找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>) \0 x- S% Y$ |# a9 w' \% c
<TBODY>9 R. D) Y: w1 G1 }
<TR>( h" Z. X( s. ^$ D/ X" Y
<TD><PRE>Method 01
5 I& x8 a& b; g: T9 Z; B$ h4 b0 x=========
  w$ |% p9 r; W) S2 w/ r0 |# J/ e3 {9 H1 M/ @
This method of detection of SoftICE (as well as the following one) is
2 D5 L6 b; N  [6 v: u5 n9 Dused by the majority of packers/encryptors found on Internet.
, n: ?* u7 l& W0 xIt seeks the signature of BoundsChecker in SoftICE
& S/ J; `1 R7 F. T! l9 _& X" v. |; i0 O# }/ w
    mov     ebp, 04243484Bh        ; 'BCHK'
: ?8 A5 H; Y) `1 c6 P: D! J    mov     ax, 04h2 N5 f' B" {0 b0 [8 g
    int     3       2 ~8 k% f$ L& X" z1 R: H
    cmp     al,44 R% y2 z2 F8 v4 g  X
    jnz     SoftICE_Detected
3 R; N2 V  w; Q5 g
8 b% P- z1 ~$ h9 s) F___________________________________________________________________________
3 F! n5 D. E; h, V  v" B
* C7 W2 d4 }8 ~- _0 j  l- j* |Method 02. d1 ?5 k' d! F7 Q
=========& A# Q. j8 x( f0 r5 K3 y

. K" B! H7 P) @0 u. y/ T/ G6 FStill a method very much used (perhaps the most frequent one).  It is used3 D$ C. l& N+ H3 K2 E) u
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! _7 w) O9 \- w7 A4 N& Bor execute SoftICE commands...
. z4 x0 {$ z: I# T# _It is also used to crash SoftICE and to force it to execute any commands
; t5 b# J" V- @# Z(HBOOT...) :-((  * Z  m3 S& Y7 Q* f
; \! ^8 s5 O) ]" \  o1 T; J
Here is a quick description:& @/ `3 ]9 n+ D3 ?1 n
-AX = 0910h   (Display string in SIce windows)
6 o6 A; p' b1 P! U) G. r  ]-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
$ X, q4 H7 w: z8 R, X8 C3 z-AX = 0912h   (Get breakpoint infos)$ L( _; j% c9 m! c" l2 a
-AX = 0913h   (Set Sice breakpoints)$ d! b3 ^# V1 J" i, G
-AX = 0914h   (Remove SIce breakoints)
- s. ^8 k( ?3 [& N% p$ Z9 L
4 u( g% Z$ {2 c: R9 N& cEach time you'll meet this trick, you'll see:$ ^4 W1 p2 g0 A! {$ c7 ~, ]
-SI = 4647h; C6 I( n$ X5 p* g' m3 B* y. E
-DI = 4A4Dh
! P7 K! v! ]6 i) o2 w. K. xWhich are the 'magic values' used by SoftIce.! i9 V$ S2 S& M. x$ E) D  {+ R0 e
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.; y6 L( h7 W/ g+ r

; c8 G9 }# \, p; |7 a3 s  `Here is one example from the file "Haspinst.exe" which is the dongle HASP/ e2 b4 |" {+ ~, A  \- ]1 j
Envelope utility use to protect DOS applications:+ Y, Y& B9 f4 T+ i6 [# t
  Y; \+ y/ Z! A& y( K' {5 p
) R$ W9 d6 {# K- h/ Y% J
4C19:0095   MOV    AX,0911  ; execute command.+ W1 M6 @# p  H# W  j4 q" w9 J; o1 o
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).1 ?1 f* c7 c$ E& U
4C19:009A   MOV    SI,4647  ; 1st magic value.' b$ S- {7 v9 y
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.8 Z5 j  O: U1 H5 ?  y- Y1 ~* E" S. H
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 R7 t2 o. Q" r3 o! R: r  X4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
' v+ I. x4 f+ ], M1 u4C19:00A4   INC    CX
& K; v7 e. e/ i. d) U7 e/ W" S/ S4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
, K% V5 @! T; M" `* A4C19:00A8   JB     0095     ; 6 different commands.
( V6 a: ?! Z" O. O1 ^4C19:00AA   JMP    0002     ; Bad_Guy jmp back.7 \- p- V- s7 }; z$ h4 R& y' p
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)  |. i- \# C  u, w( @/ x9 N4 M3 u

