找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>" x8 i9 j2 s+ |. l/ i
<TBODY>0 M+ t( Q2 p7 t9 q- h" _
<TR>6 ~  n/ [* O! f$ `- c
<TD><PRE>Method 01
' d- I" `2 i7 g, r0 D4 X=========
/ u5 b9 T  \9 Z9 P
. {; B4 }! r- QThis method of detection of SoftICE (as well as the following one) is) \5 z+ {, ?" R3 \" @; U6 h
used by the majority of packers/encryptors found on Internet.: c4 o5 H; f1 ~& k7 s
It seeks the signature of BoundsChecker in SoftICE& k! O3 l2 E3 v& D, k0 i

# ]( n2 N$ z! i$ {- v( u' A* `    mov     ebp, 04243484Bh        ; 'BCHK'. \8 g, f' O, M- o1 w9 E2 L
    mov     ax, 04h+ h& Q7 A/ q- D/ g- Q+ L
    int     3       # ]5 ^5 u5 P2 _9 j
    cmp     al,40 V# J: P9 t+ G+ m6 E3 G
    jnz     SoftICE_Detected/ ~1 J7 Y: s6 y+ r3 Q

9 a7 l5 g6 T  I7 U___________________________________________________________________________
4 t3 l( k. t0 H3 n, U  ~; X: q7 J5 n4 ]( H2 l. p
Method 02$ i- T5 J5 M  [* U" o$ {6 f
=========0 D& }8 K1 I' c( b2 K- ]! @

7 Q2 y$ G/ r' E$ w6 YStill a method very much used (perhaps the most frequent one).  It is used. |: K# ~1 p4 S" O
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,1 Z9 ~4 ~2 O( n, |% f) T! N# E
or execute SoftICE commands...
3 H' h5 y# ?$ LIt is also used to crash SoftICE and to force it to execute any commands9 Z* h/ e& X) D0 O5 t$ q8 ?4 }1 y
(HBOOT...) :-((  : h+ E* O6 H0 ]; x" Q

9 R. p; r. S' {5 k" h  W7 h% |Here is a quick description:+ `% d# `7 T2 G% l5 Y
-AX = 0910h   (Display string in SIce windows)
" `, p, h( }( w; J2 ~-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)4 B2 W9 j+ y' ~1 `
-AX = 0912h   (Get breakpoint infos)8 c3 W4 D3 _) f
-AX = 0913h   (Set Sice breakpoints)* z. ?, l% j) I, e" U& q0 U# o4 q: S
-AX = 0914h   (Remove SIce breakoints)6 b" z8 s& `6 m
1 l# B; y+ }8 Y' n( i! a& t: ?
Each time you'll meet this trick, you'll see:
$ g# Q6 @! l! Y! t+ j-SI = 4647h% G3 ?; S. v: v
-DI = 4A4Dh
8 ?; X) W2 v* s" S% F6 RWhich are the 'magic values' used by SoftIce., t. w- i5 }! \7 R3 n
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.3 E6 ~; x% ~0 ~& i$ G9 e

* p/ d4 L- q- wHere is one example from the file "Haspinst.exe" which is the dongle HASP6 [" j0 v7 Z2 J2 x8 e( N5 Y
Envelope utility use to protect DOS applications:" M4 z: a! g) f  @  [0 H

/ Z3 _. n* p( O; X7 \1 d7 F. _& Y8 p$ d4 \8 P' ]
4C19:0095   MOV    AX,0911  ; execute command., x" |* d9 h3 z! S1 _2 h
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
% h# ]/ A/ t( u: C8 V$ b& S4C19:009A   MOV    SI,4647  ; 1st magic value.. [7 i+ s6 J: l- D
4C19:009D   MOV    DI,4A4D  ; 2nd magic value., A, v0 J* J  \: q
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)# _% ]  E" p* p' s
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
$ U3 G/ c$ E# U8 x4C19:00A4   INC    CX& a3 i2 a: v/ X) F
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute3 L8 f2 @: ]* i  Y; S( L
4C19:00A8   JB     0095     ; 6 different commands.2 G/ q7 P2 G, S% A, ?$ ]1 q
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
$ o: h* k' K0 S* c) y' z* w- N1 y4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
1 `) ]7 @2 ^/ D1 |2 Q
6 e% r6 m. r4 }The program will execute 6 different SIce commands located at ds:dx, which
9 g! V" b) l, N( |5 Y2 g, \are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! j% d9 J7 t, j/ o

