找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>! ]2 q4 e$ `, s
<TBODY>( W& s( j+ X, n
<TR>1 H% C5 q5 K: d1 F
<TD><PRE>Method 01
3 A; {6 M5 U- U& q4 w' A; ]9 x=========
! d3 l2 N! z: G$ V3 C) r: Y
* I2 Y" n/ q" R& O. c+ S" ?This method of detection of SoftICE (as well as the following one) is
0 }) T" K( ^- S8 |' R. A# l+ ~used by the majority of packers/encryptors found on Internet.. I; j% R6 K3 i8 \
It seeks the signature of BoundsChecker in SoftICE8 h9 {- }& f5 |
8 d, g8 z$ P5 f5 @
    mov     ebp, 04243484Bh        ; 'BCHK'* N3 g$ P, U. {$ n; c6 C$ I) k. f
    mov     ax, 04h% Y0 f% T; A, G- y
    int     3      
& D5 q5 s! M# z$ j5 b# _7 F    cmp     al,4( }+ w/ X# U* [5 q* e% A# b
    jnz     SoftICE_Detected- ?8 p, l8 s! a& h

! j! d* p: f; J+ ^$ w( U4 M___________________________________________________________________________
! {; V6 S' F. n$ F+ e( L3 @5 I# M6 M9 J- P2 X  D' d1 o  }
Method 02
5 ~! O+ C, P4 c; f* b=========# B! \, S- e2 Q5 u

4 ~: ^, G$ o, ]6 g5 {" x' |Still a method very much used (perhaps the most frequent one).  It is used
- C( q/ `8 Q2 Z; `5 hto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
5 v6 W5 A. c4 O) J4 o- hor execute SoftICE commands...# U7 d# B+ B% @6 {* d0 J* [
It is also used to crash SoftICE and to force it to execute any commands  t, x, B) ~/ [# a& k2 ]' w
(HBOOT...) :-((  
7 D9 E( [  \4 B* X) X: L
# |# f8 B9 q" ^; ~5 s2 I/ PHere is a quick description:
; {3 ?( E5 k/ i5 ]  ]# M/ w-AX = 0910h   (Display string in SIce windows)
" H% y0 U' _! `# J* [, D; B& @-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
# z; K1 p" U- }. c& Z8 T-AX = 0912h   (Get breakpoint infos)3 o7 f" A% m5 Y
-AX = 0913h   (Set Sice breakpoints)" h9 L4 T+ j2 {8 B
-AX = 0914h   (Remove SIce breakoints)7 y% B/ B2 E1 h+ J3 k
  Z6 b- N& s, M0 f& a9 N
Each time you'll meet this trick, you'll see:/ x: w7 A" L+ ?7 B+ ?/ n7 r
-SI = 4647h
4 @  A' w! T9 r5 N-DI = 4A4Dh: V! I. L/ N1 x8 v& w0 J
Which are the 'magic values' used by SoftIce.
1 @0 q- l' p% d1 A) zFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
: m$ Z  N# Y; O/ H$ A9 H3 K( a2 c* C  h, i* {
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ X! u/ O& p0 }# TEnvelope utility use to protect DOS applications:
% R/ g( T4 ^1 x- Q7 ^
8 [1 B2 M: w& v% F& u# p$ h* ?& g/ s; V+ ^
4C19:0095   MOV    AX,0911  ; execute command.
6 s" d' G# V  Q& ^* _. X4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).& a. f. ~$ m( Q# |: X1 H. u
4C19:009A   MOV    SI,4647  ; 1st magic value.5 x, H& }" s' B" S% u" t
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.# z  S" s# \, i% R: h
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*): z5 ~- u6 W# j8 o
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
! s( M8 D6 q/ P6 f4C19:00A4   INC    CX! P- b' G. _% P1 ^. W
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute+ X3 t4 u/ K- N" u9 F7 `0 y
4C19:00A8   JB     0095     ; 6 different commands.2 P" @. B& v4 `, e
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.; N0 ]7 D4 ~3 L
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :). K4 R" w4 S( F3 ]; |

