找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>1 A4 s+ g. |9 ~5 q+ C* c2 J" V
<TBODY># P, Q, D# u0 N  M
<TR>
6 B" s  @; P* x. x<TD><PRE>Method 01 , c+ U9 X2 j3 S: l& i
=========
" H7 Z8 [5 P/ ]' j: g: h. Q( P% H' C6 r
This method of detection of SoftICE (as well as the following one) is
- _# Q1 G- Z& Z( V( Tused by the majority of packers/encryptors found on Internet.6 x# b' R- z2 f
It seeks the signature of BoundsChecker in SoftICE5 D" n$ Q! U& i) {5 W2 i  O# E
" A1 C# `* h1 m& E$ p4 @& a
    mov     ebp, 04243484Bh        ; 'BCHK'
! H4 F; E2 L5 e  I    mov     ax, 04h5 r* Y% E0 {4 B$ o. X, J
    int     3       . O3 L0 c; P7 e: p0 A& k- |
    cmp     al,4
' R! l8 x# C7 E7 ?8 D2 y" \    jnz     SoftICE_Detected- O( E* t& L% U
5 e4 y8 b( y1 b2 M3 o
___________________________________________________________________________
" f' N. c, I- D; I7 X! p% r* [, w: L4 m$ G( p8 w
Method 02" P  h7 m: @6 q# }
=========# W4 [/ v5 P! a% f/ K4 J
1 `. ], }9 E* {4 D; Y+ H, _
Still a method very much used (perhaps the most frequent one).  It is used
, I% k; P8 _9 z0 h* rto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- q$ Y1 ?, y6 k% X1 g1 F+ D: bor execute SoftICE commands...
2 V9 @, I, o9 a! M& JIt is also used to crash SoftICE and to force it to execute any commands
& R; u4 C- p: t5 D(HBOOT...) :-((  
4 A) v0 d( n) R, W6 B6 w3 E  J
8 q8 D8 Z8 H3 R0 U, t& [0 t7 |; zHere is a quick description:
- F- i0 |; G% ^' A* @, p-AX = 0910h   (Display string in SIce windows)% Z- ?7 n8 A4 z3 Q8 G) _) h
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx), A) T- y7 N" U- A% V
-AX = 0912h   (Get breakpoint infos)9 V/ e; M. w: r  H/ }7 G% ^
-AX = 0913h   (Set Sice breakpoints)+ Q3 A3 d; A+ X  _. {" A4 Z  c
-AX = 0914h   (Remove SIce breakoints)7 A1 H$ f2 l! E  }4 I% O

+ H7 M8 {9 v1 a, ?9 tEach time you'll meet this trick, you'll see:2 d* q/ `) S; i  V( S! m3 I
-SI = 4647h
5 h0 E# q) z  o3 K- i6 N-DI = 4A4Dh$ V* Z2 n. e" E3 y0 p; P
Which are the 'magic values' used by SoftIce.% Q8 I0 E7 f5 C& {% O. F0 A3 D
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.3 {: r" a) c3 r( Y4 q; M
' E8 W* a6 L# h- N7 _3 }, P
Here is one example from the file "Haspinst.exe" which is the dongle HASP
& o' c7 `) Z& n) Y. ~0 c6 aEnvelope utility use to protect DOS applications:+ S3 V: h: s$ l+ `6 j

. @" o5 X1 p, t1 v+ A( [
: P2 D5 _* H+ C( W: {" `& l4C19:0095   MOV    AX,0911  ; execute command.( R5 b: ]8 N! Z3 t
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
: h& h8 o0 \9 ^& G) |4C19:009A   MOV    SI,4647  ; 1st magic value.# j6 `/ R, g6 N9 @
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
" O7 w1 G8 e" o- ?& Q, k8 _4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
" B5 }8 O0 Y# T1 i- O" A, |4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
1 ]4 V4 p! E/ C6 a$ N9 v4C19:00A4   INC    CX; ^* S! ]: C  C/ k
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
3 Z( T! f( H* W  L+ w4C19:00A8   JB     0095     ; 6 different commands.
0 n. [; `8 I. i5 d4 ]4C19:00AA   JMP    0002     ; Bad_Guy jmp back.4 v) [" B$ [3 G: X( ^, j0 K5 I- Q4 c! H
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)0 B* d2 x- l/ K8 c- U6 F8 E
* V9 P5 z( Q2 m3 T/ v$ o
The program will execute 6 different SIce commands located at ds:dx, which7 }% L1 t) C) \
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.; g" L$ _7 N* a3 r; S
1 i8 q5 W8 X9 T: }
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.: l. g8 }! G7 v* V- T5 t
___________________________________________________________________________' L. h) M6 p6 W. M' E- x) P0 C, p
2 V2 R: G. q0 q! l

