About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface inside SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; SoftICE answers by clearing AL; a plain
    jnz     SoftICE_Detected       ; INT 3 handler leaves AX untouched

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). If no VxD answers, ES:DI stays 0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The trick is to install a dummy int 41h
handler first: if the interrupt is still answered with 0F386h, something
other than the IVT entry (the debugger) handled it.

    mov     bx, cs                  ; es is assumed to be 0 (IVT segment)
    lea     dx, int41handler2       ; here, as set explicitly in Method 06
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
because no 4Fh/0F386h signature appears. The dummy handler copies AL into
CL: if int 41h really reached the program's own handler, CL equals the
value read from the timer port; if it was intercepted, CL stays 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from PIT channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; set interrupt vector
    mov     al, 01h                 ; or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ECX) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless here ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (dr0 to dr3), simply by
reading their values (ring 0 only). The values can be manipulated and/or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SoftICE for Windows 9x driver (\\.\SICE) can be
   opened, i.e. if SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the subkey strings of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
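The conditional breakpoints given for methods 11 and 13 (`BPX CreateFileA if *(esp->4+4)=='SICE' ...`, `BPX _regopenkey if *(esp->8+0x13)=='tICE' ...`) all compare a 4-byte window at a fixed offset inside the string argument, so they only fire when the tag sits at exactly that offset. The following C program is an added example, not code from the original post or from SoftICE: it models that comparison on the device names and registry subkeys quoted above, and computes the offset you would need to put into a new condition for a different string. The string inputs are constructed from the names on the page.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the original post). SoftICE evaluates 'SICE' so
 * that it matches the bytes S,I,C,E in memory order, so the check is a raw
 * 4-byte compare rather than a C multi-character constant, whose byte
 * order is compiler-defined. */

/* 1 if the 4 bytes at s+off equal the 4-character tag and lie inside s. */
int tag_at(const char *s, size_t off, const char *tag)
{
    if (off + 4 > strlen(s))        /* window would run past the string */
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* First offset of tag in s, or -1: this is the "+0x13"/"+0x37" part of a
 * condition such as *(esp->8+0x13)=='tICE'. */
long tag_offset(const char *s, const char *tag)
{
    const char *p = strstr(s, tag);
    return p ? (long)(p - s) : -1;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || 'SIWV' || 'NTIC':
 * lpFileName is the first stack argument, +4 skips the "\\.\" prefix. */
int melt_ice_condition(const char *lpFileName)
{
    return tag_at(lpFileName, 4, "SICE") ||
           tag_at(lpFileName, 4, "SIWV") ||
           tag_at(lpFileName, 4, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE':
 * lpSubKey is the second stack argument. */
int regkey_condition(const char *lpSubKey)
{
    return tag_at(lpSubKey, 0x13, "tICE") || tag_at(lpSubKey, 0x37, "tICE");
}

int main(void)
{
    /* constructed inputs, taken from the names quoted in the post */
    const char *devices[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                              "\\\\.\\PIPE\\x" };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe"
    };
    size_t i;

    for (i = 0; i < sizeof devices / sizeof *devices; i++)
        printf("CreateFileA(\"%s\") -> breakpoint %s\n", devices[i],
               melt_ice_condition(devices[i]) ? "fires" : "silent");

    for (i = 0; i < sizeof keys / sizeof *keys; i++)
        printf("RegOpenKey(\"%s\") -> 'tICE' at offset %ld, breakpoint %s\n",
               keys[i], tag_offset(keys[i], "tICE"),
               regkey_condition(keys[i]) ? "fires" : "silent");
    return 0;
}
```

Running it shows why the two registry offsets differ (0x13 for the NuMega key, 0x37 for the Uninstall key) and that key #3 is not caught by that breakpoint at all, so a program probing only `App Paths\Loader32.Exe` needs its own condition.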
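Method 10 quotes two raw DR7 values (0x700 and 0x400) without saying which bits they stand for. The following C code is an added example, not from the original post: it decodes DR7 according to the Intel-documented bit layout, counts the armed hardware breakpoints (what SoftICE BPMs leave behind in DR0-DR3/DR7), and rebuilds the value a write breakpoint produces. Reading DR7 itself needs a ring 0 `mov eax, dr7`, which is why the post restricts the trick to ring 0; here the value is passed in so the decoder runs anywhere. The characterisation of 0x700 as "loaded via the SoftICE loader" is the post's claim, not something this code can verify.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post): DR7 decoder. Layout per the
 * Intel SDM: bits 0-7 = L0,G0,...,L3,G3; bit 8 = LE; bit 9 = GE;
 * bit 10 = reserved, reads as 1 (hence the 0x400 baseline); bit 13 = GD;
 * bits 16-31 = R/Wn (2 bits) and LENn (2 bits) for n = 0..3. */
struct dr7_bp {
    int local, global;  /* Ln / Gn enable bits */
    int rw;             /* 0 = exec, 1 = write, 2 = I/O (DE), 3 = read/write */
    int len;            /* 0 = 1 byte, 1 = 2 bytes, 2 = 8 bytes, 3 = 4 bytes */
};

struct dr7 {
    struct dr7_bp bp[4];
    int le, ge;         /* exact breakpoint enables, bits 8 and 9 */
    int gd;             /* general detect: trap on debug-register access */
};

struct dr7 dr7_decode(uint32_t v)
{
    struct dr7 d;
    for (int i = 0; i < 4; i++) {
        d.bp[i].local  = (v >> (2 * i)) & 1;
        d.bp[i].global = (v >> (2 * i + 1)) & 1;
        d.bp[i].rw     = (v >> (16 + 4 * i)) & 3;
        d.bp[i].len    = (v >> (18 + 4 * i)) & 3;
    }
    d.le = (v >> 8) & 1;
    d.ge = (v >> 9) & 1;
    d.gd = (v >> 13) & 1;
    return d;
}

/* Number of hardware breakpoints (BPMs) currently armed. */
int dr7_active_breakpoints(uint32_t v)
{
    struct dr7 d = dr7_decode(v);
    int n = 0;
    for (int i = 0; i < 4; i++)
        n += (d.bp[i].local || d.bp[i].global);
    return n;
}

/* The post's heuristic: 0x700 = LE and GE set above the reserved bit 10
 * (0x400), which it attributes to a program started from the SoftICE loader;
 * 0x400 alone is the CPU reset value. */
int dr7_looks_like_softice_loader(uint32_t v)
{
    struct dr7 d = dr7_decode(v);
    return d.le && d.ge;
}

/* Arm a local write breakpoint of the given LEN code on slot 0..3, keeping
 * the reserved bit set, to see what a BPM on data looks like in DR7. */
uint32_t dr7_set_write_bp(uint32_t v, int slot, int len_code)
{
    v |= 1u << (2 * slot);                           /* Ln */
    v &= ~(0xFu << (16 + 4 * slot));                 /* clear R/Wn, LENn */
    v |= (uint32_t)(1 | (len_code << 2)) << (16 + 4 * slot); /* R/W=01 */
    return v | 0x400;
}

int main(void)
{
    uint32_t samples[] = { 0x400, 0x700, dr7_set_write_bp(0x400, 0, 3) };
    for (size_t i = 0; i < 3; i++) {
        struct dr7 d = dr7_decode(samples[i]);
        printf("DR7=%#07x: LE=%d GE=%d GD=%d armed=%d", samples[i],
               d.le, d.ge, d.gd, dr7_active_breakpoints(samples[i]));
        for (int n = 0; n < 4; n++)
            if (d.bp[n].local || d.bp[n].global)
                printf(" [bp%d rw=%d len=%d]", n, d.bp[n].rw, d.bp[n].len);
        printf("%s\n", dr7_looks_like_softice_loader(samples[i])
                           ? "  <- LE+GE set (post: SoftICE loader)" : "");
    }
    return 0;
}
```

A BPM on a 4-byte write in slot 0 yields 0xD0401: L0 set, R/W0 = 01 (write), LEN0 = 11 (4 bytes), plus the reserved bit. A protector running in ring 0 that sees a non-zero armed count, or non-zero DR0-DR3, knows a hardware breakpoint is in place, and can clear it exactly as the post warns.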