. H3 e1 t$ E* O5 o8 [" n* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
  ?6 w- H2 }; }4 P0 i, w$ J___________________________________________________________________________# ?2 h' O& K) t5 c# N. ~
8 z! f2 |" U# o

" `* f9 _; p$ {# C" vMethod 033 p7 `+ y& d% R2 o' f5 E
=========
8 h0 @0 P, k% u0 r. A. o- [$ A" k- C& l, e6 A# z7 W! }
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h5 H3 a4 c2 @- z1 {( H( g3 Z+ W0 P& z
(API Get entry point)
+ d5 P. o0 r" A- D* h        ' ~; {, G4 @; [% W

% n- d7 |, h& Z5 u( m% {    xor     di,di6 Z8 n: r* ]: D) v# M
    mov     es,di3 S5 b5 r6 J, O* B
    mov     ax, 1684h       . y; i& T. u' F/ M; a( X
    mov     bx, 0202h       ; VxD ID of winice
& A+ u0 [2 l2 `; S" q% V+ c    int     2Fh
6 A! ~. u+ g/ g9 ?    mov     ax, es          ; ES:DI -&gt; VxD API entry point( Z$ A) L; K- N# I5 m4 |4 }) s
    add     ax, di* E+ M2 M; o4 r3 V
    test    ax,ax
; U% E$ E) T7 b/ ~* Z    jnz     SoftICE_Detected0 v9 @2 k' v/ c+ m1 f

+ W6 \( r9 \$ X' M& S: m( l___________________________________________________________________________! S$ B+ P1 s! q0 g% [

& @" F# C+ f" p9 f# OMethod 04  w& Q4 T3 I0 o7 @
=========
+ Y+ |; ~5 ?- B
* o/ e3 A5 H5 R! F# MMethod identical to the preceding one except that it seeks the ID of SoftICE* L1 @9 z( `" @- o  \
GFX VxD.
* C: l6 V0 y6 Y& p3 ]1 b7 s* T! k: B, _- N/ V% X
    xor     di,di
+ a6 q* J7 h. z" G( D4 ?: T. A    mov     es,di) |0 S, V) O, p" @# v  K/ ^
    mov     ax, 1684h      
/ X% y2 ~3 ~2 q* [    mov     bx, 7a5Fh       ; VxD ID of SIWVID& `+ U8 D' I1 }. O, h2 w
    int     2fh9 `! j' f( ]7 _$ j* J% K; o
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: T" P; k+ i4 S: g  e/ y    add     ax, di. C/ B- {' @; \- ~
    test    ax,ax
0 U' Y$ u" `" K* L    jnz     SoftICE_Detected  Y6 ]1 T4 z6 p# C* Q$ M6 X, G

