找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>  F# {/ n+ O- q# q: c" n& @. G
<TBODY>3 _2 I6 o& h2 e8 M1 B
<TR># w; s/ F: O, x8 t* b4 O
<TD><PRE>Method 01
! r# O+ b  C5 D  B: T5 _=========
" A6 x( F4 B4 n+ s% }) y4 K1 w* m6 L- m+ m* u' m- X* F4 A& Y, _
This method of detection of SoftICE (as well as the following one) is
' O4 p6 t  j( v; |used by the majority of packers/encryptors found on Internet.
5 `" G6 Y9 `1 V2 iIt seeks the signature of BoundsChecker in SoftICE
# B2 C$ Z$ i) u  B( P$ h
& \, n' R: K2 W4 m6 n8 D- `    mov     ebp, 04243484Bh        ; 'BCHK'3 O2 p9 V, Y  m5 T
    mov     ax, 04h
" B7 r6 U0 B$ ~% [5 u$ w    int     3       + S4 z! t2 b" F" g
    cmp     al,4
, k; y$ y+ A2 h1 {. l2 N* c    jnz     SoftICE_Detected9 S& @4 t7 f4 h* @2 Z

9 n5 ]1 b' c- Q0 w4 f/ j___________________________________________________________________________. A0 U9 _+ j2 Z& N0 V' \
0 v! R+ A) `% _! x, }
Method 02
4 S" l2 }* `+ K, j% Y4 P' R=========
1 T& ]) g5 h9 f) I) k7 E+ `! ]* s$ ]2 s& {7 }
Still a method very much used (perhaps the most frequent one).  It is used. C9 c; p+ m& R( u& e
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
6 E! w4 I( J8 Z" J# H5 O# P, Q% N- _or execute SoftICE commands...
& O) _4 \% t! ]( ^% PIt is also used to crash SoftICE and to force it to execute any commands
" a* r, a1 Q2 s. K(HBOOT...) :-((  
; a  d! q1 w5 d7 w( `3 e) c/ l) H9 y1 {
Here is a quick description:
; K; n  p$ T/ X1 q9 K! o" f+ N-AX = 0910h   (Display string in SIce windows)9 d3 L) \' Q9 T/ N- Z! Q9 |" r& y2 |& u
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
0 C- T3 _' `5 j6 F) X- `-AX = 0912h   (Get breakpoint infos): a& X$ ]- G7 x; _' d; u" C
-AX = 0913h   (Set Sice breakpoints)
& m0 B( n' n) s6 x" O$ x-AX = 0914h   (Remove SIce breakoints)6 q4 o3 x' y5 n2 k* D8 m

! P# S2 v* b- j: x" z! A! r* uEach time you'll meet this trick, you'll see:
" O5 [2 h* @5 |! T-SI = 4647h
. e+ {$ ^4 Q: X& z1 S2 E  o-DI = 4A4Dh3 `) \2 s* p8 k+ N1 F7 N5 `
Which are the 'magic values' used by SoftIce.
, Z3 T+ y# n$ h% oFor more informations, see "Ralf Brown Interrupt list" chapter int 03h., Q; {0 o+ o  F  n; w) a
7 C2 Q, p% E: T4 A1 J5 {
Here is one example from the file "Haspinst.exe" which is the dongle HASP
2 H- R6 T; v2 P* R+ ~Envelope utility use to protect DOS applications:! |- `! n/ e* E: a7 k+ G0 B

