About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with 'BCHK' in ebp and
ax=4, the int 3 handler installed by SoftICE returns with al no longer equal
to 4, so a program that still sees al==4 afterwards knows SoftICE is absent.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", entries for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): if the VxD is present, the call comes back with a
non-zero ES:DI, otherwise ES:DI stays 0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). For the duration of the call the int 41h
vector is swapped for a dummy handler (a plain iret), so ax can only come
back as 0F386h if something sitting above the real-mode vector table, such
as SoftICE, intercepts the interrupt:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Here al is loaded with a timer byte (in al,40h) and cx is cleared: if our own
handler runs, cl ends up equal to al; if a debugger swallows the int 41h, cl
stays 0 and the compare fails. (When the timer byte read happens to be 0, the
compare still matches and the check misses; the trick accepts that.)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

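The DR7 values quoted for this method are easier to reason about once the register is decoded. What follows is an added example, not code from the original document: it decodes a DR7 value into the per-breakpoint enable, type and length fields (Intel debug-register layout) and turns the "is a BPM set" question into a predicate. Reading DR7 itself still needs ring 0 (mov eax, dr7), which this code does not attempt; the sample values are constructed and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Hardware breakpoint n (0..3) is armed when its L<n> (bit 2n) or
 * G<n> (bit 2n+1) enable bit is set. */
int dr7_bp_enabled(uint32_t dr7, int n)
{
    return ((dr7 >> (2 * n)) & 3u) != 0;
}

/* R/W<n> field, bits 16+4n..17+4n: 0 = execute, 1 = write, 2 = I/O, 3 = read/write. */
int dr7_bp_rw(uint32_t dr7, int n)
{
    return (int)((dr7 >> (16 + 4 * n)) & 3u);
}

/* LEN<n> field, bits 18+4n..19+4n, as a byte count (encoding 10b means 8 bytes
 * on x86-64; 1/2/4 otherwise). */
int dr7_bp_len(uint32_t dr7, int n)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };
    return len_tab[(dr7 >> (18 + 4 * n)) & 3u];
}

/* Method 10's question: is any of DR0-DR3 live?  Only the eight enable bits
 * matter; bit 10 is reserved and always reads as 1, which is where the
 * 0x400 baseline comes from. */
int dr7_has_breakpoints(uint32_t dr7)
{
    return (dr7 & 0xFFu) != 0;
}

/* The 0x700 the text reports for a program started by the SoftICE loader is
 * the 0x400 baseline plus LE (bit 8) and GE (bit 9), the "exact" flags a
 * debugger sets so data breakpoints are reported on the faulting instruction. */
int dr7_exact_flags_set(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

static const char *rw_name(int rw)
{
    static const char *const names[4] = { "exec", "write", "io", "read/write" };
    return names[rw & 3];
}

void print_dr7(uint32_t dr7)
{
    int n;
    printf("dr7=%08x  LE=%u GE=%u GD=%u  bp=%s\n", (unsigned)dr7,
           (unsigned)((dr7 >> 8) & 1u), (unsigned)((dr7 >> 9) & 1u),
           (unsigned)((dr7 >> 13) & 1u),
           dr7_has_breakpoints(dr7) ? "yes" : "no");
    for (n = 0; n < 4; n++)
        if (dr7_bp_enabled(dr7, n))
            printf("  DR%d armed: %s, %d byte(s)\n", n,
                   rw_name(dr7_bp_rw(dr7, n)), dr7_bp_len(dr7, n));
}

int main(void)
{
    /* Constructed values: the two the text quotes, and one with a 4-byte
     * read/write BPM on DR1 (G1 set, R/W1=11, LEN1=11). */
    print_dr7(0x400u);
    print_dr7(0x700u);
    print_dr7(0x00F00408u);
    return 0;
}
```

The warning at the top of this method is the reason dr7_has_breakpoints() looks only at the low eight bits: a BPM you left armed while the protected program runs is exactly what this check sees, and a packer can just as easily write zeros back into DR7 to strip it.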
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

) `) ~2 U7 t1 ~# p, m, b' H  B) {
" `( n: }9 [( S& }( I4 H) yThere could be hundreds of BPX you could use to detect this trick.' z% n1 A4 M3 m( Q) e# R
-The most classical one is:7 I) p- k! D% }2 t: ]5 t# L
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||1 L9 B# n2 N! ]5 w% U  L
    *(esp-&gt;4+4)=='NTIC'" w# H; J/ u3 ?5 u* r$ z
7 K3 D; z9 J6 o6 R3 P% k; }# h6 y
-The most exotic ones (could be very slooooow :-(
4 a4 w, W" h% t, e0 ?   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
2 Q+ J* `7 u. G; X  A     ;will break 3 times :-(3 V9 h+ j; ]- o% v

' ~& E! ~3 h5 o-or (a bit) faster:
+ }1 h! L" m$ J" h   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')- m, P7 b- v  k" i; Z

) w. `1 u& r. g6 r9 y& `% m+ Q! [   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  $ |0 }8 y$ v! O. L! T
     ;will break 3 times :-(
. t+ d! G" d( [' e0 v" b/ ]$ c! l# P4 z
5 u% M% `; @4 o3 p$ z-Much faster:! Q3 y. ~) ?* H! ~
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
* X% ^' j& B6 R4 L$ d
Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

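Methods 01, 02, 05 and 12 all reduce to a handful of fixed instruction encodings, which is why the packers that use them are easy to fingerprint from the outside. The block below is an added example, not code from the original document: a small byte-signature scanner in C that looks for those encodings in a raw code buffer, run over a constructed sample that is not taken from any real program. The signature bytes are the standard x86 encodings of the snippets quoted in the text; the flag and function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit flags reported by scan_buffer(). */
#define TRICK_BCHK      1   /* Method 01: 'BCHK' in EBP + int 3          */
#define TRICK_BACKDOOR  2   /* Method 02: SI=4647h, DI=4A4Dh + int 3     */
#define TRICK_INT41     4   /* Method 05: int 41h/4Fh, cmp ax,0F386h     */
#define TRICK_VXDCALL   8   /* Method 12: push 4Fh / push 002A002Ah      */

struct sig {
    const char    *name;
    int            flag;
    const uint8_t *bytes;
    size_t         len;
};

/* Encodings of the snippets quoted in the text. */
static const uint8_t sig_bchk[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp, 4243484Bh  ('BCHK')         */
    0x66, 0xB8, 0x04, 0x00,         /* mov ax, 4                             */
    0xCC                            /* int 3                                 */
};
static const uint8_t sig_backdoor16[] = {
    0xBE, 0x47, 0x46,               /* mov si, 4647h  ('FG')                 */
    0xBF, 0x4D, 0x4A,               /* mov di, 4A4Dh  ('JM')                 */
    0xCC                            /* int 3                                 */
};
static const uint8_t sig_backdoor32[] = {
    0x66, 0xBE, 0x47, 0x46,         /* same movs with a 66h operand-size prefix */
    0x66, 0xBF, 0x4D, 0x4A,
    0xCC
};
static const uint8_t sig_int41[] = {
    0xB8, 0x4F, 0x00,               /* mov ax, 4Fh                           */
    0xCD, 0x41,                     /* int 41h                               */
    0x3D, 0x86, 0xF3                /* cmp ax, 0F386h                        */
};
static const uint8_t sig_vxdcall[] = {
    0x6A, 0x4F,                     /* push 4Fh                              */
    0x68, 0x2A, 0x00, 0x2A, 0x00    /* push 002A002Ah (VWIN32_Int41Dispatch) */
};

static const struct sig sigs[] = {
    { "BCHK int3",         TRICK_BCHK,     sig_bchk,       sizeof sig_bchk },
    { "FG/JM backdoor 16", TRICK_BACKDOOR, sig_backdoor16, sizeof sig_backdoor16 },
    { "FG/JM backdoor 32", TRICK_BACKDOOR, sig_backdoor32, sizeof sig_backdoor32 },
    { "int41h/4Fh F386",   TRICK_INT41,    sig_int41,      sizeof sig_int41 },
    { "VxDCall 2A002A/4F", TRICK_VXDCALL,  sig_vxdcall,    sizeof sig_vxdcall },
};

/* Plain byte search; returns the offset of the first match or -1. */
static long find_sig(const uint8_t *buf, size_t len, const uint8_t *sig, size_t slen)
{
    size_t i;
    if (slen == 0 || len < slen) return -1;
    for (i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, sig, slen) == 0) return (long)i;
    return -1;
}

/* Returns a bitmask of the TRICK_* flags found anywhere in buf. */
int scan_buffer(const uint8_t *buf, size_t len)
{
    int found = 0;
    size_t k;
    for (k = 0; k < sizeof sigs / sizeof sigs[0]; k++) {
        long off = find_sig(buf, len, sigs[k].bytes, sigs[k].len);
        if (off >= 0) {
            printf("%-20s at offset 0x%lx\n", sigs[k].name, (unsigned long)off);
            found |= sigs[k].flag;
        }
    }
    return found;
}

/* Constructed sample (not a real program): filler, the 16-bit Method 02
 * sequence, more filler, then the Method 12 VxDCall sequence. */
static const uint8_t sample[] = {
    0x55, 0x8B, 0xEC, 0x90,                 /* push bp / mov bp,sp / nop        */
    0xB8, 0x11, 0x09,                       /* mov ax, 0911h (execute command)  */
    0x8B, 0x17,                             /* mov dx, [bx]                     */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,
    0x83, 0xC3, 0x02, 0x90, 0x90,           /* add bx,2 / filler                */
    0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00,
    0xE8, 0x00, 0x00, 0x00, 0x00,           /* call rel32 (target irrelevant)   */
    0x66, 0x3D, 0x86, 0xF3,                 /* cmp ax, 0F386h (32-bit form)     */
    0xC3
};

int scan_sample(void) { return scan_buffer(sample, sizeof sample); }

int main(void)
{
    printf("mask = 0x%x\n", scan_sample());
    return 0;
}
```

A scanner like this only sees the literal encodings: a protector that builds SI and DI with xor/add arithmetic, or that reaches int 3 through a pushed return address, slips past it, so a hit is a strong indicator while a miss says nothing. Note that the int 41h signature above is the 16-bit form; a 32-bit build of the same check carries 66h prefixes on the mov and cmp, as the sample's last instruction shows.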
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; +0x13 lands on the 't' of "SoftICE"
     in key #2 and +0x37 on the same letter in key #1)
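The SoftICE conditions quoted for Methods 11 and 13 are nothing more than four-byte compares at a fixed offset into a string argument, and the offsets can be checked against the actual strings. The following is an added example, not code from the original document: it re-implements both breakpoint predicates in C, keeps the MeltICE device-name list next to them so one can verify that every name MeltICE opens trips the classical BPX, and wraps the real CreateFileA probe under _WIN32 (on any other platform it simply reports "absent"). The registry paths and device names are the ones listed in the text; the helper names are my own.

```c
#include <stdio.h>
#include <string.h>

/* True when s is long enough and the four bytes at s+off spell tag.  This is
 * what a SoftICE condition such as *(esp->4+4)=='SICE' evaluates: a dword
 * read at the address, compared with the four characters of the literal. */
static int tag_at(const char *s, size_t off, const char *tag)
{
    return strlen(s) >= off + 4 && memcmp(s + off, tag, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is the first argument (lpFileName); +4 skips the "\\.\" prefix. */
int bp_createfile_cond(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey). */
int bp_regopenkey_cond(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

/* The device names MeltICE opens (Method 11). */
static const char *const melt_ice_names[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};

#ifdef _WIN32
#include <windows.h>
/* The real probe, exactly as MeltICE does it. */
int softice_device_present(const char *name)
{
    HANDLE h = CreateFileA(name, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    CloseHandle(h);
    return 1;
}
#else
/* No Win9x/NT driver namespace here: report absent so the rest still runs. */
int softice_device_present(const char *name) { (void)name; return 0; }
#endif

/* Bitmask of which SoftICE drivers answered: bit 0 SICE, bit 1 SIWVID, bit 2 NTICE. */
int melt_ice_check(void)
{
    int mask = 0, i;
    for (i = 0; i < 3; i++)
        if (softice_device_present(melt_ice_names[i])) mask |= 1 << i;
    return mask;
}

/* Cross-check: every name MeltICE opens trips the classical BPX condition. */
int all_names_trip_bpx(void)
{
    int i;
    for (i = 0; i < 3; i++)
        if (!bp_createfile_cond(melt_ice_names[i])) return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: the three registry paths from Method 13 and one
     * harmless CreateFileA target, alongside the MeltICE names. */
    const char *keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    int i;
    for (i = 0; i < 3; i++)
        printf("CreateFileA(%s): bpx %s\n", melt_ice_names[i],
               bp_createfile_cond(melt_ice_names[i]) ? "fires" : "silent");
    printf("CreateFileA(\\\\.\\PhysicalDrive0): bpx %s\n",
           bp_createfile_cond("\\\\.\\PhysicalDrive0") ? "fires" : "silent");
    for (i = 0; i < 3; i++)
        printf("RegOpenKey(#%d): bpx %s\n", i + 1,
               bp_regopenkey_cond(keys[i]) ? "fires" : "silent");
    printf("MeltICE mask: %d\n", melt_ice_check());
    return 0;
}
```

Running the predicates over the three keys shows a gap in the published condition: key #3 (App Paths\Loader32.Exe) has neither 'tICE' at 0x13 nor at 0x37, so a program that only reads that key is never caught by it. If that matters, extend the condition with a third term, for instance 'Load' at offset 0x34, which is where "Loader32.Exe" starts in that path.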

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>