) f) W- @& u. S! r' j__________________________________________________________________________
( g  {2 [3 }2 P; c9 ~3 b
( Q) S$ ?  v: j. p+ ^% u$ E1 a- r
Method 05
" d$ _- W4 x$ u4 ^9 I. n=========9 \3 e7 T% E) x: N  b" O
, O* P' ]  ^& m
Method seeking the 'magic number' 0F386h returned (in ax) by all system8 H; ]$ I7 T2 a; P
debugger. It calls the int 41h, function 4Fh.
6 ^  N. }& g0 C  [8 W- X3 `There are several alternatives.  
* P7 [& o# Z6 J9 M6 z( |( d3 S
0 Y- R8 o" s- @+ nThe following one is the simplest:5 T! m; j8 a* }& R6 K, q
! b* ?8 j4 d3 X$ o; W: ]- H' z
    mov     ax,4fh
/ L5 U; D1 R$ q    int     41h
; \. q+ d- f. [, s" S: F# Y    cmp     ax, 0F386
" s/ x+ K/ e, D% M0 q    jz      SoftICE_detected
/ Y# O4 W1 A! c9 @" X, c5 t7 b/ b
. s7 D: n$ k5 t7 e
* w" F* F# _. d# {& [' F- E( ANext method as well as the following one are 2 examples from Stone's   F$ k8 A( p+ L% t
"stn-wid.zip" (www.cracking.net):" L% ^# i- l* k
) o7 w( f9 X/ T* T0 h. Y/ H
    mov     bx, cs" d5 M" Y& Z4 `0 ?
    lea     dx, int41handler2
9 ^4 w" N1 t9 v' J& _' N    xchg    dx, es:[41h*4]( N( _% t$ J# L7 b3 u+ x% `/ |, Y
    xchg    bx, es:[41h*4+2]
, G: F+ Z$ ^: h: i( y$ u( I; b    mov     ax,4fh( |# S7 M9 I1 S5 D' h0 V
    int     41h3 X/ W; H$ N8 Y+ u
    xchg    dx, es:[41h*4]: w" P. X. k' P
    xchg    bx, es:[41h*4+2]% \: P) d3 y0 ^$ P" c( R
    cmp     ax, 0f386h, N  n5 q) F  ^% K2 l
    jz      SoftICE_detected
  c6 q* D' B2 |+ l/ n( |
  q% w9 \6 X. G* a" nint41handler2 PROC
. v2 M2 _! R* G    iret) s* ^* J5 ?  S! V+ B$ \
int41handler2 ENDP
& y  V: A2 \) f: d' r7 I* g4 S1 q( y& d2 @
: [/ H# v( X% o5 B
_________________________________________________________________________
) I9 j/ ]3 h: F+ T1 A  V7 ?/ g$ F% p( S
5 ]! K( D, E( h4 J) V$ B
Method 06
7 N1 C$ H- R8 r) A=========
3 G8 @1 i6 G. x& _0 \3 U
1 V" x& H  {) j1 E/ \9 U# Z# c6 z, N- L( a. S
2nd method similar to the preceding one but more difficult to detect:
- x% [( X) Z9 N( p! V9 ]3 ^# \
( Z; m, ?, s  b& ]/ d8 @& d' J: u4 S4 s
int41handler PROC
. \3 J1 c, I  E2 M$ h7 V6 t    mov     cl,al
8 c3 E% |' b/ t5 C; U; |    iret
8 s! j, Y/ c# T  D, L, F0 h* Aint41handler ENDP
0 l# Z5 A9 J) Z/ q0 b) Z' t
$ d8 q# d- r" L; R+ E- h& \4 i, l# V5 @* j/ p, w/ P# O- M
    xor     ax,ax
! _5 x* ~$ F1 ]& c' U    mov     es,ax
+ a7 F: W( }% |! J% K. K    mov     bx, cs
6 h: ^, O+ ^0 I9 G$ G& s& G    lea     dx, int41handler" Q8 Y% D: I0 Q* x! I! U' B3 ]( o3 V
    xchg    dx, es:[41h*4]
1 P* f  w; C5 F$ `+ }    xchg    bx, es:[41h*4+2]3 Q2 z! s7 y6 H* L. Y( j
    in      al, 40h$ p, q* y; t- K+ p; `# T& ~- W
    xor     cx,cx
( k/ J: `) K( [8 }! ^. H3 o# Z; a    int     41h, x$ `) B: |% i. N: h+ X5 @' B
    xchg    dx, es:[41h*4]$ I& D% d, y) d1 a9 C
    xchg    bx, es:[41h*4+2]' b+ L& ~" X5 P; ]
    cmp     cl,al
9 a% j1 u( ^: f2 N" v4 v5 u    jnz     SoftICE_detected
4 R, B7 Y, O5 X6 q/ ]  A0 |( e% n3 Q, @5 F9 m3 U
_________________________________________________________________________) H0 E9 E* v$ J- B6 Y
3 a# B1 h! ?8 d7 H& Y
Method 079 P: R2 [# w9 A" U" v2 g
=========
8 g0 Y6 I( O3 S: ]% o) O% t2 q2 N. @3 g: D3 d& q! ^# j, `
Method of detection of the WinICE handler in the int68h (V86)
$ M% ~6 m! j# [! Y" l+ ]" A: L4 O. e( m0 {: s" H% P
    mov     ah,43h
! J' Y6 v; y8 O' ^7 I1 H    int     68h+ m$ ?& d8 A: i$ A$ X6 E
    cmp     ax,0F386h. j0 m1 X9 m' Z* u
    jz      SoftICE_Detected
) h: f5 F' C: c3 f7 F6 O5 r$ F" b# F* p6 P+ i  \; d" u
2 t# y& p4 k+ T/ ^, j
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit8 U# E1 i5 @4 c& x6 y. G
   app like this:+ F+ G3 N' P$ M' Z$ @/ g* D

