) u7 n& U+ U
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
& [8 b+ |6 C! Z# Qor execute SoftICE commands...
8 C) E, i4 \7 u2 y* ^It is also used to crash SoftICE and to force it to execute any commands9 g9 O7 M& F% _5 h+ k; A
(HBOOT...) :-((  : V$ I8 \4 R6 w/ t
: _' J  H8 S. ^/ Y8 \' q  m+ U5 {
Here is a quick description:5 V% p( w7 D+ v7 Y4 t, ?
-AX = 0910h   (Display string in SIce windows)% |) N4 U; V( M4 j" L: s8 Y
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)4 ?- O7 K) V2 X
-AX = 0912h   (Get breakpoint infos)( Q# i# }9 m3 @1 n% R2 H* s+ _
-AX = 0913h   (Set Sice breakpoints)4 f/ E8 S% `9 p3 }
-AX = 0914h   (Remove SIce breakoints)+ k$ \% C4 u9 ?- I6 u, b- h  V+ i
+ Q/ u" Z/ k0 @' c* y) U3 m) [% I- ^
Each time you'll meet this trick, you'll see:1 ~4 \, H# _" h  x/ l9 b
-SI = 4647h( b4 ?6 [9 g! j: y9 B$ P
-DI = 4A4Dh/ O( |2 `( P( S5 M! r$ k& i. @1 t
Which are the 'magic values' used by SoftIce.
0 O& N: q: D, E! S) k% X7 c) qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 r# q2 L6 u6 r% h; u7 M

9 S" h4 i+ p* Z/ J5 R; zHere is one example from the file "Haspinst.exe" which is the dongle HASP
. ~$ F7 |4 s+ P, n3 @. ~2 |$ e) IEnvelope utility use to protect DOS applications:
$ A6 P# E; `  o' }4 v
& `( c2 C# d; \* J/ v4 v
5 X, I5 V6 q2 L4C19:0095   MOV    AX,0911  ; execute command.
/ b$ S8 z) o' N* L4 p) K- q$ t4 G4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).4 |: H6 c. q6 f! \
4C19:009A   MOV    SI,4647  ; 1st magic value.% o4 E9 U. d0 i% d
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
: p, v3 p( I9 \3 |$ A9 B! p, n4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*). r- }0 Y, l9 e
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
; }8 k7 Q4 E, `4C19:00A4   INC    CX
: M4 K* Z% w; n3 b8 d4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
9 v% e2 H) s1 k* u7 @1 i6 y4C19:00A8   JB     0095     ; 6 different commands.2 _) b, D" p+ K7 {- n9 B- `; r4 X' ]
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
5 R# c. x9 f: y. k4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)7 ~. e7 {. L# S: G+ g% h
7 T0 O& R" ~. d0 o8 D& w- O
The program will execute 6 different SIce commands located at ds:dx, which
. x  }$ W" g  o( F' Nare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& W  A* ]" Z: L+ W" g8 P
- J& r, Q8 V2 F) y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. }6 ?9 Z1 A, s* K4 v
___________________________________________________________________________
( c( N7 r9 X  j9 R+ r" J
+ U6 L. p( f: K$ M7 P. G$ D9 A8 P7 n& V  M: R2 w( ]( }
Method 03
0 a: X% n4 y' Q=========
* {0 c& i# j3 w1 A
5 e. `2 q0 b% S: i& u# FLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h6 n5 F; `2 p6 L
(API Get entry point)
  s. R7 u& A4 Y! T& k* A        8 J  I' l8 ~6 x+ N  z" W

