About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver by its device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.