, G2 I* W! W+ B  V0 v( Z   BPX exec_int if ax==68" |# e2 L+ K0 Y2 X- j3 E3 D
   (function called is located at byte ptr [ebp+1Dh] and client eip is# m8 a; g4 l/ `4 i8 T, ?( O) F. |
   located at [ebp+48h] for 32Bit apps): ^: H$ f. v! z- Y, P5 H$ q4 V) e
__________________________________________________________________________
9 z# G0 }/ y1 h# r. n( T
0 l8 j9 v6 D" Y# j! A- R
' q9 }9 S/ a  l. N1 CMethod 08
) j( ]" i; F% W. R+ j, E=========
* ]$ p# }; X$ A6 ]" t4 F  f; f  N% h4 l& v9 {* j' |
It is not a method of detection of SoftICE but a possibility to crash the
% {+ q' @2 v2 m2 J8 ^$ gsystem by intercepting int 01h and int 03h and redirecting them to another
& B+ u- _+ d! e3 a5 J& {routine., X1 l( {- g/ a
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
- F6 D/ ~, b% O1 c7 D9 U' `to the new routine to execute (hangs computer...)
+ {! E9 o7 S' r) |3 w; J9 R: e
  h# V# Z) \" ?% X) z8 p    mov     ah, 25h
& X8 @& P2 C# \! y& Q: x    mov     al, Int_Number (01h or 03h)3 q: W. P! S+ I2 H$ Z2 ?& M$ [
    mov     dx, offset New_Int_Routine3 ~; d# O9 ^3 _8 G  t
    int     21h
  q- x% f) t" r4 O3 J2 R, A
4 U  x/ ^3 Y8 s& P__________________________________________________________________________
$ z7 V1 h7 `" ]) e1 t/ Y" z1 i
3 l6 q/ M" M( ~$ D9 y. Q4 GMethod 09
3 Y0 ]! _* \# j# l* u& z+ ]7 j=========
: t" y. W1 ~: C$ m. @# B, ?' X: o, v0 B1 _% E  x
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only& p) Y$ o; D" z; H
performed in ring0 (VxD or a ring3 app using the VxdCall).: P) \  l- U4 ~# W. u) d" }
The Get_DDB service is used to determine whether or not a VxD is installed$ X/ Q) U9 O: H: I' d& x
for the specified device and returns a Device Description Block (in ecx) for
1 @9 @9 a9 Y- f. tthat device if it is installed.
0 i% _3 P+ G: J& M0 |2 h
3 j$ d# A- J& Z% T   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
3 C" \" W- H" b$ ^! h. K% q) \: x   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)# n  S) y' S3 v
   VMMCall Get_DDB
0 y9 @1 S5 c. _0 w& w6 p   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
" V7 H/ m* s$ \! b, y
* ?/ z2 l' L0 z: I% ~  r8 oNote as well that you can easily detect this method with SoftICE:1 O* A* e+ g& @  W
   bpx Get_DDB if ax==0202 || ax==7a5fh
# t0 ?1 @& |% ^% Y& T4 S& n+ g% ~# l$ T( ?& b! T0 j. h/ G/ M
__________________________________________________________________________! ?# f) g/ N5 R9 \