7 T  u) t5 m% M    xor     di,di
) ]( c4 ^" f* p' r) z/ u    mov     es,di
! Z+ z9 s! d: X" N- M( H    mov     ax, 1684h       ! G! n( {8 F9 Y0 W
    mov     bx, 0202h       ; VxD ID of winice
; m" w# F$ ]2 z" Z    int     2Fh' K* S4 M7 [# Z( o" ?
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
, w* j6 Q- N  j% f/ ^2 o  O+ Q0 p$ F    add     ax, di
& ^$ l( B. q$ [. \# C: j    test    ax,ax
! m+ f) }9 q7 K    jnz     SoftICE_Detected
# y8 _9 ^$ V  g" [
! L, h8 v& v1 y' I# }1 B  K___________________________________________________________________________
4 r" u5 G2 P, V8 e2 \3 l$ s, m
4 o$ V! q4 C: a4 iMethod 04
9 l" Q* ?, M2 E9 z=========
1 X% j, u& c" b% D8 W" W: r
) E( l, Q2 W# j0 I! }2 RMethod identical to the preceding one except that it seeks the ID of SoftICE0 Q  _* ?& b) I9 _) ]# [
GFX VxD.
/ K) A: m% V" t9 ?+ a! z6 h
, ~3 J0 ]9 J) {% Z$ \& V    xor     di,di5 _2 C1 Q/ Q& B/ }  `, Y  T0 {9 y$ U+ q
    mov     es,di/ F( }* j: Y% i7 S
    mov     ax, 1684h       2 ]$ C0 z/ x: }2 W% `
    mov     bx, 7a5Fh       ; VxD ID of SIWVID! x8 p9 P, o$ K' a2 U* C
    int     2fh# i/ p' \, x) L4 t8 _6 B# {' t7 _
    mov     ax, es          ; ES:DI -&gt; VxD API entry point) y1 p6 N. ]" `/ w5 {" |( A
    add     ax, di
# l3 r1 k2 n# Q* k    test    ax,ax
( x: O9 c1 v$ M1 [. T6 m4 I6 {    jnz     SoftICE_Detected5 ~. a7 x- d! }* M2 n, K

$ h) J( j& a' y. i__________________________________________________________________________$ O: `) u' h% [5 F' b
0 q3 o; i! h- L- {
4 G2 o* ]! Y7 l
Method 05
/ y0 L4 ?* o# K( y+ F4 f5 y=========" M: v6 |) A& q* C
5 j$ D( D. u% A2 Y% X! Z
Method seeking the 'magic number' 0F386h returned (in ax) by all system- m9 s! K- m( S( t
debugger. It calls the int 41h, function 4Fh.
! ~, A9 l% M& }5 U) I2 tThere are several alternatives.  ( s/ L$ ]% ?/ ?$ u

9 N' {  u; M0 C# P7 I: q- mThe following one is the simplest:( h5 B! i) C& n# ~& `- e" o8 M2 v7 x

9 n* F/ n% Q! S8 X  M) V    mov     ax,4fh
' u7 @2 ^; a/ y3 j7 ~    int     41h
/ ?. C" O; C$ o$ C' _' H    cmp     ax, 0F386
% T  ]% d5 a" N8 C" n) o5 Z    jz      SoftICE_detected  [* q$ C7 G* r

! S7 N3 ^, |; v4 q0 h0 u2 k1 o/ @9 o: ?6 D$ A# z
Next method as well as the following one are 2 examples from Stone's
- P. c  r2 u/ {$ ~3 h+ h2 i"stn-wid.zip" (www.cracking.net):
3 i  ]# R* ]- h. F3 o8 R! [$ x1 c# m1 K7 Z$ Z0 _' l
    mov     bx, cs
6 h9 C- t* h0 x3 Y: g    lea     dx, int41handler2; Q% O: k2 O. g' k1 v* q
    xchg    dx, es:[41h*4]- K5 \% c# {5 u6 l2 Y
    xchg    bx, es:[41h*4+2]
4 L7 x! ~2 p$ r( w5 F! O2 C    mov     ax,4fh3 ?! @/ q: D$ y, A
    int     41h" }" u% l. i1 q! K+ T* p' p1 `
    xchg    dx, es:[41h*4]
9 ^1 J' g% S  i3 x* Y. Y$ [8 {    xchg    bx, es:[41h*4+2]) w% i5 O- C6 c, x' ]' B8 O
    cmp     ax, 0f386h* x( x3 u4 |$ J4 x; w; E" S
    jz      SoftICE_detected+ R! C0 e$ }6 B& I: C( `. z1 [, J
: s8 S+ B4 S9 E3 {& x
int41handler2 PROC, E! P" g3 S3 ?2 ]
    iret7 ?0 G, [# }5 j+ L  g4 e* L
int41handler2 ENDP
7 M/ W- _( J' t% I+ Z- d, [5 @" p4 ?$ s3 Y- g

8 y- Y- a6 n; Q" c( _$ R; O. b* v_________________________________________________________________________# ~! P2 c# n) C* O' O+ _. `
, B. K4 F/ H. h+ |. b; G  S
5 {& S: J* [8 a) ?; N" V
Method 06% \$ k4 b$ c+ l/ R+ ^4 z2 K
=========
6 j4 `! H8 g! K9 O+ R/ l) x1 o; b1 W& k7 v/ V

