About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes es = 0 (IVT segment), see method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if int 41h really reaches our handler
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
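Most of the tricks above leave fixed byte sequences or strings in the protected binary, which is what an analyst triaging a packed sample looks for before ever running it. The Python scanner below is an added example, not part of the original post or of any tool it mentions. Its byte patterns are the 16-bit (DOS) and 32-bit (Win32) encodings of the instruction sequences quoted for methods 01, 02, 03, 04, 05, 07 and 12, plus the device names of method 11 and the registry keys of method 13; the encodings were worked out for this example, not taken from the post, and the sample blob it scans is constructed here.

```python
import re
from typing import Dict, List

# Opcode patterns for the instruction sequences quoted in the post (encodings
# worked out for this example). Regex escapes keep bytes such as 0x2A literal.
BYTE_PATTERNS: Dict[str, bytes] = {
    # mov ebp, 4243484Bh ('BCHK')                      -> BD 4B 48 43 42
    "M01 BoundsChecker BCHK / int 3": rb"\xBD\x4B\x48\x43\x42",
    # mov si,4647h ; mov di,4A4Dh ; int 3 (either register order)
    "M02 backdoor magic SI/DI + int 3":
        rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)\xCC",
    # mov ax,1684h ; mov bx,0202h ; int 2Fh            (SICE VxD ID)
    "M03 int 2Fh/1684h SICE": rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh            (SIWVID VxD ID)
    "M04 int 2Fh/1684h SIWVID": rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    # mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh": rb"\xB8\x4F\x00\xCD\x41",
    # mov ah,43h ; int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # push 4Fh ; push 2A002Ah (VxDCall VWIN32_Int41Dispatch, 32-bit code)
    "M12 VxDCall 2A002Ah/4Fh": rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00",
    # cmp ax, 0F386h, with or without the 0x66 operand-size prefix
    "0F386h magic compare": rb"\x66?\x3D\x86\xF3",
}

# Strings the MeltICE-style (M11) and registry (M13) checks need to carry.
STRING_MARKERS: Dict[str, List[bytes]] = {
    "M11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "M13 SoftICE registry key": [b"Software\\NuMega\\SoftICE",
                                 b"CurrentVersion\\Uninstall\\SoftICE",
                                 b"App Paths\\Loader32.Exe"],
}


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {marker name: [file offsets]} for every marker present in blob."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in BYTE_PATTERNS.items():
        found = [m.start() for m in re.finditer(pattern, blob)]
        if found:
            hits[name] = found
    for name, needles in STRING_MARKERS.items():
        found = []
        for needle in needles:
            # Win32 code may store the name as a wide string, so check both.
            for encoded in (needle, needle.decode("ascii").encode("utf-16-le")):
                start = blob.find(encoded)
                while start != -1:
                    found.append(start)
                    start = blob.find(encoded, start + 1)
        if found:
            hits[name] = sorted(found)
    return hits


def verdict(blob: bytes) -> str:
    """One-line triage summary listing which of the post's methods were seen."""
    checks = sorted(name for name in scan(blob) if name.startswith("M"))
    if not checks:
        return "no SoftICE checks found"
    return "SoftICE checks: " + ", ".join(name.split(" ")[0] for name in checks)


# Constructed sample: nop padding, then the sequences of methods 01, 02
# (as in the Haspinst listing) and 05, followed by MeltICE and registry strings.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # M01 at 8
    + b"\x00" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # M02 at 31
    + b"\x00" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                   # M05 at 42
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                              # M11 at 56, 65
    + b"Software\\NuMega\\SoftICE\x00"                               # M13 at 75
)

if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name:36s} at {', '.join(hex(o) for o in offsets)}")
    print(verdict(SAMPLE))
```

Run it against a real DOS or Win9x executable by passing the file contents to `scan()`; the byte patterns are exact, so a packer that reorders or splits the instructions will slip past them, and the hits are a triage lead to confirm in a disassembler rather than a verdict on their own.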