找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
( z7 {) q  Y2 v9 l2 q0 p  ?<TBODY>- X0 P6 s+ {9 Q7 f& e) |4 N
<TR>  T& t5 S' U. s/ M6 l
<TD><PRE>Method 01
/ H$ b! |1 e( |( W; t=========- {, J4 O1 X( w5 z: y

2 q: l3 m" j9 A6 W2 b1 O  I4 W; ~This method of detection of SoftICE (as well as the following one) is
/ Y4 }! O4 a# ?9 R* q1 Cused by the majority of packers/encryptors found on Internet.
0 ^& c* c) m& {It seeks the signature of BoundsChecker in SoftICE( T* _+ S  a3 _4 c) C
7 A% g" Y/ k1 n
    mov     ebp, 04243484Bh        ; 'BCHK'  @/ U! r& K3 v- X; F5 e
    mov     ax, 04h6 n5 F! b7 ?1 v: h1 J4 b$ a
    int     3       " L0 N- f- e- I
    cmp     al,4: v* R/ u. R/ T& t5 l9 ~
    jnz     SoftICE_Detected$ a2 F+ z1 I% D9 x* v( @
2 [: z1 A8 M0 _% P  r
___________________________________________________________________________
& R0 d$ T5 u) m1 t" J/ U" g4 t. D6 L7 g( a2 y8 R
Method 027 C+ Q. {3 d  V3 b: M
=========
7 O5 u! ?. n- T
9 D' v& \, S* ~% B( E2 L* KStill a method very much used (perhaps the most frequent one).  It is used
2 ?! [4 u9 h+ w$ G6 E+ \: d6 Wto get SoftICE 'Back Door commands' which gives infos on Breakpoints,3 s5 M0 w2 g( n/ t% f
or execute SoftICE commands...
3 n) h$ g+ s5 V; sIt is also used to crash SoftICE and to force it to execute any commands
; F3 Y# L4 k  d- N- m. E6 g(HBOOT...) :-((  
' m  k0 g+ V: N0 `+ l4 I& h4 t( }5 R; w% V# o4 C
Here is a quick description:5 P$ \9 a) x. w& e- w/ L% P
-AX = 0910h   (Display string in SIce windows)
. S2 u2 E" u+ Q+ R# ^0 u-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)) J! `$ v6 H5 O! `# s: M
-AX = 0912h   (Get breakpoint infos)
! c5 K1 D, R- |# M: }9 o-AX = 0913h   (Set Sice breakpoints)
4 H" G. V' Y5 [( K# r-AX = 0914h   (Remove SIce breakoints)
' X* o6 C+ q4 _4 z0 G, p" x% v  L, l1 W9 a6 q- h
Each time you'll meet this trick, you'll see:9 s# n( V/ n+ i( z6 x6 J$ @
-SI = 4647h
, {" O, |9 S0 t) G' K8 t3 `; ?-DI = 4A4Dh
7 r& @. X& G! UWhich are the 'magic values' used by SoftIce.2 E8 l: h  ~. b, j3 e9 {. S6 e$ v' _/ H. N
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 q2 y! w1 @2 C) V% w' L* h+ P+ o) K1 Z

2 R' ]+ ]/ i' V& h% cHere is one example from the file "Haspinst.exe" which is the dongle HASP& \$ E; l* ^- y( G
Envelope utility use to protect DOS applications:4 t6 s; k' W, r4 `2 J$ |0 u

