About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP holding the
signature 'BCHK' and AX = 4, the INT 3 is answered by SoftICE with AL = 0;
when SoftICE is not loaded nothing touches AL and it keeps its value of 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). ES:DI is zeroed first, because a VxD that is not
loaded leaves it untouched.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector in the IVT is first
pointed at a dummy handler (a plain iret) and restored afterwards: with no
system debugger loaded the call lands in that handler and AX comes back
unchanged, whereas SoftICE still intercepts the interrupt and answers 0F386h:

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install the dummy handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random value (PIT counter 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The handler installed in the IVT copies AL into CL; if the int 41h is swallowed
by a system debugger instead of reaching it, CL is still 0 and differs from AL.
Note that the check gives a false 'not detected' whenever the byte read from
port 40h happens to be 0.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to on Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

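The instruction sequences of methods 01, 02, 03/04, 05, 07 and 12 (and the cmp ax,0F386h shared by 05, 07 and 12) are fixed enough to be found in a raw code section before you start tracing. What follows is an added example, not code from the original text or from any of the programs it names: a small C byte-signature scanner for those patterns. The opcode encodings are the standard 16-bit x86 ones (the mov ax / cmp ax forms also match 32-bit code, where they only gain a 66h prefix); the struct and function names and the sample code image at the bottom are constructed for the demo.

```c
/* Added example, not from the original text: a byte-signature scanner for
 * the anti-SoftICE tricks listed above (methods 01, 02, 03/04, 05, 07, 12 and
 * the 0F386h compare shared by 05/07/12). Opcode encodings are the standard
 * 16-bit x86 ones; the sample image, struct and function names are mine.   */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sig {
    const char *name;           /* which method of the text the pattern belongs to */
    const unsigned char *pat;   /* opcode bytes                                   */
    const unsigned char *mask;  /* 0xFF = must match, 0x00 = wildcard (operand)   */
    size_t len;
};
struct hit { const char *name; size_t off; };

/* Method 01: mov ebp,'BCHK' (BD 4B 48 43 42); the int 3 follows a bit later. */
static const unsigned char p01[] = {0xBD,0x4B,0x48,0x43,0x42};
static const unsigned char m01[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* Method 02: mov si,4647h / mov di,4A4Dh / int 3 ('FG' and 'JM' magics).     */
static const unsigned char p02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};
static const unsigned char m02[] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF};
/* Methods 03/04: mov ax,1684h / mov bx,<VxD id> / int 2Fh; id is wildcarded. */
static const unsigned char p03[] = {0xB8,0x84,0x16,0xBB,0x00,0x00,0xCD,0x2F};
static const unsigned char m03[] = {0xFF,0xFF,0xFF,0xFF,0x00,0x00,0xFF,0xFF};
/* Method 05: mov ax,4Fh / int 41h (a 66h prefix in 32-bit code still matches). */
static const unsigned char p05[] = {0xB8,0x4F,0x00,0xCD,0x41};
static const unsigned char m05[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* Method 07: mov ah,43h / int 68h.                                           */
static const unsigned char p07[] = {0xB4,0x43,0xCD,0x68};
static const unsigned char m07[] = {0xFF,0xFF,0xFF,0xFF};
/* Method 12: push 002A002Ah (VWIN32_Int41Dispatch) before the VxDCall; the
 * preceding push 4Fh may be 6A 4F or 68 4F 00 00 00, so key on the service. */
static const unsigned char p12[] = {0x68,0x2A,0x00,0x2A,0x00};
static const unsigned char m12[] = {0xFF,0xFF,0xFF,0xFF,0xFF};
/* cmp ax,0F386h (3D 86 F3): the magic-number test of methods 05, 07 and 12.  */
static const unsigned char pF3[] = {0x3D,0x86,0xF3};
static const unsigned char mF3[] = {0xFF,0xFF,0xFF};

static const struct sig sigs[] = {
    {"Method 01",    p01, m01, sizeof p01}, {"Method 02",    p02, m02, sizeof p02},
    {"Method 03/04", p03, m03, sizeof p03}, {"Method 05",    p05, m05, sizeof p05},
    {"Method 07",    p07, m07, sizeof p07}, {"Method 12",    p12, m12, sizeof p12},
    {"F386 magic",   pF3, mF3, sizeof pF3},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Masked compare of one signature at buf[off]. */
static int match_at(const unsigned char *buf, size_t n, size_t off, const struct sig *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if ((buf[off + i] ^ s->pat[i]) & s->mask[i]) return 0;
    return 1;
}

/* Scan buf[0..n) against every signature; records up to max hits in out,
 * in ascending offset order, and returns the total number of hits found.    */
size_t scan_anti_sice(const unsigned char *buf, size_t n, struct hit *out, size_t max)
{
    size_t hits = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t k = 0; k < NSIGS; k++)
            if (match_at(buf, n, off, &sigs[k])) {
                if (hits < max) { out[hits].name = sigs[k].name; out[hits].off = off; }
                hits++;
            }
    return hits;
}

/* For a "Method 03/04" hit: the wildcarded VxD id (0202h = SICE, 7A5Fh = SIWVID). */
unsigned vxd_id_at(const unsigned char *buf, size_t off)
{
    return buf[off + 4] | (unsigned)buf[off + 5] << 8;
}

/* Constructed 16-bit code image mixing method 02, 05 and 04 sequences. */
const unsigned char sample_image[] = {
    0x90, 0x90,              /* nop; nop                       */
    0xB8, 0x11, 0x09,        /* mov ax,0911h                   */
    0x8B, 0x17,              /* mov dx,[bx]                    */
    0xBE, 0x47, 0x46,        /* mov si,4647h   <- offset 7     */
    0xBF, 0x4D, 0x4A,        /* mov di,4A4Dh                   */
    0xCC,                    /* int 3                          */
    0xB8, 0x4F, 0x00,        /* mov ax,4Fh     <- offset 14    */
    0xCD, 0x41,              /* int 41h                        */
    0x3D, 0x86, 0xF3,        /* cmp ax,0F386h  <- offset 19    */
    0x74, 0x00,              /* jz $+2                         */
    0x33, 0xFF, 0x8E, 0xC7,  /* xor di,di / mov es,di          */
    0xB8, 0x84, 0x16,        /* mov ax,1684h   <- offset 28    */
    0xBB, 0x5F, 0x7A,        /* mov bx,7A5Fh                   */
    0xCD, 0x2F,              /* int 2Fh                        */
    0xC3                     /* ret                            */
};

int main(void)
{
    struct hit h[16];
    size_t n = scan_anti_sice(sample_image, sizeof sample_image, h, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%-12s at offset %zu\n", h[i].name, h[i].off);
    return 0;
}
```

Run on the sample image it reports Method 02 at 7, Method 05 at 14, the 0F386h compare at 19 and Method 03/04 at 28, with vxd_id_at() on the last hit giving 7A5Fh (SIWVID). The patterns are deliberately short, so treat a hit as a place to put a BPX, not as proof by itself; a packer can split or reorder the moves and defeat a fixed-order match.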
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the two offsets are where 'tICE' sits in the
subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

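The two breakpoint conditions, method 11's CreateFileA check on the device name and method 13's _regopenkey check on the subkey string, read as register magic until the offsets are written out. The following is an added example, not code from the original text or from MeltICE: the same two tests in portable C, with the device names and subkeys quoted above as inputs (the function names and the sample inputs are mine). It also shows that the offset-based registry breakpoint misses key #3.

```c
/* Added example, not from the original text: what the SoftICE breakpoint
 * conditions of methods 11 and 13 actually test, rewritten as portable C so
 * the offsets can be verified without SoftICE. Device names and registry
 * subkeys are the ones quoted above; function names and inputs are mine.   */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Method 11:  BPX CreateFileA if *(esp->4+4)=='SICE' || ... 'SIWV' || 'NTIC'
 * esp->4 is lpFileName, the first argument; +4 skips the "\\.\" prefix, so
 * the four bytes compared are the start of the device name.  Returns the
 * matching 4-byte tag, or NULL when the breakpoint would not fire.         */
const char *meltice_name_hit(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strlen(lpFileName) < 8)             /* shorter than "\\.\XXXX" */
        return NULL;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return tags[i];
    return NULL;
}

/* Method 13:  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey, the second argument. 0x13 is where "tICE" sits in
 * "Software\NuMega\SoftICE" (key #2) and 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" (key #1).  */
int softice_regkey_hit(const char *lpSubKey)
{
    static const size_t offs[] = { 0x13, 0x37 };
    size_t n = strlen(lpSubKey);
    for (size_t i = 0; i < 2; i++)
        if (n >= offs[i] + 4 && memcmp(lpSubKey + offs[i], "tICE", 4) == 0)
            return 1;
    return 0;
}

/* Broader form that also covers key #3, which the offset-based BPX above
 * misses ("...\App Paths\Loader32.Exe" has no 'tICE' at 0x13 or 0x37).     */
int softice_regkey_hit_general(const char *lpSubKey)
{
    return strstr(lpSubKey, "SoftICE") != NULL ||
           strstr(lpSubKey, "Loader32.Exe") != NULL;
}

int main(void)
{
    const char *names[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < 4; i++) {
        const char *t = meltice_name_hit(names[i]);
        printf("CreateFileA(%-20s) -> %s\n", names[i], t ? t : "no break");
    }
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(%s)\n  offset BPX: %d, name match: %d\n", keys[i],
               softice_regkey_hit(keys[i]), softice_regkey_hit_general(keys[i]));
    return 0;
}
```

Registry paths are case-insensitive on Windows, so a hook built on the name-match variant should compare without regard to case; strstr() is used here only to keep the example short.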
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>