, O; W' N8 F  `& m5 u# E+ `2nd method similar to the preceding one but more difficult to detect:
1 a2 e7 s$ b2 ~% A8 j  m5 R" J. |

4 p  P6 Z& O! Iint41handler PROC9 m4 x9 a- W* q) @( h8 P/ S: ]
    mov     cl,al; p7 u0 i/ f8 w, _6 Y% w
    iret3 a1 H/ \& z+ Y* a) l1 G1 j
int41handler ENDP- x/ ?$ V' C, b! _" L9 e
4 q5 r& F- A& K8 @+ O% [. p
4 `8 N: b1 G) W8 j# m
    xor     ax,ax' y! G3 c0 L$ {
    mov     es,ax! |1 W- G4 s7 ]7 \
    mov     bx, cs+ e, M3 V/ P% U: a: E
    lea     dx, int41handler
1 p; a" g; ?- D- V9 A8 A    xchg    dx, es:[41h*4]
, \2 y3 X& n, @1 d5 b5 k* y    xchg    bx, es:[41h*4+2]
/ a7 w# [7 j" G2 T    in      al, 40h, }! }, a& s8 ~! W) _
    xor     cx,cx; ]# R( ?1 v) K# |: J/ t: F
    int     41h* v1 z' Z; ~) K" w# D
    xchg    dx, es:[41h*4]
' D8 G5 }2 ^* r6 k% I    xchg    bx, es:[41h*4+2]
' r& b( R& n% T3 ~2 n    cmp     cl,al- Y  R3 i6 k3 t  v! g# h" p
    jnz     SoftICE_detected
; k! u2 X* x4 `/ J4 I' y' k! k
+ ~5 x; e- H. O8 @_________________________________________________________________________
( \9 ]; y  n# b2 a: |: }1 s" v# k/ A# Z& ^  n
Method 07
% P7 Y2 n" b" ?$ ^=========+ ~0 \' s3 d7 H3 g

8 S, @6 A) t9 b: L- q& p. KMethod of detection of the WinICE handler in the int68h (V86)
" U3 k$ f) _$ d  F. T+ [" j2 w  D: G2 x9 k$ T6 s. ^$ M3 X
    mov     ah,43h0 c' }3 \9 J3 `4 k
    int     68h2 ~, }5 h0 R2 l+ v, C# M
    cmp     ax,0F386h
# B7 {# D. f+ w    jz      SoftICE_Detected
- o1 Z: h- {3 U# F1 H, Y& N  F3 s

# O6 n3 C# B9 B; k8 X=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
1 |/ @  e8 G4 J0 f! U8 d* p   app like this:" J4 S9 ~# S, D, R3 F* q

0 x" t. n6 D3 i& k4 K9 V3 C. @   BPX exec_int if ax==68' q4 V9 `4 E4 e/ F9 L
   (function called is located at byte ptr [ebp+1Dh] and client eip is* {* P, e* u% r; A
   located at [ebp+48h] for 32Bit apps)
" p, V+ k9 s* _) O% `__________________________________________________________________________
1 G. Q. b. h/ D9 u8 T# w
, ~" _6 E, `: }' U5 e6 `1 t, p' z+ f' H
Method 08) \) L' T8 J  R- S& S1 p% W9 a
=========
. o9 [1 B- H' }. k# |
7 L% F0 S) J; u9 o  p- E8 mIt is not a method of detection of SoftICE but a possibility to crash the
1 U$ K7 |. m* }( Bsystem by intercepting int 01h and int 03h and redirecting them to another
' m1 N- b+ E9 t2 Z" e1 }0 `0 Q$ Croutine.. L$ W& N! w- Q1 T* G
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
# K) F4 I" f, v/ dto the new routine to execute (hangs computer...)
/ B3 O! D* |1 c9 Y* v+ M6 O' |' b
) @  Y+ x6 T$ ~7 C( ~0 s    mov     ah, 25h
+ ~. ^: |) N! j6 A9 u2 d    mov     al, Int_Number (01h or 03h)" n9 [# _4 s; v( q
    mov     dx, offset New_Int_Routine
$ l' o' }* @- }7 a$ n5 {    int     21h
! M! R% o5 r! K5 Z/ m( N+ M0 g, d7 f5 W+ l
__________________________________________________________________________3 K3 c8 d; L/ }7 V) Y1 y( j4 m
" u. b4 ~5 t  N3 Q5 u
Method 09
8 I& {9 n- q% T6 b6 U/ S=========
/ _& ?5 _/ O& R. \$ u8 V$ k0 y/ F0 C% D) L, g
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ H, w8 C, M# q: t7 A" ]performed in ring0 (VxD or a ring3 app using the VxdCall).
) g, T1 s- _/ @( d% lThe Get_DDB service is used to determine whether or not a VxD is installed( F! ?7 U# o; R
for the specified device and returns a Device Description Block (in ecx) for
$ D7 D5 ~$ _" j, k" @6 T) Nthat device if it is installed.; P3 X+ n- m0 [: x: _9 n/ H4 r0 `
3 p4 m" Y/ \5 I% g1 S5 q
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID( B$ r5 Q8 _8 M# m
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
. u2 X: Z, v% j; h2 |- \* ?- W   VMMCall Get_DDB
; `+ r+ F; k6 C   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed0 u9 B" S* X& l, t1 C' K5 w

