找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>$ j+ h' Y, }% `8 c& u: @' T( U
<TBODY>, a" v! @/ f. i% o) [, B
<TR>0 O- Z: r6 n. M8 `
<TD><PRE>Method 01 5 }% J& H* l; a5 }" m
=========! R- s, b0 s0 l- U

* F- h: t4 c7 {* C+ N$ I( o9 V5 _  p4 FThis method of detection of SoftICE (as well as the following one) is
" {, v* p$ n  g8 dused by the majority of packers/encryptors found on Internet.
3 R8 N3 S! e$ Q( l3 q& N2 n# rIt seeks the signature of BoundsChecker in SoftICE
% b8 X; D& ^# _, h2 B. c3 y) J9 }* w% k6 _
    mov     ebp, 04243484Bh        ; 'BCHK'  a# b, o) N6 t0 s0 l
    mov     ax, 04h* t/ [3 D" y8 |' u. D
    int     3      
; f6 h- ~$ K2 @2 l. p* Y: `" j    cmp     al,4& a7 i3 T% b& M/ N3 ]; U2 h
    jnz     SoftICE_Detected3 B+ v' A) ~; S# n' Z0 H
+ x' P1 {: J# W" W% @; I  N
___________________________________________________________________________6 ~/ X$ |. l! V% i1 Z$ d! j
0 y1 \/ A' y1 ^1 D' G
Method 02
* E: \4 s+ g. P+ D3 w0 |: j=========/ h3 _) Z$ A* R" C- R

& o8 X6 d# [( `1 sStill a method very much used (perhaps the most frequent one).  It is used$ n& _* ^+ T: D# T5 O
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 t; b  V3 y7 G3 c& Kor execute SoftICE commands...6 m, `, X- ~: B% m1 p# {) \
It is also used to crash SoftICE and to force it to execute any commands
8 |& I# }) o. @4 g. ^(HBOOT...) :-((  2 T* c) S5 A2 }6 d1 l( G

/ X7 s* \, Z3 d( r7 X: y# j7 OHere is a quick description:2 Z- y) o0 r6 u8 y
-AX = 0910h   (Display string in SIce windows)" k* v$ ~( x. D" F
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
7 a3 Y4 |0 E  K+ p! R' e& D/ E-AX = 0912h   (Get breakpoint infos)1 p4 z% a% m7 o4 p7 w( f
-AX = 0913h   (Set Sice breakpoints)
3 U, I6 H; b/ t& R5 o+ W( A/ Z& T; U; X-AX = 0914h   (Remove SIce breakoints)
; M1 `* d$ q8 L( w2 [) {0 H+ x. y; U: P# ?. E% q; c
Each time you'll meet this trick, you'll see:2 l5 B8 a! B/ T1 i1 t/ ~. y" g0 Y
-SI = 4647h/ g( d/ v' \' o& L% ]# b
-DI = 4A4Dh+ i- }# J' v: m8 [# f8 R
Which are the 'magic values' used by SoftIce.4 j" Q1 L+ ]4 o9 G  o
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
6 s+ T, |! ~$ y! g, b
. s0 B5 T$ ^) r' HHere is one example from the file "Haspinst.exe" which is the dongle HASP
3 z$ a" _1 }+ G. l3 hEnvelope utility use to protect DOS applications:! P0 a" S- S3 D/ |4 ]
9 K1 M* N6 a5 Z8 @) _5 G

) T7 U, b5 f  [8 `- M4C19:0095   MOV    AX,0911  ; execute command." |! E' X9 K, i
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).& K4 d1 ?* {) ~; W0 P
4C19:009A   MOV    SI,4647  ; 1st magic value." @" s; A! q0 \
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.9 M4 f5 ^( T4 i& }6 q" Q7 R
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
5 V7 a  ^  Q( D( m$ u" {4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute6 h2 n4 B" Y6 J
4C19:00A4   INC    CX7 u3 p  O9 w% \. D0 u' A
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute" B6 M  e2 c5 |' E# i
4C19:00A8   JB     0095     ; 6 different commands.
' {4 o% U. }7 E7 L+ x) M7 ]4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
1 k5 g; v+ X7 Z3 s8 D" o4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)4 n+ U& U* s# l( a