1 a5 e  {% h* a7 e: |5 k
8 _0 z# w% G/ p/ w, x/ a% W: J4C19:0095   MOV    AX,0911  ; execute command.3 I( C" W' Y! R/ a% T4 ^* V( `; P
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).4 ]- n3 A0 g' c3 I8 `9 O" B
4C19:009A   MOV    SI,4647  ; 1st magic value.0 x' f  g% S: v2 a$ o8 ]9 B$ ?8 l
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.4 }' }, V* p$ d# e
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)  U. v7 y4 R: ]3 S
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
! E" _: Y4 |& ~% f4C19:00A4   INC    CX$ B" E0 x: O# Z8 ~2 d) K
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute8 f$ R" C% O2 \4 }7 E" f
4C19:00A8   JB     0095     ; 6 different commands.
  ?& z/ D5 x# ?2 V1 ^% B* B  v7 m4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
- i& B- c/ Y- K6 s$ g4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
$ w9 p* ^: C. I9 u: X/ J% [. z$ p+ N; v0 ^
The program will execute 6 different SIce commands located at ds:dx, which& {, H' l  P( w' o" u
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
9 Y# v* a$ \; D) A: Y) h. N) G/ l2 h- A! s
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
7 W: c( Z' \- ?0 e___________________________________________________________________________  [9 ~" [9 @5 z# h. J- T" ?
# _6 H+ K: A( k% u3 l

0 e7 @1 N) c5 j0 b+ A. x4 VMethod 03! O9 R( z- P/ j  E* t! U; y/ v
=========
% A6 p. T# m9 P: V
5 w9 S! i: M6 t& a4 `4 n; Y' s: KLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 R" o& C% {! _" {4 S  n(API Get entry point)
, J0 ~7 I3 q2 m1 \9 \* s8 V! t        
" u5 I" w0 @& J) c- k; r( D
( U, j0 |9 ^9 P8 u3 u" W    xor     di,di5 \, o; D( u3 s
    mov     es,di
! w9 H; A5 v. E" \# L    mov     ax, 1684h       8 {7 I3 P' t1 K7 l
    mov     bx, 0202h       ; VxD ID of winice  v- X. X4 T: v* G: P& B& o& J
    int     2Fh
; w" b/ i/ x) r8 d9 d3 J5 V    mov     ax, es          ; ES:DI -&gt; VxD API entry point
  }* n: o2 p# h! ]# I" V    add     ax, di& E" x& F6 H, v" ~
    test    ax,ax# r4 r! R7 L( X: y& x3 j
    jnz     SoftICE_Detected
! Z$ U& X9 a% Y! {7 ]; O1 R% I! ?  t, y0 R# D
___________________________________________________________________________  ?5 M8 @* ]3 c0 `5 Z1 l$ p  w
. y! |) T' d. J! w
Method 04  \4 T; [2 I/ S
=========
- [% f9 `" z) {1 B2 h' s
7 C( s! w- @( s3 |+ XMethod identical to the preceding one except that it seeks the ID of SoftICE
8 U4 D0 C# a, Q5 e6 L& d, D! i. MGFX VxD.1 X0 [- x, H1 \. n; D% H  n
! o& F( l: c. k4 N
    xor     di,di
4 W" u  v4 E) D/ O    mov     es,di
3 p  B/ L4 i* L' S1 w    mov     ax, 1684h      
1 h, B" m7 {" l: G% F    mov     bx, 7a5Fh       ; VxD ID of SIWVID. [( Z) M! v2 }2 V) D) C
    int     2fh' H) C' V2 ]7 _& ~8 T5 d
    mov     ax, es          ; ES:DI -&gt; VxD API entry point( W- M/ @; e" i
    add     ax, di2 N$ e' B2 Y+ Q) o7 |, D
    test    ax,ax9 C2 u5 ], D5 q& t- R
    jnz     SoftICE_Detected/ H1 Z1 s# X: G
' M3 G& {4 ]" n% x3 `7 H
__________________________________________________________________________
* X1 C5 i8 E/ J+ }9 h
) G/ W; ~& I. `0 b8 X3 ^6 `0 g2 o2 X! {; X3 E
Method 057 c  G% S8 [4 x6 N+ R
=========
7 q" I. z( \. e, e) N0 ?8 V* h8 P( F  {) M! {& D
Method seeking the 'magic number' 0F386h returned (in ax) by all system1 H. H( P# q& A7 a
debugger. It calls the int 41h, function 4Fh.9 w) V5 A3 N7 x* L6 _; h1 d
There are several alternatives.  4 k7 p/ y# u* d
: A" A5 J9 U0 _/ x1 D( O
The following one is the simplest:+ }: O% @- f! G3 m- f, v; @