" z0 p. V3 C5 R2 z: w! lMethod 03
& B; g% d) q2 e6 t/ {  s, i' f=========: e0 E. r) U- J

2 ~1 W; e3 _( T( RLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h, n2 j9 ?. H4 e) H4 k
(API Get entry point)# m' s! T6 F- A/ j  e0 P2 J6 D
        ( [: a7 C) H4 z6 c* c* H

6 v7 C" X& O; Q2 U    xor     di,di0 ?0 e- [! F' J/ T+ X( v6 @
    mov     es,di' y4 u$ @) n& S8 S, j/ ?4 i8 i
    mov     ax, 1684h      
7 V  m$ X- z" A    mov     bx, 0202h       ; VxD ID of winice0 W" ~7 q6 K& G- `; ^: \
    int     2Fh
( v6 q& W, N/ q    mov     ax, es          ; ES:DI -&gt; VxD API entry point
1 P) x+ A3 Z* r# o1 C    add     ax, di' `% x* O8 N( m7 m4 F# `1 l
    test    ax,ax
- B+ \* b4 o9 I    jnz     SoftICE_Detected# v9 I* }& h  J. q
6 p- u0 n, v4 R1 ?
___________________________________________________________________________$ ?0 Q/ D( a9 D* X' m
4 R4 b8 f( @5 r1 u7 J  {$ n$ u
Method 04, E, L8 k4 R3 l6 U& n& l2 Z
=========: R8 F, L9 _: T2 e* g( q
' J4 w/ ~$ G* Z+ r" {
Method identical to the preceding one except that it seeks the ID of SoftICE
! E1 v  k: p3 l8 @GFX VxD.
. N) z4 y( i' p2 b1 g$ `# h; {$ d% F" \
    xor     di,di
; C2 F* f6 G6 c* y6 z3 q3 I    mov     es,di
6 I# k' S# ?& f+ ~6 K# U2 l    mov     ax, 1684h       - |# ?) f( M+ g
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
& A% A9 j8 }7 f; e* k) m    int     2fh
& @* G% L7 l/ d) V( W    mov     ax, es          ; ES:DI -&gt; VxD API entry point
$ v/ @6 @. z0 w, Y6 j    add     ax, di
0 h' y! {8 _0 K9 g2 f& E    test    ax,ax; A& [# L/ Z# q$ Q" @: u
    jnz     SoftICE_Detected
( q6 o6 e! V$ @& n1 N3 T! u9 E' Z& z7 _: m! H
__________________________________________________________________________
, x2 y: h+ ^. p- M6 ?) q* e: h- u2 m

3 ]7 [; }: c9 s4 \5 zMethod 05
* k" a( _/ u0 K& m=========' }0 n2 k3 }$ p
+ f$ E' [; `4 Y7 K2 M$ z
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 }8 r6 {* K; `% b/ U
debugger. It calls the int 41h, function 4Fh.
; F7 c8 W& I9 z" Y+ J5 PThere are several alternatives.  7 M, b3 I/ R9 @$ t+ A0 x% t* U: y5 G% Y
; D( [+ F3 P( u8 u2 _  V
The following one is the simplest:
6 Q( ~1 w- ^0 n- ^6 H
7 g+ z3 u1 w% e    mov     ax,4fh  A( @8 I1 Q, r, P
    int     41h6 Y0 ^8 M9 s: o% `2 O
    cmp     ax, 0F386
! d/ {; ]# U. T% {% ?    jz      SoftICE_detected
; P& I1 ?7 k5 e  j6 \) i  J
9 ?4 K9 n% m8 p& K( p- j7 |
7 {- }& r( X9 b- Z8 M$ zNext method as well as the following one are 2 examples from Stone's
+ _+ H( {, K1 W) K"stn-wid.zip" (www.cracking.net):
3 u) c* Q* \- A+ |- h& k; C  l1 ?1 S
    mov     bx, cs) t0 Z5 r2 R% W: S3 ]
    lea     dx, int41handler2
$ O8 [- F" `( L$ J) Q" m( e    xchg    dx, es:[41h*4]- ?! f0 w: a, u6 N0 L1 o# {* Q: ?( S
    xchg    bx, es:[41h*4+2]$ M6 e  k& w$ Q5 G7 l
    mov     ax,4fh
0 w$ [- y3 y2 x/ T8 _2 _    int     41h
% a' ]0 _  t2 p) o. N3 M    xchg    dx, es:[41h*4]
- ], c) ]- m/ G$ J; Y    xchg    bx, es:[41h*4+2]. l% j+ Q* i5 y
    cmp     ax, 0f386h
3 Q+ d3 j9 P# r- L& V    jz      SoftICE_detected
; d9 t; n2 F: J$ j7 M
: y  R: ?0 R5 Q8 L' ]# t. xint41handler2 PROC
' L8 q6 W  V' L    iret
8 q' m- ?- i7 Rint41handler2 ENDP
4 @, j* f0 f3 ~2 ]" I' F% o2 `8 g0 Q0 \3 |/ H" _. E7 C) N
& U& O- r- ^" C! O* _. G: v
_________________________________________________________________________' x* F! X8 m2 {0 N9 ^

