About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP='BCHK' and AX=4,
SoftICE's int 3 handler changes AL, so AL is still 4 only when SoftICE
is absent.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0000:0000 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector is swapped for a
dummy 'iret' handler for the duration of the call, so a debugger that still
answers with 0F386h is one that intercepts the interrupt below the IVT:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, save the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
handler copies AL into CL, so CL only matches AL if our handler really ran.
If the int 41h never reaches it, CL stays 0 and the compare fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
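What the two DR7 values quoted above actually encode, and what an armed BPM adds to them, is easier to see with a decoder.  The following Python is an added example, not code from the original text: it only models the DR7 bit layout (L0..G3 enable bits, LE/GE in bits 8-9, the always-set bit 10, R/W and LEN fields from bit 16), so it runs anywhere, and reading DR7 itself still needs ring 0 as the text says.  The function names, the 0xD0701 value and the `base` argument are this example's own.

```python
"""Decode / build x86 DR7 values the way a Method 10 check has to read them.

Added example: models the DR7 layout only; it does not touch real debug
registers (that needs ring 0).  Sample values: 0x700 and 0x400 from the
text, plus one constructed BPM encoding.
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}      # code 2 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots and the global control bits of DR7."""
    slots = []
    for i in range(4):
        local_en = (dr7 >> (2 * i)) & 1          # L0..L3 on even bits
        global_en = (dr7 >> (2 * i + 1)) & 1     # G0..G3 on odd bits
        if not (local_en or global_en):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3           # R/Wn: break on exec/write/io/rw
        ln = (dr7 >> (18 + 4 * i)) & 3           # LENn: 1, 2, 4 (or 8) bytes
        slots.append({"slot": i, "local": bool(local_en), "global": bool(global_en),
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),          # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),          # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),   # always reads as 1
        "gd": bool(dr7 & (1 << 13)),         # general detect: traps any MOV to DRx
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The text's heuristic: 0x700 - 0x400 is exactly LE|GE (bits 8 and 9)."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


def bpm_dr7(slot: int, rw: int, length: int, base: int = 0x400) -> int:
    """DR7 value that arms one local breakpoint in `slot` on top of `base`
    (what a BPM-style memory breakpoint must leave behind in DR7)."""
    len_code = {1: 0, 2: 1, 4: 3, 8: 2}[length]
    v = base | (1 << (2 * slot))             # Ln enable bit
    v |= rw << (16 + 4 * slot)               # R/Wn field
    v |= len_code << (18 + 4 * slot)         # LENn field
    return v


if __name__ == "__main__":
    for v in (0x400, 0x700, bpm_dr7(0, 1, 4, base=0x700)):
        print(f"dr7={v:#010x} loader={looks_like_softice_loader(v)} {decode_dr7(v)}")
```

The same bit layout applies to a DR7 obtained from a thread context (GetThreadContext with CONTEXT_DEBUG_REGISTERS), which is how later user-mode descendants of this trick do the check without ring 0; the 0x400 baseline holds there as well because bit 10 always reads as set.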

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded;
      the same call is made with "\\\\.\\SIWVID" and, on NT, "\\\\.\\NTICE". */
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
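Most of the tricks above leave fixed byte sequences in the protected file, so the check a reverser makes before loading anything under SoftICE is a static signature scan.  The following Python is an added example, not code from the original text or from any program it names: the regexes are the standard x86 encodings of the instructions quoted in methods 01 to 07 and 12 (the optional 66h prefix covers the same 16-bit operand forms emitted in a 32-bit code segment) plus the device-name and registry-key strings of methods 11 and 13; SAMPLE is a constructed, hand-assembled buffer for the demo, and the function names are this example's own.

```python
"""Static scan of a DOS/Win9x-era binary for the anti-SoftICE idioms above.

Added example (not from the original text).  Byte patterns are the x86
encodings of the instructions quoted in methods 01-07 and 12, plus the
strings of methods 11 and 13.  SAMPLE is a constructed buffer, not bytes
taken from any real program.
"""
import re

# (method, description, byte regex); 66h = operand-size prefix in 32-bit code.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') BoundsChecker magic before INT 3",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    ("02", "back door magic mov si,4647h / mov di,4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A"),
    ("03/04", "mov bx,0202h|7A5Fh (SICE/SIWVID VxD ID) then int 2Fh",
     rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("05/06", "mov ax,4Fh then int 41h (debugger installation check)",
     rb"\xB8\x4F\x00.{0,12}?\xCD\x41"),
    ("07", "mov ah,43h then int 68h (V86 WinICE handler)",
     rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)",
     rb"\x66?\x3D\x86\xF3"),
    ("11", "SoftICE device name passed to CreateFileA/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh; push 2A002Ah (VxDCall VWIN32_Int41Dispatch)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "SoftICE registry key name",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return (offset, method, description) for every signature hit, by offset."""
    hits = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes) -> list:
    """Sorted list of the method numbers whose signature appears in blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: one instance of each idiom, hand-assembled.
SAMPLE = (
    bytes.fromhex("66BD4B484342 B80400 CC 3C04 7502")   # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")     # 02: the Haspinst.exe sequence
    + bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F")     # 03: int 2Fh/1684h with bx=0202h
    + bytes.fromhex("B84F00 CD41 3D86F3 7400")          # 05: int 41h/4Fh; cmp ax,0F386h; jz
    + bytes.fromhex("B443 CD68 3D86F3 7400")            # 07: int 68h/43h; cmp ax,0F386h; jz
    + b"\\\\.\\SICE\x00"                               # 11: MeltICE device name
    + bytes.fromhex("6A4F 682A002A00 FF15")             # 12: push 4Fh; push 2A002Ah; call [..] (truncated)
    + b"Software\\NuMega\\SoftICE\x00"                  # 13: registry key #2
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"{off:06x}  method {method:<9} {desc}")
```

Method 06 is deliberately not caught by the int 41h pattern: it never loads AX with 4Fh, so only the IVT swap around the call would give it away.  Byte signatures also miss code that builds the constants at run time, which is why the BPX/BPINT conditions listed after each method remain the dynamic counterpart of this scan.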

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
1 R' m* x$ k$ z0 p' c</PRE></TD></TR></TBODY></TABLE>