- i: G5 P0 L) KThe program will execute 6 different SIce commands located at ds:dx, which
3 l/ o4 B- F4 n. f' d1 ~are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 ]. y& m2 S$ V: w2 \+ g& s1 I$ U& f+ D: h9 d) n# n
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.  W/ I$ J) L2 N5 Q: n
___________________________________________________________________________8 C4 |$ ^6 t: q

  r' v4 h' H- O% ]
$ l" d* A$ V, `! S% wMethod 033 v: f* [8 E8 Z- `8 {1 O
=========
; o& C: t& h$ t9 B) k4 T  R/ L, a8 a9 c: m! u2 Z" J
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h' o! \3 c" W2 w. C  t
(API Get entry point)
( m5 y6 h5 ~4 M" V! Y1 T* s        . M* q2 E, b& u

! y* w4 G5 S9 u3 g, \: [    xor     di,di
6 G- \+ b8 W8 ?3 H$ Q    mov     es,di1 I2 G" K% F0 j5 b9 ?0 G& v
    mov     ax, 1684h       $ i( u6 h" N3 V* q0 w
    mov     bx, 0202h       ; VxD ID of winice
4 o& ^7 V) n9 }! u) z) t    int     2Fh
) z0 A; M- ?3 @    mov     ax, es          ; ES:DI -&gt; VxD API entry point
/ n: y9 E( F6 ^8 d    add     ax, di
2 W4 |8 e( N* D  f1 H" B    test    ax,ax2 j& z, x- `. v- z
    jnz     SoftICE_Detected9 O" I1 h2 ]5 G8 h8 P# C

. K& J$ {! K# x7 |! [. }# E___________________________________________________________________________% P3 j7 u6 ?* P( f: p, {
. b0 I# T. F9 |( e; h
Method 048 u  x& o. ?! }: [  E" U% I
=========
% L: m. @  q- p1 T- t, i# s4 U  |
( x7 i  `! F5 B8 i7 f5 q0 F# zMethod identical to the preceding one except that it seeks the ID of SoftICE
* y" z+ H/ F. ^& w7 \GFX VxD.
+ }4 M" r" ]1 }# a* f$ v" c, i( N, l( {, }  E9 h! I
    xor     di,di
# R. i/ K7 A9 Y$ \& @    mov     es,di
, A/ H3 y& {! X7 W2 |    mov     ax, 1684h      
! `. A( j! w+ ]! g9 T    mov     bx, 7a5Fh       ; VxD ID of SIWVID* R0 w9 K  P  H8 z8 T
    int     2fh
& n  {9 D' o% l' A    mov     ax, es          ; ES:DI -&gt; VxD API entry point; a% Q0 b# y& w* R8 P5 n  V" r( [
    add     ax, di* q. o- v- r" B, ]& P
    test    ax,ax; D( U1 @9 T. V3 k5 ~! c' }
    jnz     SoftICE_Detected- o6 B# F7 G+ T5 y, Y

8 u0 N1 j/ M* ]* t; d& M. ?6 Z0 Z__________________________________________________________________________( Z; Z+ @( ]$ m5 F9 F

/ H7 E3 }6 W, Q7 L( I  O
7 L$ a/ n! k+ A4 z/ V/ }# G( EMethod 056 I* O! b( k) J; o' o! p+ [, J) y
=========
6 h3 M* C4 j, Q1 ^
, J$ v6 h, [* U2 p" P% {: QMethod seeking the 'magic number' 0F386h returned (in ax) by all system
8 t7 _# `# l% s# Q5 F. }  s+ Q1 rdebugger. It calls the int 41h, function 4Fh.: m( d# Q2 B! y' t3 Q
There are several alternatives.  5 K5 Z6 h' S' n4 p0 d+ Z/ S( e