7 H- S, \0 _3 YMethod 10
3 ?1 Y: @6 _& l5 a& n/ f=========  X9 f. v6 F1 Y
& M5 D, Y( K) B. ^/ p" {8 y$ B
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with5 R  y/ i8 Z5 Y3 w. Y% \
  SoftICE while the option is enable!!' J; b% x8 n0 E) K
' u. j5 O1 [6 r% H# k
This trick is very efficient:
6 D) T1 A1 u9 V. _1 N+ Fby checking the Debug Registers, you can detect if SoftICE is loaded
' u* Z" k8 m& ]; V( A7 b(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if' s6 Z3 x5 S) ]  q" }4 |1 ]4 U
there are some memory breakpoints set (dr0 to dr3) simply by reading their8 i3 ?, ^. X% h# {+ P% L
value (in ring0 only). Values can be manipulated and or changed as well
" R/ g# |6 q: T(clearing BPMs for instance)
/ \: f# M" E4 Q1 f3 S& o8 c! j% s; C* T" O; f( _" {. f
__________________________________________________________________________! w( y( \/ v. p7 I
4 v+ C7 l. N' J1 ^+ h) r. \
Method 11' ^! ]- \% l1 {0 d
=========2 p* e: V" Z7 @

7 S* Q4 n( Y8 [* i- ?' |% lThis method is most known as 'MeltICE' because it has been freely distributed" Q9 W, E5 U7 m6 s
via www.winfiles.com. However it was first used by NuMega people to allow. Z- h! b" a0 I9 _) `* P
Symbol Loader to check if SoftICE was active or not (the code is located3 U/ \7 G9 [% Q0 U9 F
inside nmtrans.dll).* N; l: O% K4 E- H! Q

  |7 g: ^6 I! E0 |: SThe way it works is very simple:* Y# t& u! P& C' f" x
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. u) [4 t) m9 @0 K8 QWinNT) with the CreateFileA API.) @; E/ W) c3 g! g. M% Y

2 X: c' g& Y0 P/ A+ f1 jHere is a sample (checking for 'SICE'):  o8 i7 D8 X4 M) j
6 s/ e; y7 |6 Y4 u
BOOL IsSoftIce95Loaded()1 o9 a. M0 [0 |, R5 O
{* g% w' ?% C) [7 g3 K
   HANDLE hFile;  - v7 U7 g) X1 s2 i- U. W/ o6 P" h
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,+ b4 D. }7 m: k" E5 t
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
3 w& g' c4 r4 h( _& c" _% q# a. r                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ g# H5 C# c) i3 F$ X; n  i   if( hFile != INVALID_HANDLE_VALUE )
" Y2 M3 m6 @+ y   {+ i" T8 s- Y- ^  e' ]5 w
      CloseHandle(hFile);
0 f6 p# O( N: {% L% @$ y      return TRUE;' |2 @$ Q/ |2 I+ l, k% z$ \5 L9 e8 F
   }/ D; h. P- L) e
   return FALSE;
- L% l5 ~! f; `& ~1 s4 [}
. {  u: N$ V0 b* {! F. g4 H
, M2 S2 u) R: MAlthough this trick calls the CreateFileA function, don't even expect to be6 ?' X0 T7 S0 X9 P
able to intercept it by installing a IFS hook: it will not work, no way!
  `5 G  V( D+ t8 A/ [9 eIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
' O2 Y5 s, ]2 m. v8 a4 nservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)0 i! P& ?' O" P- a) B7 d5 ?
and then browse the DDB list until it find the VxD and its DDB_Control_Proc/ W  W7 C7 ?4 R) f- l
field., O+ x8 q2 X: D6 B. v+ f
In fact, its purpose is not to load/unload VxDs but only to send a % I4 Z- y% L8 j
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 _9 R- L2 s6 h6 |" p* n4 nto the VxD Control_Dispatch proc (how the hell a shareware soft could try( F6 M8 y# A* C4 O4 M6 h9 Y
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
$ b6 [6 X& X% j3 a" a' @+ oIf the VxD is loaded, it will always clear eax and the Carry flag to allow
7 d7 x! f' G1 I3 c( bits handle to be opened and then, will be detected.1 d5 X3 q2 w. \2 F" X) ?5 P
You can check that simply by hooking Winice.exe control proc entry point0 F; J8 w/ g+ N! o6 v0 o8 [
while running MeltICE.
  i  U% k2 c8 [$ _0 j+ m3 }* B
( c4 ~* M. V2 l/ x
. x) c) s1 P' s) A  00401067:  push      00402025    ; \\.\SICE
5 P* y& ]% [- K0 g/ _- @  0040106C:  call      CreateFileA) u( D. e8 x, |+ b4 m% q' e/ d8 A
  00401071:  cmp       eax,-001  v$ ]$ a* [- K5 u
  00401074:  je        00401091
' s) L* h; J% ~7 W* M5 X$ b: q
3 @4 f2 e6 c7 r! l! W) H3 N" v  h0 f; W  {! a. z) k
There could be hundreds of BPX you could use to detect this trick.
0 g) F3 ~% s2 Q' Y3 Z* P* T-The most classical one is:0 t1 y( _9 k& _0 _- a- P
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||9 ~# e1 n& h' x
    *(esp-&gt;4+4)=='NTIC'9 y+ ?' D5 U* h5 Y( C! x, s, ^
0 ]2 ~) V2 W; R8 P
-The most exotic ones (could be very slooooow :-(
  L, r) P; W* U) v" {* h! B0 O0 ?+ X   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  " Z0 f  [, n+ c4 J; `
     ;will break 3 times :-(
9 O8 [) s% B5 o: a% p1 _, X0 o8 Z3 y" W9 L8 I+ J3 V
-or (a bit) faster: : z6 f' r% E5 D8 ?' U  `
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): d7 P+ F$ A6 K4 r$ j! w

