About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
% e1 h4 n' H: G9 q3 x# c7 ?</PRE></TD></TR></TBODY></TABLE>