( g6 W2 Z- I6 G+ n2 AThe following one is the simplest:: U+ j! o6 {8 X" W5 y0 h- B
: H  s* J! i6 H( O& p9 Q2 X' l
    mov     ax,4fh6 u" y7 T; [. v; I) [% D
    int     41h
$ t3 g6 \+ v8 k' I    cmp     ax, 0F386
. z" W" m5 w! b6 \- r    jz      SoftICE_detected
+ s' }! }2 G  X* a6 [- H8 N
9 u/ F4 \$ W% ^1 \" {  Z9 k4 D4 C2 @. r' L1 d
Next method as well as the following one are 2 examples from Stone's
7 a9 E) k5 C" ?# k"stn-wid.zip" (www.cracking.net):
. j# X6 A; F% n, z' \1 F; g# E' p
8 {! j  \7 u8 W! a4 Z3 U7 S    mov     bx, cs( c9 j# h) e" E3 u7 \) ^$ X
    lea     dx, int41handler2
0 |0 m& g& K3 f    xchg    dx, es:[41h*4]
5 E' ^0 O3 W4 o" _" [. x& K; k    xchg    bx, es:[41h*4+2]
- {1 X$ O* ~* f9 J/ j- A' B8 r: D    mov     ax,4fh$ A3 p7 N4 p1 b# y* E
    int     41h( f1 |9 O3 A7 c9 Q1 v. k
    xchg    dx, es:[41h*4]
* q3 O: k5 d! y6 H+ h* h/ r    xchg    bx, es:[41h*4+2]
- u2 c0 p8 M$ W9 z9 u, w# w    cmp     ax, 0f386h
+ l/ v' V( ?2 B' i4 {    jz      SoftICE_detected
( L" F' Z+ G" r% w/ m" e1 d7 _' C+ r1 A4 V$ h0 j) e  Z
int41handler2 PROC
  i0 m1 w# b# q8 Q1 g    iret) h$ P1 ]. Z+ ?. R% Q7 p8 ?
int41handler2 ENDP: f1 a2 I: B" f' ]6 [
; n( H$ ]) y: L# t( h' q
2 W/ k7 ^4 }& |
_________________________________________________________________________
- Z* n% s7 [3 I: q2 k! H* e8 W2 l9 G+ n. R$ I
! Z3 @1 p" R# v- B, d" ^8 J
Method 06
  Z* d$ \# F2 J6 H: j) E: I=========# S8 E$ }$ R- k
2 Z+ f6 x) h: P2 t
+ ^) K! f" n( A, @
2nd method similar to the preceding one but more difficult to detect:
  H& x5 V1 F5 g) V" e9 T$ U2 O! ]& z; P

3 x' |3 X0 [+ c# ^( Oint41handler PROC7 u- v& c  V0 \2 b* o
    mov     cl,al4 k6 O, q' G& B( r; ^; j
    iret; {- H) i. k6 ]* {' C" Z
int41handler ENDP
2 I  l. C" l, n$ e
2 p# Q0 z3 A% Q) R& U- W( @$ x0 J
! T' G- }2 V$ e- t- S# B6 p1 J5 n    xor     ax,ax. m  y1 X2 O$ W- q& d; B, s5 f
    mov     es,ax
, J0 n; E, t; c    mov     bx, cs
: j2 s/ ~5 R8 O% g$ \2 a) |2 c  A    lea     dx, int41handler, |; S3 ~2 L9 o+ R
    xchg    dx, es:[41h*4]
7 g9 W$ r9 {- I7 b8 n    xchg    bx, es:[41h*4+2]
' h3 \0 ?% K8 k. R8 r8 n  H    in      al, 40h3 a8 d% z( z* b* t0 I7 @: t6 S+ _
    xor     cx,cx0 E- r4 ]3 [  p  h5 x! Z0 o
    int     41h
% ], B  w0 x% i& C    xchg    dx, es:[41h*4]
8 \7 U. v4 R5 T) g    xchg    bx, es:[41h*4+2]
2 W, c. x% \8 j" n; A( q    cmp     cl,al
9 m2 z; R$ V5 k2 j    jnz     SoftICE_detected
% `( }% ]  u1 P$ A0 e, x- G* w
' I3 M$ `/ l- [( i: z' Y* \" V* m_________________________________________________________________________8 Y9 i2 H/ W' n4 G  S