; ]5 w) s7 W# A" ?) X, V+ C7 b. L0 ]& y
4C19:0095   MOV    AX,0911  ; execute command.' l2 C9 r/ t' h. H, m
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).5 m- \" k, U# M6 ~1 L) h" r* w  ]
4C19:009A   MOV    SI,4647  ; 1st magic value.5 {! p5 f- U' x6 q, M( u9 {* q
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
) G9 T+ V; I& C2 k' b: B4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)$ o* x3 q  y6 z6 c0 k( Q7 T
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
. E( r5 R0 H+ ^6 v' x) m4C19:00A4   INC    CX
, b& @+ E. [3 O3 w0 K1 J! P4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
5 x$ M& h* r& l/ e# L& i  Z2 }4C19:00A8   JB     0095     ; 6 different commands.
1 K& Q) p/ v# V' S; y7 g4C19:00AA   JMP    0002     ; Bad_Guy jmp back.+ E+ y- x: E8 I- x2 o6 ]4 X  e
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
( ]0 i; x) T8 C8 s5 x8 U% W2 g1 o+ h( o) X4 z5 A: `$ K" c
The program will execute 6 different SIce commands located at ds:dx, which
& J9 N9 [4 ]/ i6 y, b+ Aare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
0 a4 u' \5 U: S" a; l& j! Q% L, C" N7 V, I+ W
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.0 B/ W: J' b- p  h1 x
___________________________________________________________________________
) x* b( l& l6 \4 L5 u  A0 s
# n8 S4 t( E2 T' I  P9 ~, A5 V! ]* o1 {7 ~2 C
Method 03
) V6 I( Q  ^7 E) U6 h& R=========$ ?( g2 k. }* K& h- E
; q0 f0 T" y3 V2 I5 E
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h' Y4 X) r" n) m
(API Get entry point)
& r' ?9 E% |" b2 ^" J4 o6 M        
) d8 R0 w2 C4 P' }6 o2 ?- O% Y' Q
    xor     di,di# A$ V4 {2 a. D9 B4 x) \% K
    mov     es,di
0 q. e, Z2 v* g% ^4 m" H    mov     ax, 1684h      
  ^7 g3 {1 k' A7 n/ Z0 d    mov     bx, 0202h       ; VxD ID of winice% |, k. S" H8 Y
    int     2Fh" H6 M" W. i% e4 n
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( ?6 V% P( B. V+ O/ m& [* L    add     ax, di6 R9 x- s5 j* u) z  g3 L6 X
    test    ax,ax
" V+ ^. @% L" d! e. R    jnz     SoftICE_Detected
3 L: c+ g" T/ x/ h- p+ o* J
8 a# ]- ?+ l1 a. \# c+ }___________________________________________________________________________4 c7 u2 w9 w  K7 W% s7 \
5 x2 w6 e! k+ p" u/ W
Method 04
1 l! w5 U' a- p1 G- H" _. m7 t=========* C4 w' a- q5 X+ ~

) _! T. f: ^9 z2 n$ JMethod identical to the preceding one except that it seeks the ID of SoftICE
! u+ A4 k- t: LGFX VxD.
( C! \! `! D7 x, Q# l: D, W4 C4 S9 E. h& H
    xor     di,di
  w# e% E6 T9 ^    mov     es,di
6 T3 u1 G& ^. P7 ^8 L: G+ V  Y6 r    mov     ax, 1684h       - z9 X+ m3 x5 e
    mov     bx, 7a5Fh       ; VxD ID of SIWVID3 u4 K+ z4 C  h
    int     2fh; S. {* ?! ^3 n) @, l
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
/ c4 F, K& O9 @0 \2 t    add     ax, di
) @/ P9 g1 W+ x( S, k    test    ax,ax: B/ S# K" h! i2 \' G6 J6 Z& q
    jnz     SoftICE_Detected
$ m7 Z0 y; R8 H; J
$ s) r. F8 f5 K__________________________________________________________________________4 q" U) ^3 I+ y' J

5 [8 G5 |$ P$ X0 d1 s5 G# M3 S; N
" _$ Q) l5 d3 c2 ?% O/ m+ b, [Method 058 Q- X3 |7 J) Y, W. R" L
=========
/ ?" h& t( ^( V5 Y, R1 j# S- o0 v$ @- c+ Z/ U
Method seeking the 'magic number' 0F386h returned (in ax) by all system
; K7 z. I% T6 G. ?debugger. It calls the int 41h, function 4Fh.
' `! d# m2 q* w5 \* E# N7 `There are several alternatives.  
) l( J$ E% |$ e. i& v
1 m8 S' U8 o  C3 pThe following one is the simplest:
$ K) ~/ p# j$ D1 R/ o5 z
/ i. V7 h  j! [( W% M& L& a  S    mov     ax,4fh# w  ^( ]! P; w, ~
    int     41h, ?8 r; B# u  h/ s
    cmp     ax, 0F386) V& M: J8 H! O0 s; Q! U
    jz      SoftICE_detected) J- ]# W. M; o, w1 e. w

