找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>* R2 D9 k8 ?$ Y9 F' O  e% b2 T' b3 J3 q
<TBODY>2 v0 W! Z; b6 P" z& I1 W! V; l' H
<TR>
  |# W, U, ]" o& s- {* ^<TD><PRE>Method 01 3 L& ~" ~4 r/ @3 J
=========
9 n2 q! R; l; F4 ~; t
* G+ A  e+ V, F' |5 E; dThis method of detection of SoftICE (as well as the following one) is
$ U- Y6 Z# U5 i$ f+ zused by the majority of packers/encryptors found on Internet.
0 C% ]2 W6 u0 X2 D& B; h$ `It seeks the signature of BoundsChecker in SoftICE
+ f4 V( l0 i& I/ m8 q( E1 h, L) E- Q4 Y, `% D
    mov     ebp, 04243484Bh        ; 'BCHK'
6 f9 f( P. c9 [* p( c    mov     ax, 04h+ r" c% e8 E1 A  g9 x) F' q) n" U
    int     3       ) h; x  M& s7 D# M& b
    cmp     al,4
  N& W  I/ {) ~6 s    jnz     SoftICE_Detected& q- m% }5 p  d4 g+ ?
% Y& y1 z) u: m7 d$ Y) e
___________________________________________________________________________. j6 ]6 b. ~/ f. X. V) Z* u1 Z* ]! o' x' N
) d+ C0 ^  ?. V: l5 a  h
Method 028 |/ E' w# g9 Q( T1 [. [1 y+ Q" b
=========4 l- Y/ R, _5 y
) Q: ?2 v  e! e  U7 q5 D, q
Still a method very much used (perhaps the most frequent one).  It is used
9 }' v! Z& J3 m* qto get SoftICE 'Back Door commands' which gives infos on Breakpoints,3 b7 d: [0 D% z- g
or execute SoftICE commands...' w( C; q5 F  ^' S& N  ~1 i
It is also used to crash SoftICE and to force it to execute any commands
3 z! ~5 v0 a! p% C" f) R: B(HBOOT...) :-((  7 M" R' ]/ u, |  Z" w8 E) a

( a5 K! _3 m% Z/ g4 G! gHere is a quick description:
8 X" j5 x' E4 D$ V( H2 j-AX = 0910h   (Display string in SIce windows)
. O' h) ~8 U  d$ P% G3 D-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)9 |5 e+ H2 ?2 U! W- i
-AX = 0912h   (Get breakpoint infos)
3 Y; C( X4 U$ R. p. d. p& N. b9 y-AX = 0913h   (Set Sice breakpoints)! K" S. I8 k' h
-AX = 0914h   (Remove SIce breakoints), n* E* q( Q9 l) b) R% q1 p% j, c; e

; m- ?" t$ }6 L: n" B) U: oEach time you'll meet this trick, you'll see:
- `2 U4 M1 l, O6 b-SI = 4647h. d6 M$ G- B2 X$ c8 Z" N
-DI = 4A4Dh
1 w$ H# X* l% h5 O; a7 e$ a( A( XWhich are the 'magic values' used by SoftIce.
( I' h: {. a/ |/ \" n5 f4 kFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% K( r0 M7 }% G3 ~/ h; k4 `5 o* A0 @; ^
Here is one example from the file "Haspinst.exe" which is the dongle HASP
; q6 L" j7 @4 Y4 k5 p$ ~Envelope utility use to protect DOS applications:
: F7 V5 h1 ^4 P0 d) \! H; w! u( i* L! K

* ]3 D/ |. v1 f' ~4C19:0095   MOV    AX,0911  ; execute command.! ?; h( v1 ^: ]4 C% z  I. A5 Z
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).! S; _( ]0 q" E* e) P
4C19:009A   MOV    SI,4647  ; 1st magic value./ i* M$ Z& r, x$ B+ A
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.6 `7 a& L; n6 U4 O; |8 y
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)4 [+ U! m1 s. U& a8 J. e- O& [
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
6 b7 N" K8 _* z& e: G! Z9 j4C19:00A4   INC    CX
0 f! K% B7 w4 `- H  a* Z  X4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute, N7 I% ^3 }. s& y- S
4C19:00A8   JB     0095     ; 6 different commands.' R7 q: M7 r* ]4 F$ w
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.: b7 ^3 Y+ u+ m" e$ O, m4 l
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
4 p. @5 O$ @  y$ b# V& u3 Y( y* g
The program will execute 6 different SIce commands located at ds:dx, which
( k# F% z) j9 y! i$ kare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.0 p( c0 a* l/ f2 }8 v& t; n; i

