About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
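As an added illustration (not part of the original text), the following Python script scans a raw binary for the byte patterns of Methods 01, 02, 03/04, 05, 07, 11 and 12 above, the way an analyst would triage a sample for anti-SoftICE checks before loading it under a debugger. The opcode encodings, the signature names and the sample buffer are my own construction; the optional 66h prefix is assumed to cover the 16-bit operand forms when assembled in a 32-bit code segment.

```python
import re

# Signatures for the anti-SoftICE tricks listed above, as raw x86 encodings
# (constructed here; "(?:\x66)?" allows the 66h operand-size prefix that a
# 32-bit code segment needs for 16-bit register forms such as mov ax,4Fh).
SIGNATURES = {
    "01 BoundsChecker 'BCHK' (mov ebp,04243484Bh)":
        rb"\xBD\x4B\x48\x43\x42",
    "02 int 3 back door (mov si,4647h / mov di,4A4Dh)":
        rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    "03 int 2Fh/1684h, VxD ID 0202h (SICE)":
        rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
    "04 int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)":
        rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
    "05 int 41h/4Fh debugger check (mov ax,4Fh / int 41h)":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    "07 int 68h/43h WinICE handler check (mov ah,43h / int 68h)":
        rb"\xB4\x43\xCD\x68",
    "11 MeltICE driver name (\\\\.\\SICE, \\\\.\\SIWVID, \\\\.\\NTICE)":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    "12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}


def scan(data):
    """Return (offset, description) pairs for every signature hit, by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk (e.g. an unpacked DOS or Win9x executable)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample buffer: filler, then Method 01, a Haspinst-style
# Method 02 sequence, the Method 12 VxDCall arguments and two MeltICE names.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                          # mov ebp,04243484Bh
    + b"\x66\xB8\x04\x00\xCD\x03"                      # mov ax,4 / int 3
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"  # mov ax,911h ... int 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                  # push 4Fh / push 2A002Ah
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"           # driver device names
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  Method {name}")
```

A hit only says the pattern is present, so confirm each offset in a disassembler: the Method 02 pair and the device-name strings are distinctive, while a lone mov ah,43h / int 68h can occur in unrelated code.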

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>