' \( M# O4 o3 H8 tMethod 07
( G# j# V  G) J5 h# E5 X* l=========2 W/ R& U3 p. p6 j3 ~& d/ G
2 w0 I! z$ J/ p# l) W; c
Method of detection of the WinICE handler in the int68h (V86)
' `. N; G* }0 s3 o4 f9 K; f1 B* J; s$ H
    mov     ah,43h* c& z, r8 m8 L. R' c; P
    int     68h. c' d! U( Q) [. S1 {+ x
    cmp     ax,0F386h
( y7 c' U& D1 @4 X# D+ n    jz      SoftICE_Detected
# }. r8 ~4 H4 i, Y: @2 Z9 d$ F$ X7 r6 X" |# M1 q- x2 ~

- O% F# z/ Y% p/ _# o- R2 u0 I. t- l=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit  W6 W' h5 d2 ^8 H& t( N
   app like this:
1 y3 I4 `( C. L
; S5 |. d6 W$ @9 r" Q; Z   BPX exec_int if ax==68
; {3 W& f+ g2 l1 l; D   (function called is located at byte ptr [ebp+1Dh] and client eip is" I, G9 \$ V* e3 f2 b6 C0 p
   located at [ebp+48h] for 32Bit apps)9 R" y5 }7 n1 k* L9 l
__________________________________________________________________________
& a- K9 j8 n) i, {+ p3 f+ J  O- Y; w! D) I

6 d* @' d8 g9 ~- P9 X  NMethod 08& U" X% `7 O8 p& v0 |* }. t$ r$ K
=========) l7 R# ~# P2 t! O6 O; R
% X" F4 L0 U; U
It is not a method of detection of SoftICE but a possibility to crash the+ n. K9 W- y* i; e7 k
system by intercepting int 01h and int 03h and redirecting them to another
  x  G5 \5 Q# K4 W0 ]3 P2 }routine.
/ Z; o8 c8 F' E0 o$ O5 f+ w/ o: b8 QIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points* I4 @  K- r  t# T8 _4 \3 T0 Y0 V
to the new routine to execute (hangs computer...)) O$ l/ l1 P  O8 H. Q; u# c
! V4 l7 v+ c( O7 V" o. W) i5 ]$ c* T
    mov     ah, 25h" r0 u9 Z& D5 A% S+ A9 e! i
    mov     al, Int_Number (01h or 03h)0 z9 M9 z2 L  T# W( S' i
    mov     dx, offset New_Int_Routine
& M4 C: u# ]( I# m# e. Z    int     21h1 X, e" i1 O& M6 C
. }! Y4 ], q" y0 U- q' Z# w" }
__________________________________________________________________________
/ a& a( K. r' b) L
. v$ x4 I. F9 U2 gMethod 09) ?  ]. U, C# S+ G
=========
6 E2 t" k$ q3 ^/ q' P
: R( E. h4 _% T! Y; YThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
& Y# R( S* E1 Tperformed in ring0 (VxD or a ring3 app using the VxdCall).* ?( }: e  N0 c8 S0 n
The Get_DDB service is used to determine whether or not a VxD is installed
2 B3 {( N# a3 y* {for the specified device and returns a Device Description Block (in ecx) for
4 \4 D2 l) o. z# V& w0 Ethat device if it is installed./ |: O. ]' r" o

- t, s3 w* n. c' O' C0 f3 Y7 G! A+ k   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ p4 n& Z( L+ |, z8 n! p" E
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( d4 Q% Y/ ^6 p" r3 k8 w   VMMCall Get_DDB
( N& u: w; q5 X& {% Y: T, m   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
: O. f' a) M: i
8 Z( H0 y: C/ ~6 m# J3 ?Note as well that you can easily detect this method with SoftICE:4 ?- n$ \6 O) v( S# u! D, y- W# J) C
   bpx Get_DDB if ax==0202 || ax==7a5fh' s, a/ M; D8 z) Q3 z