9 e3 n) ?6 l3 i1 z: ]% I! X) Y7 K1 f+ X6 s8 n" l( z
Next method as well as the following one are 2 examples from Stone's   s. D- ?5 M' {" _% {% s, i. v8 W
"stn-wid.zip" (www.cracking.net):
; \2 k  b! M& x& a& F
: S& x% r8 a1 V8 p/ M7 `    mov     bx, cs
  {5 @: r+ W' e" M. e: W4 ~+ v    lea     dx, int41handler2
! Y! r0 x+ s- Y/ B    xchg    dx, es:[41h*4]
; [( p  J3 L, V    xchg    bx, es:[41h*4+2]: G# W6 j% _/ c
    mov     ax,4fh
. i, i* r* L# p. f. U/ a' J    int     41h
3 ^* D9 }" `. y    xchg    dx, es:[41h*4]8 D. t- ?1 J3 r% o9 `
    xchg    bx, es:[41h*4+2]( o" N  M) \8 `% V  P( n
    cmp     ax, 0f386h. N' {3 X0 ~8 r) Y; e2 h# _7 ]
    jz      SoftICE_detected
& j# l# Y0 e) @$ a. h& ?8 k( y6 J3 e$ y5 S+ |
int41handler2 PROC
  v" {2 r8 Y  i4 \1 ?) @: q3 k! R    iret6 \" @5 V' m! c8 U
int41handler2 ENDP/ Y/ E* j$ K- s6 x
) Q6 }% Z9 \+ C! t( N. u
2 Z, p" D6 p- i* z" P
_________________________________________________________________________) @" R  Z$ e: N' s3 Y* W
( B3 r) m+ c/ B& A" k  _

2 u/ y4 y1 \& W  ^; k: JMethod 060 D& ]1 F1 |) G$ ?
=========. f, K" F- E$ ^5 V
, T) C/ E" T. d

4 z% C& ^  c; e9 Z+ O5 j9 j2nd method similar to the preceding one but more difficult to detect:  R# o1 Y) y# E
" ?( @- ~' L; S5 m7 {) V# R4 m6 B6 c

( c9 W; e+ h: G' F4 wint41handler PROC7 t$ a$ }2 d& [2 Y9 I
    mov     cl,al
; ^. l; u. g! {( P7 ^    iret! Y% w/ y3 s  J) b% ~( ?% `
int41handler ENDP
! N) Q# F) |! t" O/ B0 W4 K* @% Z7 Q
9 a+ z9 _/ N5 W. f! a3 A' e' K9 P
    xor     ax,ax" l+ S9 ]" I2 b; ?( L3 ]5 O
    mov     es,ax
$ [+ |7 w5 a% f( R6 ^    mov     bx, cs. V' O* O- W& Z7 e/ L2 X7 L
    lea     dx, int41handler
$ |6 P6 P: z6 Y    xchg    dx, es:[41h*4]
2 B9 C$ Y* V, G% n9 d    xchg    bx, es:[41h*4+2]
& p. E. k/ d, l: n    in      al, 40h
, i  B5 \6 Z3 n! O. g    xor     cx,cx0 b9 ]& ^3 P( T+ Q
    int     41h
; D/ P* G" l4 O3 H- x* z    xchg    dx, es:[41h*4]
# @9 D) @1 Y- r& d    xchg    bx, es:[41h*4+2]/ ]* b* L0 k. T: M: V4 ^2 O- R; O" ]
    cmp     cl,al
' p5 `1 D" u* Z- ^/ r- l    jnz     SoftICE_detected
' Y  l, [6 [" Q, V
, N$ ~7 \: P5 b2 A4 d8 R, a_________________________________________________________________________
  J' U: J" K% `% M. |7 i) w: K8 d% z/ [
Method 073 L$ [% \8 i2 Y& P2 A5 q
=========
0 _3 |7 j3 E+ ^- _, b* l& F6 s
Method of detection of the WinICE handler in the int68h (V86)6 }' w0 E/ f! Y5 K/ y* }

