About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: BoundsChecker identifies
itself with 'BCHK' in EBP on an INT 3, and a loaded SoftICE answers by
modifying AL.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface
    cmp     al,4                   ; AL unchanged -> nobody answered
    jnz     SoftICE_Detected       ; AL modified  -> SoftICE answered

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It calls
the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE to recognise a back door call.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot of the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives its API entry
point; if it is not, ES:DI stays 0:0, which is why both registers are cleared
before the call.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 -> VxD not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily replaces the int 41h
vector with its own empty handler: on a clean system the call returns with
AX unchanged, while a system debugger, which services int 41h before the
real-mode vector is reached, still answers 0F386h.

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, old vector -> BX:DX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect.
Instead of looking for 0F386h, it installs an int 41h handler that copies AL
into CL, loads AL with a varying byte read from the timer, and clears CX
before the call. If the interrupt reached the program's own handler, CL
equals AL afterwards; if a debugger swallowed int 41h, CL is still zero.
(When the timer byte happens to be zero the check misses; that is the price
of using a random value.)


int41handler PROC
    mov     cl,al                   ; only our own handler does this
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, old vector -> BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0: a (nearly) random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...). Every
debugger relies on int 01h (single step) and int 03h (breakpoint), so
hijacking those two vectors breaks SoftICE rather than detecting it.

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it can only be
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless here ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring 0 only: a MOV from a debug register faults at ring 3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

__________________________________________________________________________
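As an added illustration (not part of the original text), the following Python decodes a DR7 value into the fields a ring-0 check like the one above reads: the LE/GE "exact match" bits that explain 0x700 versus 0x400, the always-set reserved bit 10 behind 0x400, and the enable/type/length fields of the four hardware breakpoints (the BPMs). The bit layout is the standard x86 one; the sample values (0x400, 0x700 and a DR7 with one armed breakpoint at a made-up address) are constructed for this example.

```python
# Added example: decode DR7 the way a ring-0 anti-SoftICE check would.
# DR7 layout (standard x86):
#   bit 2i   = L<i>  local enable of breakpoint i   (i = 0..3)
#   bit 2i+1 = G<i>  global enable of breakpoint i
#   bit 8    = LE, bit 9 = GE  (exact breakpoint match; set by debuggers)
#   bit 10   = reserved, reads as 1 -> an untouched DR7 reads 0x400
#   bit 13   = GD  general detect (trap any access to the debug registers)
#   bits 16+4i..17+4i = R/W<i>  (00 exec, 01 write, 11 read/write)
#   bits 18+4i..19+4i = LEN<i>  (00 1 byte, 01 2 bytes, 11 4 bytes;
#                                10 is 8 bytes in 64-bit mode only)

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return a dict describing what DR7 (plus DR0..DR3 addresses) encodes."""
    breakpoints = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue  # breakpoint i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        length = (dr7 >> (18 + 4 * i)) & 0b11
        breakpoints.append({
            "index": i,
            "address": dr0_3[i],
            "scope": "global" if glob else "local",
            "kind": RW_NAMES[rw],
            "length": LEN_BYTES[length],
        })
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
        "breakpoints": breakpoints,
    }


def softice_verdict(dr7, dr0_3=(0, 0, 0, 0)):
    """The article's heuristic: any armed BPM, or LE/GE set, means a debugger."""
    info = decode_dr7(dr7, dr0_3)
    if info["breakpoints"]:
        return "memory breakpoints set"
    if info["le"] or info["ge"]:
        return "debugger loaded (LE/GE set)"
    return "clean"


if __name__ == "__main__":
    # Constructed samples: the two DR7 states quoted in the text, and a DR7
    # with a 4-byte read/write BPM on DR0 at an arbitrary address.
    for dr7, regs in ((0x400, (0, 0, 0, 0)),
                      (0x700, (0, 0, 0, 0)),
                      (0x000F0401, (0x00401000, 0, 0, 0))):
        print(hex(dr7), softice_verdict(dr7, regs), decode_dr7(dr7, regs))
```

Reading the registers is the only part that needs ring 0; the decoding is pure arithmetic, so the same function is handy when you find DRx values in a crash dump or a VM trace.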

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API. If the driver is loaded the open
succeeds, and the handle is closed again right away.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);        /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware soft try to load/unload
a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix so the
  comparison starts at the device name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey string; 0x13 is the offset of 'tICE' inside
     "Software\NuMega\SoftICE", 0x37 its offset inside the Uninstall key #1)

__________________________________________________________________________

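Most of the tricks above leave recognisable bytes in the protected file: the 'BCHK' immediate of method 01, the 4647h/4A4Dh magic of method 02, the int 2Fh/1684h queries of methods 03 and 04, the int 41h/4Fh and int 68h checks with their 0F386h compare (05, 07), the VxDCall pushes of method 12, the MeltICE device names of method 11 and the registry keys of method 13. As an added example (not part of the original text, and not code from any of the programs it mentions), the following Python scans a buffer for those patterns. The opcode encodings are standard x86 (an optional 66h prefix covers 16-bit immediates used inside 32-bit code); the sample buffer is hand-assembled here for illustration and is not taken from a real binary.

```python
# Added example: static scan for the anti-SoftICE byte patterns described in
# methods 01-05, 07, 11, 12 and 13. Opcode bytes are standard x86 encodings.
import re

# (method, description, regex over raw bytes). `.{0,N}?` tolerates a few
# unrelated instructions between the parts of a multi-instruction stub.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' (BoundsChecker interface, INT 3)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("02", "mov si,4647h / mov di,4A4Dh (INT 3 back door magic)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD)",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x02\x02.{0,8}?\xCD\x2F",
                re.DOTALL)),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD)",
     re.compile(rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB\x5F\x7A.{0,8}?\xCD\x2F",
                re.DOTALL)),
    ("05", "mov ax,4Fh / int 41h / cmp ax,0F386h",
     re.compile(rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x66?\x3D\x86\xF3",
                re.DOTALL)),
    ("07", "mov ah,43h / int 68h / cmp ax,0F386h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x66?\x3D\x86\xF3", re.DOTALL)),
    ("11", "MeltICE device name (\\\\.\\SICE, SIWVID, NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"Software\\(?:NuMega\\SoftICE|"
                rb"Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE)",
                re.IGNORECASE)),
]


def scan(blob):
    """Return a list of (offset, method, description) hits sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


# Constructed sample: hand-assembled stubs of methods 01, 02, 05 and 12 plus
# the MeltICE device name and a registry key, padded with NOPs.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                        # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"                            # mov ax,4 (32-bit code)
    + b"\xCC"                                        # int 3
    + b"\x3C\x04"                                    # cmp al,4
    + b"\x75\x10"                                    # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"                                # mov ax,0911h (16-bit)
    + b"\xBE\x47\x46"                                # mov si,4647h
    + b"\xBF\x4D\x4A"                                # mov di,4A4Dh
    + b"\xCC"                                        # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"    # mov ax,4Fh / int 41h /
                                                     # cmp ax,0F386h / jz
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                # push 4Fh / push 2A002Ah
    + b"\xFF\x15\x00\x20\x40\x00"                    # call [VxDCall] (any addr)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                             # MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"               # registry key #2
)


if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method}: {desc}")
```

Treat a hit as a reason to set a breakpoint there, not as proof: the same check can be written with other registers, loaded through a table, or built with push/pop sequences, and the device and key strings can be stored obfuscated; the breakpoints listed under each method are the reliable confirmation.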

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>