About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature check built into SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE recognises the BCHK request
    cmp     al,4                   ; AL is untouched (still 4) if nothing handled it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command -the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point (0:0 if no such VxD)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to be 0 (interrupt vector table) here; Method 06
    ; sets it explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax alone; only a debugger
    jz      SoftICE_detected        ; intercepting int 41h below the IVT answers 0F386h

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the timer
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int (cl stays 0)
    jnz     SoftICE_detected        ; (a timer byte of 0 gives a false negative)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                         ; DOS: set interrupt vector
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine      ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* The open only succeeds if the SICE VxD is loaded and answers the
      DIOC_OPEN message sent to its Control_Dispatch proc (see below). */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).


   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
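As an added example (not part of the original post, nor of any tool it mentions), a Python scanner that looks for the byte patterns of the tricks described in Methods 01, 02, 03/04, 05, 07, 10, 11, 12 and 13, so an analyst can flag which ones a protected binary carries. The opcode encodings are the standard x86 ones (an assumption stated in the code); the sample blob is constructed from them, not taken from any real program.

```python
import re
import sys

# Byte signatures for the anti-SoftICE tricks listed above.  Assumed encodings:
# the standard x86 ones (B8+r = mov r16/r32,imm; CD ib = int; 66 = operand-size
# prefix; 0F 21 /r = mov r32,DRn), so they hold for 16- and 32-bit code alike.
SIGNATURES = {  # "method description": pattern over raw bytes
    "01 'BCHK' request (mov ebp,04243484Bh)": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    "02 back door magic SI=4647h/DI=4A4Dh + int 3": re.compile(
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,8}?\xCC", re.DOTALL),
    "03/04 int 2Fh/1684h, VxD ID 0202h or 7A5Fh": re.compile(
        rb"\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    "05 int 41h/4Fh (mov ax,4Fh / int 41h)": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    "07 int 68h/43h (mov ah,43h / int 68h)": re.compile(rb"\xB4\x43\xCD\x68"),
    "10 read of DR7 (mov r32,dr7)": re.compile(rb"\x0F\x21[\xF8-\xFF]"),
    "11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "12 VxDCall VWIN32_Int41Dispatch (push 002A002Ah)": re.compile(rb"\x68\x2A\x00\x2A\x00"),
    "13 NuMega registry key": re.compile(rb"NuMega\\SoftICE"),
}


def scan(data: bytes):
    """Return (offset, method) hits, sorted by offset, for every signature found."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data: bytes):
    """Sorted list of the method numbers (as numbered on this page) that hit."""
    return sorted({name.split()[0] for _, name in scan(data)})


# Constructed sample: the encodings of the snippets above stitched together with
# NOP padding; it is not taken from any real protector or binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                      # mov ebp,04243484Bh
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"              # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h / si / di / int 3
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # mov ax,1684h / bx,202h / int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"          # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x0F\x21\xF8"                              # mov eax,dr7
    + b"\x90" * 4
    + b"\x68\x2A\x00\x2A\x00"                      # push 002A002Ah
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"           # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"             # registry key path
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, name in scan(blob):
        print(f"{offset:08x}  method {name}")
```

Run it with a file argument to scan a real binary; without one it scans the constructed sample.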