About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to be 0 (the IVT segment), as Method 06 sets it explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
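To make the dr7 values quoted above concrete, here is an added Python decoder (not code from the original post) that breaks an x86 DR7 value down the way a ring-0 probe of the debug registers would see it: the L/G enable bits of the four breakpoint slots, their R/W and LEN fields, and the LE/GE/GD flags. The bit layout is the standard x86 one; the "softice_loader_signature" flag is this example's own interpretation of the article's 0x700-vs-0x400 observation (0x400 is only the reserved bit that always reads as 1, so the tell is LE and GE being set with no slot enabled). The three sample values in main() are constructed for illustration.

```python
"""Decode an x86 DR7 value: which hardware breakpoint slots are enabled,
what they trap on, and the global LE/GE/GD flags.  Added example; the
SoftICE-loader heuristic is an interpretation of the article's dr7 note."""

# DR7 layout: bits 0-7 are L0,G0,L1,G1,L2,G2,L3,G3; bit 8 LE; bit 9 GE;
# bit 10 is reserved and always reads as 1; bit 13 GD;
# bits 16-31 hold R/W (2 bits) and LEN (2 bits) for DR0..DR3 in turn.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# 0b10 means I/O only when CR4.DE is set; otherwise it is undefined.
LEN_NAMES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7):
    """Return a dict with the enabled slots, the LE/GE/GD flags and the
    article's SoftICE-loader heuristic for the given DR7 value."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({"slot": n,
                      "scope": "global" if glob else "local",
                      "kind": RW_NAMES[rw],
                      "length": LEN_NAMES[ln]})
    le = bool(dr7 & 0x100)
    ge = bool(dr7 & 0x200)
    gd = bool(dr7 & 0x2000)
    return {
        "slots": slots,
        "le": le, "ge": ge, "gd": gd,
        # Article: dr7 == 0x700 under the SoftICE loader, 0x400 otherwise.
        # 0x400 is just the always-set reserved bit, so LE|GE with no
        # enabled slot is the loader signature.
        "softice_loader_signature": le and ge and not slots,
    }


def describe(dr7):
    """One-line human-readable summary, handy when reading a dump."""
    d = decode_dr7(dr7)
    parts = [f"dr7={dr7:#010x}"]
    for s in d["slots"]:
        parts.append(f"DR{s['slot']}:{s['scope']} {s['kind']} len={s['length']}")
    flags = [name for name in ("le", "ge", "gd") if d[name]]
    if flags:
        parts.append("flags=" + "|".join(flags).upper())
    if d["softice_loader_signature"]:
        parts.append("looks like the SoftICE loader (LE+GE, no BPM set)")
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample values: the two from the article, plus a DR0
    # local write-breakpoint of 4 bytes (the shape of a BPM W command).
    for value in (0x700, 0x400, 0x000D0401):
        print(describe(value))
```

The third sample shows why the article says BPMs can be found "simply by reading their value": a 4-byte write watch in slot 0 is fully described by DR7 (0x000D0401 = L0 set, RW0 = write, LEN0 = 4) plus the address in DR0, and a ring-0 probe can clear those bits just as easily as it reads them.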

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
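The breakpoints the article gives for each method work only while the sample runs under SoftICE. As an added example (not part of the original post), the following Python scanner does the same job statically, for an analyst triaging a packed file: it looks for the instruction sequences of Methods 01, 02, 03/04, 05, 07 and 12 and the strings of Methods 11 and 13. The byte encodings are this example's own (16-bit encodings for the DOS-era methods, 32-bit for Method 12; the `mov ebp` pattern omits the 66h prefix so it matches both); each signature's parts must occur in order within a short window, which keeps a lone CCh padding byte from firing Method 01. The SAMPLE buffer is constructed by hand for the demonstration.

```python
"""Static triage scanner for the anti-SoftICE sequences described in this
article.  Added example, not code from the original post; encodings are the
standard x86 ones, assembled by hand for the article's snippets."""
import re

MAX_SPAN = 64  # all parts of one signature must fall inside this many bytes

# name -> ordered list of byte regexes that must all match in sequence
SIGNATURES = {
    "M01 int 3 / BCHK BoundsChecker probe": [
        rb"\xBD\x4B\x48\x43\x42",          # mov ebp,4243484Bh ('BCHK')
        rb"\xCC",                          # int 3
        rb"\x3C\x04",                      # cmp al,4
    ],
    "M02 int 3 back door (SI=4647h, DI=4A4Dh)": [
        rb"\xBE\x47\x46",                  # mov si,4647h
        rb"\xBF\x4D\x4A",                  # mov di,4A4Dh
        rb"\xCC",                          # int 3
    ],
    "M03/M04 int 2Fh/1684h VxD entry point": [
        rb"\xB8\x84\x16",                  # mov ax,1684h
        rb"\xBB(?:\x02\x02|\x5F\x7A)",     # mov bx,0202h (SICE) / 7A5Fh (SIWVID)
        rb"\xCD\x2F",                      # int 2Fh
    ],
    "M05 int 41h/4Fh debugger check": [
        rb"\xB8\x4F\x00",                  # mov ax,4Fh
        rb"\xCD\x41",                      # int 41h
        rb"\x3D\x86\xF3",                  # cmp ax,0F386h
    ],
    "M07 int 68h/43h V86 debugger check": [
        rb"\xB4\x43",                      # mov ah,43h
        rb"\xCD\x68",                      # int 68h
        rb"\x3D\x86\xF3",                  # cmp ax,0F386h
    ],
    "M12 VxDCall VWIN32_Int41Dispatch": [
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",  # push 4Fh; push 2A002Ah
    ],
    "M11 MeltICE driver name string": [
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",  # "\\.\SICE" etc.
    ],
    "M13 SoftICE registry key string": [
        rb"Software\\NuMega\\SoftICE",
    ],
}


def find_in_order(data, parts, max_span=MAX_SPAN):
    """Offset of the first place where every pattern in `parts` matches one
    after another within max_span bytes of the first; None if absent."""
    for first in re.finditer(parts[0], data):
        pos, limit = first.end(), first.start() + max_span
        for pat in parts[1:]:
            m = re.compile(pat).search(data, pos, limit)
            if m is None:
                break
            pos = m.end()
        else:
            return first.start()
    return None


def scan(data):
    """Map signature name -> offset for every signature present in data."""
    hits = {}
    for name, parts in SIGNATURES.items():
        off = find_in_order(data, parts)
        if off is not None:
            hits[name] = off
    return hits


# Constructed sample: Method 01 and Method 03 assembled as 16-bit code, a
# MeltICE device string, and NOP filler between them.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh   (offset 8, pattern hits at 9)
    + b"\xB8\x04\x00"               # mov ax,4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al,4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\xB8\x84\x16"               # mov ax,1684h        (offset 30)
    + b"\xBB\x02\x02"               # mov bx,0202h
    + b"\xCD\x2F"                   # int 2Fh
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"            # "\\.\SICE"          (offset 46)
    + b"\x90" * 8
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE).items():
        print(f"{off:#06x}  {name}")
```

Feed `scan()` the bytes of a whole file to triage it; the hit offsets tell you where to set the article's breakpoints once the sample is actually loaded under SoftICE. Method 06 and Method 08 are deliberately absent: their instructions (IVT writes via xchg, int 21h/25h) are too common in ordinary DOS code to make a useful signature.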

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>