找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>/ y4 H  N' ]4 T: T
<TBODY>) ]. n, \, u+ s6 a
<TR>* |  I" y0 V% E
<TD><PRE>Method 01 ! }! R' {+ O6 e: H: U6 n
=========
2 W0 x* X6 T' ?* s, Y2 A9 \; @4 ]+ p4 t3 j
This method of detection of SoftICE (as well as the following one) is
/ O% B! |' n; S& t+ l' Sused by the majority of packers/encryptors found on Internet.
, f% ?% T$ n, \3 m; ~It seeks the signature of BoundsChecker in SoftICE
; r0 Q% k' c3 K. a  b& d7 \- b8 i- u* F  I( @# j: T
    mov     ebp, 04243484Bh        ; 'BCHK'
" z$ R$ l$ s) L, r3 f    mov     ax, 04h8 [: p. V) X: Z9 f% e" V* A# ]3 }
    int     3       / M% {( H* B1 d' j. U  A
    cmp     al,4& [  S7 v7 C4 k+ [5 o
    jnz     SoftICE_Detected
2 g9 g' e# F! W6 z$ D
& P  C% q6 [2 H0 I___________________________________________________________________________- f5 ^5 O/ p; ?4 m( ?( g: \

, g+ M  D2 K7 hMethod 02
' e0 k  I7 \' d/ O9 o& Y=========
# F. `8 i: d' B6 X' R+ x. b7 E$ `" @; g0 }. m
Still a method very much used (perhaps the most frequent one).  It is used5 ]- i6 A4 T* m/ |
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
6 q! r& x) m3 d9 t' yor execute SoftICE commands...: c+ X7 D: v/ g& }# R; ~
It is also used to crash SoftICE and to force it to execute any commands
, i( x/ f/ X# |+ Z9 o8 ~(HBOOT...) :-((  # q. ^. B# H& e6 D" Z

7 p. p. y4 Y* i$ LHere is a quick description:
6 n, I6 E/ h. N( K9 U' n-AX = 0910h   (Display string in SIce windows)
2 l' Y/ ]5 j4 o1 {-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
+ s2 [1 K9 u( ?& y8 k( |+ F8 ^-AX = 0912h   (Get breakpoint infos)9 x0 r1 d0 j3 ~
-AX = 0913h   (Set Sice breakpoints)0 @$ l) X$ g4 q4 ~" [
-AX = 0914h   (Remove SIce breakoints)7 e0 A2 I  T* J9 k8 ?
$ M$ V/ Z/ i0 [1 L6 v- w
Each time you'll meet this trick, you'll see:
; }8 z% B# B' P-SI = 4647h
; R$ G; n! j4 {1 M-DI = 4A4Dh
9 G9 ^# L3 e* g" P( @0 |Which are the 'magic values' used by SoftIce.
1 g2 C) K$ N( p) \4 @6 ~% NFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.# j7 F& Q1 M# B7 w7 u. A

; A* _/ o, t6 m% e. x! QHere is one example from the file "Haspinst.exe" which is the dongle HASP
3 o7 Q. L$ \2 A4 [8 ]7 U9 W2 Q% VEnvelope utility use to protect DOS applications:5 e5 Y! z, `4 `, a
' o& e, W/ ?0 h

  L8 g  j( q! W+ f  M7 Q* X) G/ ]4C19:0095   MOV    AX,0911  ; execute command.
  U5 {" g7 }9 s( j4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).+ A2 y7 ~5 A& d- A* e% i! g& q
4C19:009A   MOV    SI,4647  ; 1st magic value.3 b. p9 P3 R. f6 L6 J0 k
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.0 B# [/ C3 c2 Q
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
! F! c% g5 T7 U  q2 f4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute, d& B0 P. T8 A5 e
4C19:00A4   INC    CX3 b0 Z/ \4 X; Y" y' b, a. w* y
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute1 y# d: i( ^$ r1 M) q
4C19:00A8   JB     0095     ; 6 different commands.9 e9 z0 M8 e8 w7 ~* ?9 X, s
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.& p" V8 g3 X* n$ q8 p5 D
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)* C( \. p, z  [
) A& @+ E* @+ O
The program will execute 6 different SIce commands located at ds:dx, which
* I+ @: f& u9 ]& ]/ t9 d& aare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.% q3 J# K& L8 U- c1 d4 ?5 V

