About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker signature that SoftICE answers to: the program raises int 3
with EBP = 'BCHK' and AX = 4. When SoftICE is loaded, its int 3 handler
recognises the magic values and changes AL; with no debugger present AL is
simply left at 4.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker magic)
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL still 4 => nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information about breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). When the VxD is loaded, ES:DI receives the
address of its API entry point; otherwise ES:DI stays 0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still zero => VxD not loaded
    jnz     SoftICE_Detected

Note that adding ES and DI in a 16-bit register can wrap to zero for an
unlucky entry point; OR-ing the two registers instead of adding them avoids
that false negative.

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a dummy handler (ES must point to the interrupt vector table,
i.e. ES=0, as in Method 06) so the call is harmless when no debugger is
installed: in that case the dummy handler runs and ax is left at 4Fh,
whereas SoftICE handles int 41h itself and returns 0F386h.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect. A
byte read from port 40h (a PIT counter, effectively unpredictable) is passed
in AL and CX is cleared; the program's own int 41h handler copies AL into
CL, so CL==AL afterwards means the handler ran normally, while CL still 0
means something else (SoftICE) swallowed the interrupt. No 4Fh/0F386h
constants appear, so a breakpoint on the magic values does not catch it.
(If the timer byte happens to be 0 the check misses, which the author of
the trick evidently accepted.)

int41handler PROC
    mov     cl,al               ; prove that our handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (the V86-mode debugger
interface), function 43h:

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...).

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are memory breakpoints set (dr0 to dr3), simply by reading
their value (ring0 only, since MOV from a debug register is privileged).
The values can be manipulated or changed as well (clearing BPMs for
instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; a valid handle means the driver
is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the C literal "\\\\.\\SICE" is the device name \\.\SICE */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* device opened: the SoftICE VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it is only available on Win95/98
(not NT), as it uses the VxDCall backdoor. This detection was found in the
Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set => no debugger

This service just checks a flag.
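Most of the tricks above leave fixed byte sequences in the protected file, so an analyst can find them before ever loading the program under a debugger. The scanner below is an added example written for this page (it is not part of the original text, nor code from SoftICE, MeltICE or any of the programs named above): it searches a file image for the encodings of Methods 01-05, 07, 11, 12 and 13 and reports where they occur. The opcode patterns are my own encodings of the instruction forms shown in the text, and build_sample() hand-assembles a small constructed stub (not a real protected program) so the scanner runs offline.

```python
"""Static scanner for the anti-SoftICE byte patterns described in the text."""
import re

# (method number from the text, description, bytes regex).
# Encodings are the plain x86 forms of the instructions shown above; a 66h
# operand-size prefix in 16-bit code precedes the matched bytes and does not
# disturb the match. Patterns are my own, derived from the text.
SIGNATURES = [
    ("01", "int 3 with EBP='BCHK' (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("02", "int 3 back door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("05", "int 41h/4Fh followed by cmp ax,0F386h",
     rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3"),
    ("07", "int 68h/43h",
     rb"\xB4\x43\xCD\x68"),
    ("11", "MeltICE device name \\\\.\\SICE / SIWVID / NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key Software\\NuMega\\SoftICE",
     rb"NuMega\\SoftICE"),
]
# DOTALL so the "up to N bytes apart" gaps may contain 0Ah as well.
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(data: bytes):
    """Return sorted (offset, method, description) for every signature hit."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def report(data: bytes):
    """One human-readable line per hit."""
    return ["%08X  method %s: %s" % (off, meth, desc)
            for off, meth, desc in scan(data)]


def build_sample() -> bytes:
    """Constructed input (not a real program): hand-assembled copies of some
    of the sequences from the text, separated by 7-byte NOP sleds."""
    nops = b"\x90" * 7
    # 16-bit: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz $
    method01 = bytes.fromhex("66BD4B484342 B80400 CC 3C04 75FE")
    # 16-bit: mov ax,911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    method02 = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")
    # 16-bit: xor di,di / mov es,di / mov ax,1684h / mov bx,202h / int 2Fh
    method03 = bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F")
    # 16-bit: mov ax,4Fh / int 41h / cmp ax,0F386h / jz $
    method05 = bytes.fromhex("B84F00 CD41 3D86F3 74FE")
    # 32-bit: push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h
    method12 = bytes.fromhex("6A4F 682A002A00 E800000000 663D86F3")
    # MeltICE-style NUL-terminated device names
    meltice = rb"\\.\SICE" + b"\x00" + rb"\\.\NTICE" + b"\x00"
    return nops.join([method01, method02, method03, method05, method12, meltice])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in report(data):
        print(line)
```

Run it as `python3 scanner.py some.exe` to scan a real file; without an argument it scans the constructed sample. Methods 06, 08, 09, 10 and 14 are deliberately left out: they use an unpredictable value, a generic DOS vector call, or VMM services that only appear inside a VxD, so they have no byte signature that is specific to SoftICE detection.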