About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to segment 0 (see Method 06)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value in al
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger handled the int instead
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* try to open the SoftICE VxD through its device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

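As an added example (the editor's own code, not part of the original post nor of any tool it mentions): a small static scanner that looks for the byte sequences of Methods 01, 02, 03/04, 05, 07, 11 and 12 in a raw binary. This is the check an analyst runs over a sample before stepping through it, to know which of these tricks to expect. The x86 encodings, the signature names, the functions scan/summarize and the SAMPLE buffer are all constructed from the listings above and are assumptions; packers commonly split or obfuscate these sequences, so a clean result is not proof that none of them is present.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed by the editor from the listings in this post: x86 encodings of the
# detection sequences, written as byte regexes. They are assumptions about how an
# assembler would emit those instructions, not bytes taken from a real sample.
SIGNATURES: Dict[str, re.Pattern] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3.
    # The 66h operand-size prefix is optional, so 16- and 32-bit code both match.
    "M01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh / int 3 (the back-door magic values),
    # allowing up to 8 bytes of other code between the moves and the int.
    "M02 back-door magic SI=4647h DI=4A4Dh":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)",
                   re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh.
    "M03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h (the 0F386h magic-number check).
    "M05 int 41h function 4Fh":
        re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h.
    "M07 int 68h function 43h":
        re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch through VxDCall).
    "M12 VxDCall VWIN32_Int41Dispatch(4Fh)":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}

# Method 11: the driver names opened with CreateFileA / _lopen.
DEVICE_NAMES = (b"SICE", b"SIWVID", b"NTICE")


def _device_name_pattern() -> re.Pattern:
    """Match a SoftICE device string as ANSI or as UTF-16LE (CreateFileW variant)."""
    alternatives = []
    for name in DEVICE_NAMES:
        ansi = b"\\\\.\\" + name                 # the bytes of  \\.\NAME
        alternatives.append(re.escape(ansi))
        alternatives.append(re.escape(ansi.decode("ascii").encode("utf-16-le")))
    return re.compile(b"|".join(alternatives))


SIGNATURES["M11 MeltICE device name"] = _device_name_pattern()


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, sorted by offset."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in SIGNATURES.items():
        hits.extend((name, m.start()) for m in pattern.finditer(data))
    hits.sort(key=lambda hit: hit[1])
    return hits


def summarize(data: bytes) -> Dict[str, int]:
    """Count matches per signature, for a quick verdict on a sample."""
    counts: Dict[str, int] = {}
    for name, _ in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed test buffer: NOP filler with the posted sequences embedded in it.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (Haspinst-style)
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                           # Method 04 (SIWVID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # Method 05
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                               # Method 07
    + b"\x00" + b"\\\\.\\SICE\x00"                                   # Method 11, ANSI
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"              # Method 11, wide
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"       # Method 12
)

if __name__ == "__main__":
    # Usage: python scanner.py <file>   (scans SAMPLE when no file is given)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, offset in scan(data):
        print(f"{offset:08x}  {name}")
```

The signatures are deliberately tight (exact immediates, short gaps) so that a hit is worth a look in the debugger; the Method 02 pattern tolerates a few bytes between the magic-value moves and the INT 3 because, as the Haspinst.exe listing shows, the command pointer is often loaded in between. Widening the gaps or adding wide-string variants for the other methods trades false positives for recall.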
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.