3 @; X1 w( c) o/ t- k! {( h/ [* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
1 b( ^2 K4 F( Y5 n& G___________________________________________________________________________
0 A2 r! _0 f( X  k0 F5 @; b$ @* [
9 G/ ^$ v3 i) X$ w5 q4 |2 b
Method 03' T4 V2 B+ g7 e+ c( Q$ l
=========
; F: \# u2 l7 `" u, ]
& `7 c3 u8 T  n4 T: qLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* y* Y6 W' D5 Z, E. {. w/ |& b7 V(API Get entry point)
4 R: ^1 t& E* ~7 _) r( _: C5 Y        
+ U) r7 \& K7 j* w
6 ]; \! G0 p0 R' Z0 \" }; v" O1 E    xor     di,di
8 o& ]/ l5 |4 @    mov     es,di
: k& e+ v2 f* @$ x9 ~' e4 i    mov     ax, 1684h       ( x1 @* B3 R. P% T
    mov     bx, 0202h       ; VxD ID of winice
* B1 c' r" Y# P6 A7 y# C1 i; d8 q- t/ z( D    int     2Fh& z# v: m# a: Q  L  H. W
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
! c" O! p0 p; [7 {( k    add     ax, di
) H" V" @: q" a2 d+ \/ w    test    ax,ax
4 ^7 r+ m9 o! R2 F6 q" v$ M; [1 t; d: L+ R    jnz     SoftICE_Detected
( w; K8 f/ p6 v4 b5 J0 M' U9 r$ _  j" b- P
___________________________________________________________________________
6 Y, M$ z6 `3 H9 w* o
: I5 O' a; R1 c$ A6 ^% ]Method 04) q/ @  d3 V1 r+ E* @; B
=========
& v( q2 K6 l( c8 t8 b3 E4 k+ T4 \3 v; q
Method identical to the preceding one except that it seeks the ID of SoftICE  D2 _  z' [2 w2 w1 d) @3 T
GFX VxD.
  {1 G; p/ C) |3 @. _- Z" \) T$ |( w7 o0 m6 a: Z
    xor     di,di' Z. u! N# l/ R( |# }. z$ \* @) {1 t
    mov     es,di
+ _5 F) X3 v# I# g    mov     ax, 1684h      
  v8 d1 r+ Z, G0 |: x8 i$ a, _    mov     bx, 7a5Fh       ; VxD ID of SIWVID
7 Y; J1 W1 G1 }# y7 E+ L9 O    int     2fh. P& Y$ e8 ]$ c- f5 ^/ z) d
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
" |( w; Z& ?8 \( Q; X    add     ax, di
- D0 ?/ s/ K$ l3 ?) F1 {    test    ax,ax. D, r" Q5 y% p$ c
    jnz     SoftICE_Detected  I0 m& ]' B' k; b  z: v9 R
6 Y( h8 a/ J# U. z
__________________________________________________________________________  z1 ^+ j: d) Y
9 d; F3 v1 N7 G
# _2 N1 u2 R" e0 t2 e
Method 05
. ]8 Z* G% I$ z! `- ?/ r=========. i  T+ s# B  M' q& V8 l
& V9 r" S$ i* V$ |! X
Method seeking the 'magic number' 0F386h returned (in ax) by all system" S& B8 c( K/ \; i
debugger. It calls the int 41h, function 4Fh.
  b) c$ X; Y% d, T- ^3 J1 w! fThere are several alternatives.  
7 e; _) T8 `: X: l3 X6 w+ M4 ]
7 H( t) I1 Z9 z' Q$ TThe following one is the simplest:2 L1 G2 c- }' \# }