* F1 a5 ~- `# A. u1 XThe program will execute 6 different SIce commands located at ds:dx, which, T0 I$ w, q/ @3 Q
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# J; J. Y* {  o2 [  U  o& z2 O
1 G, S: W5 m% o6 R  `- J6 j* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
, N0 f1 W( m# B& Y$ C. G___________________________________________________________________________+ g/ z0 Z) b3 R) h

* {7 r* X' Q9 P9 \, |% A
2 {# Z0 V% l" \7 U; t" x& y; Y# BMethod 03
4 x8 b+ q! k, ?+ c=========: y' |+ C! c, X9 x' I1 E3 U

, y0 W6 v" @' C* \# ~5 _Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h! ^, Y: I; k* t' R; }. T0 h* i
(API Get entry point)
5 i- _8 ~; h5 m5 c4 l6 ~. G        
- a0 `, a" }" F7 y, V1 A
& [; g0 W4 X; H, W; p$ y. [    xor     di,di$ J! x/ s1 w3 j
    mov     es,di
- K' l7 l& u+ l! |9 i/ o    mov     ax, 1684h      
2 v- E7 Y! |# ~& K    mov     bx, 0202h       ; VxD ID of winice3 w6 S1 a# v& i% ~- `
    int     2Fh
( n. _9 N; R6 |( [+ Y/ b    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ V* P. B6 _" t4 I2 K
    add     ax, di6 p* \% Q  d. G# ^
    test    ax,ax( k* {% ]/ w  w2 i4 p
    jnz     SoftICE_Detected
6 E* ~; Q) \8 Q: R  _6 |+ g' ~/ S2 F* m
___________________________________________________________________________
7 Y, p& ^9 ^! m+ \0 I- D; T
0 R0 J1 W' F! M  L9 wMethod 04/ i, {8 s1 @0 ]2 O# V" O
=========
* N5 x5 |- b3 u" }0 n: h4 B, V
$ c' f+ C" b3 \9 O$ L9 B6 dMethod identical to the preceding one except that it seeks the ID of SoftICE9 r4 e( N7 ^: Z! y- p& T! Q
GFX VxD.
6 y# C- m8 ]) A) s0 r, n4 [- E8 I
, h" C! Y, h) A  W% z* Q* t    xor     di,di
& i5 x2 H6 H3 g# V( z) k# y9 B    mov     es,di& i+ i5 a1 C7 X- c3 m* v
    mov     ax, 1684h      
2 g" y. J6 A9 m2 z6 a& x. X0 e    mov     bx, 7a5Fh       ; VxD ID of SIWVID
+ P" F) o! E) t, k    int     2fh4 X3 ^3 b' G% L% A" w) g3 D0 l
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
! M; W2 R  }6 H! E/ U% _    add     ax, di
7 o0 t, a" x6 G" {4 n+ q    test    ax,ax
4 r: Y) w5 n( q: }    jnz     SoftICE_Detected# w/ I1 _% |* C, f9 k9 C

8 x' o9 c& I1 p8 L# s# t__________________________________________________________________________, ]/ j! w: t$ S6 n
( d7 p( b) \0 e' t6 b
' R" `9 q6 ~2 ?, |  f
Method 05: z1 L- X/ y6 M/ _
=========. Z* n$ Q* `. v! J# r! L/ c

/ s" K3 z7 H7 g0 ]# S8 N0 HMethod seeking the 'magic number' 0F386h returned (in ax) by all system
8 K3 n( e+ ^% ]2 t# Edebugger. It calls the int 41h, function 4Fh.
: s" N5 P9 A  M  N! VThere are several alternatives.  " E2 X, q5 F' ]3 o/ O
+ K; F- b# i3 q
The following one is the simplest:+ [7 H3 k3 d$ v2 e! ]0 x