  s: u  G) O6 r6 W) X  h% E* RNote as well that you can easily detect this method with SoftICE:
" o; s* c7 R+ O  |# T0 o  S   bpx Get_DDB if ax==0202 || ax==7a5fh4 d: r+ u8 E; v. Q$ M* D) j
' S: u- ~4 i* x1 e3 O. G
__________________________________________________________________________1 y8 e5 J  S5 ^) [

; {; E$ F/ h1 \2 @9 ZMethod 10
, w$ B$ P5 Y4 v& _=========6 v  [6 h& M0 w& p

) ?, `7 ]$ w- s4 P" d2 X/ K=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with/ @2 S4 ^; }* F- P7 ]
  SoftICE while the option is enable!!
" x5 d4 N  ^# T3 M4 A, N4 }$ u. y  ]& W# i( n. k
This trick is very efficient:8 x0 d' L' y# {, c% n
by checking the Debug Registers, you can detect if SoftICE is loaded
8 V9 _$ E( A" b, l4 t9 ?(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
$ ?- S' k8 l2 n6 H% o% Y4 ~$ lthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 i* T, e% L! k; `. U5 i4 l
value (in ring0 only). Values can be manipulated and or changed as well4 I7 H) x; D3 [! H- h( E7 ^; @
(clearing BPMs for instance)0 q$ f% n. O0 x, x. i
( H, G& u/ j9 M* }+ H4 Z) Y% H
__________________________________________________________________________
  c  X) q1 o) `* O2 ]6 G* W* l
8 u3 p; \% J7 D& bMethod 11) H" X* t+ Z, ]! }7 U
=========
! r* V( P4 d! T6 }
- a3 k% O! g. CThis method is most known as 'MeltICE' because it has been freely distributed! r' Q' l" K3 J2 s; B
via www.winfiles.com. However it was first used by NuMega people to allow, e, Q- s+ X, l9 @8 ]2 Z3 S" q
Symbol Loader to check if SoftICE was active or not (the code is located
( x5 C& O: n& N8 \! M* C3 Cinside nmtrans.dll).' ^& y* l/ u$ d# }& Q8 u

, N5 i, f- e; p3 V( U3 ]4 X, f" |The way it works is very simple:5 @+ S9 h, n6 l$ L
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: w+ a/ t) {- X6 }' R) v+ L! V
WinNT) with the CreateFileA API.' S" \; P/ `: d/ Z! ?2 E

, k/ N$ c5 G2 C: j$ D( p3 }Here is a sample (checking for 'SICE'):  \( Y. ^' h8 W( g! U