, ~  b! u6 p- Z* BThe program will execute 6 different SIce commands located at ds:dx, which
- o9 L" N# r+ h# W. j' s2 uare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.  X  v4 y8 h5 o+ s
# n" i6 l( O4 K% k) u! |
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded." K& m8 P2 t5 p6 G, Y- C) R0 r( y; P
___________________________________________________________________________& h7 R" g( h" Y" u) O+ S

) V: p  G8 H; g7 r/ ~% s$ K0 [! O& M7 e" u& r8 c' |0 B
Method 03
) E9 C+ m! |' C7 t. A, e=========
  ?5 U7 D. o4 C! Q( ?' A: ~( \: I7 w, e1 S8 A6 r5 s# d
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h1 y. N  \6 `4 a+ g
(API Get entry point)
) i, F% o1 R' y, Z  p5 n        
; G. q! J* H' O
; _- o4 I' N- r1 y) K# q; D% T    xor     di,di
& v0 ^' q5 c( c$ N4 ]9 m" T    mov     es,di* @2 z0 v3 D; O' X
    mov     ax, 1684h       $ U- Q& s+ d- J6 A
    mov     bx, 0202h       ; VxD ID of winice
5 n8 \% v  t) l) i/ u+ W    int     2Fh
" \4 f4 t( ]( A    mov     ax, es          ; ES:DI -&gt; VxD API entry point
# U. X- `) \4 r  B    add     ax, di
# L: y: e( C1 p9 A    test    ax,ax+ A' Q3 m# d% @6 U+ R  j
    jnz     SoftICE_Detected
9 c8 M( L2 F  i/ C  {; K: K% W% h5 _
. T# D) S+ A3 D- g: G+ ~6 f___________________________________________________________________________
; S* h8 w- C! ~$ \1 h3 i8 r+ C. Y2 i3 p: l
Method 04
$ r! h  |  G* |% h0 P* J* N" b( i=========& X& {  }- J: A
+ f, e6 b# T& F- V
Method identical to the preceding one except that it seeks the ID of SoftICE
  F- m$ u, }, qGFX VxD.* U4 G9 J- G2 A- K
+ e# e) l" e9 k, [# o  E$ k8 s& I
    xor     di,di3 ]( \4 F' b, _. @- l
    mov     es,di4 l* o% o8 o) d% M9 [
    mov     ax, 1684h       8 N- Q5 y. a- e5 j! t
    mov     bx, 7a5Fh       ; VxD ID of SIWVID# z: `3 s" l% i8 K6 u
    int     2fh* }9 T8 k7 q; E# c, F8 j) T# s
    mov     ax, es          ; ES:DI -&gt; VxD API entry point. L+ q+ w& x: a: M2 O, M: y
    add     ax, di* b% }& _, _5 |' m2 v
    test    ax,ax
# Q1 @# D- V* V0 j; U5 T9 n: y    jnz     SoftICE_Detected. x6 p# u4 K- b# o8 x! D& T

9 @  o+ n1 i( q. ?/ W__________________________________________________________________________
' n3 c( E4 C- U' Z( ~1 s
- d0 Z6 d0 _) d- ~* k  V- Y- E- I7 j: o* \* R( n
Method 059 X/ p& L  \( X) t6 _
=========8 ]8 s- x( _0 p" h

2 J& Y0 Q  u0 y4 F- }, \, ^6 vMethod seeking the 'magic number' 0F386h returned (in ax) by all system6 P6 R' v/ w7 ?
debugger. It calls the int 41h, function 4Fh.
) q" N* A# @  NThere are several alternatives.  ( v4 J& s2 W# s' m5 [  g
0 \4 j( @# a4 U& P9 I
The following one is the simplest:
. b, d7 H7 h: L5 J; A5 s/ F8 v0 V5 }. X
    mov     ax,4fh% k3 _0 q3 {: R
    int     41h
9 T1 O- a( y8 b2 V3 Y7 ^    cmp     ax, 0F386
$ O* z6 [9 V. f  i    jz      SoftICE_detected! f5 T6 g" Q% f6 x  E& ]% {