/ X! H2 k6 A/ x4 A' o    mov     ax,4fh
  y* x' A1 \9 W8 g" z6 ]) {    int     41h
) Y8 h( h& Q1 G- P3 S) w1 T    cmp     ax, 0F386! n. F5 A9 @; v4 S' _# f
    jz      SoftICE_detected
- p, S6 h/ m9 u7 a% A3 y9 O
! W& y% O3 W+ A' Q0 d- r- e* _/ ~* n8 {! e( |" @3 B/ A
Next method as well as the following one are 2 examples from Stone's % E: h; o( W2 ~8 \: I; j
"stn-wid.zip" (www.cracking.net):* a' r  I! S* i# ~# S( K; o  @5 y4 j4 Z

( V( `# g% [' Z- r# T3 \! s    mov     bx, cs
9 o9 t& S' h. s$ b8 c    lea     dx, int41handler2
+ }  V/ [6 r; y" T; Q    xchg    dx, es:[41h*4]8 T3 Z( z4 W* a+ Q
    xchg    bx, es:[41h*4+2]4 \  e2 z( ]4 ~7 u
    mov     ax,4fh
* J- L  Q4 y5 r, {    int     41h
7 Z+ P1 b+ ], x  T6 s    xchg    dx, es:[41h*4]
+ [, o) g9 X. B1 y    xchg    bx, es:[41h*4+2]
% }0 r3 t* u6 ~/ ]4 E  y9 E) I. p% J    cmp     ax, 0f386h
7 ~, y) e* H, M* y! g    jz      SoftICE_detected
+ P% }' E7 [+ ^, o
) @. t/ G: q3 J+ j' c0 zint41handler2 PROC- u7 R9 X: S# a; V
    iret% H* j$ `: D: v9 d- C( m8 F
int41handler2 ENDP
/ O) v, _' A) {  R" |8 d7 {+ V- k
* ^/ E+ c  `4 w1 o! M
2 |1 c  C9 S( l% {_________________________________________________________________________
. A5 R! F/ ~5 b; R2 ]( @
( H- m( N% V) ~6 }1 j1 D9 r( u( I3 |* m" C% d: P
Method 06. I) D1 N- K4 E" d, L
=========
7 j5 V* e- }% E4 H9 X+ @7 P4 Y. B3 S3 l( ^! ]7 D8 X' e
2 G' b5 z' f' V' x
2nd method similar to the preceding one but more difficult to detect:. q8 m) {4 u6 t: y

9 W3 u, Y9 e5 {8 U
" `* X, I( B( y- }+ C8 xint41handler PROC2 W7 K1 h6 q% L, L/ C4 {4 G
    mov     cl,al
9 @  C) j5 B4 [8 U    iret2 L6 x$ S( ~; R1 c4 e
int41handler ENDP
8 p+ R! t  j) L
8 J% V; I  V" J' p) k4 D
& v) N/ ~; x* h+ W! m3 {4 f% U6 @    xor     ax,ax/ i& z  j( W. o) ^+ d! K' L
    mov     es,ax; J/ \- ~: i8 J( R/ w
    mov     bx, cs: D6 o: C  Y1 x% E- j3 m% Y" q# D# d
    lea     dx, int41handler% _5 T3 N2 h' z6 p2 r. L6 [4 p
    xchg    dx, es:[41h*4]
0 H. a3 ^+ x4 h    xchg    bx, es:[41h*4+2]! [3 y( K/ N2 E4 V  H3 L# ?8 i
    in      al, 40h
% `! u' I4 }4 g" q4 ], q    xor     cx,cx
  Q$ t7 Y8 S. d' Z. C    int     41h1 W7 v& l* ^+ `' t
    xchg    dx, es:[41h*4]' @! W# n' {3 E4 R4 ~, A5 _6 ?
    xchg    bx, es:[41h*4+2]6 L' Y' ^' X( m- c+ I7 _
    cmp     cl,al' B3 _# q2 f$ X9 N! O
    jnz     SoftICE_detected
; B) I$ p- o' T$ R( b6 [9 P3 Y' u2 C* p7 O7 c: D0 B
_________________________________________________________________________; H3 H3 n! \% X: I

