找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
; d" d  n7 d4 Z7 k# {* T" i5 C<TBODY>9 M) L1 ]: g& H5 P; A6 I
<TR>
. ~" l) v- N# V2 R+ m3 X9 {<TD><PRE>Method 01
& v+ L( ~9 d6 t. V. t9 q- s7 R=========5 C7 _1 `4 m" x  L
1 U1 G+ Q3 V: m. u. V5 G. p  J; e
This method of detection of SoftICE (as well as the following one) is! V5 _( F/ I% s! z. w3 R
used by the majority of packers/encryptors found on Internet.3 }4 H, D8 e7 V0 U; B! j
It seeks the signature of BoundsChecker in SoftICE
$ e1 Y- G0 ^' ]$ e- x
- L  S0 @$ k4 Y9 z# W6 R9 z8 I6 J    mov     ebp, 04243484Bh        ; 'BCHK'
* a0 T  k6 G, l5 b. B    mov     ax, 04h" E8 a) y' V) Z. @: X! S3 q7 b1 X! [
    int     3       " ^9 m" [7 s. y4 Z& w8 u  _
    cmp     al,4
5 a. }5 H$ S4 j; P" H    jnz     SoftICE_Detected
1 i6 ^  e: c+ Q8 ]: r5 W* H+ G2 d
5 w* _( t+ Z/ ^$ w. a8 n___________________________________________________________________________
( Y! }6 S% S4 d& \. X0 f; N3 u2 u. y
Method 02
7 j' c! w) H8 V' i=========  H4 I* L# o! @' Z
& S% ?  i* a( K6 @2 l1 T5 L
Still a method very much used (perhaps the most frequent one).  It is used
4 e/ u1 m# s9 K9 _7 d# Qto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 `+ T, x$ ?5 j  [! wor execute SoftICE commands..., |# F. k7 g. W. L5 {
It is also used to crash SoftICE and to force it to execute any commands7 T! \8 u8 J4 x, A) C; N
(HBOOT...) :-((  
: Z: y  m9 s3 G- R% ?& S2 r3 Z2 H
: }( v5 |& R6 ^8 B- J0 s3 q$ S1 dHere is a quick description:  Z) H3 _8 ]: s0 |! w
-AX = 0910h   (Display string in SIce windows)
0 p5 m& ?6 @$ Y: S9 E, ~; _-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx); G, Z/ Q; q3 g& h
-AX = 0912h   (Get breakpoint infos)
1 p+ O3 o7 o2 q6 C. m. I0 i2 c-AX = 0913h   (Set Sice breakpoints)
& K1 M( ]/ o9 U9 y! L( y0 s+ I-AX = 0914h   (Remove SIce breakoints)
) ?$ u3 i+ c: L) a2 A( k# O2 e, t3 P% J# M$ O
Each time you'll meet this trick, you'll see:8 J" Q9 c- \3 H7 s+ I' Q
-SI = 4647h$ H* O. }; S1 J+ D& q3 ~
-DI = 4A4Dh
; @+ J+ h0 U: R( P4 u  AWhich are the 'magic values' used by SoftIce.
5 g$ }6 [' v2 n3 P8 v  v3 u7 v3 RFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
* g% _( `$ N7 \1 J+ {$ ]! `$ a7 U! Q; f5 ]( F
Here is one example from the file "Haspinst.exe" which is the dongle HASP
! K  N0 A$ R' Y% H3 LEnvelope utility use to protect DOS applications:' l# f6 p8 _0 X  ?- F
6 a0 }! S0 o4 q8 `

. v3 h9 d3 y8 |4 c# ?" t4C19:0095   MOV    AX,0911  ; execute command.
5 ]4 C; b2 S  w& h4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
" K1 Y5 `6 o, @( o. o) Y7 ]2 |4C19:009A   MOV    SI,4647  ; 1st magic value.
) `) ~& @4 {4 j2 O. o) ?, p4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
( E# ?6 G0 {( W3 j8 M4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 x7 Y7 m: L6 w- i% L4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
( H: }3 i. i5 g: k5 [% G, V. f% ]4C19:00A4   INC    CX
* u: ]8 K' ]" N1 k1 l4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute% g0 L# ^- l  u) G7 W# j
4C19:00A8   JB     0095     ; 6 different commands.
& A$ v9 ]4 n: u! Z, Z4C19:00AA   JMP    0002     ; Bad_Guy jmp back.' Y0 j: m- Z; k
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)! |4 ?$ }1 X8 W: R+ w$ V& e