# h" b/ }* J/ O! j; [3 X6 T  V7 B
Next method as well as the following one are 2 examples from Stone's + H( S3 R% u: a( Y
"stn-wid.zip" (www.cracking.net):
" Q: Q; w5 R/ [$ G+ x: Q$ K8 `! n* y' [( J
    mov     bx, cs
5 {0 r" Q. A0 ]$ Q+ b' |    lea     dx, int41handler2
2 w0 a! K# ?4 a' D3 e& j    xchg    dx, es:[41h*4]
. s  R/ i3 d3 p    xchg    bx, es:[41h*4+2]9 s# t# O! u. q4 n
    mov     ax,4fh
5 A2 E5 a+ w5 {1 v+ ]    int     41h" Z8 g  [! a; Z, \& K. ^
    xchg    dx, es:[41h*4]
+ J3 M. R$ g/ S) g4 {& c0 S    xchg    bx, es:[41h*4+2]
& o  g/ t) d- @  _    cmp     ax, 0f386h$ B% X! }4 m- E. @9 D
    jz      SoftICE_detected4 i8 B# v0 }4 p5 W' O9 v. ^  W
2 U& r& h1 G. I1 t% ]. T  B
int41handler2 PROC
/ o1 v% Q: P+ _/ W. W    iret
4 @- f% Z: |: C: y# f& s& Pint41handler2 ENDP* \/ l+ `, q5 k( x& s" b

' j. h3 b7 J! R4 ^1 |& b8 v' E
3 V7 U" a9 L" `_________________________________________________________________________
7 M( `  l0 p2 G7 y4 ?% Y: O
2 v$ D0 L+ u# g# Z2 \4 a% ^, [- C: m- u) _! G; C: F  Q. B
Method 068 _7 O% B6 n: Y8 k
=========4 X/ a" J7 {7 q6 {7 P

+ o) B& P8 x& ^# B, L1 }
+ f% ~  }. z) v) c3 q# Q% t2 _2nd method similar to the preceding one but more difficult to detect:
. F+ E6 W6 w% c; d& }- X( d4 H* C, P( T& U& W) N

4 T" i& o6 y0 q3 D  E% }6 i) dint41handler PROC
) f/ k0 a3 b! H6 J% b% D/ k: p    mov     cl,al; e' g% b2 f, d- Y
    iret
; y. ~; r3 F" ~# wint41handler ENDP; o" F" I+ y2 O$ N. p

