About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
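As an added example (not part of the original text above), here is a static scanner that flags the byte patterns of Methods 01-07, 11, 12 and 13 in a file, the way an analyst triages a packed sample for anti-debugger tricks before deciding how to handle it. The signatures are my own hand-assembled encodings of the snippets above (assumption: 16-bit code for the DOS methods, 32-bit for Methods 01 and 12) and the sample buffer is constructed, not taken from any real binary.

```python
import re
import sys
from typing import Dict, List, Tuple

# Byte signatures for the tricks described in Methods 01-07, 11, 12 and 13,
# written as regular expressions over raw bytes. These are my own
# hand-assembled encodings (assumption: MASM-style 16-bit code for the DOS
# methods, 32-bit code for Methods 01 and 12); only the bytes that carry each
# trick's magic values are pinned, short wildcards absorb register shuffling.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,'BCHK' ... int 3 ... cmp al,4
    "bchk_int3": rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC.{0,8}\x3C\x04",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3
    "backdoor_int3": rb"(?:\xBE\x47\x46.{0,16}\xBF\x4D\x4A"
                     rb"|\xBF\x4D\x4A.{0,16}\xBE\x47\x46).{0,16}\xCC",
    # Methods 03/04: mov ax,1684h + mov bx,0202h or 7A5Fh ... int 2Fh
    "vxd_entry_2f": rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ... int 41h (expects 0F386h back)
    "int41_4f": rb"\xB8\x4F\x00.{0,24}\xCD\x41",
    # Method 07: mov ah,43h ... int 68h
    "int68_43": rb"\xB4\x43.{0,8}\xCD\x68",
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "vxdcall_int41": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11: driver device names opened with CreateFileA / _lopen
    "sice_device": rb"(?i)\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: the three registry paths
    "sice_registry": rb"(?i)(?:NuMega\\SoftICE|Uninstall\\SoftICE"
                     rb"|App Paths\\Loader32\.Exe)",
}
# re.DOTALL so the wildcards also match 0x0A bytes inside machine code.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, ordered by offset."""
    hits = []
    for name, pattern in COMPILED.items():
        for match in pattern.finditer(data):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of the tricks above, padded with
# NOPs and a benign string, standing in for a real file under analysis.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02 (Haspinst)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # Method 05
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                      # Method 07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                      # Method 12
    + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"  # Methods 11, 13
    + b"Hello, world\x00"
)


if __name__ == "__main__":
    # Scan a file given on the command line, else the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(blob):
        print(f"{offset:08x}  {name}")
```

Hits are a triage signal only: the wildcards are deliberately loose, so confirm each one in a disassembler before treating the sample as debugger-aware.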