2 ]% m4 \# U1 E# |    mov     ax,4fh; [( m' c4 L: \
    int     41h
8 [+ c4 U3 v$ ?, v  X' W: |    cmp     ax, 0F386' m) s9 B  }* k8 c* P: b6 D1 `
    jz      SoftICE_detected
+ a4 r' \5 _9 o6 w* N/ `4 H+ ?3 M8 j, @, c  `2 @- |

. v1 b9 n7 l) j" o) bNext method as well as the following one are 2 examples from Stone's 8 n; \8 Z! @; H" ~! \6 F
"stn-wid.zip" (www.cracking.net):8 y3 v: p2 f7 C5 q8 r

  Q0 T9 C: V9 O4 E9 b  ~3 X' U    mov     bx, cs
0 e" q7 O, n+ r, t: u    lea     dx, int41handler2
. I' A* ?# B8 Q" j* m3 n, L: m3 _    xchg    dx, es:[41h*4]
0 a7 m7 f  P, ^$ o    xchg    bx, es:[41h*4+2]
; Y& J8 ?  _6 |% L4 `! Q& D    mov     ax,4fh4 A, f, W( o% b4 `; j" b3 h
    int     41h9 s3 D% u2 L  D, G, C& V. @7 x; D
    xchg    dx, es:[41h*4]8 o6 x1 T( V( q# v: r
    xchg    bx, es:[41h*4+2]
( d1 }; z9 ]& L. D    cmp     ax, 0f386h
/ |0 C0 Z( O( v" {! m    jz      SoftICE_detected' R! Y4 K. ^0 a( V1 o* Y7 F
' G0 U$ s8 K1 p
int41handler2 PROC1 I3 @7 {# `3 q
    iret
1 A# X5 a: t7 M+ Yint41handler2 ENDP
. X. m# X+ K1 L
% J9 E' v+ Y3 F" r) |
/ k9 [" G& A% |8 v7 k9 r; }9 S_________________________________________________________________________. s- l) k+ i. R% p

1 A" Q5 L6 d5 q- D
4 Z* H6 j5 j% tMethod 06
5 J" z  p' ]+ N9 y7 z=========
3 A! K5 x9 z8 ?2 [
& I* k' i6 N" K4 z
. Y' X- H2 V, H2nd method similar to the preceding one but more difficult to detect:
2 u. @  Q$ Y. M) _; W8 O% G# C% J0 ]1 f) I; O$ N

& Z$ i  ~4 q7 x, y1 C  i6 W+ @int41handler PROC
( \" T' J8 O. C; w/ A; M" D    mov     cl,al
  u" ]  t% n1 U- g2 Y    iret% z" ~. h4 _8 O( s' _( t
int41handler ENDP
7 d9 c- y. o, i$ q' L
6 d/ L7 L% d$ d, Q# g2 }$ u0 p  H
    xor     ax,ax3 I# u* @3 j8 ^# W* N
    mov     es,ax
% ^' p0 M, p5 p3 i: l9 q6 A8 F( i    mov     bx, cs
( N4 ?, W6 @: E2 N    lea     dx, int41handler: h: L; _  I& D0 }& A! O; F
    xchg    dx, es:[41h*4]! h* ?3 R% Y( r+ \
    xchg    bx, es:[41h*4+2]
5 O( G  N" z3 f. J    in      al, 40h
  Y( ~  o. A, G; h" o) P5 {  P    xor     cx,cx
' Z$ N/ a; t2 K& m7 N    int     41h
) ]3 S: O/ x* T1 ]9 I% F/ M    xchg    dx, es:[41h*4]+ k5 ?2 j9 w+ s" \( C
    xchg    bx, es:[41h*4+2]
3 D3 s6 o* l2 I* p  Q' U4 V" F) N    cmp     cl,al
- A' l. c7 S' b6 E- Z$ @    jnz     SoftICE_detected
9 P: g% ?1 p6 ?) [$ m9 ^3 i9 D7 |! j
_________________________________________________________________________" g2 g% P9 _' y" q0 r4 E1 R) B