1 D6 b, }5 I' ]) e2 [7 z; T$ w3 U1 a) G
    xor     ax,ax
" k+ k! N5 E/ a8 j6 [    mov     es,ax
9 d+ p5 E$ o% e3 }# L    mov     bx, cs- K! W* m5 J/ z. m2 e( G
    lea     dx, int41handler
6 p$ l( s1 @+ d, f& w% Y2 ]    xchg    dx, es:[41h*4]/ |: x: v8 V  g2 x: r; }( @
    xchg    bx, es:[41h*4+2]
9 k3 V, Z% J2 s  R: s; w) k- O    in      al, 40h& W/ H' k! r" p$ Z6 ^% @
    xor     cx,cx
( t0 h# h, I) O7 `1 Q, q    int     41h
0 R' L8 C6 q, H6 t6 I, ~+ Y4 W    xchg    dx, es:[41h*4]
# D! H! `, r# \8 p' e6 F    xchg    bx, es:[41h*4+2]
7 u9 W+ B8 q( q: K* d3 ^/ e    cmp     cl,al$ ?+ n& a* j3 H' e$ {9 \7 a
    jnz     SoftICE_detected
2 Y+ }$ u( B& b9 X4 L  K- N3 e
5 |6 U9 J/ g! }4 h$ W) L; g_________________________________________________________________________# n' a  |" r: X6 Q; d0 P
- o  i1 p3 r1 `9 s
Method 07: _, u2 d! M. f1 c$ ?# f
=========
8 G% l3 G; ?- W# @( ]$ ^& [4 g7 _4 @' ]+ i7 ^
Method of detection of the WinICE handler in the int68h (V86)
3 K! i1 l( O4 _; N/ g# j' l5 L: i5 H, u* S; |7 m6 H- |+ J; r
    mov     ah,43h% I. r. c# }8 o+ D4 a0 T/ N* m
    int     68h
# p4 X% l$ m" Z( t8 p    cmp     ax,0F386h3 b9 h) @  u. l( d! t
    jz      SoftICE_Detected9 W  Q- s9 a- w/ g' [
% z: p9 [6 q$ E$ g: u8 {: `& U
, a/ e! M! |/ \  q' O4 `
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
  d, p: |  ]/ |; P8 A8 ^   app like this:
4 w0 r2 i! C' r% a9 J$ G: e' `! v. w, W+ W/ s0 M
   BPX exec_int if ax==68
. L+ k1 r! @; v; _   (function called is located at byte ptr [ebp+1Dh] and client eip is1 F! e" i$ m" Q: ^' ^" h/ H# Q% U
   located at [ebp+48h] for 32Bit apps)/ t4 N' {! K3 T  T5 Y
__________________________________________________________________________
7 r$ w  b4 t' Q* {! j0 @; x2 a. g9 u3 Z
) N5 l2 u4 Z0 [- {
Method 088 T$ v$ y6 j, K
=========
1 D, E, f0 s3 L& V, F! Q
- M0 B* J: j8 f1 p1 O2 }It is not a method of detection of SoftICE but a possibility to crash the
" {8 E5 \8 {" E8 B# U, Psystem by intercepting int 01h and int 03h and redirecting them to another
7 k' R$ _0 o0 k, \& g( Zroutine.$ j- A0 w8 l+ T" x. ]0 Y* y8 J0 i
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ Z/ |/ t# A6 B2 F' g
to the new routine to execute (hangs computer...)/ k: q6 T  Y1 u  D2 d, d

8 s( h8 [( U# E. L5 ?    mov     ah, 25h% I) y6 X1 ~# G2 h- J9 Q
    mov     al, Int_Number (01h or 03h)  I7 F, H7 A0 b# @) `
    mov     dx, offset New_Int_Routine
; ~2 K* q4 U* H. F8 r( M0 O4 l    int     21h7 v+ f: }5 g  V. q0 D% w
* \# X" F5 f1 }( N2 u2 d4 z
__________________________________________________________________________
0 S3 x, p7 u6 E4 V& c/ K
* _# d' F0 Q+ x/ B; uMethod 09! [& Q6 A/ x" K3 ], r
=========
) Q# P: x. ^( W; c, R* E4 @: s' X. Z0 L# u9 h$ h1 Y+ ?
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 T+ }: @# g) }performed in ring0 (VxD or a ring3 app using the VxdCall).7 J; m% Y! o# S- w# Q
The Get_DDB service is used to determine whether or not a VxD is installed9 S/ [( W+ `4 ]# q6 \2 G
for the specified device and returns a Device Description Block (in ecx) for
- p6 P8 H5 B; |) p+ f) ^that device if it is installed.
6 [4 x+ O; \. I% z& k& D# \, z
4 }$ o2 N) D  V; `% t' y! V   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 q5 ^' f" ~+ T/ }# \
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ ^7 B$ Z4 Y/ @  u' [   VMMCall Get_DDB
4 @" [& n' W- n% v  ~. w* E, `& a" q   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed5 z0 i& q: p2 ]+ Y/ t: m
4 S. K, E7 _2 Y# L" @" g
Note as well that you can easily detect this method with SoftICE:0 z4 {% q8 \4 D- C
   bpx Get_DDB if ax==0202 || ax==7a5fh! E1 x- t6 X/ }" s, j

. u' R. T: r# }" a) }__________________________________________________________________________3 f" M" }4 E! L+ v3 }

