About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a (quasi-)random value from the timer
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless SoftICE took the interrupt first
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the driver answered the open request: SoftICE is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPXs you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
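As an added example that is not part of the original post: a small Python triage script that encodes the byte patterns of methods 01, 02, 03/04, 05, 07 and 11 above as regexes over raw bytes, so an analyst can see which of these anti-SoftICE tricks a packed binary carries, and at which offsets, before stepping through it. The sample blob is constructed from hand-assembled fragments of the snippets above; the encodings assume the snippets are assembled either as plain 16-bit code or as 32-bit code with a 66h operand-size prefix.

```python
import re

# Wildcard: up to 8 bytes of unrelated code between the characteristic instructions.
GAP = rb".{0,8}?"

def _sig(*parts):
    """Join instruction byte patterns with the wildcard gap into one compiled regex."""
    return re.compile(GAP.join(parts), re.S)

# (method label, byte regex). A leading optional 66h covers 16-bit register
# operands in 32-bit code; without it the bytes are the plain 16-bit encoding.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3
    ("01 BoundsChecker 'BCHK' int 3",
     _sig(rb"\x66?\xBD\x4B\x48\x43\x42", rb"\x66?\xB8\x04\x00", rb"\xCC")),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (the back-door magic values)
    ("02 back-door int 3 (SI=4647h, DI=4A4Dh)",
     _sig(rb"\x66?\xBE\x47\x46", rb"\x66?\xBF\x4D\x4A", rb"\xCC")),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD ID (SICE or SIWVID)",
     _sig(rb"\x66?\xB8\x84\x16", rb"\x66?\xBB(?:\x02\x02|\x5F\x7A)", rb"\xCD\x2F")),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05 int 41h/4Fh magic number F386h",
     _sig(rb"\x66?\xB8\x4F\x00", rb"\xCD\x41", rb"\x66?\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", _sig(rb"\xB4\x43", rb"\xCD\x68")),
    # Method 11 (MeltICE): NUL-terminated driver device names passed to CreateFileA/_lopen
    ("11 MeltICE device name", _sig(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]

def scan(blob):
    """Return every (offset, label) hit found in blob, sorted by offset."""
    hits = []
    for label, rx in SIGNATURES:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    return sorted(hits)

# Constructed sample: hand-assembled fragments of the snippets above, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # method 01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Haspinst loop, SI/DI at 26
    + b"\x90" * 2
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"                   # method 05 at 35
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # method 03 at 49
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                      # MeltICE names at 57, 66
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  method {label}")
```

Run it over a dumped code section rather than a packed file; the patterns only match once the protector's code has been unpacked in memory.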