, R, c: j; `7 ?. VMethod 07
8 [, h2 m' Z2 \6 Z=========
8 |1 t: D& d% |2 t! S* |+ z; G1 w& p; L$ k; E7 g1 H6 z: T9 N& l$ c" W
Method of detection of the WinICE handler in the int68h (V86)
/ h' [% c& r% K0 o1 R" u- z8 L% l1 ~2 K) _0 g  i
    mov     ah,43h8 [3 O$ i- N& D
    int     68h; @& Q1 a  i- g1 @2 M" |6 o
    cmp     ax,0F386h
6 K. O4 w, }' T3 a$ a& K    jz      SoftICE_Detected" X% U+ y- _7 U* o

9 {$ t/ O* |/ E7 L& M0 A
' o' v1 [' ~1 V# b/ p=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
0 C7 Q+ i9 J' N2 v  ?3 n   app like this:2 A; V2 r+ Y# N% x# Z; f

& W! u) ?! ~+ _   BPX exec_int if ax==68
% ]# v+ N3 r, |! r   (function called is located at byte ptr [ebp+1Dh] and client eip is
& J+ ~" [7 x, A  n1 R: J& e  I   located at [ebp+48h] for 32Bit apps)
$ k' H; P: h+ n6 V__________________________________________________________________________
$ C" E& ^3 A( ?* ]" }+ S, E- U0 B" [- A( M( I

0 j, x2 x8 c: q0 d6 Y* UMethod 08
5 t7 b  ~. E+ z' r$ J5 W=========$ Q4 c# U) I! J- R0 y
( C& B8 S- F9 Y( h! f# O, U4 W/ [
It is not a method of detection of SoftICE but a possibility to crash the
+ [  S9 W6 h" P  \! e( V3 usystem by intercepting int 01h and int 03h and redirecting them to another' c. {( y! i$ F
routine.  c4 l4 L* M; M) Z% p
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
9 l) _3 f8 c0 K% n9 Bto the new routine to execute (hangs computer...)
) d  t4 b  G5 ~% {  K+ O' l. x4 M; B
    mov     ah, 25h
6 f0 K# R% z0 c* j% e' R  I6 f, M    mov     al, Int_Number (01h or 03h). V( k4 j& F# I
    mov     dx, offset New_Int_Routine# F* U- h2 z5 Q$ ?; j6 V, @
    int     21h) d1 J7 k* V: S$ c( {/ j

# \2 Z! S0 v8 O/ m% \__________________________________________________________________________
  y8 \  _1 c$ K" I' i) D) P1 Q3 `' U- m; h: J* N+ v) E+ Z/ O: z8 `% o; _- }* B
Method 095 Y1 }/ h# ^3 Z! Y' }& o+ Q
=========! w' N! F7 F9 V- n$ J! r6 t7 @

0 e6 g8 [/ A) R: nThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 u3 o2 X) k" b4 L' q8 d5 Eperformed in ring0 (VxD or a ring3 app using the VxdCall)./ V$ T" l6 D2 E
The Get_DDB service is used to determine whether or not a VxD is installed; T8 F. @1 s2 o5 u
for the specified device and returns a Device Description Block (in ecx) for
( @! E1 _3 {. N& r9 u  U; ~0 i) [9 ^' Fthat device if it is installed.! ^1 n) L; s; g

