About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers the BCHK query
    cmp     al,4                   ; al still 4: nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI == 0000:0000 when the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; (es must point to the IVT, es=0, as in method 06)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our own handler: copy al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer value: an unpredictable al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our own handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
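To see why 0x400 and 0x700 are the two values quoted above, here is an added example (not part of the original text) that splits a DR7 value into its architectural fields and applies the heuristic. The bit layout is the documented x86 DR7 format; the classification strings and the sample values are my own.

```python
"""Decode DR7 as read by the Method 10 check.

Added example, not from the original text. Bit layout is the documented
x86 DR7 format: bits 0-7 are the L0/G0 .. L3/G3 enable pairs, bit 8 LE,
bit 9 GE, bit 10 is reserved and always reads as 1 (hence the 0x400 base),
bit 13 GD, and bits 16-31 hold the R/W and LEN fields of each breakpoint.
0x700 - 0x400 = 0x300, i.e. LE and GE both set.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN: 00=1, 01=2, 10=8 (64-bit only), 11=4


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE/GD flags and the list of enabled hardware breakpoints."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            bps.append({"index": i,
                        "scope": "global" if glob else "local",
                        "type": RW_NAMES[rw],
                        "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100),
            "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000),
            "breakpoints": bps}


def classify_dr7(dr7: int) -> str:
    """Apply the Method 10 heuristic to a DR7 value.

    0x400 is the idle value (only the reserved bit set); 0x700 adds LE and GE,
    which the text reports for a program started from the SoftICE loader;
    any L/G bit means a hardware breakpoint (BPM) is armed.
    """
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        return "hardware breakpoints armed"
    if info["LE"] and info["GE"]:
        return "softice loader signature (LE|GE)"
    return "clean"


if __name__ == "__main__":
    # Constructed sample values: idle, SoftICE loader, one local 4-byte write BPM on DR0.
    for value in (0x400, 0x700, 0x000D0401):
        print(hex(value), classify_dr7(value), decode_dr7(value))
```

Note that DR0 to DR3 hold only the linear addresses; whether a BPM is armed, and on what kind of access, is entirely in DR7, which is why a single read of DR7 is enough for this trick.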

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the SoftICE VxD device name: the open only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
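The breakpoints given for each method only fire once the sample is already running under SoftICE. The listings in Methods 01 to 05, 07, 11, 12 and 13 also leave recognisable byte sequences or strings in the file itself, so the same checks can be done statically before the sample is ever loaded. The following is an added example (not part of the original text): a small scanner over raw bytes. The instruction encodings are hand-assembled from the listings above and are my assumption of how a packer emits them (an optional 66h operand-size prefix lets each pattern match both 16-bit and 32-bit code); the sample image is constructed here.

```python
"""Static scanner for the anti-SoftICE sequences listed on this page.

Added example, not part of the original text. The byte patterns are
hand-assembled from the listings above (assumed encodings; an optional
66h operand-size prefix lets each pattern match 16-bit and 32-bit code).
"""
import re

# (label, compiled regex over raw bytes) for the code-level tricks.
CODE_PATTERNS = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("Method 01 BoundsChecker 'BCHK' signature",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00(?:\xCC|\xCD\x03)",
                re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back-door magic values)
    ("Method 02 SoftICE back door SI=4647h DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("Method 03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h
    ("Method 05 int 41h/4Fh debugger check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h
    ("Method 07 int 68h/43h check",
     re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL)),
    # Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("Method 12 VxDCall 002A002Ah/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.DOTALL)),
]

# Plain strings: device names opened by MeltICE-style checks (Method 11)
# and the registry keys from Method 13.
STRING_PATTERNS = [
    ("Method 11 driver name", [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    ("Method 13 registry key", [b"Software\\NuMega\\SoftICE",
                                b"Uninstall\\SoftICE",
                                b"App Paths\\Loader32.Exe"]),
]


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every hit, sorted by offset."""
    hits = []
    for label, rx in CODE_PATTERNS:
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    for label, needles in STRING_PATTERNS:
        for needle in needles:
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append((pos, label + " " + needle.decode("ascii")))
                start = pos + 1
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed image: NOP/zero padding around three sequences from the page."""
    bchk = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7505")  # Method 01, 32-bit
    hasp = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC")        # Haspinst.exe, 16-bit
    return (b"\x90" * 16 + bchk + b"\x00" * 8 + hasp + b"\x00" * 8
            + b"\\\\.\\SICE\x00" + b"\x00" * 4)


if __name__ == "__main__":
    for offset, label in scan(build_sample()):
        print(f"{offset:#06x}  {label}")
```

A hit is a triage lead, not proof: packers often build the immediates at run time or place junk between the instructions, which is why the Method 02 pattern tolerates a few bytes before the int 3, and why a hit on the registry or driver strings alone should be confirmed in the debugger with the BPX lines given above.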

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
3 s2 f6 b1 }+ K( A" b$ O4 P6 F</PRE></TD></TR></TBODY></TABLE>