8 P) h& P0 @$ ~8 M9 j# y    mov     ah,43h/ @4 W: Q/ R; V' p  `" Q( N0 V+ T
    int     68h+ t( `* [+ X/ {( Y' a) w2 [
    cmp     ax,0F386h1 v1 i4 ]3 X& z/ J8 a1 Y" T
    jz      SoftICE_Detected6 `. j8 V3 c6 v; ~  B

( H$ ^! M, q. Z% ^" T% L8 w1 @
5 x. [4 x" I7 P3 g1 e; S=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 A$ t9 T- u  X   app like this:8 Q3 J! d* D4 t( {3 z9 R

1 Y& |7 i9 o9 A$ H7 W& |0 U3 r  D   BPX exec_int if ax==689 I) j* z, n1 T. S$ D' D
   (function called is located at byte ptr [ebp+1Dh] and client eip is
! I, v+ f4 n, d3 G. s2 \1 S9 G6 c   located at [ebp+48h] for 32Bit apps)
, N" W+ d; I4 l5 r; S3 d2 n__________________________________________________________________________
# ]5 c6 K4 J, V' L( z, g
# Z* S. J% f, `, S9 M9 V" _# T+ Z0 w0 k+ b& c' [
Method 08
% K. Y1 v  `; ~8 F=========* Z4 X' Y7 ]! y+ G( t7 O

7 W$ p/ U& I6 {1 y2 h6 x8 \It is not a method of detection of SoftICE but a possibility to crash the# B. [! f6 ]( w8 u. s
system by intercepting int 01h and int 03h and redirecting them to another8 A+ W# Y/ o& S! e9 C
routine.
9 ~3 d. |; |/ R1 HIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points! @9 U* h! E: I2 l2 t& g6 O! S
to the new routine to execute (hangs computer...)
# e2 U$ c" [) V! m$ E* B. h5 j0 Z: G% e) w! H. Y; k
    mov     ah, 25h
) f6 T" `* P: O" L7 N    mov     al, Int_Number (01h or 03h)% W& N% A2 q$ @+ a
    mov     dx, offset New_Int_Routine3 \2 Q  e. i- `0 ~' J, D( l/ ~
    int     21h+ ]) {7 E, g3 W; \8 J, _2 q- A

# U: P% b$ o+ ~/ v4 g__________________________________________________________________________/ t' k3 s4 ~, ^! N; h8 i
- F2 |0 {) h1 j0 t: b  ^
Method 09
5 M8 z7 ~; v1 Y1 N4 b1 l7 Q=========- w, I" t$ j4 M
! H2 q, v; l- y
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only  P5 Z  H0 R7 U! ?: g
performed in ring0 (VxD or a ring3 app using the VxdCall).3 W6 X9 f5 }/ A8 j1 \, J- J5 y
The Get_DDB service is used to determine whether or not a VxD is installed
  @) D) M! |3 E1 M- Tfor the specified device and returns a Device Description Block (in ecx) for
: f3 B) w' C$ n/ `that device if it is installed.4 d% u3 k, t0 y
- i0 q1 ~- y$ L# q% C
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID* V- b8 i/ J1 i" r+ w- Q1 S$ ^) ?
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
: g( C) p; B1 A( [   VMMCall Get_DDB
- D& R6 F1 b! d   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed5 `  e' _& m; P% k0 e3 l
% t! G; f& B  F  f
Note as well that you can easily detect this method with SoftICE:
8 n. i7 f  w  i% H. q6 R/ M. v   bpx Get_DDB if ax==0202 || ax==7a5fh
' z3 S- ^+ q5 o% E7 Z9 P( y
! g5 ?0 q- R& o5 G__________________________________________________________________________" ]! @1 }, A- w9 T" G# c2 f1 P
1 T" h; n8 P, q
Method 102 D/ h4 j+ t: n& v3 }( A0 b
=========
; q: D0 K) j' C
$ D$ q* C4 S0 l9 b$ ]0 j6 p4 F=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with* h5 }  S  a' e
  SoftICE while the option is enable!!5 p  t. p/ M6 b, ]: g% z