; f9 y, b# G) X. n& A   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID6 N* b/ M- ?) T" s7 N# I4 ~
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 w  E$ t& {# W
   VMMCall Get_DDB
* n* S3 ~% D9 S   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
: G1 |' R# o1 ]3 B- s8 c* A
$ I% z1 a2 D) H; Z; QNote as well that you can easily detect this method with SoftICE:
- y9 G$ f: N' A0 E# U   bpx Get_DDB if ax==0202 || ax==7a5fh5 G$ B8 x- }+ E5 r3 L
" z- ^) Y- k" N% k3 r) e; f4 e
__________________________________________________________________________
& }) \9 X6 V/ Q1 i  g) v6 s# ]/ r( T, e) m1 @  `" q3 x" v" Z5 E, W
Method 10
& V9 t1 {/ U" u0 P=========3 e2 v8 g3 R' T+ N+ m! S, K
1 ]& b/ L2 ^) X( U  n8 t- @
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
! V4 M  p9 x' R1 }% c5 }  SoftICE while the option is enable!!
, c. \  t9 ]$ \; x. f# Z+ v2 A
9 s! j+ ]% Y! w4 U. YThis trick is very efficient:
' P+ _3 Y6 e* B9 k% r1 R' _by checking the Debug Registers, you can detect if SoftICE is loaded; [; v8 j8 L3 U
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if2 _$ D& N9 e  w" n3 M. M
there are some memory breakpoints set (dr0 to dr3) simply by reading their7 a: R  i1 f; k0 b3 ^% y
value (in ring0 only). Values can be manipulated and or changed as well
; k; m* d0 F" e, }(clearing BPMs for instance)
7 B. o. [, @% W- q7 G7 ^6 P  _- w7 Z* `& p* v3 _
__________________________________________________________________________
: X. D! N) q5 w# b1 q- V/ H3 }) I: L! T9 V
Method 11( y0 D7 [0 v) w* W
=========
$ ~$ d: c4 B2 |* s% z. z" X
% O( T. c! C. ^3 Z# MThis method is most known as 'MeltICE' because it has been freely distributed
* l# T6 r% ~& y5 M3 }0 r) y* O  Xvia www.winfiles.com. However it was first used by NuMega people to allow
/ H6 I8 `) N/ c$ o3 h5 GSymbol Loader to check if SoftICE was active or not (the code is located
' ~1 Z' `# g. Dinside nmtrans.dll).
& ^9 v9 k4 ~; M$ a2 t7 @# e" D4 b0 c1 p  e" m, d
The way it works is very simple:
8 [9 b& ~! ^7 vIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for, W% e$ p0 [) F  o+ q$ I. J* s
WinNT) with the CreateFileA API.
3 Z9 K8 T# l* r+ u3 Y. \
9 U- ~' N2 M( |3 ]* Z" aHere is a sample (checking for 'SICE'):; A( u1 N- ~6 H/ {% B4 O6 a
( t+ R* I# q! g) h& G- p
BOOL IsSoftIce95Loaded()
- n2 O8 l2 I* s8 R$ h( f" m{' p. m* m! p. X, l4 u- `
   HANDLE hFile;  1 G6 Y4 T$ F6 {3 A# T: m6 I
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ e6 T6 U2 g" X5 C4 I4 n; k1 a/ \                      FILE_SHARE_READ | FILE_SHARE_WRITE,
! J% T  k+ H! v% E                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 u/ c/ h( R3 `3 h0 t) o- a; o
   if( hFile != INVALID_HANDLE_VALUE )/ p8 w4 i$ v) f5 R" w; {7 H6 ~
   {/ M) E8 L  W/ K5 r( S
      CloseHandle(hFile);
/ ]5 W5 p: Z3 T7 _, F* `      return TRUE;
& {( b, |9 E. K# R2 a' o7 r   }" |1 k3 Z; m5 M1 ?
   return FALSE;
. L( R; z# B& \: Y' h: h0 M. n}" \( }4 x; F( J0 S
; B- l" f; @" e: a# L% }
Although this trick calls the CreateFileA function, don't even expect to be% N( N8 J9 X) j0 e" `8 t
able to intercept it by installing a IFS hook: it will not work, no way!
4 ^8 Z5 e0 \' O  ?" U+ lIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
: t6 f/ m+ U3 M* Y% r' f! }. Dservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)( a) ^  M' Y  v) t2 _4 J1 h  D
and then browse the DDB list until it find the VxD and its DDB_Control_Proc* u. v' ?7 @2 Z  D5 z( @
field.. A2 }0 A3 j3 [; c7 E: M2 ]
In fact, its purpose is not to load/unload VxDs but only to send a
8 O) N; L4 m3 O8 VW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
& m1 m9 v1 e8 l$ Eto the VxD Control_Dispatch proc (how the hell a shareware soft could try% N- }" h; L3 T( U: x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).5 b# H2 ?( \, k
If the VxD is loaded, it will always clear eax and the Carry flag to allow# b0 w! X, k4 V# L8 }4 |, F
its handle to be opened and then, will be detected.# L. |( x- b7 a, }- C% I
You can check that simply by hooking Winice.exe control proc entry point/ o. C) l; }; `2 e
while running MeltICE.- b7 i5 o" C2 a. s/ @0 T

