找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>) p7 B! A9 t/ {8 ?; O
<TBODY>
7 X! k* z+ ]# z6 T$ Y" I3 o<TR>
0 P/ Y" D; X2 U: i7 h<TD><PRE>Method 01 ; ?2 S6 [8 _  {5 u( m
=========# o* J& H7 F% c- _: W+ z

/ |, G9 r- t( Y% h; |This method of detection of SoftICE (as well as the following one) is
1 K$ [7 i' I0 Z. I: [/ }! rused by the majority of packers/encryptors found on Internet.
/ O+ w% }: Q' f" P5 r0 RIt seeks the signature of BoundsChecker in SoftICE6 g: h+ p; f" }. _9 ]6 r

. F$ c. B. E; K( L    mov     ebp, 04243484Bh        ; 'BCHK'4 k0 c% \- L! o' Y: Z
    mov     ax, 04h
- |$ l( I8 y' t% ~0 D    int     3       # v  A0 e) a! Y! w* V: j  w* c
    cmp     al,4
  o& c  Q* F. \/ o( l    jnz     SoftICE_Detected
# E) i6 T8 t, E5 i" F6 e9 W8 M4 r" a) B7 y. U
___________________________________________________________________________
/ L  [/ U3 W% r: H
9 g9 D6 u" A0 ]% ]( q. lMethod 02
$ J# u5 Y1 L/ A! [. J) P=========
4 p' j3 O: b7 P9 u
! w( ]. M  o4 H8 WStill a method very much used (perhaps the most frequent one).  It is used
% o0 j0 ^1 y7 q) H7 Gto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
3 f4 _( t8 E1 x& wor execute SoftICE commands.... n& q8 \/ G( a2 U- N( }6 d
It is also used to crash SoftICE and to force it to execute any commands
3 \% f# Y8 R3 _) f6 ?) V3 i* c(HBOOT...) :-((  9 R# C7 y5 K" [# h0 i4 p7 ?
7 ?) f* M$ }0 M' `! p% F
Here is a quick description:
% g. A' R1 d' p5 G4 t0 R-AX = 0910h   (Display string in SIce windows)
' y2 e, k7 e6 u-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
' x0 |2 \3 d- m2 x$ }; `-AX = 0912h   (Get breakpoint infos)- M% t  b. ~% K! c+ r( {
-AX = 0913h   (Set Sice breakpoints)
" K/ o: u4 X9 A/ ~7 T-AX = 0914h   (Remove SIce breakoints)4 _$ U' @) U3 Q4 J1 ]

& B( O' d  M( {) V0 c* `& OEach time you'll meet this trick, you'll see:
1 U9 n/ A& a2 d-SI = 4647h4 e7 y3 c1 [2 \, H$ B1 c5 r
-DI = 4A4Dh
2 F& _3 t# e3 H5 y& MWhich are the 'magic values' used by SoftIce.( m. b) K7 U/ \" j! m: i1 Y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 ^  Y3 `" u5 U5 y* d/ j
  p! q& x; w7 K. r2 Q
Here is one example from the file "Haspinst.exe" which is the dongle HASP- f! |( o' K! j- G9 V5 [$ w
Envelope utility use to protect DOS applications:3 C- ?" h9 B  L
; `' K, U; _3 `; F+ ]
9 I- [& E$ ], A" J) k* f
4C19:0095   MOV    AX,0911  ; execute command.
8 k$ N! t/ V8 v- s# z( K0 r( M7 U4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).) {( I& X6 N' ?' [* t
4C19:009A   MOV    SI,4647  ; 1st magic value.+ v+ H1 H* B  i: _
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
8 `6 z, R- @+ a2 z8 g4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
% ?7 d9 t7 ?/ \# B4 j4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
( y1 q+ L' L2 d' D4C19:00A4   INC    CX! c/ q* J% ]4 s( P
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute. j7 v- ?% B) {3 ?+ X: i% S
4C19:00A8   JB     0095     ; 6 different commands.
* T' z2 {8 L5 g$ x5 Z4C19:00AA   JMP    0002     ; Bad_Guy jmp back.7 ]# [1 Q% i# I$ V+ i
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)- i2 A+ Y8 ^1 y/ ^3 l