- I. K5 T, `/ I* M; Y1 W/ k    mov     ax,4fh/ O0 S2 A+ [! b- W) p2 b, C
    int     41h$ @3 i: a0 w9 s5 h0 Z
    cmp     ax, 0F3861 a6 H# U% K; \; G+ X, [
    jz      SoftICE_detected  `( L4 S$ t8 ]0 }& g$ Z
* _3 n5 s! N- C. b3 z5 T) Y; f: _

- ^, S' Y+ A; m7 y) ^( p# l" X' Z  L3 qNext method as well as the following one are 2 examples from Stone's
1 O, `( o' Y5 o$ X2 `& J/ K"stn-wid.zip" (www.cracking.net):9 ?1 R( S2 |0 U0 q* E7 s
' \- B" ?7 `, Y( x6 y
    mov     bx, cs
6 n' J% j% m  S    lea     dx, int41handler2+ `9 b  C/ i6 G# Q# W
    xchg    dx, es:[41h*4]; `6 f. `- R! v6 q
    xchg    bx, es:[41h*4+2]
4 x* _4 M3 O! z1 s4 |    mov     ax,4fh; y& d. t! F+ E/ \
    int     41h  d% v3 K+ v& R8 e2 z4 v
    xchg    dx, es:[41h*4]+ R# o! y% t: ~9 C6 V0 J9 ?0 F- _9 ]
    xchg    bx, es:[41h*4+2]
! s7 E" R2 y) T( b; h    cmp     ax, 0f386h6 T8 {% W+ h5 {# O, z
    jz      SoftICE_detected* Y0 x) U, r$ a, M* X
) z# v. r1 U' R8 }- K% z* w4 ^
int41handler2 PROC
8 J: s, P, w" X6 u3 y3 J7 q$ ?  _    iret
2 K7 F2 N+ F/ P& D2 `6 o: @int41handler2 ENDP# i$ a: C0 d% _
1 H8 P' g! p% c5 J, a
3 Y$ P& M8 U% K, c1 c% J8 I
_________________________________________________________________________! r: H9 \/ U% A. q' x! n4 e

% h4 M9 j1 T; L; J! }9 \; u9 l' k% \0 l1 m/ c& {3 ~
Method 068 v% `: `( C( E8 G
=========4 D% l! L* G+ ], P: R! a' e
/ U( R% b- v5 {- P
& H$ {* N- y- [: x; q. ~
2nd method similar to the preceding one but more difficult to detect:5 I0 P, D4 V/ J7 i2 a