$ H6 Z3 \9 y$ c! j8 K# nThis trick is very efficient:7 v$ y6 X! j1 @& @# o5 u9 I
by checking the Debug Registers, you can detect if SoftICE is loaded/ v9 f8 z. \& \) C# A
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if! K0 n+ }4 E+ e2 b% k
there are some memory breakpoints set (dr0 to dr3) simply by reading their9 _, Y& J) g& y. f+ Y) Y' p
value (in ring0 only). Values can be manipulated and or changed as well; M& c& |! \9 [
(clearing BPMs for instance)9 D6 Q; l  O  H5 E: Z  z' ^

- h$ ^9 s1 c* c! j8 s4 P: `__________________________________________________________________________! E  l0 l# Y  H; S6 F: x
" d  t$ k5 n, u8 U( i
Method 11% R0 X/ \' G' k" W" @3 z
=========$ v9 X; E6 ~0 l
; R, N( n) N+ d. \$ D3 Z" ]
This method is most known as 'MeltICE' because it has been freely distributed( B! e; Y; p' Y
via www.winfiles.com. However it was first used by NuMega people to allow5 P$ Q, I7 S5 j
Symbol Loader to check if SoftICE was active or not (the code is located
, W8 V; [; Z6 X5 t) c$ A2 jinside nmtrans.dll).8 p6 ?$ c" j  a! l3 [$ s  q1 `
/ B/ z/ B6 V, L- m- d" t& N
The way it works is very simple:
) r8 ~1 i. Z, J3 o, G+ tIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
) C4 u5 q% o1 ]9 ?7 @* IWinNT) with the CreateFileA API.
& k2 c9 I* \9 s7 W3 H! P, I/ q- q* h" V; n
Here is a sample (checking for 'SICE'):3 z# u7 P. K+ {0 z3 m& }
( n' ~3 E/ \- T' L
BOOL IsSoftIce95Loaded()2 s8 n. i) e' u1 H8 T( R* O
{
5 N  u5 T' M9 }  _) h* j, q1 n  X   HANDLE hFile;  + v' A" }9 ]; g/ _
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 [4 r( b7 D) f1 B6 C                      FILE_SHARE_READ | FILE_SHARE_WRITE,
0 V7 d* w7 q9 p! R% j6 L                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
8 D+ h( @% Z! ^- B5 j5 j% o' j1 K: A   if( hFile != INVALID_HANDLE_VALUE )
. A$ ]3 @7 k- L5 O   {/ p8 u, S6 n. b+ `
      CloseHandle(hFile);
5 l* y; s6 D: B; _      return TRUE;* `! Z3 }7 ^" z. P6 ]9 b
   }+ F! J4 l9 ^" \1 h* l+ y
   return FALSE;
; I$ a, {' ^, s1 {0 X* l$ P/ D: T. u}
; Z% N- y* W+ v6 }+ y% b
! F( Q& |( ^0 ~+ |. b1 d; YAlthough this trick calls the CreateFileA function, don't even expect to be% N+ w& g* V2 V# w- c
able to intercept it by installing a IFS hook: it will not work, no way!3 f- @8 u$ @/ g7 k' d/ u
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
) ]+ j/ W0 y3 Y$ V6 q: `. V0 c0 V7 r2 rservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ w0 [# t5 O9 R2 D: s! G
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
! J4 ~7 x4 A# O. X! n0 D1 [field.
5 l$ }- J/ E! b3 I! HIn fact, its purpose is not to load/unload VxDs but only to send a
+ H- \: F4 _6 i+ r4 L5 h- H) pW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). z2 K" R' k6 U* E8 J
to the VxD Control_Dispatch proc (how the hell a shareware soft could try: k6 O* }  [3 z! ~$ D
to load/unload a non-dynamically loadable driver such as SoftICE ;-).2 x3 R0 X* l1 S& o7 Y
If the VxD is loaded, it will always clear eax and the Carry flag to allow
* f# k, b! k, V3 I2 xits handle to be opened and then, will be detected.
* _& `' G- O; C4 C4 N1 w8 A9 f. U7 mYou can check that simply by hooking Winice.exe control proc entry point
6 @2 T  t$ W& F) p: K$ V7 [. gwhile running MeltICE.
8 h2 x! E$ n( g0 `- i; K* @* `$ t1 x' a1 \) S" W