, d% G* e7 M1 h) e: L6 O+ p% _The program will execute 6 different SIce commands located at ds:dx, which6 d) o- k! w5 `% U# _
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
+ \" Z2 Z5 X, A& {7 O7 t$ t$ K
& N$ N. H% f8 S( d4 l/ |! h+ B* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) M' B* k! U! l
___________________________________________________________________________& S& K  p3 R# d2 Q/ L& K
. }6 e% S3 _; ?3 V: C) K& h- ~

5 N, v3 i# o0 a+ `7 @' Z# o4 zMethod 03
' w' Q8 c) N+ u=========5 V6 ?7 z8 z( D. i' Z  r

% J) s$ `- V, T( [# \0 y( rLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
- g- m7 }+ j7 a(API Get entry point)
+ T% U9 W( H# r- g) b- |) k        
" f* m  l0 v+ U* k1 p9 O& i2 {7 S: L! T. V  `
    xor     di,di
" ^/ h/ L  D3 R- Z5 Z" H    mov     es,di
9 T0 d/ D: m* `7 U    mov     ax, 1684h       8 P% K3 j6 E- d" v% F9 L: c5 \7 r
    mov     bx, 0202h       ; VxD ID of winice
7 i4 K5 ?) O9 Q& [( f    int     2Fh/ z5 S; V' E6 s6 C0 l& t
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: j; c* }" \! ~6 ^: _$ O1 H    add     ax, di
" r; s6 O! h" r    test    ax,ax
) N  G( U* H/ H. S; @+ j    jnz     SoftICE_Detected; j; k5 q1 a! `1 T5 j  i

- }" I* I, s% u0 c___________________________________________________________________________+ I4 L; F( L6 N& e! V: D
, y3 A0 d: P% f
Method 04
+ `$ f' @4 k9 A2 {1 n# [5 ^=========5 |* K/ \( ~, G

# d5 V5 N# s. k8 Q7 UMethod identical to the preceding one except that it seeks the ID of SoftICE7 _  l2 U% V, f& t8 `0 u* x
GFX VxD.
7 X  j7 `* d8 N7 V0 ?, Z% K
: o1 D. \# e; z5 |  ?    xor     di,di
2 Z* Z8 B# ^9 ^4 @4 l0 N, y    mov     es,di
' \' n4 J' ?: ?) ?# M    mov     ax, 1684h       - O1 F# C0 F9 _& _9 @
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
: r& p, y' |% O' e' i    int     2fh: f/ ]1 [  G7 V; X2 X/ E
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
4 F; l' U8 y9 _, h$ e7 x' @    add     ax, di
* f; \" M: M/ W    test    ax,ax3 U& h- ]4 \# f  X; I+ v; L
    jnz     SoftICE_Detected
5 ], `+ t! @! S3 D& }
; u& V( Y9 E# D8 d: H0 u6 ]- F__________________________________________________________________________" Y4 e' p; Y, m3 Q  A4 W
8 C2 L' E' ]3 W: _" p( W4 j- M

8 M9 o; y  S! n, j' @9 u/ u4 fMethod 05( o! n) `% W3 U$ ?
=========
' o, H! M3 q2 i; `
7 }7 ~: E6 ?! |Method seeking the 'magic number' 0F386h returned (in ax) by all system- l5 T: d. k5 q$ i! x' V0 D/ I
debugger. It calls the int 41h, function 4Fh.
/ `8 f, j$ b, x, l8 B: [- zThere are several alternatives.  0 y! k( T! L4 b

+ k( A+ p2 Y( i7 g* {: o  z8 ~The following one is the simplest:2 _& ^1 ^% \: W7 _6 |

