About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
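As an added example (not part of the original post, nor code from SoftICE or any of the tools named above), here is a small Python static scanner that flags the byte patterns of the tricks in Methods 01, 02, 03/04, 05, 07 and 12 in a raw code buffer, the kind of triage pass an analyst runs over a packed sample before stepping into it with a debugger. The instruction encodings are the standard x86 ones for the listings above; the sample buffers, the jump displacements, the import-thunk address and the `M01`..`M12` labels are all constructed for the demonstration.

```python
"""Static scanner for the SoftICE-detection byte patterns described in
Methods 01, 02, 03/04, 05, 07 and 12 above.

Added example, not code from the original post.  The encodings are the
standard x86 ones for the instructions shown in the text; every sample
buffer, jump displacement and import address below is constructed by hand.
"""
import re

# (key, description, byte regex).  The lazy wildcards '.{0,N}?' tolerate a
# few unrelated instructions between the marker values and the interrupt;
# the optional 0x66 prefix covers a 16-bit mov/cmp assembled in 32-bit code.
SIGNATURES = [
    ("M01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker signature)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    ("M02", "SI=4647h / DI=4A4Dh magic values before int 3 (back door)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A.{0,8}?\xCC",
                re.DOTALL)),
    ("M03/04", "int 2Fh/1684h entry-point query for VxD ID 0202h or 7A5Fh",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A)"
                rb".{0,8}?\xCD\x2F", re.DOTALL)),
    ("M05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x66?\x3D\x86\xF3",
                re.DOTALL)),
    ("M07", "mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("M12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch) / cmp ax,0F386h",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"
                rb".{0,16}?\x66\x3D\x86\xF3", re.DOTALL)),
]


def scan(buf: bytes):
    """Return sorted (offset, key) pairs for every signature hit in buf."""
    hits = []
    for key, _desc, pat in SIGNATURES:
        for m in pat.finditer(buf):
            hits.append((m.start(), key))
    return sorted(hits)


# Constructed samples, hand-assembled from the listings in the post.
SAMPLES = {
    # Method 01 as a 32-bit packer stub would carry it.
    "bchk_stub": bytes.fromhex(
        "BD4B484342"    # mov  ebp, 4243484Bh   ; 'BCHK'
        "66B80400"      # mov  ax, 4
        "CC"            # int  3
        "3C04"          # cmp  al, 4
        "7502"),        # jnz  SoftICE_Detected (displacement constructed)
    # The Haspinst.exe loop body from Method 02 (16-bit DOS code).
    "hasp_loop": bytes.fromhex(
        "B81109"        # mov  ax, 0911h
        "8B17"          # mov  dx, [bx]
        "BE4746"        # mov  si, 4647h
        "BF4D4A"        # mov  di, 4A4Dh
        "CC"            # int  3
        "83C302"        # add  bx, 2
        "41"            # inc  cx
        "83F906"        # cmp  cx, 6
        "72EB"),        # jb   loop (displacement constructed)
    # Method 03, 16-bit.
    "vxd_query": bytes.fromhex(
        "31FF"          # xor  di, di
        "8EC7"          # mov  es, di
        "B88416"        # mov  ax, 1684h
        "BB0202"        # mov  bx, 0202h        ; SICE
        "CD2F"          # int  2Fh
        "8CC0"          # mov  ax, es
        "01F8"          # add  ax, di
        "85C0"          # test ax, ax
        "7500"),        # jnz  SoftICE_Detected
    # Method 05 and Method 07, simplest forms, 16-bit.
    "int41_check": bytes.fromhex("B84F00" "CD41" "3D86F3" "7400"),
    "int68_check": bytes.fromhex("B443" "CD68" "3D86F3" "7400"),
    # Method 12, 32-bit, call through an import thunk (address constructed).
    "vxdcall_int41": bytes.fromhex(
        "6A4F"          # push 4Fh
        "682A002A00"    # push 002A002Ah
        "FF1500000000"  # call dword ptr [Kernel32!ORD_0001]
        "663D86F3"      # cmp  ax, 0F386h
        "7400"),        # jz   SoftICE_detected
    # A plain int 3 inside an ordinary prologue: must not trigger anything.
    "benign_int3": bytes.fromhex("558BEC83EC10CC5DC3"),
}


def report(samples=SAMPLES):
    """Map each sample name to the list of signature keys found in it."""
    return {name: [key for _, key in scan(buf)] for name, buf in samples.items()}


if __name__ == "__main__":
    descs = {key: desc for key, desc, _ in SIGNATURES}
    for name, buf in SAMPLES.items():
        hits = scan(buf)
        print(f"{name:14s} {len(hits)} hit(s)")
        for off, key in hits:
            print(f"    +{off:#06x}  {key}: {descs[key]}")
```

Run it as a script to see one hit per constructed sample and none for the benign prologue, or call `scan()` on a section read from a file. It is a plain signature pass: a stub that loads the magic values through computed arithmetic or different registers will slip past it, so a clean result says "none of these exact patterns", not "no anti-debug code".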