About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
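As an added illustration (not part of the original text), here is a Python decoder for the DR7 bit layout: it explains why the two values quoted above read 0x400 and 0x700 (bit 10 is a reserved bit that always reads as 1; 0x300 are the LE/GE exact-breakpoint flags), and shows what a programmed memory breakpoint looks like to a check that reads DR0-DR3 and DR7. Bit positions are from the Intel SDM; the function names and the constructed register values are mine.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3  local/global enable for DR0..DR3
#   bits 8-9   LE, GE          "exact breakpoint" flags (0x300)
#   bit  10    reserved, always reads as 1 (this is the 0x400 baseline)
#   bit  13    GD              general detect: trap any MOV to a DRn
#   bits 16+   per slot n: R/Wn at bit 16+4n (2 bits), LENn at bit 18+4n
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding is not in size order


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Describe what reading DR7 (and DR0-DR3) reveals about a debugger."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"slot": n, "addr": dr[n], "kind": RW_KIND[rw],
                        "len": LEN_BYTES[ln], "global": bool(glob)})
    return {
        "exact_flags": (dr7 & 0x300) == 0x300,   # the 0x700 vs 0x400 tell
        "general_detect": bool(dr7 & 0x2000),
        "breakpoints": bps,
    }


def method10_verdict(dr7, dr=(0, 0, 0, 0)):
    """The decision the text describes: BPMs present, loader tell, or clean."""
    info = decode_dr7(dr7, dr)
    if info["breakpoints"]:
        return "bpm-set"
    if info["exact_flags"]:
        return "softice-loader"
    return "clean"


def encode_bpm(slot, addr, kind, length, dr7=0x400):
    """Return (dr7, drN) after programming one memory breakpoint (constructed)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~(0xF << (16 + 4 * slot)) & ~(0x3 << (2 * slot))   # clear slot fields
    dr7 |= 1 << (2 * slot)                                     # local enable Ln
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    return dr7, addr


if __name__ == "__main__":
    for value in (0x400, 0x700):
        print(f"dr7={value:#x}: {method10_verdict(value)}")
    dr7, dr1 = encode_bpm(1, 0x401000, "write", 4)   # constructed BPM on DR1
    print(f"dr7={dr7:#x}: {decode_dr7(dr7, (0, dr1, 0, 0))}")
```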

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>