About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
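The listings above give a defender enough to recognise most of these tricks statically. As an added example (not part of the original text), the Python scanner below encodes the byte sequences of several of the methods described (01, 02, 03/04, 05, 07, 11 and 12) and reports which ones appear in a binary image, so a packer or installer can be triaged without running it. It assumes 16-bit code for the DOS/int tricks and 32-bit code for the 'BCHK' and VxDCall sequences; the sample image is constructed here.

```python
import re

# Each entry: (label, regex over raw bytes).  Immediates are little-endian and
# short lazy gaps (.{0,n}?) allow a few unrelated instructions in between.
# Encodings assume 16-bit code for the DOS/int tricks (methods 02-07) and
# 32-bit code for the 'BCHK' (01) and VxDCall (12) sequences.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\x66\xB8\x04\x00.{0,8}?\xCC", re.S)),
    # 02: mov si,4647h ; mov di,4A4Dh ; int 3   (the back-door magic values)
    ("02 back-door int 3 (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)", re.S)),
    # 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    # 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07 int 68h/43h magic 0F386h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.S)),
    # 11 (MeltICE): NUL-terminated device name handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch) ; call VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
]


def scan(image: bytes) -> list[tuple[str, int]]:
    """Return (label, offset) for every signature found, ordered by offset."""
    hits = [(label, m.start())
            for label, pattern in SIGNATURES
            for m in pattern.finditer(image)]
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample image: fragments modelled on the listings above, separated
# by NOP (0x90) padding.  Offsets are arbitrary; a real file would be read in.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"      # method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"              # method 05
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # method 03
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                       # method 11
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {label}")
```

The gaps are kept short on purpose: a packer that interleaves junk instructions between the magic loads and the int will slip past these exact patterns, which is the usual trade-off between a tight signature and false positives.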