! @+ c: Q" ]8 I# h; t" n0 c* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.6 t) f( ~( B, O! I& |
___________________________________________________________________________
, Q2 P! N, E: i+ A+ h$ B: h
9 |8 y# q% `) r' Z5 g6 z4 O  @4 V. B) [5 B, k' y
Method 03
' ^# N! n3 Z, `- e9 K=========
3 O2 E3 \7 V  F& a0 n! u  _
. x" [& b; T/ i. K) y" {: ~, dLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h/ N9 k5 ?& w# M" z$ Z
(API Get entry point)7 X- |: @" [* P1 m
        
& \' \' n' B, D, ^4 u1 ?$ r
% K9 s6 F2 S! W; Q9 u+ A' Y    xor     di,di+ s$ E: \  @& k$ j3 c+ W& ]; n% Q
    mov     es,di- G) W% R# C  @/ f) {6 }; f- N
    mov     ax, 1684h      
" x: `8 O& {! v! A! p1 h    mov     bx, 0202h       ; VxD ID of winice
9 h& z. c! j; [3 A; E    int     2Fh! [0 }+ l8 T' c0 l! u
    mov     ax, es          ; ES:DI -&gt; VxD API entry point' v- }) e- ~4 v
    add     ax, di
) V5 _# W* \1 d: C6 j& y    test    ax,ax. s) X$ F( f, W& i  h
    jnz     SoftICE_Detected
. H1 M4 G2 z; l" R% @5 e
3 G2 H: J4 h6 Z" [$ ^___________________________________________________________________________5 @" `+ J8 C" ?

: p! Z0 R& E4 Z/ o  p& s( XMethod 043 r2 W- A# n- n- o. @; I
=========7 c% {2 p5 t& ]  G
& F+ l% _6 J6 H. b! K6 P4 I% Y5 S) r
Method identical to the preceding one except that it seeks the ID of SoftICE
7 W- v2 z- n) ]' I& g" z: OGFX VxD.
7 f1 P2 b6 X- a0 L* u6 ~' f- u0 S1 L, v) V1 i5 G& K# q: P
    xor     di,di2 `$ p3 {7 }: {5 J( R3 _( {
    mov     es,di# _$ _6 v& z7 @& t) [6 k
    mov     ax, 1684h      
- k7 G7 D8 {4 u" s' @) V3 q    mov     bx, 7a5Fh       ; VxD ID of SIWVID
1 M5 f/ d- A0 N. I    int     2fh6 b8 j" Q' N' P& J
    mov     ax, es          ; ES:DI -&gt; VxD API entry point( y1 u( {9 L# c* f2 w; w+ Q
    add     ax, di
1 w7 d% k  p" i# K2 r: ]# D    test    ax,ax
. Q# K. C" J* t- E& Q, j* M    jnz     SoftICE_Detected$ V+ d, B- T# T