  L" k' Y) W3 _: o' B; [8 o  00401067:  push      00402025    ; \\.\SICE; R# r, ^3 g6 l( Y' f
  0040106C:  call      CreateFileA
% I; w0 N1 k6 t# m  00401071:  cmp       eax,-001- A6 X7 X, g+ T7 p! n; u8 X1 X
  00401074:  je        00401091
: w8 G$ @' I" T1 \* l
' c$ G: `. ?2 s0 C1 G* g9 b! ?- R$ \: i8 N4 D3 T' d9 K
There could be hundreds of BPX you could use to detect this trick.
+ f& B3 W5 \( B4 p+ e$ i) Z" \  q-The most classical one is:
: q% ~) G0 R. t# \  s8 \# L  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
* n* D& F5 I3 S/ c7 P9 B    *(esp-&gt;4+4)=='NTIC'+ p1 r7 }, Q9 f# p& K

8 b! X( D$ Y5 L; ?, h, P2 A-The most exotic ones (could be very slooooow :-(
8 U4 N" l" c/ r1 R   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
5 H& G( Z, o5 K3 M3 t+ @     ;will break 3 times :-(
7 \; d! y! F5 b& y
0 z8 q3 [' _0 x) X& r8 {7 T-or (a bit) faster:
4 C# g" @2 ^, h8 m& ^   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')/ Z2 z* S2 b; y" H) [

4 U8 e) L/ I! v5 f   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
# S$ j9 L0 W, w! N5 w3 X     ;will break 3 times :-(
0 K: H: J6 d; I  m5 T: S1 M+ N( v5 S: H$ d/ V) B! n  b
-Much faster:7 B6 T! ~; Z* [$ c- {5 Q0 ^
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
/ [( {0 C% W2 o0 ]. o- ~8 h- K2 H+ a! H0 F9 H+ I: V
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
5 m0 n4 @- d. r& U1 R, _function to do the same job:
& C' J, u4 G. [  L* `; g  Y: j: X0 q/ k+ w1 J4 H7 s  J
   push    00                        ; OF_READ
3 O! l( x6 ~: L2 g# p   mov     eax,[00656634]            ; '\\.\SICE',0
; D2 f9 _' Q% s1 o7 [   push    eax
) }- O5 J* }( n9 C6 D7 o   call    KERNEL32!_lopen
- A8 Y& `+ S0 X* F0 x   inc     eax
; R, w, y, v' v6 I   jnz     00650589                  ; detected2 i0 J, [! F1 F. n
   push    00                        ; OF_READ
5 V  w( ]( i4 W: [* v   mov     eax,[00656638]            ; '\\.\SICE'$ V3 ]! F2 k* z
   push    eax
! n" p! Z* m' ^   call    KERNEL32!_lopen/ s5 E- H5 z( ]9 ]) ?) i2 d1 ^
   inc     eax
& G3 c" r1 ]$ B" A   jz      006505ae                  ; not detected
$ U8 `: X4 g  t+ Q! B" W$ S, T, v, j! u2 H# M

8 U8 ^3 f1 b. V0 o$ E__________________________________________________________________________/ }: K9 L" ?: P  M! e$ R/ B% _' L