- c" u2 T) N8 n
% A0 u0 }1 z0 O  00401067:  push      00402025    ; \\.\SICE
; H5 o8 m6 c+ m8 ?# s3 T! S  0040106C:  call      CreateFileA; K, x) y# v( Z+ e& J* X
  00401071:  cmp       eax,-001% g  v! k: C6 L; S
  00401074:  je        00401091- W. ~4 K: c2 x- o

7 L% Y7 O0 W0 c5 x+ Q$ g2 [, t0 Y% s% Y0 v  H. Z& k
There could be hundreds of BPX you could use to detect this trick.
0 ]" q5 ~1 }+ {% k( F# y1 [-The most classical one is:2 m0 c; {& B  y
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||7 ~; c- K3 m7 r$ R/ Z# G
    *(esp-&gt;4+4)=='NTIC'
* H' P, K  p. f0 G# }$ r9 l  E: V: o
-The most exotic ones (could be very slooooow :-(# Q- c  w2 D1 q' B6 [
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
8 Z# o- K- k& i5 r     ;will break 3 times :-(5 U; Y- K- I6 z
* R" X% x# ~- ]# ~0 T" Q( P# V
-or (a bit) faster: + B# }" l. J  F5 Q4 @& {
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')3 X' Q1 ]1 t/ t! J3 C! i  k$ c

2 ~' f0 x) }: B: ]$ m$ v. r  J: F   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  * S. U4 K0 S" r5 e4 G) H
     ;will break 3 times :-(* E1 t1 L% H( y7 V

6 T8 v0 x8 o) T6 W-Much faster:
$ o, i, z0 |, n0 Q8 o7 M( U   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'- @. U2 Z2 ~6 y; _# I: Y; h

& I4 x8 W0 A+ `3 o: D. }3 l  FNote also that some programs (like AZPR3.00) use de old 16-bit _lopen' \& n) t* I" M1 E' M: t
function to do the same job:2 o* b4 E. g5 f
3 {( W2 Q% W1 j
   push    00                        ; OF_READ
, L2 P- _# c1 n9 O1 }4 H   mov     eax,[00656634]            ; '\\.\SICE',0
* a& S) J& g+ o) a   push    eax9 ], z! e& b( I! z
   call    KERNEL32!_lopen
# C5 u; l; b" ]" T9 y! Q6 d   inc     eax& |+ x3 ]& r, Y8 D8 ~
   jnz     00650589                  ; detected( g: k; A: t: Y- U* B
   push    00                        ; OF_READ
5 S; j  h9 c) V: \2 G; H   mov     eax,[00656638]            ; '\\.\SICE'
" u% H: O6 R0 l: n4 q# a; e   push    eax5 f) D! j+ L( j7 L4 I. E/ k
   call    KERNEL32!_lopen  |# }* h/ ^3 f7 Z3 J2 z) F) d
   inc     eax
7 |3 l6 c. z8 Y   jz      006505ae                  ; not detected) O- c/ z1 S3 d5 N

0 T! Y3 U) Y) s" R: Y0 X
% H/ O! s6 F6 S) O. I__________________________________________________________________________+ v! W; J1 B% X: h3 R9 u

/ i5 c+ D' b' H- kMethod 12
& C2 O! N6 x+ p( c2 j- @" c+ j7 Y=========9 P" A$ N6 q( K- I
0 I3 y* ?1 u9 c
This trick is similar to int41h/4fh Debugger installation check (code 05
7 {* C) G) A' ~2 _* K&amp; 06) but very limited because it's only available for Win95/98 (not NT)- B( x! v6 b& j: z/ ~/ J7 \
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.% M7 T" n3 Y! O6 N& [, k, h