8 v% ?& d) V! ?8 J
9 ^0 N( l; }6 H' i2 l# mint41handler PROC
' {* L3 `7 b3 l/ m+ m. h    mov     cl,al3 E& W9 w: f8 e" Q
    iret
/ [" t! e. n- Vint41handler ENDP
3 T+ D2 O8 h% \- ?2 {7 Z3 ]0 _5 [
! ?4 _4 D; {3 e- |- k, d
2 ~% j3 o: y, o. L( R8 `    xor     ax,ax
0 D$ k+ K# y3 s' _. d/ W7 b    mov     es,ax3 Q. Y; ]+ g2 A# Q- ?% N2 B% s* L
    mov     bx, cs1 g/ a5 q. \# q1 }! f, i" r& x
    lea     dx, int41handler
2 _  t  \2 p5 U    xchg    dx, es:[41h*4]
3 y9 r( l3 n  R! T; M+ b    xchg    bx, es:[41h*4+2]
8 f% R* y1 Z$ S. o3 q% P! U    in      al, 40h
' S' N5 ^+ i( h6 R8 B& P) R' D    xor     cx,cx
/ ^  @8 Q# ~- b& b9 o" u, S    int     41h
$ |* V0 V8 V, I# A  f8 A, F7 Q. }    xchg    dx, es:[41h*4], H/ D8 Y, a: ]# o! o3 Y" M* m" W
    xchg    bx, es:[41h*4+2]: K; S, H1 T, R
    cmp     cl,al
- m8 k6 V1 A" I6 }    jnz     SoftICE_detected; t/ ]2 c1 U  F9 B% `7 E' ?( M
/ u$ y4 z- P0 H6 y; x& u, {$ z
_________________________________________________________________________
/ m( Z) Q' S5 I! d7 T/ J  N$ U  H: W) u7 T, K; }
Method 07
9 g9 X- u1 w& G7 h) |0 a=========
# a( ~- L8 J$ C* T( Q/ H' _  c) `! G2 S4 t+ ]3 S
Method of detection of the WinICE handler in the int68h (V86)
  F* B+ E' ?7 y! X! Z8 s9 p6 Q3 D, o" w) ]4 t9 G
    mov     ah,43h
, j+ S/ b1 P( i) x+ V    int     68h
; E: I6 B/ D& i, }- V7 _4 j0 Q    cmp     ax,0F386h$ |& ?" h0 `1 F( J8 f
    jz      SoftICE_Detected
( |* f% V5 k5 C4 t7 M. e
" c/ C* c; h  |' b) x! L- {
' p) e8 e. G, o, g=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit/ V% o1 `+ }5 U8 ]3 a
   app like this:- {& B8 K5 c$ q: u( v; z6 I
. d4 D5 r: v4 q! W; I1 @* c: P
   BPX exec_int if ax==68
8 E! u1 A1 }9 ~: A" g   (function called is located at byte ptr [ebp+1Dh] and client eip is& I9 ~* V$ q* H5 g1 p' u
   located at [ebp+48h] for 32Bit apps)9 y8 @3 P( B# Q! b4 I) F- e
__________________________________________________________________________1 z( Y* W! @/ Q7 R: p
/ v0 B, j! A% U+ S8 a

& d* z& F& M1 k4 R1 j1 tMethod 08/ p0 G3 j7 E8 d% h# L2 e7 j
=========) ~, R2 X$ d: ^$ ]& a
0 s# Q  L/ T3 s5 y
It is not a method of detection of SoftICE but a possibility to crash the
4 @3 {; y8 S5 e7 t4 Isystem by intercepting int 01h and int 03h and redirecting them to another
( A* v- Q; H6 ~& O$ [. Vroutine.
6 n3 _% U. l$ d; {It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points& @! p" c3 G( o( W
to the new routine to execute (hangs computer...)+ S9 h/ r/ C( d/ A

  o1 {7 h; Q& u) s& h  w( \: `4 ^1 E    mov     ah, 25h$ ?$ F+ P/ X$ p& x/ @
    mov     al, Int_Number (01h or 03h)
" o: Q+ q; M8 d5 r$ c    mov     dx, offset New_Int_Routine5 ]! [1 p  Z. n+ O6 i5 r( k7 w; v0 T% ~6 U
    int     21h5 D6 T* ]. B- n7 B: B

) [% y6 k3 j* E__________________________________________________________________________
, \9 v$ ?& Y* w7 d: q8 j9 O6 E9 @' O; c4 O* p  d: j* w* ^
Method 09
5 n8 c" {3 h  J/ u2 R) ^=========% C1 a- L* h9 j% ~

: S3 U( d' E8 a- T1 c2 tThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- F) {% @9 J9 ~( N7 }& a% T4 Sperformed in ring0 (VxD or a ring3 app using the VxdCall).* D  {' B8 F% D
The Get_DDB service is used to determine whether or not a VxD is installed
) i! X: p8 s5 [- C7 \" o- @; ]for the specified device and returns a Device Description Block (in ecx) for
/ Z9 `0 _# w2 w2 [9 d/ Mthat device if it is installed./ I6 T1 q% p' V  t& R  t
  L' b3 X8 x! O- U; Y
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
$ F* X1 b" [: v. I' m4 v   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-), K( X% g* ?7 Q- Q
   VMMCall Get_DDB
& a/ ]/ x3 A( ?) D4 w' r& Z   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
- X7 B! e6 A/ A) K7 }+ }
! w0 e8 a: O! `0 W4 `0 u2 D/ P! xNote as well that you can easily detect this method with SoftICE:
, A/ o+ T( G, ]" J$ O7 Z   bpx Get_DDB if ax==0202 || ax==7a5fh
6 Z9 _  q0 a/ C( ~; l% C
0 B; J! V6 R& e; a1 S__________________________________________________________________________; i0 d- Q0 f9 `! n1 H% I' s