4 h2 A1 Z- m5 V__________________________________________________________________________
3 @6 c" J( F/ y
9 }( d$ x7 R" ^* A$ VMethod 107 G' f4 |! k5 r0 T" U6 Y
=========( E. n* T; Q/ M
+ X5 w1 y: @3 M  S* m
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with- X5 ^2 e- E. q6 [2 R! S2 I
  SoftICE while the option is enable!!. A7 K. ?& c! y+ h  m

9 G2 y" E+ c! i0 q8 PThis trick is very efficient:
9 h# |- ~8 k+ Z! ^& L/ H" Q8 gby checking the Debug Registers, you can detect if SoftICE is loaded: d" B# m" ~! p8 D' H8 q6 v
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 g% N* c. h0 K6 o* {5 a+ g4 O
there are some memory breakpoints set (dr0 to dr3) simply by reading their+ @; g" H" e% S  O4 `
value (in ring0 only). Values can be manipulated and or changed as well
3 |+ G' b$ K' W" H7 \7 `& q(clearing BPMs for instance)1 B* f, d$ J0 u) T# i

+ d6 |' M; t/ I. w$ }__________________________________________________________________________
6 d8 @7 m9 x$ s+ u& s% C: U* [  n+ N3 }" ^2 E9 w
Method 11
3 I' M& @! q( {' A, d=========% |' }6 ?* c7 k; r1 A/ m
/ S2 r6 r& M; R' [/ z/ l
This method is most known as 'MeltICE' because it has been freely distributed: g) _. {; ^5 A) \& C; ]5 g
via www.winfiles.com. However it was first used by NuMega people to allow
1 @. Z2 ~% [; \6 ]Symbol Loader to check if SoftICE was active or not (the code is located7 |1 @. h* W* q# @4 K
inside nmtrans.dll)./ _3 m9 e$ N# _. f9 f- c

$ }8 A: s9 O, T/ KThe way it works is very simple:
1 F+ _3 _' _- n9 \8 U; V( bIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
% w! K- @0 m9 S+ k9 O2 `( kWinNT) with the CreateFileA API.
" s% _' y9 K: [
4 a/ o2 m8 l) u$ SHere is a sample (checking for 'SICE'):
5 X. F  M0 [5 ?; C4 M, Y( t2 _/ Q" r, n5 ?8 z2 h# i) P
BOOL IsSoftIce95Loaded()
/ g! h# d8 F+ N; S& e" L{& O; a9 M( _  w3 X5 I1 \) |
   HANDLE hFile;  
8 `/ U* E% y  H" ?& f8 Y: B   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
' |, }( r) j$ ^                      FILE_SHARE_READ | FILE_SHARE_WRITE,, v, v1 {" [  _) |, F9 \1 ~
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" `0 S7 X; U$ E8 Z1 g; r0 I   if( hFile != INVALID_HANDLE_VALUE )0 M4 o2 G7 x1 A* u1 m  w
   {- _9 h3 p5 D% p; T7 q8 r; ^
      CloseHandle(hFile);
3 w$ q7 M4 y3 t( Y      return TRUE;
8 n4 q2 A$ R7 W- H$ T* P% p   }
7 C3 z/ Y( l- Z0 y   return FALSE;) W  N4 b: X/ B2 \; T# ~
}1 _( O" U' M% G9 r* P0 |7 K