* Y1 r" ^: x6 T6 z__________________________________________________________________________
! S$ q5 `6 g% Z  `0 d
9 f" b' S, T) R9 j( N, S9 ~' x! j" C0 }3 n9 v
Method 05# |; l0 k& ~" ]8 f* `
=========
; X$ q' |! i9 M2 R, ^! ?; }
0 o& ~( E& O' H; G4 z1 G7 u. [Method seeking the 'magic number' 0F386h returned (in ax) by all system
. p8 ^/ @( P( o+ adebugger. It calls the int 41h, function 4Fh.
2 M! K/ @0 x5 AThere are several alternatives.  6 f3 r6 ~9 M4 _. |5 R
* W2 R# ]. F1 t% V7 [7 p% u
The following one is the simplest:
9 ^! g' N: D, t; D4 h" Z. X7 X. ^7 b
    mov     ax,4fh
+ ?4 {* Q( e  E  \    int     41h
- S3 F+ D( I  C& g9 j7 Z$ C    cmp     ax, 0F386
9 n6 n, q. h! f( h    jz      SoftICE_detected
6 k: y4 v7 p7 K' ^: g
( A4 O* O: B# S8 w. z9 a/ g# m7 U" y4 Z6 F
Next method as well as the following one are 2 examples from Stone's 1 e1 A0 J% X$ F
"stn-wid.zip" (www.cracking.net):
& T! X0 G! h& N+ B+ L* ?
( c! a) k8 r9 x  j3 `/ H$ E    mov     bx, cs# @# P1 P( y5 y( m, f
    lea     dx, int41handler2
2 Q  @1 P  ~" e# p' o    xchg    dx, es:[41h*4]/ G9 ]% j, ~8 S1 F% I
    xchg    bx, es:[41h*4+2]& }9 e3 N- P, {' K5 P
    mov     ax,4fh
$ o' D; V+ Y6 @8 n, p+ {  g6 c! J    int     41h
! G" P4 R3 a, @* ?3 G3 k5 B    xchg    dx, es:[41h*4]
' N+ W8 |8 h0 g    xchg    bx, es:[41h*4+2]5 T" _, m) `+ E" Y
    cmp     ax, 0f386h% M# `: W7 ~( ~5 X4 d, d( I, X
    jz      SoftICE_detected  g) o+ W* e8 y# S! q2 m3 r
7 A& n, W0 C8 `2 W1 ?
int41handler2 PROC
1 W# ^1 v9 Q+ n$ L* `9 d& ?9 \& N1 \    iret
4 a6 l' ]5 K9 R' U" ]int41handler2 ENDP; I6 I% L# |' H
2 q! ]: V* ~5 I6 |

. P8 r4 I# j$ G- i1 N$ v' G_________________________________________________________________________
' b5 C6 Y+ F" j" K8 P/ s$ C9 ~6 J  `3 i; S
% v& Z3 K) K1 y, j  I4 Z
Method 06
( X; ^* R% W1 l1 h5 n  Y& w=========' A. e6 M8 I6 z" j$ B' J

0 w' K) l/ {4 n/ `0 |2 s: |. X) K" t0 Y. q
2nd method similar to the preceding one but more difficult to detect:, U$ A5 @: b! R  O' ]
' r: h4 C% f. z! x0 q) G- }; M
& }2 v! I0 H- b; v
int41handler PROC$ c% M& u: n4 N" y% E- c" @' ~
    mov     cl,al9 X6 f+ D( ^9 `. p: S7 A
    iret! l) K# w' r% v- f- A6 Z! {" I) F* `
int41handler ENDP
6 k! D- U5 q9 E, S7 X: A  ~* o* d/ t) N% D' s8 r+ n& Q
' r' r$ |1 `7 K5 |* o  X% j
    xor     ax,ax
, Z) s5 [$ h' W    mov     es,ax) S$ ^7 l9 Y5 \
    mov     bx, cs
% r* p- {, F1 B6 o/ B1 f( O5 N    lea     dx, int41handler, d! ^8 S) q8 _2 v, z2 `
    xchg    dx, es:[41h*4]: a, T" v4 _$ j# d& S: u
    xchg    bx, es:[41h*4+2]
' Z6 d* L) w9 `8 _, y& N    in      al, 40h
$ Q4 y6 o5 y; K8 o- r    xor     cx,cx$ y  }5 r" y9 W3 u9 v1 l; Z/ y# x
    int     41h; ?) e/ s# j. ]: Y; j
    xchg    dx, es:[41h*4]
% F* B. f+ ]5 v, z9 [    xchg    bx, es:[41h*4+2]
6 G" [: E: t0 E2 n4 }' J    cmp     cl,al
- {- Q) d9 L  V% u; o1 T) ]    jnz     SoftICE_detected
, \+ I0 Z4 r' Z9 E- M. ~5 h0 z9 {7 ^$ z
_________________________________________________________________________8 K3 h- W; Y7 \& i) {! Z
, w/ A4 Q( o4 {  T- }& _: K
Method 077 O6 e! n5 [3 `, c
=========& \: i' h/ ?9 e# J