' n: |9 S5 N- V* G, ?. E% dMethod 10
: G$ K# b7 @: `) j  g- M  x=========
+ {7 l. b8 I% k. b4 X. n: x2 o% U# ]  Y5 _2 _7 e- Q* k* R
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with3 S7 h7 T" R5 ~3 f! t: P  z
  SoftICE while the option is enable!!/ t5 F2 A3 G# j5 G1 T* j; H

- H5 h: _% _  H- \This trick is very efficient:/ d) p+ I9 z0 ~( N
by checking the Debug Registers, you can detect if SoftICE is loaded8 M' v( ~- B7 [) F" u
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 O1 f, M5 b/ u. T) N/ m, x/ t. @there are some memory breakpoints set (dr0 to dr3) simply by reading their+ p. P+ U7 U) x
value (in ring0 only). Values can be manipulated and or changed as well
  v2 d+ P* V% H& R(clearing BPMs for instance)/ D( y/ t) P+ \  Z8 m8 a4 u

' S/ [! Q* G9 u. D( M- R__________________________________________________________________________
4 N5 I+ q* b1 M6 z& p  p& V# `: T+ M2 y* U, K
Method 11
* b$ i/ O4 ]. y  o* K1 P! A=========
' V# d! T2 E) J6 E7 ^1 E+ N; n0 {# U7 S4 X
This method is most known as 'MeltICE' because it has been freely distributed; p4 v/ x5 m: D* X) ^4 y
via www.winfiles.com. However it was first used by NuMega people to allow
9 m( Z; B2 t* e$ xSymbol Loader to check if SoftICE was active or not (the code is located
' j; w$ g/ e' t; {inside nmtrans.dll)./ b6 U8 S5 X4 p( `5 `) F; R

- j' ?; y3 E1 i: U) c6 X. G$ pThe way it works is very simple:
( F  d: E( i$ i+ p1 O: {* {! ^It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
3 U6 w) m3 o. v# pWinNT) with the CreateFileA API.
5 R1 L4 Q% f3 [4 i+ w3 h
0 g4 E) U+ `! ?* v6 DHere is a sample (checking for 'SICE'):
# C) E3 ~% x5 H; [1 B- ~& f; _8 G( g4 t- H6 Q
BOOL IsSoftIce95Loaded()) w" T3 y$ ]4 U
{
7 Q3 ~& e4 v/ E6 X! b   HANDLE hFile;  
: v8 Y4 S6 x8 e   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
# F. ^& p: T; n& T                      FILE_SHARE_READ | FILE_SHARE_WRITE,
! ?& ?% c' g, S% [8 ^* V                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 H8 z( E% ^* H( b
   if( hFile != INVALID_HANDLE_VALUE )
  w, K+ c$ R' Z   {0 q8 ^2 e" Y; A
      CloseHandle(hFile);
2 f; {& i# L1 A- |: C      return TRUE;, c5 N0 T6 B0 x8 s; \
   }
7 b) T' z% n! ~, Y7 w   return FALSE;  n1 b. ?! u7 ^
}
  }* d2 Y, D  ?  v' T- x7 R. Z7 N- S5 B
Although this trick calls the CreateFileA function, don't even expect to be8 c- \9 ?' Y1 n0 M/ B, |0 ]
able to intercept it by installing a IFS hook: it will not work, no way!- I' ?% F1 B+ Z
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
/ |  d$ \6 ]( O2 ~) C7 wservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) j6 y  O* l0 T1 A8 {0 Jand then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 o+ Q) I  C- Dfield.3 I, o4 Y8 ]; @  r* U! J
In fact, its purpose is not to load/unload VxDs but only to send a # C2 z3 n# X; t+ d
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! i; W. C4 n5 i2 s. `
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
1 k$ q4 }  Q& ?* S. vto load/unload a non-dynamically loadable driver such as SoftICE ;-).+ k! d2 j: W8 O# F3 _) M$ z) m- R3 x0 I
If the VxD is loaded, it will always clear eax and the Carry flag to allow
. f- S) v* u; }8 B8 J# Zits handle to be opened and then, will be detected.
! A7 J3 o( `8 FYou can check that simply by hooking Winice.exe control proc entry point4 e$ E7 Q2 X9 j( Q7 B& R; a
while running MeltICE.) E9 m3 [! B# d+ l7 c( F5 @  l