# P7 m- s/ d( Y: P   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
  h1 Q: J4 H) P     ;will break 3 times :-(
+ r. g# E6 T- ~* q& g/ Q& @6 G8 z2 ?1 w$ S) R; R4 s+ |2 R: C2 U- K1 x
-Much faster:
7 j, |3 Z4 D0 A* E   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
* `+ K# T* _9 _) g
1 f% p; I: v) r, s. m2 S* cNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
; o3 s: Z; A, [3 Q# x0 D  E/ L: rfunction to do the same job:5 f( I  b# ]7 b  Y
2 x' q* \% e) p+ J
   push    00                        ; OF_READ* M; q$ p) S! D5 U* D* U% t
   mov     eax,[00656634]            ; '\\.\SICE',0
& O, Y: Y0 k/ @' x3 [' t. X   push    eax
! @5 D1 T" b& N/ L/ j6 Z   call    KERNEL32!_lopen/ ~5 a/ z/ x" a( U/ j* Q9 s$ I
   inc     eax" w# I. P. P+ [- |& ~$ l1 T
   jnz     00650589                  ; detected
9 w2 w5 F, ~8 {* j   push    00                        ; OF_READ; _7 ]( ], g( K  _) s0 v( `
   mov     eax,[00656638]            ; '\\.\SICE') O' ^% c) g; u- N! V; X5 q
   push    eax
" ~7 u# t& ~2 I. E' m6 M: I   call    KERNEL32!_lopen5 C2 A4 M6 o, a: b& K
   inc     eax+ |  e% J( g5 U7 T
   jz      006505ae                  ; not detected
. F% |4 n0 }! c: X! g- h' O) q* b8 V$ w4 W5 t

  c" c; q. q+ k4 G1 d% Q8 f__________________________________________________________________________1 b  o4 B  `5 H
* a5 t9 f; S' R7 _* P% O
Method 12$ y9 \5 m5 I$ i: h4 F/ @
=========6 v: {! C5 D0 N7 U+ B

5 u8 I$ v0 y) V- J5 Q- u2 RThis trick is similar to int41h/4fh Debugger installation check (code 05, e6 M4 w' P+ ]3 a; c9 |
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
5 x% J) Y5 a) L8 n# o! h$ nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 R' p: c' S: b2 i& g1 S: o' D