- o/ z5 ~2 K5 i( ]9 e' Y; R4 AMethod 077 ?4 C  R# ?! I3 a% R/ K0 |4 I2 P
=========
: c  O' K$ }: ]1 p: P( c( F* B5 Q7 o; V; {
Method of detection of the WinICE handler in the int68h (V86)7 m# K  b2 X' m& O7 ?9 X8 f, ]7 t

% I9 ]9 H$ {" d8 n! \7 `    mov     ah,43h( m; M& R7 m9 j6 t1 w9 O/ E* G
    int     68h
. I, s1 U5 V3 \    cmp     ax,0F386h9 |. U; S- N; \. x4 }& H. t
    jz      SoftICE_Detected
/ V/ p. Y  k# f& B4 `
+ r* e& s3 R5 i9 d) X" G4 P7 E0 k/ Y; j
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit% z  e& r7 ~3 q+ B2 R$ {/ r" h
   app like this:
! f" _& @5 @' ^; _# K9 t
' d7 u- Z" Z! H2 d- v7 g   BPX exec_int if ax==68
( O( Z- x/ V4 {0 E7 B' {* P   (function called is located at byte ptr [ebp+1Dh] and client eip is8 J6 P8 x- B/ H/ c5 |
   located at [ebp+48h] for 32Bit apps)4 v4 ~& g( F4 I1 \- M/ |/ w
__________________________________________________________________________- `# m, z0 o. c7 \& T5 q

! H5 M* @  R' f3 V1 q3 C9 C6 r- n( Q& l" P5 V2 t
Method 08
7 m+ i8 w7 f( D9 b; ~=========3 p+ I# c' E8 P" d- x* K

* z! ]" Y- m$ a4 K: C( ~It is not a method of detection of SoftICE but a possibility to crash the
1 a( K& a6 k3 e: K' i  hsystem by intercepting int 01h and int 03h and redirecting them to another
2 p, f% [) v2 i# u. s, t7 droutine.& @3 Y/ c% h3 f# i( ]1 l; z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
, Q% a( b2 C  Q! Vto the new routine to execute (hangs computer...)" O% u) g9 C6 V0 X& {) [' @

9 X' W) h% K5 D8 R5 M; I$ o3 B- {    mov     ah, 25h; \/ [0 k0 X" q* {* x3 A
    mov     al, Int_Number (01h or 03h)
" @* }) w. U- @9 Y" N) G    mov     dx, offset New_Int_Routine
3 E' [7 \1 d5 P4 V! s# h    int     21h) o/ [! h8 `; m4 w, @% l3 \$ j
: v: N( Q) C: A9 K8 I' x" R5 V
__________________________________________________________________________
" I) q  q+ c# C# L$ s% \0 v9 K9 x7 ]( u' M
Method 09
9 F& x" H9 y+ ~1 \. U+ u=========+ v- F3 G; i4 g
+ _! y( y4 k2 x, ~; F
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- l4 H- O) M" P6 m2 G9 ?
performed in ring0 (VxD or a ring3 app using the VxdCall)., ~: S3 ~# \8 d: x
The Get_DDB service is used to determine whether or not a VxD is installed
# {3 y3 n. }2 h# d: \6 v# |; Cfor the specified device and returns a Device Description Block (in ecx) for
6 P6 k0 T+ Q5 J  @3 Tthat device if it is installed.
: ?- d/ {1 o4 p+ X& g/ V+ G1 Y! B3 l/ s* D- D& ?& L5 t
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
/ I8 t6 h- j9 R* l$ U   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( N; y$ Y$ K& G2 ~6 y8 A6 V   VMMCall Get_DDB8 `2 B: E3 O0 h5 p3 s& b
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed7 f0 Y( @( h3 F& Y. @
" W4 ?  y$ e+ Z  ]; o: S  m0 ^
Note as well that you can easily detect this method with SoftICE:) c8 x3 g5 r$ I, b
   bpx Get_DDB if ax==0202 || ax==7a5fh
0 Z& i" \3 j, J% J( x% X4 c# O
6 P# M4 O5 f+ ^2 j0 [9 }__________________________________________________________________________
$ c  f7 q# R+ E3 I3 N" G7 A* x! F% X0 L- @2 \
Method 10
# _. v. J( m+ a9 R+ `, l=========
$ S% u& D1 q$ H- m+ x
2 S/ D% P/ B" S  |8 Y0 O=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' T% ?* F# ~% w" j9 \  SoftICE while the option is enable!!% N  D; q2 y! R& K  x0 l, I) Z