6 l6 \# R" \3 A# P) N4 y% d    mov     ax,4fh
" b# f. P* O1 w* C0 j+ D    int     41h
" ~; r  m5 B& ]5 l# R# B/ L    cmp     ax, 0F386
& o$ ]8 j/ V& y    jz      SoftICE_detected! ~# i0 t0 T2 X2 m3 O: G: k! [) \
) v: g! T  |6 r+ j

5 ?; ]5 g) h7 q9 G2 E) ~0 INext method as well as the following one are 2 examples from Stone's
1 M3 K5 O' j5 U* |: q/ f: {7 _"stn-wid.zip" (www.cracking.net):+ j; Z1 J) r# j6 F) S+ Y, W
) N- O* J+ V. l- c) l
    mov     bx, cs) b5 D7 R! U6 K+ Q) [
    lea     dx, int41handler2
: p( W3 Y& d8 D, W    xchg    dx, es:[41h*4]& q' P- a' U. P
    xchg    bx, es:[41h*4+2]. {- c/ M* ?1 g; k& e
    mov     ax,4fh
; R5 p  ]+ ]- q( P    int     41h
. K4 x% f0 r# [3 E+ r; V& ?: ?( x    xchg    dx, es:[41h*4]
+ P5 N; L/ a8 F; }! A' U0 R' Z    xchg    bx, es:[41h*4+2]9 `0 a5 p2 o3 Q$ m% @
    cmp     ax, 0f386h
6 k% w1 k3 q2 W! \' q1 k    jz      SoftICE_detected" `5 n7 Z" l) G: x9 b) E+ i% U/ f& g

' ~, p7 S3 p8 I: c! Yint41handler2 PROC
; w  R9 K/ ]% |' b6 N' C5 X    iret
/ L6 ^6 N7 E1 b8 u) O) N2 {  gint41handler2 ENDP2 Z6 f; I# L+ [

% y7 I" {' j$ G2 G% v! y& X: e/ u* ^5 J2 J
_________________________________________________________________________3 j( w& u0 B3 x# I% B

5 v9 R, x2 p3 A5 o# Q5 {4 E; E1 n
7 y) y' @+ B! s8 wMethod 06
4 X8 V' W6 G; \+ I, Y" h" N* G=========
  ]/ K6 _8 L) s" }4 d$ R# S
3 P3 y2 w& q/ x. x9 _& f: s% h4 e# X' y% d  Q- K5 F
2nd method similar to the preceding one but more difficult to detect:! {% Q/ l2 `) N
& k9 J" K  R$ c" Y

$ {& u4 H! u" A* }int41handler PROC6 f* v* b5 F+ K1 w& w: y$ ?; Y
    mov     cl,al, _* ~$ y8 _( Y. Z
    iret3 t8 F9 J1 }) B
int41handler ENDP
0 n+ f% o5 B! I2 S4 C
4 u# _' K$ p7 q+ R' C5 y- b) h* P' m, G1 q
    xor     ax,ax7 i# k7 K9 k1 s9 ]7 d8 y
    mov     es,ax" Z. s: z; @. v0 w& {  K, r9 U
    mov     bx, cs7 {/ {. R" G$ B1 Y  d4 K7 @
    lea     dx, int41handler+ T6 k) T& K! q+ i' T. v$ v2 ]- m
    xchg    dx, es:[41h*4]
# X1 I# c/ ?+ u/ I" k    xchg    bx, es:[41h*4+2]
6 J2 Z$ U: k+ }* I# i' o! L    in      al, 40h
3 s+ S* k5 \* g) j3 E    xor     cx,cx
# q5 J  W# x& w3 a0 I6 t( X7 X    int     41h
- i7 G0 }8 s' B    xchg    dx, es:[41h*4]
. T# ~+ Y. U9 t    xchg    bx, es:[41h*4+2], |- f. H, L1 p8 Z
    cmp     cl,al
# \! o: x# _8 }3 V# N    jnz     SoftICE_detected
0 ?% G& W; y3 u8 W+ @! M5 e/ ^$ R; h) q1 l
_________________________________________________________________________
: x/ l5 P% z! h# O8 _  o+ z% T1 ?6 j+ w
Method 07
! N0 K' j% U! x+ I, z( q=========/ y  i1 |% f% t