; P8 ^8 j( U+ r7 u* b, S1 F  f1 L' i( _" v+ V) I
Method 06# o: P9 L9 p7 ^7 r
=========, \; M, `# }* q3 ?
- }( Q: E& c3 M6 x2 |/ }

& ?4 k! W* v& `7 n1 M/ q2 s2nd method similar to the preceding one but more difficult to detect:
0 n9 O- a9 e4 N# b+ _) ]# i+ G* R0 R6 _5 b1 b
1 M! N' g; s+ P* \; ]
int41handler PROC8 c$ m# P" |0 L% \, O
    mov     cl,al, a* v# y6 h5 f0 d/ X  K  {; Z
    iret
8 m, ?4 L9 w( }7 Iint41handler ENDP+ Y7 C; r2 Y/ T. J: m5 l

+ m, }$ F) I9 X; ]
  l$ F3 V6 h- n    xor     ax,ax* R: m8 x! y; y, ~/ }- h4 c, l6 W
    mov     es,ax
; M. ]3 |( I) f% K, [' ?+ w/ W+ A    mov     bx, cs0 e* U# T& p( h; w; H) J: _1 I
    lea     dx, int41handler
( ?8 B, `) A  _3 j0 u* H    xchg    dx, es:[41h*4]( e. r# u$ G6 Q6 w! V# u% q
    xchg    bx, es:[41h*4+2]3 H) E3 w  a& R. I: S
    in      al, 40h* }  W8 {" _2 Z. B2 F0 P; {+ H/ M
    xor     cx,cx
  f+ y- J" E1 W! t2 @    int     41h1 D. m. R4 U+ f$ k  [5 v
    xchg    dx, es:[41h*4]
  }+ Q. o4 }2 P+ I' W    xchg    bx, es:[41h*4+2]
) W- k  d: z% V) Q    cmp     cl,al7 h6 L  w5 G+ y( L  M- e* G
    jnz     SoftICE_detected
" a& [# e/ c! U, P8 r7 f0 {( R  n9 B0 J2 ?- E% @
_________________________________________________________________________; f- J5 a% o6 L* X) ^/ t7 p3 ?$ k) a
5 R# Q6 A5 A8 L; F$ ]! W% F
Method 076 U. F5 s3 P% D) p: d# `) U
=========& z: V; s7 l1 ~" D
% m: F. ?: T4 l; Y
Method of detection of the WinICE handler in the int68h (V86)
3 c' j. ?. |: {; {* n$ \4 c
7 s2 L+ H1 O7 x3 g) y1 Z    mov     ah,43h4 ]% s7 P& N6 d# S
    int     68h4 C! h  ]1 Z0 t2 X# l% ~
    cmp     ax,0F386h
& m' B* z$ E7 F$ D    jz      SoftICE_Detected: ~7 r& q; ^  }' \: F5 @

3 c& H  A) |0 b) |. c1 @/ [
& T5 w1 g+ H  ~. r# O: ^=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( V* A) z- p9 @3 O- S  \. O   app like this:# c- g- P9 ]4 p- P7 q2 W  {