! u7 ]' B4 }; X: I! q2 ~9 p# J
  00401067:  push      00402025    ; \\.\SICE# r5 n$ J1 M: I, b, K; [8 z% c
  0040106C:  call      CreateFileA6 d9 e6 u8 n& d0 F8 Q
  00401071:  cmp       eax,-001, ?* I" n/ V. t3 }5 ^3 }* d3 }& O" T
  00401074:  je        00401091
4 p$ |2 Y- X' B! V9 D" G0 W, S8 w
7 }& J* {* K  ^" W8 A
; ^# H* V# ^' C: ?# c' nThere could be hundreds of BPX you could use to detect this trick.
/ h' P7 W5 \! P4 z8 i( P. S-The most classical one is:
; k, V( S) P$ A5 M* ?  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 d+ f/ ~; [# [  F- a& ^& h; U    *(esp-&gt;4+4)=='NTIC'
, C$ z" p4 K1 Z8 i7 C1 h/ _. \" U/ R# X0 l
-The most exotic ones (could be very slooooow :-(  B5 u5 R3 Q# q6 y
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  0 t+ V9 ~/ y1 m
     ;will break 3 times :-(
& [# o# H" q( B3 h' w
) ]) ~5 h3 V1 E3 ~7 U-or (a bit) faster:
* y# M+ ~4 F4 q6 R" l8 t5 R   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
! Q5 m9 ~' l% B4 M- ~$ m* @
- ~8 X3 R$ G1 S4 _   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ' v- D# d2 \. C
     ;will break 3 times :-(
8 z% ?5 T+ ]8 l- a9 d4 v
% x4 x+ H# H: G0 X, _$ V8 _' w-Much faster:
* f: H: ~: B/ s0 r5 P   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
; }; f9 f8 _  ?, b; p: D/ e' V! i, w- s4 j5 G
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen* N; J: G; [1 B/ ?4 K; z
function to do the same job:
# @% {+ N4 x7 Z* ^
( l# c& `2 K; _; x; s" E   push    00                        ; OF_READ( ^1 h0 ^) T# x' v: ?
   mov     eax,[00656634]            ; '\\.\SICE',00 ^. `! r3 F& f0 X& U, r6 ~: m
   push    eax# T, \/ \7 Z. H' o
   call    KERNEL32!_lopen
# a. ^/ y& m' u( i3 ]   inc     eax& u* I  g$ u1 O
   jnz     00650589                  ; detected) P# M5 J1 I7 w9 u$ u
   push    00                        ; OF_READ
! u2 P6 U$ X, z8 S9 O   mov     eax,[00656638]            ; '\\.\SICE'
, Q2 I0 h/ g, G1 V4 d# |9 S   push    eax
! P1 C9 ~: o7 _   call    KERNEL32!_lopen4 h9 y5 T1 O, X
   inc     eax; H4 ^* q, z5 p
   jz      006505ae                  ; not detected
; x0 e" g# O6 V. C7 _( y  H3 W
- w' L. B3 t$ D2 D
* ]$ K' l% A0 R__________________________________________________________________________
3 C7 w) ^9 x6 ^0 T& P, }$ O( ]; _) Q' q
Method 12
( h% w- p. ?+ v. T, I8 F' {=========
2 h  z* \& T) u3 k' M. Q1 ?
4 g1 D8 a6 ^% s) ^% S. f0 M% ?This trick is similar to int41h/4fh Debugger installation check (code 05/ Y& l4 Z  r: _2 q
&amp; 06) but very limited because it's only available for Win95/98 (not NT), B( L& x" x  |& P# p* d) p5 q* U  U6 g
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.  T* }; `8 K  ?, c
* w3 v" \' ~0 a$ {1 C
   push  0000004fh         ; function 4fh
4 d* l; r0 y1 R6 b$ w+ m0 \/ T9 N% t   push  002a002ah         ; high word specifies which VxD (VWIN32)% S- d$ b" u0 }/ z  ]% E4 _