% v! d3 y7 z) GMethod of detection of the WinICE handler in the int68h (V86). |% r/ s, H8 ~: _* m0 N' t" U  F9 g
6 N/ x5 q. R6 X1 L
    mov     ah,43h
& M4 G# c$ N6 L# d; h* h    int     68h
" ]8 M2 c! b- l+ j    cmp     ax,0F386h1 N6 q: K+ s+ T8 Z9 l# ~
    jz      SoftICE_Detected
; t* E# g7 y7 g2 j, \
! c! J4 M+ ?) l4 a$ A! g6 i& @& G( e
( p# [3 `+ w# `7 \: Z3 t=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit0 ]: g- U& v/ O# ~8 i% s/ M3 F
   app like this:
  ^# I; }, R' I7 i
4 E5 a, p6 Q% v- \- j   BPX exec_int if ax==68
% p5 Q: Q) c8 P   (function called is located at byte ptr [ebp+1Dh] and client eip is! o) L3 ~) \8 g2 M  E) r
   located at [ebp+48h] for 32Bit apps)* r  G" u* t; V5 d/ V# t# @
__________________________________________________________________________2 L/ M$ j  Y$ t; g9 t$ x2 e( c

; X: e: L* V/ o  K6 n0 Q6 B# c$ P6 V$ R' Z
Method 08' @+ ]9 f  X$ C7 I
=========
# U& N: [  s) F% y5 x
0 B1 Z; B1 \) ]3 t4 d0 d0 s. @It is not a method of detection of SoftICE but a possibility to crash the4 u; u( t( J6 w; ?) ~1 s( s" J0 y
system by intercepting int 01h and int 03h and redirecting them to another
7 F8 T( r6 x( l! X( Q3 F/ iroutine.5 H; _$ a- j) i  K0 q9 }8 y
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& n: X3 O/ W' O7 e+ a4 ?, O) m! V! Kto the new routine to execute (hangs computer...)$ D. D& E, J# y; K2 Y

. F; a2 t% d; ?    mov     ah, 25h: U% _6 }" i0 N0 g2 G
    mov     al, Int_Number (01h or 03h)
- X/ A  _1 n  t5 D% h0 R! F) ^* S    mov     dx, offset New_Int_Routine
) V: x% z: @2 x    int     21h/ }6 [0 _/ d0 C- r8 s* Z2 f6 b

2 E7 u& O2 J6 F' T+ r) K7 l9 D__________________________________________________________________________
6 T9 l1 X- S; w# c! y) c- D/ V! C( k! }% }9 Q6 g% P
Method 09
' a+ b: w: k: C0 w2 ^8 g+ V=========5 K# r, o5 i0 B* S
; A( B% Z9 a# V  e( L/ L1 }
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
% O# K7 p  G( i6 dperformed in ring0 (VxD or a ring3 app using the VxdCall).+ d4 y! o3 N0 ~  M- Q3 w$ e
The Get_DDB service is used to determine whether or not a VxD is installed7 g3 V& F) M; g1 ~' c3 j
for the specified device and returns a Device Description Block (in ecx) for0 z6 d7 d$ F& ^- }' k
that device if it is installed.
* j. ?& F1 G, u% u: f
3 o* s- B  e$ @/ V* L- f* I   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 }( @% U# `3 Q   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)0 H2 f" ~: R  [
   VMMCall Get_DDB
; q. M+ k  n5 l  F; ]3 O+ q6 @8 a& [   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed) @/ _3 y6 a5 [/ Z+ Y; W; n
8 s" b6 l; a( o  v
Note as well that you can easily detect this method with SoftICE:9 F( s0 g) ^' e2 J! W: H
   bpx Get_DDB if ax==0202 || ax==7a5fh1 w4 n) J& k$ x- n

, u* I& U9 C: m# h__________________________________________________________________________7 w# D% b: ~. _/ y

