About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE honours: with
EBP='BCHK' an INT 3 is treated as a BoundsChecker request, and if SoftICE
is loaded it intercepts the interrupt and AL does not come back as 04h.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 04h                ; AL is changed when SoftICE handled the INT 3
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much in use (perhaps the most frequent one). It uses the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx,
which are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method. It looks up the SoftICE VxD by its device ID via
int 2Fh/1684h (Get VxD API Entry Point). If the VxD is loaded, ES:DI
receives the address of its API entry point; if it is not, ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the real-mode int 41h vector in the
IVT (segment 0) is swapped with a dummy IRET handler for the duration of the
call (and restored afterwards by the same XCHGs), so nothing reached through
the vector can answer; if AX still comes back as 0F386h, the reply came from
SoftICE intercepting the interrupt:

    xor     ax,ax
    mov     es,ax              ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]     ; install dummy handler, old offset -> DX
    xchg    bx, es:[41h*4+2]   ; old segment -> BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]     ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect:
there is no function 4Fh and no 0F386h compare to break on. The code only
checks whether its own int 41h handler was reached. If SoftICE intercepts
int 41h, the handler never runs, CL stays 0 and differs from the timer byte
left in AL.

int41handler PROC
    mov     cl,al           ; proves that our own handler was reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random byte from the timer
                            ; (if it happens to read 0 the check is inconclusive)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL==AL only if int41handler actually ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86): function 43h of int 68h is
the installation check used by 386 debuggers and returns 0F386h in AX when
one is present.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS Set Interrupt Vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
and whether any memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring0 only, since MOV from a debug register is privileged).
The values can be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE if the SICE device can be opened, i.e. the SoftICE VxD is
   loaded (Win9x). Use "\\\\.\\NTICE" on WinNT. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is lpSubKey; 0x13 and 0x37 are the offsets of "tICE" inside
      keys #2 and #1 respectively)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>