About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API (windows.h); the ANSI entry point is used on purpose,
   since the device name is an ANSI string. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
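As an added example (not part of the original text): a small static triage scanner that turns the instruction sequences and strings of Methods 01 to 13 above into byte patterns and reports where they occur in a binary image, so an analyst can see which checks a packed sample carries before stepping through it. The opcode encodings, the gap allowance between key instructions and the sample image are my own assumptions, not taken from the page or from any real file.

```python
"""Static triage scanner for the anti-SoftICE sequences described above.

Each signature is a hand-encoded byte pattern for one of the page's methods;
short gaps (ANY) allow the few interleaved instructions seen in the listings.
Operand-size assumptions: 16-bit code for the DOS/ring0 snippets, 32-bit for
the 'BCHK' check and the VxDCall pushes.
"""
import re

ANY = rb".{0,8}?"   # up to 8 bytes of other instructions between key opcodes

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
    ("Method 01: INT 3 'BCHK' BoundsChecker check",
     rb"\xBD\x4B\x48\x43\x42" + ANY + rb"\x66\xB8\x04\x00\xCC\x3C\x04"),
    # Method 02: SI=4647h and DI=4A4Dh (either order) followed by int 3
    ("Method 02: INT 3 back door (SI=4647h, DI=4A4Dh)",
     rb"(?:\xBE\x47\x46" + ANY + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + ANY
     + rb"\xBE\x47\x46)" + ANY + rb"\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,<VxD ID> / int 2Fh
    ("Method 03: INT 2Fh/1684h, VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16" + ANY + rb"\xBB\x02\x02" + ANY + rb"\xCD\x2F"),
    ("Method 04: INT 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16" + ANY + rb"\xBB\x5F\x7A" + ANY + rb"\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h (0F386h is compared afterwards)
    ("Method 05: INT 41h/4Fh debugger check", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    ("Method 07: INT 68h/43h debugger check", rb"\xB4\x43\xCD\x68"),
    # Method 11: NUL-terminated ANSI device name \\.\SICE, \\.\SIWVID, \\.\NTICE
    ("Method 11: MeltICE driver name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    ("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: the SoftICE registry key path
    ("Method 13: NuMega\\SoftICE registry key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(label, re.compile(pat, re.S)) for label, pat in SIGNATURES]


def scan(blob: bytes):
    """Return every hit as (offset, label), sorted by offset."""
    hits = []
    for label, pat in COMPILED:
        hits.extend((m.start(), label) for m in pat.finditer(blob))
    return sorted(hits)


# Constructed sample image (not from any real binary): NOP filler around
# hand-assembled copies of the page's Method 01, 02, 03, 05 and 11 sequences.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x05"          # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02"      # Method 02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7"  # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                         # Method 05
    + b"\\\\.\\SICE\x00"                                                    # Method 11
    + b"\x90" * 4
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Feed it a raw file image (`scan(open(path, "rb").read())`); hits in a section that the unpacker decrypts at run time will only show up after dumping.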