% C' k( p' M, i/ z+ JMethod of detection of the WinICE handler in the int68h (V86)
& i+ |% U- d) z2 ]8 d/ a9 n+ t3 _5 [- Q* @$ p/ ^
    mov     ah,43h
& C2 i0 c- s; i' o9 k+ T    int     68h
3 l! @, A; b- W+ t    cmp     ax,0F386h
% j" f7 F" X# ^    jz      SoftICE_Detected
6 q9 Q* n2 N, H6 g  y+ Z
' L$ O/ a' {7 n% L- z& q$ H
2 w% c# E5 \& \) ]  p=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
- O0 T' A- K0 {* ]* J) A   app like this:
& u+ F6 M% |" _) P2 X# [2 b  s4 F3 Q* a: }" y6 m5 b- M& |( C" r! ^
   BPX exec_int if ax==68, h$ I1 t0 ?4 b  y: [; A
   (function called is located at byte ptr [ebp+1Dh] and client eip is( }& b' @/ H, c) E; y' H
   located at [ebp+48h] for 32Bit apps)0 _3 X" D5 O& K) o7 v9 p
__________________________________________________________________________
2 v/ b2 ~- Z: V( U/ m8 c; h4 c/ R* V

% E& t$ M0 I; R4 ^4 D( wMethod 088 d  @+ P/ g! @, E0 h* f
=========
) o  \; o, r" I% D* J, p8 d& `6 O' o: ^3 |) u2 S- S
It is not a method of detection of SoftICE but a possibility to crash the
- ~9 T$ N+ e& ]0 psystem by intercepting int 01h and int 03h and redirecting them to another
; H; c/ z$ m9 X) f% Croutine.3 Q& `- y4 k, k7 L: D0 [+ U
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points. K/ w# V1 M# n! H- L5 P; z# W
to the new routine to execute (hangs computer...)$ m3 p8 w! A; E7 D# A" l

' R1 t! `; D2 l1 U, }6 [5 z    mov     ah, 25h
# v1 d" Q9 C5 l) \    mov     al, Int_Number (01h or 03h)
# a4 j9 y7 w) ?8 G9 X    mov     dx, offset New_Int_Routine
: A  ?+ W; u" G5 p) p    int     21h
. Y; n# b0 k% Z& J1 M+ K7 H
) ?% P' X: m! M4 ]__________________________________________________________________________( e3 y3 _7 }: B/ V0 W. S# K* |- p9 S
5 u& l  p$ p9 v- e
Method 096 N# m* M- ?( R$ z8 X
=========: L& _# r$ G- b, G, ]4 m
% e( P" @. q1 O: x/ X
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- u- V; |9 O( \* wperformed in ring0 (VxD or a ring3 app using the VxdCall).
  y" t% e1 ]6 e' tThe Get_DDB service is used to determine whether or not a VxD is installed
: ?8 b( W( X& Z& {% Cfor the specified device and returns a Device Description Block (in ecx) for
, F. U1 d% y6 n. X4 E! uthat device if it is installed.
( F0 E7 @4 t( P! M$ }; r, X. k$ o" @2 k, ~( \% n/ A
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID/ C6 m  ^& `0 N1 c% y% f' u/ J
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)/ W6 f: \- Q/ B
   VMMCall Get_DDB
- T% I- m4 o9 c/ i  S' f- o5 A* N   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed+ M- D3 U) N% d
% Q2 b+ j' O, p0 s) ^
Note as well that you can easily detect this method with SoftICE:
6 r# [" E9 ~9 l& D3 v9 g6 G2 }   bpx Get_DDB if ax==0202 || ax==7a5fh
1 }5 t! g- n9 t( x' K9 Q$ S% @( Q8 B
__________________________________________________________________________7 g6 F, g0 {. I7 _# j* R) ^. A