2 t5 @5 @7 ?- M8 K4 NThis trick is very efficient:9 {; R; x7 Z2 I* k5 l- R! a
by checking the Debug Registers, you can detect if SoftICE is loaded' p8 m5 s+ _7 x( Z+ ^; K9 l3 S
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
% g5 m* n" i* z, S4 @. @2 Qthere are some memory breakpoints set (dr0 to dr3) simply by reading their+ S3 r' J$ {- e) R8 {
value (in ring0 only). Values can be manipulated and or changed as well8 K; d, C0 I" J+ L( {
(clearing BPMs for instance)
  y2 S5 }: x7 W4 C5 b
* e0 ]4 q4 g) V; Q6 k% u3 S__________________________________________________________________________. d  T) A. L. ^9 _

; s: X' m. b1 V: [$ oMethod 11: M& v" U0 ~( Z2 ]; L& C
=========2 \0 s: J* d/ J" R% m+ v
$ I. Y0 }& C% H' Z+ n+ D9 B
This method is most known as 'MeltICE' because it has been freely distributed
, V& x- B/ y/ s/ K8 gvia www.winfiles.com. However it was first used by NuMega people to allow
8 J" k. X) b8 E, @, kSymbol Loader to check if SoftICE was active or not (the code is located: \, v$ [5 U5 {2 Q; D& U2 U4 l
inside nmtrans.dll).2 w6 A( F8 m0 |  Q1 o/ }

! B0 J" {. }1 P. |: T. TThe way it works is very simple:
5 L& N  W$ @/ r3 _5 B8 D7 JIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
4 \1 z2 o* e0 B, v* R  _1 eWinNT) with the CreateFileA API.
; f+ K) |+ W' y7 v
8 j% p0 I4 G- E$ J' ^# jHere is a sample (checking for 'SICE'):" q4 v1 |5 q! x6 Q  q6 [  d
# L5 D) z7 N$ r+ K
BOOL IsSoftIce95Loaded()
2 @# s% w2 q$ X{! L) I) j" C1 i& X" v
   HANDLE hFile;  
: l. ?$ e; c: C% H$ b7 }  r6 B   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; E5 _; z. J3 {                      FILE_SHARE_READ | FILE_SHARE_WRITE,. w! c' O- {7 d# u
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 c/ i& y6 \* @" U   if( hFile != INVALID_HANDLE_VALUE )- R; D5 l$ K, Z. S; _
   {4 @2 W$ J( a, c$ M" ?
      CloseHandle(hFile);
2 k5 ~7 `# L; S6 \8 m$ z      return TRUE;: H1 l/ M& K, V" O+ d. R
   }
2 h* y1 W1 z8 v" t   return FALSE;# O" v# l0 Z9 F; k
}
8 e+ G3 K: i' p4 h! c! H- `6 A9 u0 Q# _+ K
Although this trick calls the CreateFileA function, don't even expect to be
0 @- H. d1 v8 {; ?- q' |) Uable to intercept it by installing a IFS hook: it will not work, no way!
! N3 n& Z( I8 bIn fact, after the call to CreateFileA it will get through VWIN32 0x001F4 q( F- B* u# I, i" f/ Z; J
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
3 D6 i3 q- s& {! r: Aand then browse the DDB list until it find the VxD and its DDB_Control_Proc
( [* D  f! Q* {field.3 p# U" W' P9 F$ u9 V  M" j
In fact, its purpose is not to load/unload VxDs but only to send a
# {0 C  C7 I" L3 }) \W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' T8 P6 G. ~/ X9 o: l
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
1 l& b% _8 @9 B7 f6 Y4 X7 j& vto load/unload a non-dynamically loadable driver such as SoftICE ;-).
3 E& \$ K: Z. lIf the VxD is loaded, it will always clear eax and the Carry flag to allow
4 H7 _& y: n; Lits handle to be opened and then, will be detected.* K- B! z' {$ Q1 V  p/ a5 ^
You can check that simply by hooking Winice.exe control proc entry point
! L1 Q9 x( d- P) M2 Z, L7 Cwhile running MeltICE.- F: x: X1 F  t% q# a" o# H
" c& Z% ^$ H: \6 _

