About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must point to the IVT (segment 0) here, as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
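Most of the tricks above leave fixed artifacts in the protected file: the 'BCHK' immediate (Method 01), the SI/DI magic values (Method 02), the int 2Fh/1684h VxD IDs (Methods 03/04), the int 41h and int 68h calls with the 0F386h compare (Methods 05, 07, 12), the \\.\SICE-style device names (Method 11), the 002A002Ah VxDCall service word (Method 12) and the registry paths (Method 13). The following scanner is an added example written for this page, not code from the original text or from any of the tools it names; it searches a raw code/data blob for those byte patterns and reports which method each hit corresponds to, so an analyst can triage a sample before ever running it. The opcode encodings assume 16-bit forms for the DOS tricks and 32-bit forms for the Win32 ones, and the sample blob is constructed here for illustration; real packers may obfuscate these sequences, so a clean scan is not proof of absence.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    method: str          # "Method NN" from the text this signature corresponds to
    description: str
    pattern: bytes       # regular expression over raw bytes (re.DOTALL is applied)

SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'), 32-bit encoding BD imm32
    Signature("01", "BoundsChecker 'BCHK' signature check", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h and mov di,4A4Dh within a few bytes of each other (either order)
    Signature("02", "SoftICE back-door magic values SI=4647h DI=4A4Dh",
              rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    Signature("03", "int 2Fh/1684h entry point of VxD 0202h (SICE)",
              rb"\xB8\x84\x16\xBB\x02\x02.{0,8}?\xCD\x2F"),
    Signature("04", "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
              rb"\xB8\x84\x16\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    Signature("05", "int 41h/4Fh debugger installation check", rb"\xB8\x4F\x00\xCD\x41"),
    # Methods 05/07/12 all compare AX against the 0F386h magic number: cmp ax,imm16
    Signature("05/07/12", "cmp ax,0F386h system-debugger magic compare", rb"\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    Signature("07", "int 68h/43h WinICE handler check", rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): NUL-terminated device names passed to CreateFileA/_lopen
    Signature("11", "MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) before VxDCall
    Signature("12", "VxDCall VWIN32_Int41Dispatch service word 002A002Ah", rb"\x68\x2A\x00\x2A\x00"),
    # Method 13: registry paths used to locate the SoftICE installation
    Signature("13", "SoftICE registry key",
              rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)"),
]

def scan(blob: bytes):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        for m in re.finditer(sig.pattern, blob, re.DOTALL):
            hits.append((m.start(), sig.method, sig.description))
    hits.sort()
    return hits

def decode_vxdcall(service: int):
    """Split a VxDCall service dword into (VxD ID, service number): high word = VxD, low word = service."""
    return (service >> 16) & 0xFFFF, service & 0xFFFF

# Constructed sample: a Haspinst-style back-door call, an int 41h/4Fh check,
# a VxDCall service push, a MeltICE device name and a registry path.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\x8B\x17"                      # mov dx,[bx]
    + b"\xBE\x47\x46"                  # mov si,4647h
    + b"\xBF\x4D\x4A"                  # mov di,4A4Dh
    + b"\xCC"                          # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"                  # cmp ax,0F386h
    + b"\x90" * 4
    + b"\x68\x2A\x00\x2A\x00"          # push 002A002Ah
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"0x{offset:06X}  Method {method:<8} {description}")
    vxd, svc = decode_vxdcall(0x002A002A)
    print(f"VxDCall 002A002Ah -> VxD {vxd:04X}h, service {svc:04X}h")
```

Run against a file with `scan(open(path, "rb").read())`; each hit gives the file offset to inspect in a disassembler. The Method 02 and 03/04 patterns tolerate a few bytes between the instructions because the register loads need not be adjacent, while the 0F386h compare is reported separately since it is shared by three methods and only confirms a hit when it appears near one of the int 41h/68h or VxDCall sequences.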