$ N+ x" b: R: mMethod 12$ C' G' e4 g& F' D6 b) C  O# T
=========7 H' S) o/ |+ [+ H0 D
; F% B& [, y2 ]  }/ c. t3 t" t) G
This trick is similar to int41h/4fh Debugger installation check (code 05
/ K& k7 f  [5 n&amp; 06) but very limited because it's only available for Win95/98 (not NT)# F$ {, m& p" ?7 [
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
  d7 z. C5 D, A
* j: l& t+ g- i0 i   push  0000004fh         ; function 4fh
7 o; ?; b9 e& r   push  002a002ah         ; high word specifies which VxD (VWIN32)2 n; }2 u9 j3 z- G0 k
                           ; low word specifies which service
& `* Y  ]) Q1 c                             (VWIN32_Int41Dispatch)
% v- g1 h) i+ W4 ?, |: D   call  Kernel32!ORD_001  ; VxdCall! Q3 d( B7 d8 u  I5 }6 \5 ]
   cmp   ax, 0f386h        ; magic number returned by system debuggers
  U" U3 G- {# @  u2 N   jz    SoftICE_detected
1 v4 {1 z2 `. t* x6 C- I) D
. n+ W$ Y2 I  o. A8 z7 Y* R+ PHere again, several ways to detect it:
* J( m1 n( o! _; w  T2 e. [
8 p7 J9 S% b7 H' q3 s2 ?% h4 i    BPINT 41 if ax==4f
5 F+ N- s4 V0 e# o; n: I
0 [; H/ q( M5 z" Y8 V* O0 s    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
6 g0 @% {; G5 }) c8 p
/ S) P# V6 D) q$ R8 S2 O    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A+ K2 g5 c) P2 j* ^5 T2 g1 [
$ j& c3 |6 G1 Y2 q! D8 G
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
, f; G4 X/ V% A6 Y6 z8 ^
( u" X0 C- a7 k2 x! B) d__________________________________________________________________________3 V  Q4 Q  X5 k4 O9 p9 o

! ^5 J! N7 w6 q0 U% h! B7 G) lMethod 13
+ z; _; F1 N4 Q. a' }4 A=========
! v; J8 g% q+ Q! M& G; X' v( _. N# V; |' f8 W; ?. m; c
Not a real method of detection, but a good way to know if SoftICE is
* f' ~+ E5 a. [; Cinstalled on a computer and to locate its installation directory.1 P/ P- J; m' |/ l2 X- _* V8 h
It is used by few softs which access the following registry keys (usually #2) :
" T& g% [, I/ M; r/ ~$ I! X/ m
- h7 H) h  }, h, {8 ?  H- Z1 t& W-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 j4 r" y3 Z6 H1 [9 R
\Uninstall\SoftICE) ?5 c$ x+ @, A* E1 _
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
2 W# N! }0 \( T4 }% W: J* \2 z-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 C% c5 y: \2 j8 P3 ~' B! ]/ H
\App Paths\Loader32.Exe
9 p& q+ F2 ?4 i8 f! u/ P1 v) W& c2 K# L

* e4 h7 Z8 _8 h+ S% j$ KNote that some nasty apps could then erase all files from SoftICE directory
3 ~. n1 S8 p6 M- V3 d  @(I faced that once :-(, b' Q3 Y" q' h8 X8 _+ m4 x- y  e
2 m+ m. v( N: X5 `/ u3 ]$ ]
Useful breakpoint to detect it:
2 H+ a: t9 @, r6 N6 g
3 v, K" \, W: t& c" y+ [! D# I. a     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'; F' U. e1 K6 [" [
' g* D* k7 }9 o
__________________________________________________________________________
# a4 Q7 a% y7 P+ v4 W5 E2 ?4 b9 s" D4 E

. N0 Q- _5 P7 BMethod 14 ! Y. d0 U; U7 G7 E+ k0 o# r6 J5 s8 P
=========
  p# L9 n& f" D, ?" c* w$ Z
- z# K  N7 E* Y* x+ A% A- s$ y  KA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* ~1 Q5 G- J. R7 s' G- ?is to determines whether a debugger is running on your system (ring0 only).; M5 x9 g& k) G  ]1 m( B) T) q1 N
+ B3 N% X" J: l$ `9 j. s
   VMMCall Test_Debug_Installed
- t2 @9 @2 d+ ]7 j5 ~9 S9 g   je      not_installed( n9 L( f, x4 Z: R
2 B8 j1 g, _. d5 X3 ^: i
This service just checks a flag.
7 o. o4 @7 r  Q. D; N: V5 G</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-10 10:53

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表