8 i3 s' a# c1 c   push  0000004fh         ; function 4fh
( i+ E  O8 p, }8 y9 y5 Z4 F9 Z! ?   push  002a002ah         ; high word specifies which VxD (VWIN32)2 b7 P% W, E$ ^: ^
                           ; low word specifies which service
8 A! _9 Q! M8 w7 S# [/ A2 b. f                             (VWIN32_Int41Dispatch)
8 L$ w! p5 k7 a  L9 f   call  Kernel32!ORD_001  ; VxdCall+ k0 [- y8 n& X5 g' }
   cmp   ax, 0f386h        ; magic number returned by system debuggers, k( H* t; K( e- T
   jz    SoftICE_detected" D% v" J2 C1 d7 }+ Q- K; i9 e

& C- ~- \% K2 u) fHere again, several ways to detect it:
  q- |4 E& q* Y* r! r
* V5 v9 h& E$ b. I+ V    BPINT 41 if ax==4f
+ \7 q$ p: C% P6 h# C+ C# ~
1 K% H! a4 y0 b    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one& h& }5 D3 G5 e2 e
0 ?# Q' N9 r2 {2 J$ u, Y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
& K( W1 S  ^. ^; K5 J  H# o& u- F- d+ h/ V7 A
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
  M8 O2 U& e( q& L9 j; W$ y) ?
1 j( I3 \! v! n# y! A8 ]: w& O__________________________________________________________________________
, h0 f5 T7 C" h. {9 S8 v: M) C1 B; a/ f/ c
Method 13
7 _8 \( ~/ x* z& o=========! a) @" j1 _, ]+ H

8 `  g9 |" R& I" fNot a real method of detection, but a good way to know if SoftICE is
. b! B. R7 p% R! V+ N8 A  ~installed on a computer and to locate its installation directory.
$ `: [) N( W) x, i. SIt is used by few softs which access the following registry keys (usually #2) :) ~2 \+ D$ X% H! C# K. q" K% H
4 Q# X/ ~/ G8 h+ s2 e7 I' U
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# ]  I! Y- y! r" [1 z
\Uninstall\SoftICE4 a* f+ M0 R0 R2 b, `) \& a1 X
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE) q/ q; h/ o5 J4 p/ @7 Y& v: F! D
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& R: y' s0 @/ W6 P# w\App Paths\Loader32.Exe; m2 k* b. W/ \, g+ R; U

8 p, |! C- r. ]% K: e; H
: e1 @& I, l& l6 |" a0 L- q; W  y4 bNote that some nasty apps could then erase all files from SoftICE directory
2 E3 G# h+ Y  `3 t+ e(I faced that once :-(0 |9 I# l) P2 s. b
) G& H7 y& E# x; J( m  S2 F
Useful breakpoint to detect it:9 ^/ Y5 u8 q* ?& ^* Q# S1 D
( _9 Q! B  q: Y/ z/ w" j9 Y
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
$ r. J' n, B* ~% A; R
# p5 e3 [6 P! \) }__________________________________________________________________________
. L9 m3 H0 o4 h, i5 I, c  N2 C9 n% E4 H% c' |; R: r

/ v3 R8 f4 |1 M- t1 oMethod 14 * `$ X: }3 i2 h/ ]- x6 }1 I! {; x6 i
=========
0 X0 {0 ^1 v2 y' _! O4 Q, A1 k0 M$ s$ s8 y! x( ]9 }9 V
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
: j* T( T7 E2 N) X- Cis to determines whether a debugger is running on your system (ring0 only).
- f4 |8 B2 a6 a" B5 x6 ]) B) S2 ?9 N* c- Y0 O# p
   VMMCall Test_Debug_Installed  N1 m% C/ i  A% O7 n8 e
   je      not_installed
( v; A2 g+ j4 I) A: p  Y
, G6 t1 i& S4 r  ]- v' h4 SThis service just checks a flag.( C+ J9 ^! i: a; |; r; L
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 14:05

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表