; e3 {9 A/ }. n) h4 m! SThe program will execute 6 different SIce commands located at ds:dx, which) |* |. ?' w6 [% G% z% L
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.  l0 U& e9 Y) h: E" R

, v+ P* o4 X8 }- Z7 Q* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.+ C6 _4 ]$ K, Z$ s' A
___________________________________________________________________________, H' O( k) W5 V

, m& |1 ?9 x- I0 f7 n! ^- J! s, o* Q  A# y6 `4 i. h; Q
Method 03, D# Y& J& Q! b, Q
=========: j5 N: M7 p$ g9 [9 b

( p6 \6 _% |" M) H8 ]* b, hLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
2 i5 W/ }! k5 f/ Z- V(API Get entry point)
% o/ r3 ^: _) c, y+ m        
6 T+ N5 g" U, _. j  _# c0 `
/ h' B) _! G0 X2 q9 T( r    xor     di,di
  e& K* K0 D3 O% P: O& x4 q    mov     es,di! X3 N4 J% E# F5 s) s# ^( L
    mov     ax, 1684h      
5 f1 |" l" a+ v: ~6 E2 I; Q( `    mov     bx, 0202h       ; VxD ID of winice! M+ ]- y; I* F2 F
    int     2Fh
- D5 @( L& O8 ~4 O# Y9 d: u8 {. ~    mov     ax, es          ; ES:DI -&gt; VxD API entry point7 ~) R6 u8 d) Z2 J
    add     ax, di
3 e% C" A; j/ t; L    test    ax,ax" F& u0 ?% W$ G* }3 A7 H1 ?
    jnz     SoftICE_Detected0 D  E% D; o+ y
& ~# L% t4 F2 r
___________________________________________________________________________. Q% \% e# W- y% W- p. J

  y; F) T) U# o8 pMethod 04
; u* R2 _. {8 B$ Y. p/ g=========
( U6 I6 k: m: t4 x* ~4 ~' T0 {7 v$ Q. s, B1 p$ |' {
Method identical to the preceding one except that it seeks the ID of SoftICE9 F0 W& K7 U/ [+ w' M
GFX VxD.
; U9 j4 c7 A2 j  e1 a6 Q& ~
5 E4 T& H/ A1 \& O) O  s  w    xor     di,di
6 t% c8 F* Q0 ^0 t+ S+ O2 f    mov     es,di' p9 Z4 s& w7 Z( x& X
    mov     ax, 1684h      
- G6 Y0 S- q. L4 R    mov     bx, 7a5Fh       ; VxD ID of SIWVID
) ]9 g( @! C' @+ {( p    int     2fh$ y! u3 t4 Q/ {* Q
    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ i$ `6 m  ^1 q2 }
    add     ax, di
& R; y9 P% Z  W( d) G, r3 N* d/ u    test    ax,ax
1 U9 D# s2 ?8 \5 A5 ?% k; n  C    jnz     SoftICE_Detected' |2 M, w7 X% G# t
0 Y  X  M5 D' P- u
__________________________________________________________________________1 k- Q3 `9 M% n$ e" q) c  b

0 Y8 M( }! z8 P4 C0 U1 c" f
9 \5 k) p! M1 c9 Z+ U6 a7 GMethod 056 \4 `0 `' F* S5 |
=========
9 U! x9 ~# E. o( j, ]/ j8 h0 d
' m) J4 @4 e& Q, `* o( yMethod seeking the 'magic number' 0F386h returned (in ax) by all system
1 J2 ?) D( \$ \- m0 hdebugger. It calls the int 41h, function 4Fh.
8 f/ o9 R- V$ ?8 s7 ^6 F! Y- nThere are several alternatives.  1 _7 Z/ Y9 g$ |7 T) P
! Y9 h: X7 \: T. g
The following one is the simplest:, \! }- F6 ~! Z  |( W' O# \