; o1 {0 c4 m; _2 cMethod 10
% f& F3 M9 L$ W0 f! ~7 I$ |=========' v$ e! s1 ^; s* m% V3 T

' O$ W  T+ o  v6 L4 y! u; b1 D& W=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
# [/ w  [! q& Y3 O* ]0 X  SoftICE while the option is enable!!
! @* ^( |, I. x; u+ c* |" T/ @
/ z" t1 f, E3 n) d- v" [# x3 YThis trick is very efficient:
: e; L3 M# |' J/ Z8 F/ e: Vby checking the Debug Registers, you can detect if SoftICE is loaded: B5 w0 o. q0 y8 Y4 Q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
- m( ?6 \0 ?- w  p: [+ C) sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
/ t. U: _% e, W" I2 qvalue (in ring0 only). Values can be manipulated and or changed as well  O; b  S7 _" s( B
(clearing BPMs for instance)
$ h# L: k' T8 r' o5 e% f1 o
2 ^* ]3 u# N7 `__________________________________________________________________________, ^& f9 I& c. r, N; W- m$ b8 C3 B
% u- {9 b* b' G! E, n
Method 11
8 v- L* x+ `; E1 F=========4 Q- n3 f7 B) [1 z- b

6 E7 ]" r. w1 VThis method is most known as 'MeltICE' because it has been freely distributed, t7 d- ]; S* c2 x- M( T7 T( ^
via www.winfiles.com. However it was first used by NuMega people to allow
/ v  r7 C4 z! N/ k& sSymbol Loader to check if SoftICE was active or not (the code is located; D: _. R3 N3 @
inside nmtrans.dll).; {: h) c4 G" f& x. a( ?

0 L9 L3 s7 V; r! ?5 oThe way it works is very simple:9 k6 B0 {) r1 o. x6 \
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 ]' {+ a7 z7 U6 }7 Y% g& W* nWinNT) with the CreateFileA API.$ W, U8 i' v) s# @# K/ ^+ b  p# N
+ x" m% p& C( c/ k, @
Here is a sample (checking for 'SICE'):/ g; Z* y/ H) T+ m/ G* ]
* O1 z) ]5 U! |
BOOL IsSoftIce95Loaded()7 E7 \0 G$ q9 i3 e6 d) Z! c( w/ }
{
: @4 ~4 D6 j! _( z, s- G   HANDLE hFile;  8 }6 z( M! ~5 N
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 b2 J/ G4 N, y+ g- b, y1 i                      FILE_SHARE_READ | FILE_SHARE_WRITE,& {$ t+ D0 ^! l
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);3 H" r. S. t7 A- b' U6 u
   if( hFile != INVALID_HANDLE_VALUE )
2 ~. {: R7 n. A   {
8 n4 x5 q; l0 h: C5 ^7 a1 w. O2 j# f- h8 j      CloseHandle(hFile);
, E) u8 r5 K6 K( X      return TRUE;
+ V' c2 R1 ^) u: t   }1 J7 x, S5 r0 R- @! v0 D
   return FALSE;
& Q1 d# A  ]& Z* l$ Q6 ~}7 j) l) m) S/ `( `; I/ @

. l5 {  ~! h/ e, cAlthough this trick calls the CreateFileA function, don't even expect to be
$ j( ?7 [8 p% N- qable to intercept it by installing a IFS hook: it will not work, no way!, }- W* [5 z1 V# j1 C& X1 o
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
2 f5 d, F0 P8 q% Qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
/ E7 o; R) s; Q" D5 K$ K1 e6 Band then browse the DDB list until it find the VxD and its DDB_Control_Proc" m5 d: X' j7 L5 `) R
field.
8 y1 W% O& U0 D8 E) aIn fact, its purpose is not to load/unload VxDs but only to send a $ m  z! E' F4 W! |7 z# s! j
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
- j# E2 ?+ Q# X2 Hto the VxD Control_Dispatch proc (how the hell a shareware soft could try
! N# O, J6 C2 |6 W2 j7 N0 oto load/unload a non-dynamically loadable driver such as SoftICE ;-).: ^, K, o2 K  J2 |
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 n" i# s1 b8 i# x" y) Zits handle to be opened and then, will be detected.# E- x7 a* |6 F0 O  E; |
You can check that simply by hooking Winice.exe control proc entry point
# \3 \. j. d* P2 ?' ?while running MeltICE.& e" Y7 ~' N0 n  `) w# \