6 B  M0 g( C. tMethod 10
. m( c2 a) H% Y  |' p5 u! ^$ @7 ]=========
& f- s2 k2 [% K7 V; c4 U( x  I
$ i: S9 ~  m( r! Z& ^) O=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  i8 j  X7 {" q0 A" l7 v5 D  SoftICE while the option is enable!!
8 H* l6 V  t7 i- N. s: N5 Q+ \. X; U8 X* v# T
This trick is very efficient:
+ M, u+ z- U: M3 p9 xby checking the Debug Registers, you can detect if SoftICE is loaded
' t! x! H. ~. p. L(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! D9 [* y0 Y. ?3 Kthere are some memory breakpoints set (dr0 to dr3) simply by reading their
9 ?$ M& P% W6 p5 R# l6 xvalue (in ring0 only). Values can be manipulated and or changed as well8 h' s" H- E* |  i6 ~4 ~, g0 O
(clearing BPMs for instance)) e3 r- e! [# x
* Y: e2 y7 n7 d% A; k
__________________________________________________________________________5 a# h5 _; _4 a8 M

5 v  ]- U( J$ Z: V6 u* PMethod 11
5 Y2 _: s& k& j4 [+ L=========4 {; D. s8 ]3 v& H8 a
6 ]. P5 l% e$ K% v0 E3 U
This method is most known as 'MeltICE' because it has been freely distributed6 x/ P5 R9 p$ j
via www.winfiles.com. However it was first used by NuMega people to allow
6 [% m, }6 _7 GSymbol Loader to check if SoftICE was active or not (the code is located& }9 K# B* V, O/ @2 h: ]
inside nmtrans.dll).; M6 Q- I5 b' E8 W* o3 N7 O' u
5 u% a$ w0 P# w  p4 w) c
The way it works is very simple:
% w( l, D( V/ J9 g- j2 x* c, _" tIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ v) }# \- y) l6 t; n7 hWinNT) with the CreateFileA API.' a  n5 M( E6 O% F  L0 z" q0 U
% w: y4 f% f4 J2 G
Here is a sample (checking for 'SICE'):
' n8 _9 I9 L# Z8 t8 z# ~
+ j- N% ]1 l+ V4 UBOOL IsSoftIce95Loaded()* y' _2 O1 d0 a0 J7 T
{  c9 }( r6 |& m1 J' }7 L
   HANDLE hFile;  
; L5 s* H6 w7 @. o   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,5 V3 }( k* Z- c) D6 r
                      FILE_SHARE_READ | FILE_SHARE_WRITE," K: _5 @; q* X3 J% i- s- F7 E
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
) W' B, U1 c0 i, _4 M   if( hFile != INVALID_HANDLE_VALUE )' R9 m2 v% Z5 M# C' Y
   {
& J$ U2 h4 l9 _+ p# T      CloseHandle(hFile);
  q, i4 B, l: v4 e. U' S: [& Y      return TRUE;
! p% d+ K* r2 w+ z& U/ w   }( R3 g+ `4 ?1 d! n# z. d0 R2 I
   return FALSE;" t% `0 J) g# r
}
( Y/ R3 [8 H0 P4 w9 S: R- S
8 c8 U6 [6 z$ u3 e1 ?Although this trick calls the CreateFileA function, don't even expect to be; G2 G) r* o+ X  G
able to intercept it by installing a IFS hook: it will not work, no way!
2 X1 W, ^2 I7 S$ q( j4 L, Y; ~In fact, after the call to CreateFileA it will get through VWIN32 0x001F
- r( Q# o  r3 @service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)+ w+ k0 b- w& u% d+ R# j% d& Z9 ~
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
' |  o# b& s+ Mfield.
( Z- K$ ^+ d/ h" [/ [6 g  \' ZIn fact, its purpose is not to load/unload VxDs but only to send a 4 P% y; Q4 |* I2 g2 _
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
& K* ]  p; |5 Q( r6 cto the VxD Control_Dispatch proc (how the hell a shareware soft could try/ P, F' T; o! I3 G  p5 \* n0 `
to load/unload a non-dynamically loadable driver such as SoftICE ;-).) d1 G9 ~- r& [7 B5 w2 {) C+ D
If the VxD is loaded, it will always clear eax and the Carry flag to allow# d" l% n" s! `2 n
its handle to be opened and then, will be detected.
9 f9 L  w+ h6 v% ZYou can check that simply by hooking Winice.exe control proc entry point
' {& }& j7 O- U3 l6 hwhile running MeltICE.
8 E6 V, U/ K" Z1 `7 M9 e- K; ^& H$ K0 \; b$ G' ~

