About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: if SoftICE is loaded
it answers through the BoundsChecker interface and al no longer holds 4
when int 3 returns.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' interface, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI comes back as
0000:0000; any non-zero entry point means SoftICE is present:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here a dummy int 41h handler (a bare
iret) is swapped into the IVT around the call, so that without a system
debugger ax comes back unchanged, while SoftICE, which traps int 41h
itself, still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; es -> IVT (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter so al is not a fixed value
    xor     cx,cx
    int     41h                     ; the dummy handler should copy al into cl
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if SoftICE handled the int, cl was never set
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).
The service returns with the zero flag set when no debugger is installed,
hence the je:

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
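As an added example (not part of the original post, and not code from any of the tools it mentions), here is a small static scanner in C that does offline what the BPX/BPINT conditions above do at run time: it looks through a binary image for the immediates and device/registry strings these tricks embed. The byte encodings are the standard x86 ones for the instructions quoted in the text (for instance `mov ax,1684h` / `mov bx,0202h` is `B8 84 16 BB 02 02`); the sample buffer is constructed for the demo. Methods 06, 08, 09 and 14 have no fixed byte idiom worth matching (a self-chosen handler, an int 21h vector swap, a VMMCall), so they are left out.

```c
/* Static scanner for the anti-SoftICE idioms listed above. Added example, not
 * code from the original post: it looks for the x86 immediates and the
 * device/registry strings those tricks embed in a binary image. Byte encodings
 * are standard x86; the sample buffer at the end is constructed for the demo. */
#include <stdio.h>
#include <string.h>

typedef unsigned char u8;
/* Method 01: mov ebp,4243484Bh ('BCHK'); a 66h prefix precedes it in 16-bit code */
static const u8 sig_bchk[]      = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h / mov di,4A4Dh (the back door magic values) */
static const u8 sig_magic[]     = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };
/* Methods 03/04: mov ax,1684h / mov bx,<VxD ID> (0202h = SICE, 7A5Fh = SIWVID) */
static const u8 sig_sice_id[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02 };
static const u8 sig_siwvid_id[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A };
/* Method 05: mov ax,4Fh / int 41h;  Method 07: mov ah,43h / int 68h */
static const u8 sig_int41[]     = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const u8 sig_int68[]     = { 0xB4, 0x43, 0xCD, 0x68 };
/* Method 10: mov eax,dr7;  Method 12: push 4Fh / push 002A002Ah (VxDCall) */
static const u8 sig_dr7[]       = { 0x0F, 0x21, 0xF8 };
static const u8 sig_vxdcall[]   = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };
/* Methods 11 and 13: device and registry names (byte-exact, case-sensitive) */
static const char dev_sice[]  = "\\\\.\\SICE",  dev_siwvid[] = "\\\\.\\SIWVID",
                  dev_ntice[] = "\\\\.\\NTICE", reg_numega[] = "Software\\NuMega\\SoftICE";

typedef struct { int method; const char *what; const u8 *sig; size_t len; } softice_sig;
#define STR_SIG(s) (const u8 *)(s), sizeof(s) - 1

static const softice_sig sigs[] = {
    {  1, "BoundsChecker 'BCHK' int 3 interface",   sig_bchk,      sizeof sig_bchk      },
    {  2, "back door magic values in SI/DI",         sig_magic,     sizeof sig_magic     },
    {  3, "int 2Fh/1684h with SICE VxD ID",          sig_sice_id,   sizeof sig_sice_id   },
    {  4, "int 2Fh/1684h with SIWVID VxD ID",        sig_siwvid_id, sizeof sig_siwvid_id },
    {  5, "int 41h/4Fh debugger installation check", sig_int41,     sizeof sig_int41     },
    {  7, "int 68h/43h WinICE handler check",        sig_int68,     sizeof sig_int68     },
    { 10, "debug register read (mov eax,dr7)",       sig_dr7,       sizeof sig_dr7       },
    { 11, "MeltICE device name \\\\.\\SICE",         STR_SIG(dev_sice)                   },
    { 11, "MeltICE device name \\\\.\\SIWVID",       STR_SIG(dev_siwvid)                 },
    { 11, "MeltICE device name \\\\.\\NTICE",        STR_SIG(dev_ntice)                  },
    { 12, "VxDCall VWIN32_Int41Dispatch/4Fh",        sig_vxdcall,   sizeof sig_vxdcall   },
    { 13, "registry key Software\\NuMega\\SoftICE",  STR_SIG(reg_numega)                 },
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Offset of the first occurrence of sig in buf, or -1 if absent. */
static long find_sig(const u8 *buf, size_t len, const u8 *sig, size_t slen)
{
    if (slen == 0 || len < slen) return -1;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, sig, slen) == 0) return (long)i;
    return -1;
}

/* Bitmask of methods whose idiom appears in buf: bit N set means method N. */
unsigned scan_anti_softice(const u8 *buf, size_t len)
{
    unsigned mask = 0;
    for (size_t k = 0; k < NSIGS; k++)
        if (find_sig(buf, len, sigs[k].sig, sigs[k].len) >= 0)
            mask |= 1u << sigs[k].method;
    return mask;
}

/* Prints one line per hit (when out is non-NULL) and returns the number of hits. */
int report_anti_softice(const u8 *buf, size_t len, FILE *out)
{
    int hits = 0;
    for (size_t k = 0; k < NSIGS; k++) {
        long off = find_sig(buf, len, sigs[k].sig, sigs[k].len);
        if (off < 0) continue;
        hits++;
        if (out) fprintf(out, "offset 0x%04lx: method %02d - %s\n",
                         off, sigs[k].method, sigs[k].what);
    }
    return hits;
}

/* Constructed sample: a packer-style stub chaining methods 01, 03 and 05, plus
 * the device name a MeltICE-style check would hand to CreateFileA. */
static const u8 sample_stub[] = {
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh            */
    0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04,   /* mov ax,4 / int 3 / cmp al,4  */
    0x75, 0x10,                           /* jnz SoftICE_Detected         */
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02,   /* mov ax,1684h / mov bx,0202h  */
    0xCD, 0x2F,                           /* int 2Fh                      */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,         /* mov ax,4Fh / int 41h         */
    0x3D, 0x86, 0xF3,                     /* cmp ax,0F386h                */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
};

int main(void)
{
    int n = report_anti_softice(sample_stub, sizeof sample_stub, stdout);
    printf("%d signature(s) found, method mask 0x%03X\n", n,
           scan_anti_softice(sample_stub, sizeof sample_stub));
    return 0;
}
```

A hit means the idiom is present, not that the check runs or what it guards. The Haspinst example above loads the back door command string from memory (mov dx,[bx]), so for method 02 only the adjacent SI/DI magic values are matched, and a packer that builds its immediates at run time or XORs its strings will pass this scan. Treat the mask as a triage signal and confirm with the SoftICE breakpoints the text gives for each method.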