9 s6 m7 Z4 }" w& h: n$ @$ Q! i  I  m% ]9 ]
  00401067:  push      00402025    ; \\.\SICE" F8 b; S7 C2 I9 H2 |: V+ Z
  0040106C:  call      CreateFileA5 o$ v, u& @$ {9 I3 N, z$ {
  00401071:  cmp       eax,-001
" R% H& I, ?2 Q5 T1 d  00401074:  je        00401091
2 C; A  P9 _  J* _0 J
, q+ r# h+ X/ b# H/ H' V! q6 k" r' w/ W
There could be hundreds of BPX you could use to detect this trick.
: \. R3 l- I- a  E/ L+ V5 c-The most classical one is:
5 ]/ `8 }) M+ G1 G, F4 w  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||) A9 o; N( P0 m. J- @
    *(esp-&gt;4+4)=='NTIC'' F* w; a. V! K! ^1 f, [4 M
: r) F$ F+ |* N
-The most exotic ones (could be very slooooow :-(
, _; x8 H% Z2 f* J* K: @   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
8 ?' \: B+ ?. i     ;will break 3 times :-(
2 D$ V1 H7 O# p" I' E
: Q; P) I! B0 \2 }* q% }4 }-or (a bit) faster: $ _: k, K, P$ \5 K5 ~8 A
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')+ Q- ^2 E! z+ o; f+ F9 s8 ^/ X
* C% R" F; X0 Q2 v
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  3 h# L8 S( i1 p4 {; \' E3 U/ h
     ;will break 3 times :-(
. I1 ]2 i2 t3 q$ e
1 [& ~: E3 o$ o9 C) V# @-Much faster:
$ F) R) r$ I+ }4 I" T( }1 ]   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'8 H- x) x1 {$ `7 d" n$ z8 x+ q: o) ^3 m" J
- L  h# ~/ I7 Q6 e/ j3 Y5 _/ v
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
' L1 _: ~& Z, E( Qfunction to do the same job:
1 ]4 n, w+ O3 y: x) f5 B
  R* A+ N: A4 H, [5 r5 F4 N   push    00                        ; OF_READ
. X# `8 l0 h( R+ [. K   mov     eax,[00656634]            ; '\\.\SICE',0. x3 {+ q$ w* Y6 P( u5 I$ ]3 M
   push    eax
, l6 M8 g3 b- E; ?6 W# F- r7 i   call    KERNEL32!_lopen
. I& e) v  M' z9 j0 B8 {1 O! p. l   inc     eax5 X+ k  f* j/ H
   jnz     00650589                  ; detected
2 ]( k8 U4 |. `6 x   push    00                        ; OF_READ% m: Z( c" [. Y
   mov     eax,[00656638]            ; '\\.\SICE'4 s3 K& }! v' _; g) o( \; W1 {
   push    eax) F, L/ Y" p. ?5 U/ D  W8 ~$ `% D
   call    KERNEL32!_lopen
4 l1 x4 s8 G& W6 x6 V, l   inc     eax
7 S) [( D% t% g   jz      006505ae                  ; not detected
' ?  m: Y. R* ^' B3 X7 K. s2 r! I

: h5 _4 k) x5 U7 J; W" V__________________________________________________________________________0 k+ n8 `  C, z9 s( t( [3 u

1 x9 [" a% n' X6 X0 q7 p4 sMethod 12
5 W5 i* H8 r% z( i0 w=========9 ~8 I+ s3 g9 T3 F; P9 `4 ]