6 [) @) ~( M8 O  00401067:  push      00402025    ; \\.\SICE
& Q. h1 ?* M9 H  0040106C:  call      CreateFileA
1 f  O3 ?2 M$ t/ c. H9 Y, j# ^( E  00401071:  cmp       eax,-001# Z$ J; G3 [5 \1 ~
  00401074:  je        00401091
: i( o4 n- v6 U% t- B1 C, G0 P
8 y  z$ M2 r% B
! Q$ ~+ }9 I7 X. G& l; BThere could be hundreds of BPX you could use to detect this trick.
3 H2 g: b3 n/ H-The most classical one is:; C8 C  o; A6 T
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||) Q5 ]. I' ^' v& X9 w9 M$ t
    *(esp-&gt;4+4)=='NTIC'9 N' o  h, p" Z. T4 E
! O! X& A/ _: I1 y  C% X( N: e) g7 X
-The most exotic ones (could be very slooooow :-() F0 y( d' v# g1 F' P* Y
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  + L3 f7 v+ {  z* z/ d# H' V
     ;will break 3 times :-(
5 W) P! U3 V, g4 [9 d3 Y, {0 X- A3 ]: o+ ^
-or (a bit) faster: + M* b4 o% n, M# _
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
+ S  F5 d8 l( e5 U1 v* {. t% i* n5 f: c2 l; E2 F% C
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
# J, @5 O$ x* [5 L, B) M: D     ;will break 3 times :-(
& L/ Z& k; [" k7 c  H7 q+ Y5 K, H7 b6 K
-Much faster:, t5 q6 v6 ]2 H0 u+ K: n4 S9 T$ n# ^
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'# c. k$ `8 U4 u8 T, `, L! P

& i* }* c0 S) o/ d  uNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
- z! M7 d% a7 s: ?1 S0 k7 N7 Pfunction to do the same job:
, M8 t- i9 |( i! d1 [$ L) u  Q- K
   push    00                        ; OF_READ% F4 J& M( C4 e( m/ N! s
   mov     eax,[00656634]            ; '\\.\SICE',0
* l$ }5 M8 v6 U  A7 ?' a   push    eax8 C; V/ s9 w  S- a; M& E
   call    KERNEL32!_lopen
; D4 v/ |! T! j9 P   inc     eax
5 M9 M% z3 b1 [1 W1 V# @* G$ ^+ k   jnz     00650589                  ; detected
( l* }9 D, L$ R( ~% k! R   push    00                        ; OF_READ1 E# r$ C: M2 y1 H' @# j: r
   mov     eax,[00656638]            ; '\\.\SICE'
) `, Z/ S- b( U6 O/ Y4 ^9 }% J   push    eax
: @' g/ v( G* N1 |   call    KERNEL32!_lopen1 x1 j; K/ m# `' v: i
   inc     eax. m( }$ o% n4 X3 a
   jz      006505ae                  ; not detected
/ g! a1 J* J) I! d9 T' ?0 w8 ?) d5 |# h/ `6 z

