About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface SoftICE exposes through INT 3: with EBP holding the
'BCHK' signature and AX=4, SoftICE answers by modifying AL, so AL is no
longer 4 after the call.

    mov     ebp, 04243484Bh        ; 'BCHK' signature
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; AL is left untouched when no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much in use (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which return information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; DS:DX points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own INT 3 exception handler,
  which only gets to run when no debugger swallows the interrupt.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives its API
entry point; otherwise ES:DI is left at 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode int 41h vector is
temporarily replaced by a dummy IRET handler before the call: SoftICE
intercepts the interrupt below the vector table, so it still answers 0F386h
even though the program's own handler would leave AX untouched.

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the dummy handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: instead
of comparing with 0F386h, the installed handler copies AL into CL. If the
program's own handler ran, CL equals AL afterwards; if SoftICE swallowed the
interrupt, it does not.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random AL read from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (the V86 debugger interface):
function AH=43h returns 0F386h in AX when a debugger is installed.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with DS:DX
pointing to the new routine to execute (hangs the computer...).

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ECX) if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
value (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

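Added example (not part of the original text): a DR7 decoder in Python that
shows what the two values above mean. Per the Intel manual, bit 10 of DR7 is
reserved and always reads as 1, which is where 0x400 comes from; 0x700 adds
bits 8 and 9 (LE and GE, the exact-match enables); bits 0..7 are the L/G
enables of DR0..DR3 and bits 16..31 hold their R/W and LEN fields, which is
what a BPM sets. The mapping of a SoftICE BPM onto these fields is my reading
of the manual, not something this page states; the code cannot read the real
DR7 (ring 0 only) and works on values you pass in.

```python
"""Decode and compose the x86 DR7 debug-control register (added example).
Layout per the Intel SDM: bits 0..7 = L0/G0..L3/G3 enables, bit 8 = LE,
bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD,
bits 16+4i..17+4i = R/Wi and 18+4i..19+4i = LENi for breakpoint i."""
from dataclasses import dataclass

RW_CODES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_CODES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode
RESERVED_BIT10 = 1 << 10               # always set: a "clean" DR7 reads 0x400


@dataclass
class HwBreakpoint:
    index: int      # 0..3: which of DR0..DR3 holds the linear address
    local: bool     # Lx: enabled for the current task
    global_: bool   # Gx: enabled for all tasks
    kind: str       # execute / write / io / read/write
    length: int     # bytes covered by the breakpoint


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its armed breakpoints and control flags."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, local, glob, RW_CODES[rw], LEN_CODES[ln]))
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),
    }


def classify_dr7(dr7: int) -> str:
    """The ring-0 check of Method 10, as a decision on the DR7 value alone."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed"
    if info["le"] or info["ge"]:
        return "exact-match enables set (debugger loader)"
    return "clean"


def dr7_with_bpm(dr7: int, index: int, kind: str, length: int) -> int:
    """Arm a BPM-style (local) breakpoint on DR<index> in a copy of DR7."""
    rw = {v: k for k, v in RW_CODES.items()}[kind]
    ln = {v: k for k, v in LEN_CODES.items()}[length]
    dr7 &= ~(0b11 << (2 * index)) & ~(0xF << (16 + 4 * index))   # clear old fields
    return (dr7 | (1 << (2 * index))
            | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index)))


def clear_bpms(dr7: int) -> int:
    """What 'clearing BPMs' means: drop all enables and R/W-LEN fields,
    keep bits 8..15 (LE, GE, GD and the reserved bit) untouched."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    for value in (0x400, 0x700, dr7_with_bpm(0x700, 0, "write", 1)):
        print(hex(value), classify_dr7(value), decode_dr7(value)["breakpoints"])
```

A BPM 401000 W set while running under the loader therefore shows up as
0x10701 (L0 set, R/W0 = write, LEN0 = 1 byte, on top of 0x700); clearing it
takes DR7 back to 0x700, which is why the text warns against tracing while a
protection of this kind is active.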
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* the open succeeds only if the SICE VxD is loaded and answers */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able to
intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and is thus detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger-installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
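Added example, not part of the original text: a Python scanner that looks for
the byte-level fingerprints of the tricks above (methods 01, 02, 03/04, 05, 07,
11, 12 and 13) in a binary, so you know which BPX to set before running it.
The opcode encodings are the plain ones an assembler emits for the listings on
this page (for example BD 4B 48 43 42 for mov ebp,4243484Bh, B8 4F 00 CD 41
for mov ax,4Fh / int 41h); a packer that builds the constants arithmetically
evades them, so treat hits as leads, not proof. The sample blob is constructed
for this demonstration and is not taken from any real program.

```python
"""Static scan of a binary for the anti-SoftICE fingerprints listed above.
Added example: signatures derived from this page's listings; SAMPLE is a
constructed blob, not a real executable."""
import re
import sys

# (label, regex over raw bytes). Immediates are little-endian; an optional
# 66h prefix covers the same instruction emitted from 32-bit code.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42")),             # mov ebp,4243484Bh
    ("M02 back-door magic SI/DI",
     re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A")),                   # mov si,4647h / mov di,4A4Dh
    ("M03 int 2Fh/1684h for SICE",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02")),                   # mov ax,1684h / mov bx,0202h
    ("M04 int 2Fh/1684h for SIWVID",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A")),                   # mov ax,1684h / mov bx,7A5Fh
    ("M05 int 41h/4Fh",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00(?:\x00\x00)?\xCD\x41")), # mov ax|eax,4Fh / int 41h
    ("M05/07/12 compare with 0F386h",
     re.compile(rb"\x3D\x86\xF3")),                               # cmp ax,0F386h (prefix of cmp eax,...)
    ("M07 int 68h/43h",
     re.compile(rb"\xB4\x43\xCD\x68")),                           # mov ah,43h / int 68h
    ("M11 MeltICE device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)\x00")),  # "\\.\SICE",0 etc.
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")),   # push 4Fh / push 2A002Ah
    ("M13 NuMega registry key",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every fingerprint found, in file order."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), label))
    return sorted(hits)


def summarize(blob: bytes) -> dict:
    """Count hits per label; an empty dict means nothing recognised."""
    counts = {}
    for _, label in scan(blob):
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample: NOP padding around hand-assembled copies of the
# Method 01, 02 and 05 sequences, two MeltICE device names and the #2 key.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"        # mov ax,911h; mov dx,[bx]; mov si/di magic; int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")
```

Run it with a file argument to scan a real binary; without one it scans the
constructed sample and reports the Method 01, 02, 05, 11 and 13 fingerprints
embedded in it. The 0F386h compare fires for methods 05, 07 and 12 alike, so
pair it with the int 41h, int 68h or VxDCall hit to tell them apart.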
</PRE></TD></TR></TBODY></TABLE>