7 y( k0 }3 v$ ]) Z2 l+ J  vAlthough this trick calls the CreateFileA function, don't even expect to be5 |2 D) C5 r) A- Q9 z/ `  m
able to intercept it by installing a IFS hook: it will not work, no way!
  i, J) L  f: z1 R& ^3 @* }: WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
' e, |; ~4 ^& i. Q% k! x7 D( oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)/ x! ?$ d( X) T& k9 N. X
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
+ {$ s+ G- v+ U* [9 Hfield., Y0 \/ V  g. r" e3 O. I
In fact, its purpose is not to load/unload VxDs but only to send a
0 x  X% N! J$ R' ?W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
" K2 d- i/ {; Z# O/ Z2 m  e5 Rto the VxD Control_Dispatch proc (how the hell a shareware soft could try) V. u: _+ o3 a5 R5 i
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 ~) t- b' s) Z$ h. y& I& j* JIf the VxD is loaded, it will always clear eax and the Carry flag to allow
& }) U6 {/ N( a3 ?  \its handle to be opened and then, will be detected.
4 p$ c, ?" v( S! R/ yYou can check that simply by hooking Winice.exe control proc entry point" d  G0 b  \+ _) j1 Z6 M
while running MeltICE.
" F8 W. F+ ~3 o! m& E; z
' J$ u0 k* T: i) ~
; s* K/ u6 I* i% q  00401067:  push      00402025    ; \\.\SICE' D+ ~. P3 X8 {' ]. r
  0040106C:  call      CreateFileA- B3 j" Q* U2 |
  00401071:  cmp       eax,-001
4 Z3 R7 \5 Q& Y% o4 b  00401074:  je        00401091
( L/ |$ j9 ^; t- B+ J9 J9 `) Y  q# E7 \& G+ j, Y
( ?8 g# L4 R; m7 Y
There could be hundreds of BPX you could use to detect this trick.& s, }, L2 o! n0 g
-The most classical one is:2 p% |$ ]6 q) X9 I/ s2 ?
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||% S/ N0 P5 \. f! n. {" _/ Q
    *(esp-&gt;4+4)=='NTIC'$ G! H1 _! K, R/ K$ {
+ L# C. K  N( j/ ^: z2 u
-The most exotic ones (could be very slooooow :-(9 u' C8 z8 s: t+ {( S9 x
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
0 J' |; {) R& Y4 l* Y     ;will break 3 times :-(: J6 w- }- k+ ^" d6 l% J1 j. W2 e

- d3 B5 |! a- |4 Y2 k, A( p-or (a bit) faster: 8 D4 E8 a! o( G* V) {% [$ h' D/ m
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
/ m8 R  W, n2 G6 I* }3 W( Q1 c: |* l3 R
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
6 f3 z, a3 }  j     ;will break 3 times :-(
- A' S- ^( Z, O; ^  g
2 u, q: R5 F( E. c, U-Much faster:
2 `' K! X- r3 |! |   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
! a* e) \6 e1 S  g' @9 B( L4 e4 F% \! x$ _" ?/ }4 x" h
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 {' L( x6 v+ d, i* m5 |$ D9 hfunction to do the same job:$ d7 H& k1 O$ e+ Z& @8 W% @
3 s  K" Y( d' w6 o( z* a
   push    00                        ; OF_READ
8 h- {% O% U* w' L& X; r# l2 H   mov     eax,[00656634]            ; '\\.\SICE',0
+ v$ J  p+ z1 F' e# D* t  T9 W, a# c   push    eax, Q. ], ~3 y! _8 d5 E  g. A
   call    KERNEL32!_lopen; G8 v! T4 J7 l+ u& z
   inc     eax
. e& U6 _; |$ A. R, G: s3 _& A   jnz     00650589                  ; detected
" y. @4 x3 D0 ]' ]) k$ z5 l; h. u) G   push    00                        ; OF_READ9 }7 C/ g, t7 S4 W* w0 E( k! ~
   mov     eax,[00656638]            ; '\\.\SICE'5 z9 |8 m. f# O- Z
   push    eax
1 o6 U6 V3 j# S8 s" {* v- `" x   call    KERNEL32!_lopen: G. @( Y" |# h, @. e% N
   inc     eax
! ^8 ^6 Q* s4 z5 a   jz      006505ae                  ; not detected
$ W9 j! P; h0 `! e9 `
% f% k) ?3 D, V$ ^  q8 K; f- `& x# `
$ q. l. w- _/ G* [' ]% p__________________________________________________________________________
" l- n& X/ S. C8 Y' w
' d. G9 B+ P5 y( I5 xMethod 121 {$ V) K6 r( m. H. `
=========2 Z( y3 s4 r. |3 i% @

# K2 q0 K  l- P  v6 x5 W+ \This trick is similar to int41h/4fh Debugger installation check (code 053 X, b  T  {' I- |, x$ G7 o4 ]7 r
&amp; 06) but very limited because it's only available for Win95/98 (not NT)5 X( U7 w" |' O8 s
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.5 `8 ~) x- h4 T7 u! c/ I( G, r