% U4 l- N2 W9 p# }+ g( r    mov     ax,4fh
6 P, ]. F6 j% H4 c    int     41h
7 l/ ?4 s3 M1 n& O* f# w    cmp     ax, 0F386' P7 {& U  r* s
    jz      SoftICE_detected
; V! p5 x$ I7 F7 n5 B7 S
& r! s, k1 G* N  l! f. u2 n$ }2 ]
# r% d, j$ e5 p8 u: T2 H; UNext method as well as the following one are 2 examples from Stone's
7 y' W  R2 v' l+ c3 a; q3 }+ d/ X"stn-wid.zip" (www.cracking.net):
& T. S2 \+ G# b# W' ~
; a. t3 r: r0 Y, ^( _0 ?7 \    mov     bx, cs' h2 s- q# a1 s4 s/ J
    lea     dx, int41handler2! s6 p0 b6 i9 X6 U
    xchg    dx, es:[41h*4]/ ]: h( H: S2 c" c4 ^4 _
    xchg    bx, es:[41h*4+2]
7 q' I( B# q' q* j8 z    mov     ax,4fh
4 @* A3 C9 }0 Z" f    int     41h
6 o  o! v( k' }    xchg    dx, es:[41h*4]$ N, S+ |; r! k, H! \
    xchg    bx, es:[41h*4+2]  U* x( B3 n& v& U+ k% L! Y) L
    cmp     ax, 0f386h
; j1 a3 q8 G+ `% ?    jz      SoftICE_detected! h; @9 Y: B, h! T/ ~

% x5 R. g% }7 ~. G/ Q  b/ x4 Cint41handler2 PROC
! j% }+ w0 r2 F0 p3 m8 ~1 s    iret' F9 \5 X# g# I8 M& a2 X: l
int41handler2 ENDP. y0 A' g8 a5 l2 X8 o: n
: w3 ~0 J( b; k; q9 ?  U

' _) ]% Z/ Q) R' o. U6 p_________________________________________________________________________+ T9 J* q1 e# c# L5 {$ i

2 U6 t1 E4 Z4 m9 _8 ]
) s4 H: y8 s& J' VMethod 06( b2 j! h) G( B' i
=========
- H8 z' G# X' {2 p: s4 P& K1 ^* K9 T3 d$ G/ o

3 r* t: K! C' }. M9 b2nd method similar to the preceding one but more difficult to detect:
  E" A5 N5 t' A# L- q8 U' X8 T+ w  [2 Q/ O/ H1 U* W* W$ ~# t
5 S# X- x3 }+ O) z- k( ~7 F7 o2 A/ R
int41handler PROC' F. D% a5 e. Y( {( M* D
    mov     cl,al
* `% g: j: ]- R+ I    iret
! K* A: z) l# h% M" r7 C6 [5 Xint41handler ENDP7 P/ y9 Q9 o! c6 j/ g

# q* \$ A1 B! C3 D6 c4 C  l& O. M9 ]2 o9 c' z1 v7 w
    xor     ax,ax
1 d1 _1 |! J7 D& R    mov     es,ax
( t, l9 @2 K$ i2 L    mov     bx, cs: ~+ X2 y( p$ c; I/ ^# B: N: s
    lea     dx, int41handler* g8 B( n/ m/ }. d! B
    xchg    dx, es:[41h*4]
# D) C$ G, @+ Q( W3 b! m    xchg    bx, es:[41h*4+2]
5 ?. N6 J8 F7 B: r    in      al, 40h  w. u/ ^( G% T8 J2 v& ^6 _
    xor     cx,cx  T( z3 ?9 i1 s& E
    int     41h
0 c5 A! U5 h8 `2 [  A    xchg    dx, es:[41h*4]
, f3 L% b& A4 \) L( H3 ?    xchg    bx, es:[41h*4+2]
$ B- k. G& Z0 ?% q7 y& V. _+ m: r    cmp     cl,al! Z! r+ _+ n4 ]' H, v% @
    jnz     SoftICE_detected. f0 s& }4 @) {8 q9 j7 l% r8 M" e
$ [2 o  }6 H* Y; Y, \
_________________________________________________________________________
* k9 i/ P$ E, ?% A2 n0 R* Z+ d' A. ^+ Y
Method 07% V3 ~, I+ T, Z+ Q. a- _
=========" v, z4 S. F7 M) y. B. `. K