. ~% B; A8 g  z# j& K$ m& gMethod 10& D, `1 J4 h8 Q! L  _, I
=========
  \+ u8 {/ E! ?, K/ Z
! q5 {) Q' G; A6 ]2 s# T1 ~=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with* P% \( j2 N8 h) R& k" t. b% _
  SoftICE while the option is enable!!
, |! m2 }. ]( V& G4 z' m( A6 Y" |: {5 d9 A! D0 G) ~) o
This trick is very efficient:# p5 {% G& [5 w8 y+ L7 s, B
by checking the Debug Registers, you can detect if SoftICE is loaded2 r3 W( s* J: T2 T, _' |
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if# C3 B2 ^7 t9 Q: Y& a  b
there are some memory breakpoints set (dr0 to dr3) simply by reading their
" P3 b. B4 U3 z- L! qvalue (in ring0 only). Values can be manipulated and or changed as well* `* V8 w4 c7 [
(clearing BPMs for instance)( ]% B" R  J, Z
) g7 f9 F$ O8 F* ]( u4 @# e  g
__________________________________________________________________________
# b5 k; I: ?/ C6 Y( R% C( M7 p& \6 x5 x2 X
Method 11
' C! v0 x0 e* A) t- W$ P: ^4 H=========
  Y- r% N0 _* j& d' x, N9 b8 M: z! p6 q  ^7 f$ p( B
This method is most known as 'MeltICE' because it has been freely distributed
7 g' ?2 W8 j! U( i# k8 w$ Yvia www.winfiles.com. However it was first used by NuMega people to allow
: s) h7 b9 x( [Symbol Loader to check if SoftICE was active or not (the code is located4 w, a4 A/ P* @: m% k  ?3 \" |
inside nmtrans.dll).: Y7 d& ^  u0 h* I- K
3 N% j3 J2 H/ i1 R
The way it works is very simple:
' d5 C3 K! g& B; I# _4 DIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for0 F; H8 Q. f; V1 r7 C  p" P' v* O
WinNT) with the CreateFileA API.' e8 ?# f, ?& z/ m5 L' i1 k
: A, X. a+ M, Q9 n
Here is a sample (checking for 'SICE'):/ T4 R( R/ T* h: d- V+ Z0 C1 {: E
- d- W5 l3 j* w! X! y
BOOL IsSoftIce95Loaded()
( I+ v1 n7 J. k* y{
  _8 |# ~2 v! x1 m% P   HANDLE hFile;  3 }% c9 c" e7 j5 R9 O3 t$ x
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
  n  Q& H/ [" j                      FILE_SHARE_READ | FILE_SHARE_WRITE,/ O9 o" X0 Y% D+ X" a3 P
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);1 c0 a$ u- `8 i& l) S! V) j
   if( hFile != INVALID_HANDLE_VALUE )
4 `5 C  f5 `3 k' J8 K7 a" T' y   {1 L' @- j! A$ g( {7 j
      CloseHandle(hFile);+ l( C0 m& e& Y& u5 y  r; ]
      return TRUE;0 P1 O* V& `& F9 W, @: p6 A
   }
4 c$ i; t$ G. I- Z5 W   return FALSE;
) H1 X4 V( ~: ?* y' \. M7 x4 n}
; j; o7 b; A/ ]5 A) i- [" ]/ ]3 B$ U( m9 w5 w
Although this trick calls the CreateFileA function, don't even expect to be: f! K9 Z* k, q
