About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next example, as well as the following method, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
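To see what the DR7 values quoted above actually mean, here is an added decoder (example code written for this page, not from the original post). The bit layout is the documented x86 one: bits 0-7 are the L/G enable pairs for DR0-DR3, bit 8 LE, bit 9 GE, bit 10 a reserved bit that always reads as 1, bit 13 GD, and bits 16-31 the R/W and LEN fields. Decoding 0x400 gives only the reserved bit (the quiet baseline), while 0x700 adds LE and GE, which is why the check treats it as a debugger being present even when no DR0-DR3 slot is enabled. The function names `decode_dr7`, `dr7_looks_like_debugger` and `build_dr7` are this example's own.

```python
# Added example (not from the original post): decode the x86 DR7 register the
# way a ring-0 check like Method 10 would read it. Bit layout per the Intel SDM:
#   bit 2*i   : L(i)  local enable for breakpoint i (DR0..DR3)
#   bit 2*i+1 : G(i)  global enable for breakpoint i
#   bit 8 LE, bit 9 GE (exact-breakpoint flags), bit 10 reserved (reads as 1),
#   bit 13 GD (general detect: trap on any access to DR0..DR7)
#   bits 16+4*i..17+4*i : R/W(i)     bits 18+4*i..19+4*i : LEN(i)
# Function and constant names are this example's own.

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 is 8 bytes in long mode only


def decode_dr7(dr7):
    """Describe which hardware breakpoints a DR7 value enables."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        length = (dr7 >> (18 + 4 * i)) & 3
        slots.append({
            "index": i,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "len": LEN_BYTES[length],
        })
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "active": slots,
    }


def dr7_looks_like_debugger(dr7):
    """The Method 10 heuristic: LE/GE set (0x700) or any DR0..DR3 slot enabled.
    The reserved bit 10 alone (0x400) is the quiet baseline, not a hit."""
    d = decode_dr7(dr7)
    return d["le"] or d["ge"] or bool(d["active"])


def build_dr7(index, rw, length, glob=False):
    """Build a DR7 value enabling one slot, e.g. a 4-byte read/write BPM."""
    value = 1 << 10                                  # reserved bit reads as 1
    value |= 1 << (2 * index + (1 if glob else 0))   # L(i) or G(i)
    value |= (rw & 3) << (16 + 4 * index)
    value |= (length & 3) << (18 + 4 * index)
    return value


if __name__ == "__main__":
    for sample in (0x400, 0x700, build_dr7(0, 3, 3)):
        print(hex(sample), decode_dr7(sample), dr7_looks_like_debugger(sample))
```

`build_dr7(0, 3, 3)` produces 0xF0401, the value a 4-byte read/write memory breakpoint in DR0 leaves behind; decoding it back shows the slot, which is exactly what the "reading dr0 to dr3" part of the trick keys on.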

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32 API declarations come from windows.h */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name \\.\SICE can only be opened if the SoftICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
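The breakpoints given throughout this text catch each trick at run time under SoftICE. The complementary static view, for an analyst triaging a packed sample before running it, is to look for the byte encodings of the same sequences in the file. Here is an added scanner that does that for the instruction sequences and strings quoted in Methods 01 to 07, 11, 12 and 13 (example code written for this page, not code from the original post). The x86 encodings are the standard ones (`B8 imm16` for mov ax, `CD nn` for int, `BD imm32` for mov ebp, and so on, with an optional 66h prefix so both 16-bit and 32-bit code segments match); `SIGNATURES`, `scan`, `Hit` and the `SAMPLE` buffer are this example's own names, and `SAMPLE` is a constructed byte string, not a real binary.

```python
# Added example (not code from the original post): a static triage scanner for
# the anti-SoftICE byte sequences quoted in Methods 01-07, 11, 12 and 13.
# Encodings are standard x86; P66 is an optional operand-size prefix so the
# same pattern matches in 16-bit and 32-bit code segments.
# SIGNATURES, scan(), Hit and SAMPLE are this example's own names.
import re
from collections import namedtuple

Hit = namedtuple("Hit", "offset method name")

P66 = rb"(?:\x66)?"

SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     P66 + rb"\xBD\x4B\x48\x43\x42" + P66 + rb"\xB8\x04\x00\xCC"),   # mov ebp,4243484Bh / mov ax,4 / int 3
    ("02", "SoftICE back door magic SI=4647h, DI=4A4Dh",
     P66 + rb"\xBE\x47\x46.{0,8}?" + P66 + rb"\xBF\x4D\x4A"),         # mov si,4647h ... mov di,4A4Dh
    ("03", "int 2Fh/1684h query for VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),                            # mov ax,1684h / mov bx,0202h / int 2Fh
    ("04", "int 2Fh/1684h query for VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),                            # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    ("05", "int 41h function 4Fh debugger check",
     P66 + rb"\xB8\x4F\x00\xCD\x41"),                                  # mov ax,4Fh / int 41h
    ("07", "int 68h function 43h check",
     rb"\xB4\x43\xCD\x68"),                                            # mov ah,43h / int 68h
    ("11", "MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),                           # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
    ("12", "VxDCall VWIN32_Int41Dispatch, function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),      # push 4Fh / push 2A002Ah
    ("13", "SoftICE registry key string",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def scan(data):
    """Return every signature match in `data` as Hit tuples sorted by offset."""
    hits = []
    for method, name, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append(Hit(m.start(), method, name))
    return sorted(hits)


# Constructed sample: encodings of sequences quoted in the post, glued together
# with NOP filler. Not a real executable.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 (Haspinst listing)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                   # Method 05
    + b"\\\\.\\SICE\x00"                                             # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                                # Method 12
    + b"Software\\NuMega\\SoftICE\x00"                               # Method 13
)


if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  Method {h.method}  {h.name}")
```

Such byte signatures are a triage aid, not proof: a packer can split the sequence with junk instructions, build the magic constants at run time, or compute the device name on the stack, which is why the run-time breakpoints in this text remain the reliable way to pin a trick down once the sample is under the debugger.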
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>