5 ^# o3 x* A6 z) PMethod of detection of the WinICE handler in the int68h (V86)6 _- [" h. _7 V7 {2 k

( G8 T+ h0 G- Q+ q% A! k    mov     ah,43h+ n) J+ d8 z7 R: |
    int     68h/ p4 P3 |- J6 z) j
    cmp     ax,0F386h
# W! J4 O$ v! C, Q& R; X, a    jz      SoftICE_Detected4 U# {. L/ ?3 o" k* x

: y! F& F$ T- @6 F" r/ \3 v6 \  p! {
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! {" l) E+ k+ J  I! T0 }+ Q. K   app like this:
% j# g) V' O5 y; n) Z/ g* [& |, O! f4 z
+ l0 U# i! p" o# J, C5 O0 }( q   BPX exec_int if ax==68
# w/ r5 B; e2 t) E' c3 H8 [   (function called is located at byte ptr [ebp+1Dh] and client eip is
* S3 _: z4 b2 c- y0 C, A   located at [ebp+48h] for 32Bit apps)
  r2 }* ]* s" F6 N__________________________________________________________________________
7 d6 h7 S3 e; b# ~$ ^
$ R* S6 y+ d  K; K/ `* h$ `, q  f% P" V" {" @6 l0 ^  H
Method 08$ d* a1 D! i; _0 B  a9 l
=========/ H/ C; N# B1 v% ?- \
" s' c" }7 ]# K1 s  G) `
It is not a method of detection of SoftICE but a possibility to crash the: |9 C" Y6 |' j! C' o: s
system by intercepting int 01h and int 03h and redirecting them to another
6 p7 r, b  `1 Z5 `; }routine.
# G& [+ z: @4 y% N/ f/ O' R. t. C7 t! Y! PIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points4 ]2 Q' H/ [8 i3 W0 H# m
to the new routine to execute (hangs computer...)
2 D/ u! l# N: X7 X. W* X3 z, b0 D8 f+ a: x
    mov     ah, 25h
1 b4 c: ?2 C0 J+ e    mov     al, Int_Number (01h or 03h)
+ w" e+ F: }) l# J1 n    mov     dx, offset New_Int_Routine
% P5 r$ X2 ?  Y0 V+ ?# V6 `9 [    int     21h
0 r/ }: M  h8 G6 C- A! C
4 F# m# m$ G2 i! r$ N3 F* S- r__________________________________________________________________________  D6 m1 Q, k" h* z
. H# ?* g$ X/ A
Method 09' }% A/ i5 Y7 F) X4 f
=========. {" z3 Y* b* {) g: Q

# @! M2 @3 K& l7 XThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- U. D5 @8 O/ H) t, l$ w
performed in ring0 (VxD or a ring3 app using the VxdCall).
! P9 J: v/ C1 J! eThe Get_DDB service is used to determine whether or not a VxD is installed; ?0 [! }! p4 s% [. o) Y$ N
for the specified device and returns a Device Description Block (in ecx) for+ H7 @  k7 E8 a) P: w. @' o: x
that device if it is installed.) \$ w2 q; M8 n5 q& J9 _% E2 ^# e

# R$ ]6 \9 M6 o* V   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
; f8 y/ g* S& Z2 K   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)9 B' E. I0 I& Y4 P! g& l+ ?& S
   VMMCall Get_DDB1 ]  M; ]! x/ c% f6 J
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed" a: q+ q( a6 L% {* K( A0 n
! q+ N& ~7 }; ?. W. T! }
Note as well that you can easily detect this method with SoftICE:) |7 G' F& d( j; ~
   bpx Get_DDB if ax==0202 || ax==7a5fh: I6 M$ ?" M2 p! ^) W7 l
6 w- m$ ~5 w9 s- G* l9 H( y
__________________________________________________________________________2 H4 p0 m: h6 w+ R: i: q3 S

9 t# a- W* U1 F1 s6 [Method 102 B- X/ z' R' |' E' w) B- T8 E
=========
& U3 e) X" A1 w& Q" [  l  z0 _
6 _0 U% A' _- L: n# ?=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with' T" @  l& D& C
  SoftICE while the option is enable!!* N9 s, X( A% L1 B; X