able to intercept it by installing a IFS hook: it will not work, no way!
6 ~5 S1 [# x, ^/ U& a. R2 YIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
+ ^2 y+ F1 E+ Iservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function); b4 {! i) k7 O0 ]2 t# I2 D
and then browse the DDB list until it find the VxD and its DDB_Control_Proc3 d+ R8 X( Y/ q" x8 W7 H
field.1 K  L5 P; f& Q( u5 b
In fact, its purpose is not to load/unload VxDs but only to send a
9 i. E7 m# j( F+ Y2 Y* o9 A. U, zW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)& _2 ^- F- X5 u* }
to the VxD Control_Dispatch proc (how the hell a shareware soft could try3 c0 n0 m, M# p8 I- R
to load/unload a non-dynamically loadable driver such as SoftICE ;-)., \4 J7 |! z2 j& m7 p% z
If the VxD is loaded, it will always clear eax and the Carry flag to allow
5 }. U6 ]8 e2 t( g( l, ~its handle to be opened and then, will be detected.- ~3 u+ j8 }* |/ d4 _
You can check that simply by hooking Winice.exe control proc entry point" b* d. P3 s% I7 P
while running MeltICE.
( \- n) A8 D) ^+ Z% a( `1 J7 E; A9 i7 T- {/ z0 ^) S: n4 V, K
; l$ k% s  ^" j& O
  00401067:  push      00402025    ; \\.\SICE
/ o0 }: N1 }, ]9 W$ K2 h- [  0040106C:  call      CreateFileA) V) ~/ E9 z; M5 ?; i
  00401071:  cmp       eax,-001
( z% j3 a0 \6 [. V  00401074:  je        00401091
* t6 a) F7 d1 P) {* C0 C/ {
. j# P& t8 O& I1 I9 u7 v
4 L. M1 L4 M! Y6 g6 Q, S# R+ KThere could be hundreds of BPX you could use to detect this trick.: ?% K" ?) j  U% k
-The most classical one is:
# G/ ?5 X  k; A9 U  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
+ W) l1 {3 F; k. V; q# p6 D& X: B    *(esp-&gt;4+4)=='NTIC'' |/ d* A+ o6 M
. _5 a/ C% m7 ^  l6 ]$ ?! ~
-The most exotic ones (could be very slooooow :-(
/ P6 S' s! F& d/ w$ n3 ^   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ! ]: H- {6 B! H5 u
     ;will break 3 times :-(
. I/ g1 X# B9 l( b8 J
; L9 i) V% D& z-or (a bit) faster:
; \  i# ~' ~$ T& h   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
, c+ g1 w$ p# u8 m9 j1 p8 k% ^- T4 q( @! V- z
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  4 i9 x% q& P2 K/ x9 z- w6 P- d8 }
     ;will break 3 times :-(
! g% f! O7 _; R* q
3 \3 n  O9 N0 v8 W  ~  H-Much faster:$ n' W  S6 G- z$ ^2 U
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'2 \& C1 I* k9 O/ S; o
0 F3 s4 A; f- V. h& D
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
+ J7 h- M% G  |8 d5 g* l& E! lfunction to do the same job:' J2 ?$ I' j+ e; z7 U  o. `+ ?( U. h