9 z1 K6 r  T" A9 ^: v9 UBOOL IsSoftIce95Loaded()6 S" e5 c+ B/ F9 P6 V
{8 B6 K' @! Z! C- @6 Z
   HANDLE hFile;  
) D4 `4 T& Y9 G5 V" C/ q! ]$ Y   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,% A1 B0 o; _7 Z) I
                      FILE_SHARE_READ | FILE_SHARE_WRITE,% {, ~' T/ W" X" G+ J& R0 S
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
. i5 k$ [6 k/ N, Q& ]   if( hFile != INVALID_HANDLE_VALUE )
# E# A' m2 i4 g6 @1 n+ C2 j4 a   {+ x# d4 T0 t3 O/ u% G
      CloseHandle(hFile);2 z" J1 _6 _8 ~) V" I3 a0 y
      return TRUE;, T$ w* u; `2 d& q$ E. ]
   }% ]/ ]+ O& `0 F% \; F6 s' Y
   return FALSE;
/ q  Y- @& \+ ?5 a# `4 v3 z$ e}
0 |9 @3 E8 b7 r, X# [2 w- H
& d5 p, ?/ Z0 I3 uAlthough this trick calls the CreateFileA function, don't even expect to be7 z& g, K3 ^  J) e, i: y
able to intercept it by installing a IFS hook: it will not work, no way!
0 {- ~* I, w1 U4 ^& F- x. j' u0 {In fact, after the call to CreateFileA it will get through VWIN32 0x001F
1 t8 d! M# x) w& Qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)3 t$ C2 X) n& J  r3 k% o
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 j. s8 E2 B9 v9 H# Efield.
, v; d1 r2 Z( C; [In fact, its purpose is not to load/unload VxDs but only to send a ' m( x" H" |9 p$ J- C
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). P4 f7 e) W- z2 F1 L% D! I3 n7 Q
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
: a' {0 N" l) {4 I; Y8 ]to load/unload a non-dynamically loadable driver such as SoftICE ;-)." K# |. P. K; E0 D, n7 X
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 l7 S( i: V7 p8 ?
its handle to be opened and then, will be detected.) Q, G$ |- V/ M( u5 w
You can check that simply by hooking Winice.exe control proc entry point! e, c0 i+ I) G
while running MeltICE.$ ?4 v( c, T5 h
; F% }% Z' D2 h0 n% o' [) h

0 ?2 C* f; n9 t. J  00401067:  push      00402025    ; \\.\SICE
2 [6 z7 j  @; ]% x! H  0040106C:  call      CreateFileA
% }9 {7 K4 ~" a* U: t2 i# R% F  00401071:  cmp       eax,-0013 G/ N  D) d, R1 J. ~6 c8 ?& P
  00401074:  je        00401091! s" C$ `: _  F* k

0 ^$ L2 k4 @, i% F+ l: K" a9 Y! R
There could be hundreds of BPX you could use to detect this trick.
' w9 ^" m7 K! @/ d) z; e-The most classical one is:
8 k. H% e5 k" Q  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
+ m+ N6 s2 e" \3 f+ o) ]: I    *(esp-&gt;4+4)=='NTIC': [, x- f0 l; M: b7 U( ^
( \# U0 O' Y# S/ P
-The most exotic ones (could be very slooooow :-(* c$ J7 O3 y$ J# F
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
* W  U, m% L0 m6 n0 K! j9 _6 |1 J     ;will break 3 times :-($ s( H- o# S( D1 C9 F( Q

8 C) R# w6 D3 F" A-or (a bit) faster: : S9 ~: e7 b' H1 B# }; o" }) {
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% F/ x: ~* l: \
/ H! }; ^# @, k
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  7 Q$ V- P6 I& M* p7 Q
     ;will break 3 times :-(: [1 ?# p/ v0 P

% d" i. B1 J" h5 @" g$ y-Much faster:
( {; r" F7 J4 c$ \9 i   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
. a$ [- }" x/ Z0 Q6 c1 f6 t, G; R. e+ M5 X
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen  ~0 R) b/ y0 n$ ^) F0 K
function to do the same job:
0 j* Q7 h1 B" e& I6 V7 a+ q
4 D8 s8 b! w7 i/ y9 k+ B   push    00                        ; OF_READ
2 n6 O, }9 t; G6 e   mov     eax,[00656634]            ; '\\.\SICE',01 I4 O4 {, H! ~4 g1 p- Z
   push    eax
5 e9 w5 c2 `8 ?1 s( Z   call    KERNEL32!_lopen& H6 i0 Y( ]) ^# J
   inc     eax
# B2 S( F& l& {& e8 `6 g" l3 H   jnz     00650589                  ; detected& z* ]' V. J4 ]- l
   push    00                        ; OF_READ
$ l8 z; d. @( p( k" s! p   mov     eax,[00656638]            ; '\\.\SICE'# n! @" `2 }2 V
   push    eax4 x  L% Y4 c' H+ r8 z
   call    KERNEL32!_lopen
* I# o, w; W& {+ z) \, `6 {   inc     eax
$ ~  c6 _9 L! P5 h" @  \   jz      006505ae                  ; not detected
( t% a( W( F  n: x! B# y6 d! |# a$ i( N# {' z0 h
; [) e4 S. M% b2 w# ]
__________________________________________________________________________; h" H/ g' _9 T6 B5 e5 d' p
. U/ f, K+ E+ W
Method 127 F2 @7 K" V7 \9 r; E  B4 n( {
=========
3 f! H2 f6 m0 v3 ], {& U1 R
! D, j2 ]! g! JThis trick is similar to int41h/4fh Debugger installation check (code 05# {  f. K* ~7 d# u7 K9 ]% v6 D
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
0 r1 {/ Q) j, Zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.: m- c4 {0 i6 t' Z

