About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP='BCHK' and AX=4, a loaded SoftICE services the int 3 itself and AL no
longer equals 4 on return; without SoftICE the program's own int 3 handler
returns with AL untouched.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; serviced by SoftICE if it is loaded
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks for the SoftICE VxD (WINICE, VxD ID 0202h) via
int 2Fh, function 1684h (Get Device API Entry Point). If the VxD is loaded,
ES:DI returns its API entry point; otherwise ES:DI is left at 0000:0000.

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax                   ; still 0 => not installed
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by all
system debuggers when int 41h, function 4Fh (debugger installation check),
is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh                  ; function 4Fh: installation check
    int     41h
    cmp     ax, 0F386h              ; magic value returned by system debuggers
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are two examples taken from
Stone's "stn-wid.zip" (www.cracking.net). Before calling int 41h it installs
its own handler (a plain iret) in the real-mode interrupt vector table, so
that without a debugger the interrupt returns with AX unchanged whatever the
system left in the vector; the program's own vector is only reached if no
debugger intercepted the interrupt first. ES must point to the vector table
(ES=0, as set explicitly in Method 06):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second variant, similar to the preceding one but harder to detect, since it
never uses function 4Fh nor compares against 0F386h (a BPINT 41 if ax==4f
will not catch it). The private handler copies AL into CL; the caller loads
AL with an unpredictable value read from the timer port (40h), clears CX and
calls int 41h. If the program's own handler ran (no debugger), CL equals AL
afterwards; if a debugger answered instead, CL is still 0. Note the false
negative when the timer byte read happens to be 0:

int41handler PROC
    mov     cl,al                   ; only our handler does this
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from PIT channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86-mode debugger interface):

    mov     ah,43h                  ; installation check
    int     68h
    cmp     ax,0F386h               ; magic value returned by system debuggers
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (which hangs the computer...).

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns the Device Description Block (in ECX) for that
device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (DR7=0x700 if the program was
loaded with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (DR0 to DR3). The values can be manipulated or changed
as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega themselves to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening \\.\SICE only succeeds if the SICE VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01     ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not detected


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix and the
  four bytes after it are compared)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) -> 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but is very limited because it only works on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" within the subkey strings of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
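The following is an added example, written for this edit; it is not code from the original post nor from any tool the post mentions. It turns the instruction sequences and device names quoted in Methods 01-07, 11 and 12 into a small static signature scanner in C, and adds a function that mirrors the `BPX CreateFileA if *(esp->4+4)=='SICE' || ...` condition from Method 11. The opcode bytes are the encodings of the quoted instructions (16-bit forms for the int-based tricks, the 32-bit form for the 'BCHK' load, which 16-bit code reaches with a 66h prefix); the SAMPLE buffer is constructed here for demonstration and is not taken from any real binary.

```c
/* Static scanner for the anti-SoftICE byte sequences quoted in the post.
 * Added example, not code from the original post: the opcode bytes are the
 * encodings of the quoted instructions (16-bit forms for the int-based
 * tricks, 32-bit form for the 'BCHK' load) and SAMPLE is constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; const uint8_t *bytes; size_t len; } sig_t;
typedef struct { size_t offset; const sig_t *sig; } hit_t;

static const uint8_t S_BCHK[]   = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t S_MAGIC[]  = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t S_WINICE[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t S_SIWVID[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const uint8_t S_INT41[]  = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh ; int 41h */
static const uint8_t S_F386[]   = {0x3D,0x86,0xF3};                          /* cmp ax,0F386h */
static const uint8_t S_INT68[]  = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h ; int 68h */
static const uint8_t S_VXD41[]  = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};      /* push 4Fh ; push 2A002Ah */
static const uint8_t S_SICE[]   = "\\\\.\\SICE";                             /* device names opened by MeltICE */
static const uint8_t S_SIWV[]   = "\\\\.\\SIWVID";
static const uint8_t S_NTICE[]  = "\\\\.\\NTICE";

#define OPC(n, a) { n, a, sizeof(a) }
#define STR(n, a) { n, a, sizeof(a) - 1 }  /* drop the terminating NUL */
static const sig_t SIGS[] = {
    OPC("Method 01: mov ebp,'BCHK' (BoundsChecker int 3 check)", S_BCHK),
    OPC("Method 02: SI=4647h/DI=4A4Dh back door magic values",   S_MAGIC),
    OPC("Method 03: int 2Fh/1684h, VxD ID 0202h (WINICE)",       S_WINICE),
    OPC("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",       S_SIWVID),
    OPC("Method 05/06: int 41h function 4Fh",                    S_INT41),
    OPC("Method 05/07/12: compare with magic 0F386h",            S_F386),
    OPC("Method 07: int 68h function 43h",                       S_INT68),
    OPC("Method 12: VxDCall VWIN32_Int41Dispatch, function 4Fh", S_VXD41),
    STR("Method 11: device name \\\\.\\SICE",                    S_SICE),
    STR("Method 11: device name \\\\.\\SIWVID",                  S_SIWV),
    STR("Method 11: device name \\\\.\\NTICE",                   S_NTICE),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Scan buf for every signature, in increasing offset order.  Returns the total
 * number of matches; only the first max_hits are stored in hits. */
size_t scan_buffer(const uint8_t *buf, size_t len, hit_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++)
        for (size_t s = 0; s < NSIGS; s++) {
            const sig_t *sig = &SIGS[s];
            if (sig->len <= len - off && memcmp(buf + off, sig->bytes, sig->len) == 0) {
                if (n < max_hits) { hits[n].offset = off; hits[n].sig = sig; }
                n++;
            }
        }
    return n;
}

/* Runtime counterpart of the SoftICE condition
 *   *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName; +4 skips the "\\.\" prefix and the next four bytes
 * are compared (so "SIWV" also covers \\.\SIWVID). */
int is_softice_device_name(const char *name)
{
    if (strncmp(name, "\\\\.\\", 4) != 0) return 0;
    return strncmp(name + 4, "SICE", 4) == 0 ||
           strncmp(name + 4, "SIWV", 4) == 0 ||
           strncmp(name + 4, "NTIC", 4) == 0;
}

/* Constructed sample (not from a real binary): the 32-bit BCHK sequence
 * followed by 16-bit-encoded int tricks and a MeltICE device name. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,                                      /* 00: nop ; nop */
    0xBD, 0x4B, 0x48, 0x43, 0x42,                    /* 02: mov ebp,4243484Bh */
    0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,        /* 07: mov ax,4 ; int 3 ; cmp al,4 */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,  /* 0E: mov ax,1684h ; mov bx,0202h ; int 2Fh */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,  /* 16: mov ax,4Fh ; int 41h ; cmp ax,0F386h */
    0xB4, 0x43, 0xCD, 0x68,                          /* 1E: mov ah,43h ; int 68h */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00, /* 22: "\\.\SICE",0 */
    0xC3,                                            /* 2B: ret */
};

#define MAX_HITS 32
static hit_t sample_hits[MAX_HITS];

size_t sample_hit_count(void) { return scan_buffer(SAMPLE, sizeof SAMPLE, sample_hits, MAX_HITS); }
size_t sample_hit_offset(size_t i) { sample_hit_count(); return sample_hits[i].offset; }
const char *sample_hit_name(size_t i) { sample_hit_count(); return sample_hits[i].sig->name; }

int main(void)
{
    size_t n = sample_hit_count();
    for (size_t i = 0; i < n && i < MAX_HITS; i++)
        printf("%04zx  %s\n", sample_hits[i].offset, sample_hits[i].sig->name);
    printf("\\\\.\\SIWVID -> %d\n", is_softice_device_name("\\\\.\\SIWVID"));
    return 0;
}
```

Against a real DOS or PE file, read the file into a buffer and call scan_buffer on it. Expect false positives on the string-only signatures (a program may legitimately carry the device name) and false negatives against packers that build these sequences at runtime or use the long `CD 03` form of int 3, which the scanner deliberately does not key on.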
Forum: 汶上信息港 (Wenshang Information Port)