' C: r$ G- E$ ?0 m7 m3 @5 [This trick is very efficient:# ^. `+ y1 S* Y! v1 I
by checking the Debug Registers, you can detect if SoftICE is loaded) V, X. E: _; Q% V7 ?# J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
+ w/ \, r3 z2 k# Othere are some memory breakpoints set (dr0 to dr3) simply by reading their
. r" N: Q* _( N0 M$ |' {value (in ring0 only). Values can be manipulated and or changed as well8 o& U" J+ D( T) U+ Z  ]
(clearing BPMs for instance)
3 ~; C& }* ^; b3 p
/ O( x) v* ]# }__________________________________________________________________________. l' e1 `6 {' K+ n+ L: L9 H- K

6 z9 W' a3 z5 b4 b) r$ SMethod 11
7 C; v" i' M1 w9 e0 u=========
" G! z3 N( {1 {1 k9 W/ C/ W2 e. A' C% ]/ G! k! X& |
This method is most known as 'MeltICE' because it has been freely distributed2 g. Q. D3 Y- l4 @- z* f2 W
via www.winfiles.com. However it was first used by NuMega people to allow
1 V9 g. N% y& W& K6 d2 I/ R/ \Symbol Loader to check if SoftICE was active or not (the code is located
5 R# q, z* G2 Y8 q( yinside nmtrans.dll).' k0 @+ K' v: H( y& ^2 i7 j1 C

& g- u; o) R6 m. |2 ^; I3 O+ FThe way it works is very simple:# M# d  I; F4 M5 N; b
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" o0 y% p/ g4 \3 KWinNT) with the CreateFileA API." k' ]- ?8 m  g3 {

+ H) q( T. @7 Q" y2 _) b2 ^Here is a sample (checking for 'SICE'):
5 e+ O; ^# O5 Z" h- V: v" ?# f0 }+ R4 d/ E
BOOL IsSoftIce95Loaded(), P. b  C% A6 N9 o& P( p7 Z' a' m
{/ q. ]. r* Z0 A6 K0 s) Z
   HANDLE hFile;  
9 @, \! b4 m1 S: t8 k; {& e   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; A+ h4 R8 G+ h$ F/ p
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
* d0 t) E' L. Y) B) Q                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; ]) N4 s2 ^0 t. q: @8 l; N6 @
   if( hFile != INVALID_HANDLE_VALUE )1 }+ u  l1 Z6 I1 X" N$ M. r
   {
0 c6 m' a! }! P* j. d" p! k9 s      CloseHandle(hFile);: h7 d% H  j5 e6 S
      return TRUE;4 H" u/ v/ a, Q9 i' x
   }0 H/ H# B* w+ ^3 P/ ^( U
   return FALSE;
; {* B' j( j+ H" w& S}
. P5 s: v& U+ s# M: M, H1 a' x: k0 m% I' b; {, x6 K& T
Although this trick calls the CreateFileA function, don't even expect to be+ e, Z) q+ T! r( t
able to intercept it by installing a IFS hook: it will not work, no way!9 T0 b$ C  F1 `9 l8 N. h4 N
In fact, after the call to CreateFileA it will get through VWIN32 0x001F! ?, |: m, F, c( m
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
& R2 b( N1 L4 Z, j4 F6 H, Hand then browse the DDB list until it find the VxD and its DDB_Control_Proc
) Y6 D0 }2 V) {# E! qfield.3 M8 ?0 _% M+ l3 {* G
In fact, its purpose is not to load/unload VxDs but only to send a * W9 G0 ~$ |9 b8 A" b( j5 u
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)* V5 p% r1 v5 u: q2 s/ n# f
to the VxD Control_Dispatch proc (how the hell a shareware soft could try7 v: H4 ]0 Y3 `1 ^
to load/unload a non-dynamically loadable driver such as SoftICE ;-).8 B' k& ?; p9 w# R3 I7 {% y! l/ q5 s! D
If the VxD is loaded, it will always clear eax and the Carry flag to allow
) N/ q* @9 F$ m7 v+ U2 Yits handle to be opened and then, will be detected.% i' ]6 O% O$ k5 `% A
You can check that simply by hooking Winice.exe control proc entry point
4 x7 c. G' ^3 ~! ]. L2 K* ]while running MeltICE.
9 t' D0 g  T, {7 x0 z- M6 x  \
! L( n0 B) R6 v& c6 L( U# i1 J
5 N  m( @$ w3 X  00401067:  push      00402025    ; \\.\SICE
8 |9 W& s) _0 P  0040106C:  call      CreateFileA# F, B" u. A; d6 \, ?: `/ P' _+ t
  00401071:  cmp       eax,-0010 P* c) k( H/ Y0 _, p( W' B
  00401074:  je        00401091
8 ~( o, z6 Q$ d& t+ J2 u& [2 w+ y, R$ f( Y4 w

