About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature check in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API 'Get entry point'):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


Second method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
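To make the two dr7 values above concrete, here is an added Python decoder for the DR7 bit layout (this is not code from the original post; the layout follows the Intel manual's definition of DR7). Bit 10 of DR7 is reserved and always reads as 1, which is why an idle system shows 0x400; 0x700 additionally has bits 8 and 9 (LE and GE, the "exact breakpoint" enables) set, which is the state the text attributes to the SoftICE loader. The helper memory_breakpoints_set reports the second condition the text describes, a BPM armed through any of the L0..L3/G0..G3 bits; the sample values at the bottom are constructed.

```python
"""Decode an x86 DR7 value (added illustration of Method 10).

Bit layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the L0/G0 ..
L3/G3 enable pairs, bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1),
bit 13 GD; for breakpoint n, bits 16+4n..17+4n are R/Wn and 18+4n..19+4n LENn.
"""

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints and the control flags held in DR7."""
    breakpoints = []
    for n in range(4):
        local_enable = (dr7 >> (2 * n)) & 1
        global_enable = (dr7 >> (2 * n + 1)) & 1
        if not (local_enable or global_enable):
            continue                      # DRn is not armed; its R/W and LEN are irrelevant
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        length = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "index": n,
            "local": bool(local_enable),
            "global": bool(global_enable),
            "type": RW_NAMES[rw],         # "io" is only meaningful when CR4.DE is set
            "length": LEN_BYTES[length],
        })
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "gd": bool(dr7 & (1 << 13)),
    }


def memory_breakpoints_set(dr7: int) -> bool:
    """The post's second check: is any of DR0..DR3 armed through its L/G bit?"""
    return bool(decode_dr7(dr7)["breakpoints"])


def exact_breakpoint_flags_set(dr7: int) -> bool:
    """The post's first check: LE and GE both set (DR7 == 0x700 on a quiet system)."""
    flags = decode_dr7(dr7)
    return flags["le"] and flags["ge"]


if __name__ == "__main__":
    # Constructed sample values: idle, SoftICE-loader state, and one 4-byte write BPM on DR0.
    for value in (0x400, 0x700, 0xD0401):
        print(hex(value), decode_dr7(value))
```

The third sample value, 0xD0401, sets L0 together with R/W0 = 01 (write) and LEN0 = 11 (4 bytes), which is what a BPM-style write watchpoint on DR0 looks like from ring0.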
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

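As an added example (Python, not code from the original post), here is a small static scanner for the byte patterns and strings the methods above rely on, from the 'BCHK' constant of Method 01 through the back-door magic values of Method 02, the int 2Fh/41h/68h sequences of Methods 03 to 07, the MeltICE device names of Method 11, the VxDCall arguments of Method 12 and the registry key of Method 13. An analyst triaging a packed sample can run it over the raw file to learn which of these checks it carries before stepping through it. The opcode encodings are the standard 16-bit ones (a 0x66 operand-size prefix in 32-bit code leaves the matched bytes unchanged); the SAMPLE blob at the bottom is hand-assembled from the Haspinst.exe listing in Method 02 plus a Method 05 check and a device name, and is constructed, not real program data.

```python
"""Static scanner for the anti-SoftICE patterns catalogued in this post (added example)."""
import re

# (method number in the post, description, byte-level regex).
# Encodings are 16-bit: BE iw = mov si,imm16; BF iw = mov di,imm16; BB iw = mov bx,imm16;
# B8 iw = mov ax,imm16; B4 ib = mov ah,imm8; 3D iw = cmp ax,imm16; CD ib = int imm8;
# 6A ib / 68 id = push imm8 / push imm32.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' magic 4243484Bh", rb"\x4b\x48\x43\x42"),
    ("02", "back door magic values (mov si,4647h ... mov di,4A4Dh)",
     rb"\xbe\x47\x46[\x00-\xff]{0,8}?\xbf\x4d\x4a"),
    ("03", "int 2Fh/1684h with SICE VxD id 0202h",
     rb"\xbb\x02\x02[\x00-\xff]{0,8}?\xcd\x2f"),
    ("04", "int 2Fh/1684h with SIWVID VxD id 7A5Fh",
     rb"\xbb\x5f\x7a[\x00-\xff]{0,8}?\xcd\x2f"),
    ("05", "mov ax,4Fh / int 41h", rb"\xb8\x4f\x00\xcd\x41"),
    ("07", "mov ah,43h / int 68h", rb"\xb4\x43\xcd\x68"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)", rb"\x3d\x86\xf3"),
    ("11", "MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh / push 002A002Ah before VxDCall",
     rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    ("13", "NuMega SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for match in re.finditer(pattern, data):
            hits.append((match.start(), method, description))
    return sorted(hits)


# Constructed sample blob (not real program data).
SAMPLE = (
    b"\x90\x90"                     # nop padding
    + b"\xb8\x11\x09"               # mov ax,0911h
    + b"\x8b\x17"                   # mov dx,[bx]
    + b"\xbe\x47\x46"               # mov si,4647h            (offset 7)
    + b"\xbf\x4d\x4a"               # mov di,4A4Dh
    + b"\xcc"                       # int 3
    + b"\x00" * 4
    + b"\xb8\x4f\x00\xcd\x41"       # mov ax,4Fh / int 41h    (offset 18)
    + b"\x3d\x86\xf3\x74\x10"       # cmp ax,0F386h / jz ...  (offset 23)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"            # '\\.\SICE',0            (offset 32)
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<8} {description}")
```

A hit only says the constant is present: a compare against 0F386h, for instance, also appears in legitimate int 41h debugger hooks, so treat the output as a list of places to inspect rather than as proof that the binary is hostile to SoftICE.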
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>