9 o( J9 x( `$ f7 {. C   push    00                        ; OF_READ
" c8 l" D; P+ F* j- O2 A7 N9 V  @   mov     eax,[00656634]            ; '\\.\SICE',0/ p4 B; a% y" ^& y9 E1 z
   push    eax; R' v( c0 M, h1 G
   call    KERNEL32!_lopen# N3 r7 N' A- [$ c$ C8 K3 p% k
   inc     eax* a+ j% p6 H: T) D
   jnz     00650589                  ; detected* D1 O8 U$ d% v1 v5 {( ^
   push    00                        ; OF_READ
, y% c5 p: R. l* q4 ?2 d   mov     eax,[00656638]            ; '\\.\SICE'
/ E9 h0 s- D/ u: X3 U+ x   push    eax
* ~3 N/ W9 c. V- P( g9 Q5 J   call    KERNEL32!_lopen
7 x" {9 n* @7 y- A/ V9 p5 L5 d* p   inc     eax
6 N) p2 G/ e% l" u   jz      006505ae                  ; not detected
0 N& t2 Q, @- n* _0 W
* l3 T  d4 E" q: m: H
' _( `: l0 j1 \__________________________________________________________________________3 T8 ]! A0 b+ I( h# ?% d0 V( `& i) p

# o5 O$ g; I6 `+ |) a9 aMethod 126 T6 g# o/ p& W# K
=========* l8 ]. n7 V0 x0 A# Y, k1 R- }

% b9 `/ K8 S  g! CThis trick is similar to int41h/4fh Debugger installation check (code 05
& n( s; p1 a  l2 ]&amp; 06) but very limited because it's only available for Win95/98 (not NT)& V- f+ X# M; N4 u  g$ d: E( J
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# m$ b) c7 I2 ?0 s/ }% x6 w; x( U+ e" A" Q( N  H
   push  0000004fh         ; function 4fh
3 N) ?8 G8 Y- I; ]7 `   push  002a002ah         ; high word specifies which VxD (VWIN32); z" B9 s! p1 Z9 p; K6 o7 m
                           ; low word specifies which service
+ i5 k7 _' U: z  ]0 {3 y: M                             (VWIN32_Int41Dispatch)
1 H" n9 V7 s) `. O& C   call  Kernel32!ORD_001  ; VxdCall  l4 b; W  P" C3 \: Z
   cmp   ax, 0f386h        ; magic number returned by system debuggers
$ v) x( E* x9 S, A   jz    SoftICE_detected0 }1 ]" F6 `- x0 m- z! m, P8 g
- z: R/ v! j/ l  T2 H
Here again, several ways to detect it:% ?. u. K2 t5 I0 L& a4 B2 S/ e; [$ T

7 {. e: i7 r! t8 @    BPINT 41 if ax==4f
. z: e- D7 [; \  N
0 K. Z+ N8 t+ ?9 Z  n    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
+ E! l; N  Y0 {2 M) a$ v/ d* V
( Z2 v! B0 c( G3 ~7 q! S    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A0 P1 u5 H& Z% X% x; ]0 }

0 @$ `3 a9 I, ~9 I5 i    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!. }4 r+ F/ M9 G# _; A3 `

+ w& w! x/ b" o* G0 l__________________________________________________________________________
  ^; i9 W$ F: ?+ `3 v$ Z* i0 c. H/ R+ I3 s# b
Method 13
6 s% f5 i1 n- {+ x' R& s=========
. L* t% Y4 D, X. m3 ~: n8 [2 q3 J
Not a real method of detection, but a good way to know if SoftICE is
. K+ `1 L, Y# d/ G' D% |* _/ ginstalled on a computer and to locate its installation directory.4 k( V+ o8 R1 H" ], {! q* ?
It is used by few softs which access the following registry keys (usually #2) :% I' ^) d2 Z0 L! F
/ O6 @% `1 @! b1 ]* i3 l& H
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: R- o; A  L5 M3 S. W9 L: a\Uninstall\SoftICE3 |" b: M3 a9 @5 Z% k5 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) r7 S/ F  H  F4 f5 Z-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ z) K% z# [& H9 e; N
\App Paths\Loader32.Exe
) Z2 P5 l' X7 O# B  A* k8 G2 c- n$ A9 W+ g# k- n9 B" P. }/ M8 a3 I( r
( B) d# |7 g0 B* u
Note that some nasty apps could then erase all files from SoftICE directory
5 v" v7 e1 C  }( Y* c(I faced that once :-(. z5 n/ j( Q" p' V; T
2 ~: ~& C1 P, E: M7 d8 N
Useful breakpoint to detect it:( L+ Q' o" u5 S3 y7 x
) v0 M3 c3 ?: e, N6 ?
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
" a" `! O2 a- u" @; @
0 ]5 ~+ ?3 ]/ G__________________________________________________________________________1 t% y) y7 \1 v; `4 Z
4 U4 ?2 z  C! M4 h& W

! I% X2 N! B- _# R, M; K1 hMethod 14 2 k# e; k1 X! N
=========
% Z' [( F2 h; c" c/ D. i! K* P0 H# u' r2 P
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# p- g2 `! J: j. a% Q. l% u) s
is to determines whether a debugger is running on your system (ring0 only).
1 V( \1 e, Y2 `7 V! S. U8 t; f& \3 n& v' W9 W
   VMMCall Test_Debug_Installed
+ @4 W, x3 y. d2 c: m# e5 x   je      not_installed+ R% N+ E( l! c& J# e. T  Q: |# L4 n
" f& w7 w) N7 E6 k% [$ Y5 Y
This service just checks a flag.: P$ ?5 D2 e6 \  V: M
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 00:30

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表