                           ; low word specifies which service$ e3 V" K* f- c* Z% b
                             (VWIN32_Int41Dispatch)
8 v# b/ p2 j$ R1 t! S   call  Kernel32!ORD_001  ; VxdCall
7 V" u( E( N3 V( G   cmp   ax, 0f386h        ; magic number returned by system debuggers: `* p0 n( \0 P& A
   jz    SoftICE_detected
) P4 p; ]/ ~& U) }( y$ E  c' \# `; }4 E
Here again, several ways to detect it:! z3 X  ^* s# V/ G: `, z! d& U" P' Z
2 ?- m; N% O* O. ^( ~
    BPINT 41 if ax==4f' `+ `; U' d( w- V5 k
) s" K( w0 v2 Y. L1 f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
" [: A" h2 H9 N& P; e( ]2 N7 c  K8 i: H, E. J4 q7 }" e8 ?. Y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
1 V/ d3 U6 b- \5 O; G' _, n/ r* L/ @# {
/ V8 ~1 ]$ X1 O, `% e- O    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
2 a0 C$ h' l1 e3 s9 x" F* Z8 N, v- `% L. ?5 y4 t& E# y
__________________________________________________________________________
; _9 G% R  i/ _
: d( v- v2 i' C! K  _Method 137 v" x2 o! r4 f9 P
=========) U2 m5 p- U6 _$ Z$ ?  M6 [
" d5 w/ v* K% e* d; u$ r
Not a real method of detection, but a good way to know if SoftICE is
3 A( n7 F7 Q3 g' T# n9 Qinstalled on a computer and to locate its installation directory.
. m* F5 s1 V; K+ Q$ ~* cIt is used by few softs which access the following registry keys (usually #2) :
/ d4 @" ?9 F! t: E# g" q% h6 u( T$ U2 H& W. |/ g5 P) f, N8 n
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
) [+ W& W1 ^( s\Uninstall\SoftICE
8 j/ c: ?- U8 ]6 J. ]% ^-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE) \( B" n, n' h' g
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! k$ Z2 Y; v# X
\App Paths\Loader32.Exe
- I. J! Q" Y% M* ?
( W: O$ K% @$ w* c( ]
5 C' ^+ t2 m7 l; R  G; ?Note that some nasty apps could then erase all files from SoftICE directory/ R3 Y$ }8 A/ Y. `+ p7 M" o
(I faced that once :-(
7 c% c* e9 V) n* G, W% p9 i: b# F! n7 x/ K6 ^: I4 w
Useful breakpoint to detect it:
% J; x$ a( I8 O: a/ d. {( Q. U) f* [  j0 T# U( W% e
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
* Y9 a( M1 C$ M' S: D, Q6 N( t: K2 p* R( ~
__________________________________________________________________________
9 q7 ~# J" ^% U3 X2 ]- F8 s5 e
' e5 A9 V6 F1 X
0 V* E3 I: @; M) @8 F; S! |6 C3 ]Method 14 0 a; {3 d! k# m+ h7 d
=========
: X0 h9 s% |1 u7 y
1 a1 J' ?; Q, r$ h- f& ]A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose$ o' }* M  u6 }2 u" t
is to determines whether a debugger is running on your system (ring0 only).
, g6 u9 l) L$ N3 ]" r( Q' N- d- r. U) q  ~( g
   VMMCall Test_Debug_Installed! a# A( M* w. {" e$ v
   je      not_installed
% t: U5 w. N# F7 {; n+ b8 L4 n" Q: z  i
This service just checks a flag.& k! T' w, X( @
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-9 07:26

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表