About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; es must address segment 0 (the IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

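Method 10 reads the debug registers as raw numbers. The Python below is an added example, not part of the original text: it decodes a DR7 value into its enable bits and the per-register condition/length fields (layout as documented in the Intel SDM), so the two values quoted above (0x700 from the SoftICE loader, 0x400 otherwise) can be read field by field and any armed dr0-dr3 slot shows up by name. The values with a hardware breakpoint armed are constructed for the example.

```python
# Added example: decode an x86 DR7 value (Method 10 of the text).
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2*i   : L<i>  local enable for DR<i>
#   bit 2*i+1 : G<i>  global enable for DR<i>
#   bit 8     : LE    local exact breakpoint enable
#   bit 9     : GE    global exact breakpoint enable
#   bit 10    : reserved, always reads as 1 (hence the bare 0x400)
#   bit 13    : GD    general detect (trap on any MOV to/from a DRx)
#   bits 16+4i..17+4i : R/W<i>  condition for DR<i>
#   bits 18+4i..19+4i : LEN<i>  size for DR<i>
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and a list of armed dr0-dr3 slots."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        if local or glob:
            armed.append({"reg": f"dr{i}",
                          "scope": "global" if glob else "local",
                          "cond": RW_NAMES[rw],
                          "len": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "armed": armed,
    }


def matches_loader_value(dr7: int) -> bool:
    """The heuristic stated in Method 10: 0x700 (LE and GE set) vs 0x400.
    Only the LE/GE bits are compared, so slots armed at the same time
    (e.g. a BPM in dr0) do not mask the result."""
    return (dr7 & 0x300) == 0x300


if __name__ == "__main__":
    # 0x700 and 0x400 are the two values quoted in the text; the other two are
    # constructed: G0 exec breakpoint (0x402) and L1 4-byte write watch (0xD00404).
    for value in (0x700, 0x400, 0x402, 0xD00404):
        print(f"dr7={value:#x}: loader={matches_loader_value(value)} {decode_dr7(value)}")
```

The decoder is what an analyst wants next to a raw dr7 dump: the quoted 0x700 differs from the reset value 0x400 only in LE/GE, while a SoftICE BPM shows up as an enabled slot with its condition and width.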
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
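The checks in Methods 01, 02, 05, 11 and 12 all leave fixed byte sequences in a binary: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 41h/4Fh pair, the \\.\SICE / \\.\SIWVID / \\.\NTICE device names and the 002A002Ah VxDCall constant. The Python below is an added example, not code from the original text: a small static scanner an analyst can run over a sample to flag those sequences before stepping into it with a debugger. The instruction encodings assume 16-bit real-mode code for the DOS tricks and 32-bit code for the Win32 ones (a 66h operand-size prefix in front of the mov is tolerated because the match starts at the opcode byte); the sample blob is constructed inline.

```python
# Added example: static scanner for the SoftICE-check byte patterns described in the text.
import re

# Each entry: (name, compiled byte regex, note for the report).
# Immediates are little-endian, so 'BCHK' (4243484Bh) is stored as 4B 48 43 42.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (BD imm32 ... CC)
    ("BCHK int 3 check (Method 01)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL),
     "mov ebp,'BCHK' followed by int 3"),
    # Method 02: mov si,4647h ... mov di,4A4Dh   (16-bit: BE imm16 / BF imm16)
    ("SoftICE back-door magic values (Method 02)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL),
     "mov si,4647h ... mov di,4A4Dh"),
    # Method 05: mov ax,4Fh ; int 41h   (16-bit: B8 4F 00 CD 41)
    ("int 41h/4Fh debugger check (Method 05)",
     re.compile(rb"\xB8\x4F\x00\xCD\x41"),
     "mov ax,4fh ; int 41h"),
    # Method 11: driver names handed to CreateFileA / _lopen
    ("SoftICE driver name (Method 11)",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
     "\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE string"),
    # Method 12: push 4Fh ; push 002A002Ah   (6A 4F or 68 4F 00 00 00, then 68 2A 00 2A 00)
    ("VWIN32_Int41Dispatch VxDCall (Method 12)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
     "push 4fh ; push 002a002ah"),
]


def scan(blob: bytes) -> list:
    """Return [(offset, name, note), ...] for every signature hit, ordered by offset."""
    hits = []
    for name, pattern, note in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), name, note))
    return sorted(hits)


def report(blob: bytes) -> str:
    """One line per hit, offset first, for a quick triage listing."""
    return "\n".join(f"{off:#08x}  {name}: {note}" for off, name, note in scan(blob))


# Constructed sample: the sequences from the text embedded in NOP/zero filler.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"                 # mov ebp,4243484Bh         (Method 01)
    + b"\x66\xB8\x04\x00"                     # mov ax,4
    + b"\xCC"                                 # int 3
    + b"\x3C\x04\x75\x10"                     # cmp al,4 / jnz short
    + b"\x90" * 4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"         # mov si,4647h / mov di,4A4Dh / int 3 (Method 02)
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                 # mov ax,4fh / int 41h      (Method 05)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"         # push 4fh / push 002a002ah (Method 12)
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"      # driver name strings       (Method 11)
)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The byte patterns are deliberately tight (an exact immediate plus a short window to the following int 3), which keeps false positives low on real code; the same table can be extended with the int 2Fh/1684h pairs of Methods 03 and 04 in the same way.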

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>