' h7 w! ^7 Q- x   push  0000004fh         ; function 4fh
5 W5 F6 Z# \2 |1 A: d   push  002a002ah         ; high word specifies which VxD (VWIN32)
2 j8 ~- m3 P- x3 X4 V9 x                           ; low word specifies which service
* S8 p% K4 a; v2 Y" ]) q3 t" K                             (VWIN32_Int41Dispatch)! {+ M: o: T3 g
   call  Kernel32!ORD_001  ; VxdCall
/ m! M) r6 x; Q; P, m8 ^+ b   cmp   ax, 0f386h        ; magic number returned by system debuggers/ t; p5 e1 E+ ?2 O+ w6 B& j
   jz    SoftICE_detected
; ?* H. `/ n- u/ \0 U: T, e9 u
, J# [& K! K4 P9 i: ^Here again, several ways to detect it:" S, W, ?/ \7 D# X/ z. y2 Z0 {
1 i1 G3 ]& ]! p9 v; x- Y
    BPINT 41 if ax==4f
3 k# a6 v; P6 [4 C, u
1 t1 w+ f  Y+ a4 \* u: i2 }    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
3 ~4 [; i# [6 {$ W' L
6 c" S4 {- g! ^& D7 X    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A+ H# W" r9 h" {% Y
" T, `( t' q$ U2 p) e, s3 l. X
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
2 c0 C/ H2 w. e  ^$ a; u
! f% R1 N" o$ A8 A% j__________________________________________________________________________8 |9 T5 i' }2 I4 E

/ B, l% f1 _3 t/ e0 X( U7 c2 sMethod 13) f$ v/ A5 Q' B) R. ^2 @; D9 S
=========
4 ^" A5 G2 |8 r: ~' a$ o/ b' h, n2 i$ N% h# [
Not a real method of detection, but a good way to know if SoftICE is  [. |3 ~3 W+ E8 I% ^  y
installed on a computer and to locate its installation directory." \& v6 p, a+ F6 f8 K
It is used by few softs which access the following registry keys (usually #2) :% G3 x& c9 x4 G; z, I

9 \  ], ?7 T! V1 R! v0 u% u-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion/ Z& g! g+ [- r. R3 {
\Uninstall\SoftICE" X% K' t/ K/ Q3 h3 x2 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE  E& ]2 a7 g* t" k8 w/ J( e# E
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  @' M7 ]2 i0 \0 H\App Paths\Loader32.Exe) `$ S  i) J4 c0 a2 X+ t* o
) d& M5 ?" E) U; |: W$ n8 q
5 @( @' v5 A/ Z# `6 Q1 n6 s
Note that some nasty apps could then erase all files from SoftICE directory/ b( o& s4 J- M0 E
(I faced that once :-(
3 D! V0 @4 X$ m( v( r7 ?+ K( F
8 U) q/ Z0 V- Q6 b) v; Y% a" XUseful breakpoint to detect it:
( x6 m' O/ t; h& z" [* ?' V4 S) Z) j7 u- t7 q1 V, n  Z/ S
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
( o3 Q0 \1 o& S3 X7 Q4 E. q8 L! e; E' y/ V, w1 ~: V: T' {. m
__________________________________________________________________________
0 T) c# t$ P0 v4 _& [+ l) U8 @
/ L% V: C" p6 p* D
* L. _3 q7 G2 y- vMethod 14 # R& d+ f( j8 L1 C% c# g, g
=========
- Z/ c+ t1 N0 ]+ |# ?) `/ @3 k' C
) |; Y( c7 P& P1 }4 j, k8 VA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ n" @  P5 ~' m4 z6 `) pis to determines whether a debugger is running on your system (ring0 only).2 _5 M7 d6 n5 m" B' i, S6 q+ q
1 Y2 m9 `! k" y% ^
   VMMCall Test_Debug_Installed( n7 ]* o  i& V- f9 W- O
   je      not_installed0 X* F" _/ t- p, m
- E  Z' a' _" M6 D5 V- Y5 r
This service just checks a flag.
" m  A( N7 ?  J- x; L: z' Z</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 18:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表