& Y+ ~0 s7 X) h8 a! |3 o% ?3 nThere could be hundreds of BPX you could use to detect this trick.
3 w/ H! h4 f8 H# z+ e! h-The most classical one is:: A* o* D6 \' d
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
) Z4 `* k" o. O7 D' \: N1 P    *(esp-&gt;4+4)=='NTIC'2 V+ X6 {+ z6 L
4 p+ J2 Q2 S( y
-The most exotic ones (could be very slooooow :-(6 ^) o0 F8 G; H" H* m
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  4 u* c( w, b4 ]1 g- Y- m3 c$ i; ~6 U
     ;will break 3 times :-(
- |3 U+ R! Q0 v* k- s
6 C) W$ c8 b8 g-or (a bit) faster:
+ A. Z3 n/ M, i' i4 n: S   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')  H/ X" \$ {! m; E$ U; z
: {# T( f+ o, v  i0 e. ~
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
# P( f0 s) W( U: N     ;will break 3 times :-(2 s  s0 J7 V9 y; E# Z, ]
/ K$ T# ~9 z. a% z$ H9 `; @
-Much faster:
7 P0 t; h* \% P- D6 g7 q5 \0 V   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
& R$ y& m  t) R- m, o, v) p; ]3 U' w1 M6 d+ t8 f
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 P1 p# G) B+ Y+ e0 r1 U4 Ofunction to do the same job:
/ ^, t1 _! R0 T( P% H8 a8 D" m$ l3 Q4 \+ j6 m+ N+ _: E0 s
   push    00                        ; OF_READ+ D# v2 k! K9 S% _! x: e
   mov     eax,[00656634]            ; '\\.\SICE',0' I$ a! }5 i# z" t( o. M
   push    eax% q8 ?1 ]* Z' R
   call    KERNEL32!_lopen
" Z* g& n% H7 _- z   inc     eax/ J$ i6 R; \. g+ {. u
   jnz     00650589                  ; detected6 k7 ^6 l1 K9 s- n8 o4 x) l
   push    00                        ; OF_READ) J3 G$ a" h$ n- S4 a
   mov     eax,[00656638]            ; '\\.\SICE'( P4 Y* e- ~5 M% V5 K! `' v
   push    eax
2 T8 p& t5 h$ i2 |   call    KERNEL32!_lopen
( i: S* X6 s; {+ n( b   inc     eax& p- j  {8 n% s. {) a' j  b  x2 p6 O
   jz      006505ae                  ; not detected
. G9 G0 {) E4 W) r' b5 C
1 _, W( [6 P' _, w
/ `" k! {, E/ Z3 N__________________________________________________________________________( M' \( r$ ?0 z  ?% ~