9 b1 a; R7 r8 C; A( P2 ^  00401067:  push      00402025    ; \\.\SICE
+ p! t7 H% w$ r5 h7 N  0040106C:  call      CreateFileA
  V+ v4 V" i: ~, w6 V$ W  00401071:  cmp       eax,-001
4 I# p4 z8 \, |2 @: K- j  00401074:  je        00401091
; j5 J4 e- d( z1 w% u6 t" h2 [5 X! M- K6 u, _0 _, w

! ~% b3 u/ A& p: d+ {+ K- F: OThere could be hundreds of BPX you could use to detect this trick.0 N5 ^; ?  x* ^" q6 r
-The most classical one is:% H( p  M! R* Z/ I) h. U% H- H
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
2 W/ [2 X9 |" K% j    *(esp-&gt;4+4)=='NTIC'
: T# \% a, ]' d2 I! d. g; j0 |8 f+ R4 n5 |5 n' n( r! J* `5 y
-The most exotic ones (could be very slooooow :-(: S4 o1 ~7 b' k0 e3 z4 @- I
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  # {7 H: q. @( {( p
     ;will break 3 times :-(
; G* c. i/ L: v* V. {0 W" `; ^/ u& y- [2 @. @8 G" f
-or (a bit) faster: # i0 A1 T8 Q8 C- E
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
- v6 C$ z$ O" a' y; R, w6 f/ U7 x; T- c# Y" i" u
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  1 _+ q( Q- O8 H8 v5 T
     ;will break 3 times :-(2 C9 J) {; h: g1 X& h4 E% V

# }9 D. b" m6 g6 C+ x3 [- a-Much faster:* S. u' }5 B, }0 H) E# q
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'+ a7 ]! S& }5 @6 D! C1 m9 j
" ]0 s, u! U' m4 d- G) w
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
$ I4 J. O8 w( d/ t; q( t9 qfunction to do the same job:4 `) M9 Y2 b1 h$ q0 B

' s& E7 ^% J7 L( h$ u7 {) F- s. Z   push    00                        ; OF_READ* e1 H( p) V7 T) @2 a
   mov     eax,[00656634]            ; '\\.\SICE',08 D9 w% \- @3 ]% K1 C$ Q
   push    eax: q2 d( \" |" {, J$ u8 |
   call    KERNEL32!_lopen. u9 D6 T7 S4 i; r5 R: k3 Q
   inc     eax# i0 L2 j2 w# j
   jnz     00650589                  ; detected5 m2 J9 |2 `* I) ~
   push    00                        ; OF_READ
  `# ~4 |: Z& Q! C3 W* H   mov     eax,[00656638]            ; '\\.\SICE'
! g9 U9 a. M4 f7 n! G# I# `   push    eax* v/ }" u" ?0 V  Y; t  C, Z2 |
   call    KERNEL32!_lopen; N4 U, @% N: F
   inc     eax
) s, S4 I' z; |6 a   jz      006505ae                  ; not detected
8 t' ?* P) J- q6 T" j1 t- \6 o- O, n1 u2 _
. b$ Q* }) b0 y) S
__________________________________________________________________________/ \+ B7 ~5 H+ ]! I0 m
  a6 k+ a: ^1 {7 u# y
Method 12- ?/ `( |" v. L2 S# K% a
=========
$ [' L9 H( z9 ]8 v! U3 x5 ]1 ^: y5 n1 a
This trick is similar to int41h/4fh Debugger installation check (code 05
9 o8 J! w; R8 H4 W( o&amp; 06) but very limited because it's only available for Win95/98 (not NT)
7 H3 ~( G# ]8 C# T  Nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
; v5 G) e  E" c7 l( x2 r5 N) s; t, ?1 O2 G. H; n8 K
   push  0000004fh         ; function 4fh5 l5 H% M* M& o+ ]
   push  002a002ah         ; high word specifies which VxD (VWIN32)/ P- F4 J6 I. L. T) u; L3 N
                           ; low word specifies which service
) x' S# j8 H1 W5 H+ C1 T8 X4 {                             (VWIN32_Int41Dispatch); G+ I* ~" y1 i# k5 e) k3 _- C
   call  Kernel32!ORD_001  ; VxdCall
$ u. V' O% h! J  [8 @   cmp   ax, 0f386h        ; magic number returned by system debuggers$ W3 ?9 Z1 x9 ?: w! j
   jz    SoftICE_detected
1 z- Q' b9 N: c. `) `: B" E1 R
Here again, several ways to detect it:' X9 p3 [$ }" f9 t5 [9 y