4 ~- K% ~2 [5 T7 n: H4 m/ X9 p__________________________________________________________________________  H0 N7 \# T8 j0 _# P- e2 z6 Y
" ~% P  G0 `* s" w
Method 12' {. V2 k  B  I! z2 j
=========4 C* T. L; S. X( I  ?& J
# i: O$ S) i3 }  j
This trick is similar to int41h/4fh Debugger installation check (code 05) Z" y5 D* y' S8 G) z
&amp; 06) but very limited because it's only available for Win95/98 (not NT)3 t3 A, ~8 X* I7 t) R6 K
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.: x. v2 i% m! ~1 ]1 a
8 J* u( }0 o8 H5 h# Q( t: Q
   push  0000004fh         ; function 4fh% k( _# c# F: q: |$ J
   push  002a002ah         ; high word specifies which VxD (VWIN32)' @8 i: M7 j" V  L3 S" g8 H
                           ; low word specifies which service. w/ V- I( Q5 U
                             (VWIN32_Int41Dispatch)
) O7 C: P" K8 S   call  Kernel32!ORD_001  ; VxdCall
; b1 u* \9 e3 Q   cmp   ax, 0f386h        ; magic number returned by system debuggers
2 x, f; i2 C  V- b; k   jz    SoftICE_detected
) x" V+ r5 c! U
% O/ T9 s8 G. ]! E; h5 XHere again, several ways to detect it:
  q" i- M1 W" H6 F( ~# R
/ J9 G8 h/ U+ K/ E    BPINT 41 if ax==4f
4 b: b* Q( M: P1 `2 e$ \, ~% V' A0 j7 {$ S& ]' }! r5 m
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
5 j) v- F) o# w! n- [2 y" Q" L4 K  e: U" Q# z' j
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
! U9 s' z6 Y. P
* L- V8 b( v4 l2 v$ b8 ?) x# x    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!9 e  ^# A! S1 L/ l9 x1 L

' b# ~: k9 ^, _+ O; z5 c__________________________________________________________________________
+ e8 f$ G* ]( X- {- v
. m  J- g) s* v- r/ xMethod 13( n& A. C* l! R! D+ \  D
=========# i: R  `: l/ M) W4 P$ l1 ]6 u( C) [

  e0 B' P: [$ P$ b' B2 o; dNot a real method of detection, but a good way to know if SoftICE is% [* m' B% ~0 ]1 l
installed on a computer and to locate its installation directory.
' v! m" w0 c' p  ]1 m" sIt is used by few softs which access the following registry keys (usually #2) :( ~0 j3 p- J  x) C4 f/ s

% F" T5 J4 u- F( V4 q-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 q0 Z! E( N+ \# [4 X, E\Uninstall\SoftICE
8 |% ~. {/ ^/ h& Q0 `2 }0 p8 x-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
5 @$ m9 d) o: ]. i+ T-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ G$ H3 g0 I4 _9 W- _8 t9 d
\App Paths\Loader32.Exe8 v/ z3 [, g( a2 X1 h1 d* e$ U
* M, y/ F/ g4 c% d  c

. G( k7 l, v5 T, w; XNote that some nasty apps could then erase all files from SoftICE directory$ y5 C/ c6 [$ Z7 \0 I' _
(I faced that once :-(
+ l  y0 Y; w. W/ h( v
' F2 P1 [" _% _. T% A2 r: C9 b+ WUseful breakpoint to detect it:
  e) l+ Y  y& O( ?1 B1 u
" V% E& m( }! ^/ E     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
0 b' `( J, X& Q5 e- O1 ]: e: E: k* B( N& Z' h$ `; W- w. `
__________________________________________________________________________
! X, z$ s, L5 q/ T  N! Y" v; R" s# z- g  {
% Q8 h8 `5 z6 x' ^, W$ B
Method 14
. m1 M- N- l2 I# O! `# _5 h6 m2 e, i8 W=========  O. s' T+ U* U8 e9 Z

, U) O2 n6 E7 mA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose' f6 U8 X3 d3 c  ]
is to determines whether a debugger is running on your system (ring0 only).- V7 S9 V4 K5 o1 @% V& I
! H& P3 j. ~9 s) v
   VMMCall Test_Debug_Installed
, Y: Z: y8 T( C' |& Y& t6 q   je      not_installed
5 Z( N  N' e4 G% X7 _* H7 g* V1 T- V4 U; L# S8 W
This service just checks a flag.' T, ~- W+ _& C& A/ ?
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 22:18

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表