. o: `) V8 s- M$ C* e' y   BPX exec_int if ax==68
$ ]; \: C: R6 c% [+ k5 w   (function called is located at byte ptr [ebp+1Dh] and client eip is1 f1 v* E+ F. p( T3 H
   located at [ebp+48h] for 32Bit apps)
4 a: z3 m; Z' h: L__________________________________________________________________________
5 T+ \3 B+ {# [! J( o/ V( T% r% K# \5 ?8 m
. i- \0 z9 J( S* V7 n, Q  S" R
Method 08
+ X2 J% _1 M6 }" t$ q$ S=========
5 K& {/ |6 N3 ], p) ~) {; m6 T& G) X8 h, B& \! x
It is not a method of detection of SoftICE but a possibility to crash the
& H) ~! j2 _; l& k6 b: [system by intercepting int 01h and int 03h and redirecting them to another) t  y) |. J, F- R1 b2 ^" g& U; T
routine.
# x. Q/ @7 Q9 I6 gIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
3 {$ d. s+ R. q9 A6 f0 Ato the new routine to execute (hangs computer...)+ k( h/ ^' r2 ~, P; p- P
* v5 S& d" K  A* A
    mov     ah, 25h
$ _! _, \- F1 p9 U$ j, f    mov     al, Int_Number (01h or 03h)
* y; R$ j) o' b% i2 g. D) P    mov     dx, offset New_Int_Routine
$ h0 b( q  e4 N, ]    int     21h. e+ N0 ~6 i$ D6 Z' h

# l5 X( R- M% ]5 k+ K1 O7 w__________________________________________________________________________4 ]0 p! o% d/ b

  R+ ]8 S" N5 KMethod 09% x# C$ b/ B* w& r: i4 x
=========
9 t: F! T* R3 p# m) M/ H+ K* ^
# N$ |$ r( R- w2 O! o& LThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only8 o8 P$ c, g6 c8 B5 _7 ~9 ], g
performed in ring0 (VxD or a ring3 app using the VxdCall)." Z2 M" s7 G! X+ Z- @
The Get_DDB service is used to determine whether or not a VxD is installed
/ g4 i4 b7 A  R% x' |" Lfor the specified device and returns a Device Description Block (in ecx) for0 U$ j8 d6 {7 L* ?
that device if it is installed.
8 g. q5 z8 O+ o
* N2 `8 X5 o# R- {4 I- S   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 P% Q' _$ `0 d# J% N  w   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 c! n; x3 H+ R7 _8 y! K
   VMMCall Get_DDB
4 z0 z  H* u; d. U& x. {" ~; R: b7 r   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed8 `% t8 A1 d+ ]

7 ^1 n) j, i, v, k0 H- y: ONote as well that you can easily detect this method with SoftICE:
* N' ?, C0 M0 |: \$ Y9 f   bpx Get_DDB if ax==0202 || ax==7a5fh
$ _1 y7 a$ x' w, y. e" [" F4 b, q4 o6 ^8 k) w) |4 V
__________________________________________________________________________! W/ x; ]$ W4 u+ `. C
. D% ?. Z5 U" j8 T0 O
Method 10+ B9 W) F+ Y0 |& H
=========
1 ?, a1 c0 `6 D) |# c- V8 i
  y! D2 E, Z! z1 _=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
- O: ~" T6 v3 {! N: ~$ c2 f  u1 }- }  SoftICE while the option is enable!!- k2 M, B3 {' J! p