1 o% A5 o5 ~5 \& p0 r    BPINT 41 if ax==4f+ ~# u/ v8 o& l+ v
& z' U$ U- J! e2 J
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one6 P$ p) L# I; d; B: H

8 h' K4 R/ c$ {    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A- ?9 H) m5 z9 M) u: |
( C8 n+ r( `9 P1 Z2 r' @
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
( l, Q- Z( m" [# Z* F# J4 s2 @
3 N) Z7 `' Y6 J8 i' B4 h; Z9 p' K__________________________________________________________________________
6 R* a- G9 ]2 F& L, F$ ~; A8 v
! g# E$ K$ Q  U& PMethod 135 ~, q& Y' |+ M  N# H
=========# @0 T& f8 v0 L) F6 D/ I
8 s/ c3 @0 k1 T. a& t2 E
Not a real method of detection, but a good way to know if SoftICE is" t, t# G- i9 H1 |
installed on a computer and to locate its installation directory.6 z! Q0 D" e. {! \: a2 g5 [% H1 ?
It is used by few softs which access the following registry keys (usually #2) :
* I! O5 Y2 c! g) R2 }& c& z1 ]* q* ], G# S8 Q1 V* g
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion0 q" \( F) \! s: m; y
\Uninstall\SoftICE
/ G2 E; H8 x6 \- }/ ?: J7 M( w-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) h9 R/ H; Z# }. ^% Y' _-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* p; |9 K8 K! S, c+ a/ E+ K\App Paths\Loader32.Exe
% I, g& d+ K! r2 o/ P$ B8 ?0 \3 {! Q! @. S
0 @- y" S6 |) t& u+ [9 N4 L; k/ `  E% m
Note that some nasty apps could then erase all files from SoftICE directory4 s: D" l( D- e$ Y
(I faced that once :-(! v6 O. n2 D6 p$ |5 y0 p! a

3 V' `9 ?0 j0 O6 o1 O1 kUseful breakpoint to detect it:
0 S3 v- h" a9 G" F
- U  f# `) d( f; h8 |" l; Q     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'- s, a9 h) z0 x# l2 ]6 i% \" T

0 I: o' R& ]0 \+ b3 Y0 \6 v__________________________________________________________________________
* {: s% ~$ i2 T/ W# J& I' X. Y' Q) E4 C" O( ]

+ q1 ~* V5 t% ?- xMethod 14 , E$ P2 I* P# T9 V2 z/ \1 g( t0 n
=========
+ j" j  ~7 v9 v/ W4 x, y6 x8 b6 T& L
- d& j; ^* A8 [* zA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose! s8 O5 X0 I! G
is to determines whether a debugger is running on your system (ring0 only).
, U+ }. t" G% A1 N6 f  s2 w8 H: A+ q" q' T" @
   VMMCall Test_Debug_Installed6 Q- e2 O# S8 h. P0 c; i
   je      not_installed
1 w. F8 A/ a3 \8 ^3 J, ~" ~8 C8 Z; h/ d4 ]+ n. M
This service just checks a flag.2 J6 x* S9 t2 o3 h* O; a5 p8 s
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-16 20:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表