: b5 ~# e; k1 W   push  0000004fh         ; function 4fh
2 [# n/ u, U5 n! i9 D1 h& [   push  002a002ah         ; high word specifies which VxD (VWIN32)
. u/ W( C7 h/ D6 e! u/ G" U8 A4 e( }* N                           ; low word specifies which service+ {# j5 K- N4 \3 w
                             (VWIN32_Int41Dispatch)
+ @6 `2 q# k; ?0 c1 r1 [( C+ V   call  Kernel32!ORD_001  ; VxdCall
2 S! b1 h6 _  \7 m3 B   cmp   ax, 0f386h        ; magic number returned by system debuggers% \  U- P: H& R# D9 l- _  p+ @1 N3 \" [
   jz    SoftICE_detected
$ r  O$ W9 ^. r. o+ a6 c# J% P. A1 {7 R8 |1 v5 f% w
Here again, several ways to detect it:
2 L1 x" n" q- _5 O  w% G6 M
4 F8 F* G" C  M1 Q9 ?8 A    BPINT 41 if ax==4f
* I' B' l  E3 W7 L
; d6 @% K+ ?8 r1 P! P8 N# d% T    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
; k9 C/ j: V2 u8 ?5 b/ U0 h/ v' A6 j- a' ?  x4 ?8 v7 Y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A  Z' E# a5 n* o( A7 c: w1 }( D  \
* |  x1 r8 c" ~1 \6 D3 E; k
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
/ f9 q' C+ s1 x5 R9 X( U- p9 Z* ~4 k% Q: K
__________________________________________________________________________3 S4 P! f4 J. b9 r0 ]- K

. w% h( e$ d$ s8 _3 Z% WMethod 13
6 h+ C8 n8 E! a' v- ]' `$ n; t=========( _. q! h0 ]" X# F- b: j" X1 Z

9 y+ E1 e( s$ ]Not a real method of detection, but a good way to know if SoftICE is
' p* v* G7 j3 Y' e* Cinstalled on a computer and to locate its installation directory.$ w- ], u. G; |: P9 E0 a, A
It is used by few softs which access the following registry keys (usually #2) :7 b; ?  ?5 X! ^* x" c$ n

/ }( l$ A8 z2 P; ~% x" S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' C3 J$ _6 q' `! G8 p. w\Uninstall\SoftICE
6 |2 S4 w7 y( \( R5 O2 L-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
# [/ b2 |5 T/ n% v-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- `. k8 s* h- q( z0 S" \* p+ _\App Paths\Loader32.Exe7 I% P4 l- J+ X6 |
& E- b6 B2 }7 z+ W5 S
" B' y, h" v4 L* }( ^4 j
Note that some nasty apps could then erase all files from SoftICE directory- i+ w8 E% V8 M& ^
(I faced that once :-(8 ~' \1 ]6 _5 w9 A' W7 d# `
" q8 X* ?# h- Q7 k% h
Useful breakpoint to detect it:
! \+ R- f5 m9 c# {) j& F
) e; \9 k5 ^1 p9 J: V3 i     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
0 m# v  l9 e4 u4 z' z: D. L6 Z! ~$ W) J/ }+ ?9 i) P
__________________________________________________________________________
! V5 P( H% M  Z" {. J0 I: O; }& X6 U( t1 f5 @3 T

8 X, V# x3 v8 r: R( q$ K+ I, OMethod 14
1 ]# q# O- x: s$ c=========& z; d. m! E* R" Q6 |3 c

7 q9 h$ D% C! R4 F2 S. x0 n- \, u5 JA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
! z6 I' Y8 C5 Ris to determines whether a debugger is running on your system (ring0 only).
" P, {2 m* X- A* q, G. V/ m* G( m' h- k  k
   VMMCall Test_Debug_Installed
- w  ^1 U7 s4 \/ d+ H& N   je      not_installed
# L$ C/ L( M: ~! O  y7 g" A% q; H3 D( \* X
This service just checks a flag.
) `+ z- {8 `2 y</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-6 15:54

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表