4 P" Z! ?' p' X8 y5 y4 rThis trick is similar to int41h/4fh Debugger installation check (code 05
0 j/ Y; h3 V/ N9 z) Q&amp; 06) but very limited because it's only available for Win95/98 (not NT)
! G% s- e0 |, }- zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* \8 T# [9 \6 g8 Q2 f! i  c: G7 D' I6 M
   push  0000004fh         ; function 4fh
7 }9 k# f5 t! [4 t& q   push  002a002ah         ; high word specifies which VxD (VWIN32)5 D! D9 u% Y1 d2 u# r2 ?3 E7 O
                           ; low word specifies which service/ }3 S9 o+ T' ^
                             (VWIN32_Int41Dispatch)1 w3 j' U9 U3 {8 b3 i+ l
   call  Kernel32!ORD_001  ; VxdCall
0 j7 \. I' e7 h% S   cmp   ax, 0f386h        ; magic number returned by system debuggers
, r# i1 W, E; E   jz    SoftICE_detected
) l0 a$ j3 I- S; W8 H% M- O2 q( S! K
$ Z4 w( m4 S) V* vHere again, several ways to detect it:# q7 t  b; ?( z% `" a% E

% U1 [% r% a+ J+ g5 F8 R5 C  c    BPINT 41 if ax==4f
& s: \8 ~+ s& v7 e1 N6 ^0 a+ Y8 }4 D, y5 V5 a) ^
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
( m( T) F( p0 a4 A, {: N- k8 p
/ X* s( C! F* B0 J3 i/ S& O    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
* P2 k3 i0 Y  x" q, [7 \
- P: d" [, J) e! B    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
3 I( V- D6 z% \: @8 \: v# C0 u: r8 k2 ]4 I: K4 e; Q+ i% B
__________________________________________________________________________
/ r2 U- ]( T% S2 p; x# C& K" a1 e- c( H8 Y9 \5 e1 V
Method 13$ E* K* m9 A" b  q2 ]9 e! ^
=========
: p9 w# Q1 T4 X
+ q& I/ L/ e! g' D  d; ?! C) BNot a real method of detection, but a good way to know if SoftICE is
9 B! }( a$ @5 w9 u& Q+ V2 Ninstalled on a computer and to locate its installation directory.
& k$ G* y( c) O2 x  vIt is used by few softs which access the following registry keys (usually #2) :
$ W: x6 w# ]( b" c! l
: q9 A  Y( f4 [: S2 g-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& q/ R$ M2 A; ]) X\Uninstall\SoftICE% W! `7 \8 n# a, x. ]3 V0 w# F% u
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE' ~0 C$ y5 H/ M: X. K9 _# Y
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& D. H" x+ s* M% c7 r
\App Paths\Loader32.Exe+ }. ~! q) y+ L

' A$ }. s! N. B5 L4 [! d' s% s/ e$ w3 ^1 Z. G* @4 Q
Note that some nasty apps could then erase all files from SoftICE directory
0 O# @5 R( S9 y& f; W+ j( l! a(I faced that once :-(/ d" E% M7 j$ o. x+ o5 u, _/ r

8 G$ I2 M5 P! y- _' X( bUseful breakpoint to detect it:' q" r+ @$ e5 g0 R$ Y+ x0 ]+ I% O
) C* j4 K) x& G) p3 f
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'  b3 O2 @$ ]: A# E

  F  D1 k) a* q) C5 m__________________________________________________________________________* k" B- F. M) Y" @( K+ \
! n3 G. o  K0 J

" X5 g# F" }6 L  KMethod 14 & A( J$ f9 p3 ~( k
=========/ i& E: ^. Q4 z' c+ |6 S
+ E' C. v9 I# n1 W9 R
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* \, x$ m3 G, f% J. e: f7 T# gis to determines whether a debugger is running on your system (ring0 only).; Z, T1 R, v$ L. \. Z! I0 C" j

% e( N2 ^* u3 z( ?; @) _2 ]   VMMCall Test_Debug_Installed
# B2 P6 p4 ~/ R  X9 n0 u# B8 @; f   je      not_installed) L6 j8 c: L: m3 z
# ]' y! w* q& i5 u9 Z1 q2 I; M
This service just checks a flag.
' }. D3 X; H7 d" @6 `</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-6 18:06

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表