( t" i1 W8 ^( h- V5 ?: l* YMethod 12
0 s3 ^$ Q  w1 n0 O2 }=========
; c: y( h1 X* r3 M& d
4 s8 k. K& [' o) _+ B* gThis trick is similar to int41h/4fh Debugger installation check (code 05
6 R: `: a' K0 c1 T& H1 v&amp; 06) but very limited because it's only available for Win95/98 (not NT)8 C7 W0 l4 F* B5 V; }+ {; l
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ A& K! Z% J" v  M7 P  d+ K
6 E. O) d8 r1 l$ o9 o
   push  0000004fh         ; function 4fh1 s$ k+ ^# A4 {6 l* v" a, T
   push  002a002ah         ; high word specifies which VxD (VWIN32)
* ^: O7 ^$ ^0 E  o                           ; low word specifies which service
; J8 D9 M" m9 d                             (VWIN32_Int41Dispatch); P6 P  ?; ^: p" s; N& Q% W2 x" P: D
   call  Kernel32!ORD_001  ; VxdCall
  P. \0 k0 M1 m; Z  ~1 E6 Y   cmp   ax, 0f386h        ; magic number returned by system debuggers
) N6 j5 j8 t  D6 N( i$ }   jz    SoftICE_detected- _/ n0 v0 K5 h; }% x2 o, n% j% c6 W
$ z) Z. w( y9 a) a" s# `+ K
Here again, several ways to detect it:
: l) a3 W( r) e3 I& Z1 E8 \5 ~* H/ T( n$ U0 ~) m  W
    BPINT 41 if ax==4f$ L: N/ Y+ I3 @9 C+ d2 n4 t

$ j) ~$ R8 ]$ w. O" m$ M" Y; b8 [    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
8 l3 `6 P  V8 u
& A. b! g8 x" A+ H8 a! C    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A* b* O0 Y9 R& q' E; d
+ ^- W+ m. G9 k, h6 Q8 K5 L8 |
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!, X& L/ b+ N" g2 d  `9 G
& H6 j9 w- G) ]% f0 Z+ c
__________________________________________________________________________# i' }! H( Z; b- Q/ q
$ d- P# h& Y9 }8 H: H
Method 13
2 m9 A: g* E  y0 t4 }) L( N=========. T' H' e8 F' O; h1 Z- P

. f( B' b3 I0 g7 C6 e' T8 PNot a real method of detection, but a good way to know if SoftICE is
3 k% f1 @( x4 @# V4 F/ pinstalled on a computer and to locate its installation directory.
" W9 e, M8 L/ `. o, @! W' ?It is used by few softs which access the following registry keys (usually #2) :0 h% X5 ^0 r% s0 u
/ c+ G+ k. M6 j! ^
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 F. l0 ?4 G: G) y8 [% q, m\Uninstall\SoftICE" L' D1 Q; A9 j; k2 ~4 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# t7 K( e3 A- @- c; P. o; H+ p  L2 a  S-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion8 Y3 ~4 `: O8 i8 M
\App Paths\Loader32.Exe( U* h3 ?. B$ L& }, s( h
0 b8 k* w% t% M- w

+ D/ E. s# l+ z9 u- c( D7 n7 jNote that some nasty apps could then erase all files from SoftICE directory
& f7 G  Q  U6 q- E(I faced that once :-(
# V0 k3 I. X' ~$ \$ w+ I/ K4 A  \# N5 Z$ m9 i
Useful breakpoint to detect it:* G" o( Q1 L# P8 d5 r5 {" A1 ^
! U! l( r8 g) h7 c9 n1 E( A
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'9 l4 k9 a2 b1 Q1 r" B
8 M: @1 d5 t! H0 i
__________________________________________________________________________9 o$ E2 z5 u1 s1 ^, q2 ~

- q7 e/ _3 x3 [7 n7 ^" P
. |1 H3 J" f0 o  xMethod 14 0 M' Q4 l7 @& W& U5 ?- I
=========9 [: g3 H9 _$ m/ d+ R

( ~6 F8 r4 X( x# C- Y5 M. V1 `A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose$ T0 E% U8 f; h2 D6 i+ h
is to determines whether a debugger is running on your system (ring0 only).4 j% W; ]* c* [, M  n! A; Q

% t6 |! N$ ~0 N/ p( y   VMMCall Test_Debug_Installed
0 |' r- ]0 h* G: e* }   je      not_installed# r! j1 ?. @8 @, n  w( z) j1 W
( q! `' }+ z. E/ s
This service just checks a flag.
9 h; q3 T8 `7 V  r! J0 m" N7 x</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 15:06

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表