4 j( p1 ]6 a/ L3 U   push  0000004fh         ; function 4fh
- U* x6 m0 w, i& L  e+ D   push  002a002ah         ; high word specifies which VxD (VWIN32)4 _" \: ^, J: i' V  T
                           ; low word specifies which service- d) h8 ?& M. J& Q1 F
                             (VWIN32_Int41Dispatch)
8 R! S! U9 `, }$ w; s0 g9 N* u   call  Kernel32!ORD_001  ; VxdCall" B/ I* }$ I# e7 H& i: N
   cmp   ax, 0f386h        ; magic number returned by system debuggers
- M0 }" |" \, M+ E9 P% K, J( ~   jz    SoftICE_detected9 |7 W- [5 X  a# p9 W
& p4 x  `) u# R$ e3 v/ q; ]8 [
Here again, several ways to detect it:+ H3 A' v! Y- w6 F/ g

. r3 X& N' M7 [4 H; @3 T1 |" W    BPINT 41 if ax==4f
+ x% a' y" o1 H$ G9 X' t" \  n
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one2 I) ~  R9 {8 E* L; U: m" a3 ^
+ A; @7 r: O( b$ E) J" }3 D
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A: }" M2 n. d) s
2 X: {, j% T0 C) k3 |8 s+ @
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
* Z& m6 V2 ~: L4 W! \( x. a8 q- W! ?( u
__________________________________________________________________________
  n" E' ^' I' V  B5 a) M
/ C' A4 p; Q# lMethod 13; V# p* {, M4 W" ]- }4 T
=========. X* @* y- W  l7 t9 G+ P* V5 v% r
  b; Q0 l- e. F1 a& ~
Not a real method of detection, but a good way to know if SoftICE is! v" g+ {' J, ~& O  L
installed on a computer and to locate its installation directory.
1 c; V) j9 C' c: ]0 J# BIt is used by few softs which access the following registry keys (usually #2) :2 t6 x) I# z" t' _* g- @
  p; {& I! _5 Z4 [3 }) {! R
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 V9 ~; J6 S& [& w/ I\Uninstall\SoftICE
* n$ L6 J0 Z. d4 ^  h-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' x$ [7 K3 X, ]6 ^8 @6 ?
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( r& H8 E( F# I  f6 v7 l& a# z7 i\App Paths\Loader32.Exe* m- X) [; m" V. P* e# g6 }

& ~& d1 G% Q& y: S, b  \) O+ Q
1 i/ p$ {; N. b0 x- iNote that some nasty apps could then erase all files from SoftICE directory- t6 V5 D5 k+ i! m9 F% j3 p( Y
(I faced that once :-(
! n: w8 M. P- p, d' t8 j% m8 I! t: d
Useful breakpoint to detect it:+ E% i2 \- F; q0 d2 O5 g$ c

6 J, l5 S; k. S8 R% q, U* `& F     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'+ H5 @3 o. {4 E- g, |

1 E8 N! }: l  T+ `6 O1 g__________________________________________________________________________  f& ~4 [5 @. ^7 w; G8 H7 _! ^6 H

' |) o2 K* x1 J# V, E9 }8 k9 ?& O8 v. ~
Method 14
" l; ~' N( R; y+ u  R" i=========
2 {  |1 g/ Z' Z# y# K+ S3 Y% o, [# J0 M2 t1 y% D
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 y8 ~' T; B; m  s4 x
is to determines whether a debugger is running on your system (ring0 only).7 y. V' f+ O7 d  n2 R* A4 q

3 m; M. U0 Q1 U/ F) @   VMMCall Test_Debug_Installed
1 R2 ^) ~% ?2 Y   je      not_installed% ~3 ]# J/ j: ?* u9 a

6 Q' u+ E6 N" g( KThis service just checks a flag.6 w8 A2 Q6 n7 f' i: h
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 14:31

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表