About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
' [: |* f9 x: z( {

Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
( y8 z  r6 R. z! i) k9 m0 J
Method 04
=========

A method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
) N) d, M! B3 j6 g; Z: X
6 D; d# s' t  X: I/ m& t) J6 u6 F' }! g  `" t
Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler ...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ... and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

' s( o8 h  t/ c2 m5 _6 N, u' f7 W: v5 I5 N# P" z
Method 06
=========


A second method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value
    xor     cx,cx
    int     41h                     ; our handler copies al into cl
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: someone else took int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

A method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
8 D9 d3 O! u& ^* s

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
7 z( J8 q' ~% I* `$ W/ C
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
3 W1 c) t" V6 ?% a+ C3 G
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
! o, u) r( e6 l  l. D+ l4 n+ E  ]# P- q- R% ]
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;

   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
6 {! g7 B. F7 F( v1 D
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 and 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
9 R' G3 V. w  ]1 z% V8 t' n- B' U; x, m
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
8 O8 ]4 z) L+ n
7 H8 E- l' L' L% Z
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
" A# `% w' y4 p# Z, ]1 F</PRE></TD></TR></TBODY></TABLE>