About anti-SoftICE tricks

Posted 2008-9-28 16:34:50 (汶上信息港 forum)
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install the dummy handler (es = 0, the IVT)
    xchg    bx, es:[41h*4+2]
    mov     ax,4Fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; dummy handler: returns without touching ax
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; dummy handler: copy al into cl, then return
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read a changing value from the timer port
    xor     cx,cx
    int     41h             ; no debugger: our handler runs and cl == al
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; our handler did not run: cl stays 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
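The two DR7 values quoted above become readable once the register is decoded. This is an added example, not code from the original post: it takes a DR7 value already obtained (kernel debugger, crash dump, VM introspection) and reports what method 10 would see in it; the 0xD0402 sample value is constructed for the example.

```python
# Added example, not part of the original post: decode a DR7 value the way the
# ring-0 check in method 10 interprets it. Nothing here touches the real
# registers; the function takes a value already read (kernel debugger, crash
# dump, VM introspection). Bit layout is the documented x86 one; the BPM sample
# value below is constructed for the example.

LOCAL_ENABLE = {0: 1 << 0, 1: 1 << 2, 2: 1 << 4, 3: 1 << 6}   # L0..L3
GLOBAL_ENABLE = {0: 1 << 1, 1: 1 << 3, 2: 1 << 5, 3: 1 << 7}  # G0..G3
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}    # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}              # LENn field (10b = 8 bytes on x86-64)


def decode_dr7(dr7: int) -> dict:
    """Return the enabled hardware breakpoints (dr0..dr3) and the global flags."""
    breakpoints = []
    for i in range(4):
        local = bool(dr7 & LOCAL_ENABLE[i])
        glob = bool(dr7 & GLOBAL_ENABLE[i])
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3     # condition field for breakpoint i
        ln = (dr7 >> (18 + 4 * i)) & 3     # length field for breakpoint i
        breakpoints.append({"index": i, "scope": "global" if glob else "local",
                            "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),              # general detect (traps MOV DRn)
        "reserved_bit10": bool(dr7 & (1 << 10)),  # always reads as 1
    }


def looks_like_debugger(dr7: int) -> bool:
    """Method 10's heuristic: anything beyond the always-set bit 10 is suspect."""
    d = decode_dr7(dr7)
    return bool(d["breakpoints"]) or d["le"] or d["ge"] or d["gd"]


if __name__ == "__main__":
    # 0x400: clean DR7. 0x700: LE+GE set, what the text reports after the
    # SoftICE loader. 0xD0402 (constructed): dr0 global, 4-byte write BPM.
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), looks_like_debugger(value), decode_dr7(value)["breakpoints"])
```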

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4Fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004Fh         ; function 4Fh
   push  002A002Ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0F386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
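The breakpoints above catch each trick at run time; the same tricks can be triaged statically before a binary is ever loaded in a debugger, by scanning for the bytes the snippets in methods 01, 02, 03/04, 05, 07, 11 and 12 assemble to. This is an added example, not code from the original post: the patterns follow the instruction forms shown in the text (16-bit encodings for the DOS tricks, 32-bit for the Win32 ones), and the sample blob is constructed here.

```python
# Added example, not part of the original post: a static scanner that flags the
# byte patterns the tricks above assemble to (methods 01, 02, 03/04, 05, 07, 11
# and 12), the way an analyst would triage a packed binary before debugging it.
# The encodings follow the forms shown in the text (16-bit code for the DOS
# tricks, 32-bit code for the Win32 ones); the sample blob is constructed here.
import re

SIGNATURES = [
    # Method 01: mov ebp,'BCHK' / mov ax,4 / int 3 (the 66h prefix sits on a
    # different instruction in 16- and 32-bit code, so it is optional twice)
    ("M01", re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back-door magic values)
    ("M02", re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh (VxD entry point)
    ("M03/04", re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h (debugger installation check)
    ("M05", re.compile(rb"\xB8\x4F\x00\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h (V86 WinICE handler)
    ("M07", re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL)),
    # Method 11: the device names MeltICE opens with CreateFileA / _lopen
    ("M11", re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)", re.DOTALL)),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall (either push form)
    ("M12", re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00", re.DOTALL)),
]


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every signature hit, in file order."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: six of the tricks back to back, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 (32-bit)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02 (Haspinst)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"          # method 04 (SIWVID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # method 12
    + b"\\\\.\\SIWVID\x00"                                         # method 11 string
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```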

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>