/ R. U! Z7 n7 bThis trick is very efficient:
, x0 p2 Y5 L8 l9 C/ m* L6 B: mby checking the Debug Registers, you can detect if SoftICE is loaded$ V$ C+ T8 s  S) v! Q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
* E! G+ c3 }$ J$ X5 E/ Bthere are some memory breakpoints set (dr0 to dr3) simply by reading their
" L8 |# `3 c! ^3 ~- ^. ?' zvalue (in ring0 only). Values can be manipulated and or changed as well; p3 q; T% K- F6 ]6 M- V4 Y
(clearing BPMs for instance): ]$ g2 J$ |( i9 A1 l" B
! c( }/ g7 L! P; [+ T, Q7 S; N
__________________________________________________________________________9 s2 I; o' ?4 `
, T: Q3 G/ I+ O/ ?) I9 d
Method 11
, H! a% W( A! m2 ?& C: R' u=========3 |! x! L, D% A# `( _1 X: F
. l1 n  F) V# R$ ]/ G  ?" m6 q- H8 U. [
This method is most known as 'MeltICE' because it has been freely distributed4 [- U5 N6 B5 a5 D2 N* b( M
via www.winfiles.com. However it was first used by NuMega people to allow% a3 |- a' T5 W9 Y( E
Symbol Loader to check if SoftICE was active or not (the code is located2 q6 E/ M5 X3 w, Y. v
inside nmtrans.dll).3 W% v5 b9 L& c9 D
! D5 ^6 }; m4 W+ ]) X! I
The way it works is very simple:3 O0 y# P" X% o' @/ i
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for2 t7 R# B. M- C" b* F
WinNT) with the CreateFileA API.
; J! k- j# W4 e; m8 M) F1 d( v% J% h0 C6 j; l" w
Here is a sample (checking for 'SICE'):
+ F7 N$ k% t% k- k4 \" Z  V
/ M+ b; g4 i, `4 Z7 c4 @! BBOOL IsSoftIce95Loaded()
8 y/ O" f  A9 c2 y4 n{& d: Y$ x7 ?# s1 b4 Z# R9 y8 l/ B
   HANDLE hFile;  
/ ]3 T  Y# h, c& j7 x8 a* J   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 L0 n& S/ S* d: u  c
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
+ w: O& G, d; I' _3 j1 G4 U% z                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);  k1 ]6 @3 T' q* \  e, `; s5 N
   if( hFile != INVALID_HANDLE_VALUE )
* n9 p$ j2 E+ ~$ C9 R   {# v; D3 Q8 F+ `3 d8 G- |' X$ p  ^
      CloseHandle(hFile);
& H) T$ f/ d7 y+ C& X) G3 b, w( A      return TRUE;3 ?& \4 T$ t/ v4 x7 f
   }: W. a1 p; p! }9 Q- G
   return FALSE;
+ \+ F, a. `. K7 k' i4 J}
- G2 I1 a- q0 y, F" P9 }  l' u0 N: V8 Y" [* J
Although this trick calls the CreateFileA function, don't even expect to be( ?% y1 F0 d1 i- Z
able to intercept it by installing a IFS hook: it will not work, no way!
. _: ^+ `. s9 m6 x1 w: F" yIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
* d* N" \* T# G. r5 {service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- F! v; r- E9 Y- A7 q% n% d
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
: x% ]* w' u( u( [0 W, Mfield.
. T" S" u7 y/ P0 d3 ]8 z8 S. {In fact, its purpose is not to load/unload VxDs but only to send a
) b5 f( K8 Z' G% x2 xW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
$ I  b( ]9 x( M; p& Rto the VxD Control_Dispatch proc (how the hell a shareware soft could try" W5 ?0 r! {# R
to load/unload a non-dynamically loadable driver such as SoftICE ;-).- }7 q  p( Y: s4 H( ?
If the VxD is loaded, it will always clear eax and the Carry flag to allow# P7 I8 U% A3 K3 p7 U. K
its handle to be opened and then, will be detected.
$ C% g- u1 s3 M' X7 s5 m/ ]# dYou can check that simply by hooking Winice.exe control proc entry point1 \8 a, G, O' X( ?4 C
while running MeltICE.
  i( L/ R7 `$ ^6 y; r8 g# W" n  _3 d2 ~5 r0 b
& j" |! ]2 D9 D% z0 X' x# D- i
  00401067:  push      00402025    ; \\.\SICE
, }( p" q( N' ], ^. o* H$ d  0040106C:  call      CreateFileA
" T3 s6 R" Y  o0 y8 w- N5 l  00401071:  cmp       eax,-001% }0 l9 @) d5 f% w1 |
  00401074:  je        00401091
* m2 ?5 m; w5 b" p+ u: a$ K) r& H* ?4 O' ^. T0 r

6 i2 c8 Q8 W3 @; AThere could be hundreds of BPX you could use to detect this trick.
/ ?% Y1 \  S4 K- V-The most classical one is:- X- n% c. A& D
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
; d* r0 ?" }" s5 o5 T/ b8 W    *(esp-&gt;4+4)=='NTIC'" e4 N' g+ h" ~1 i
4 R# M* X! S* D9 K& n" A& L% z
-The most exotic ones (could be very slooooow :-(
1 l! x/ S; M& W5 r; |' K% T& N   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  . n# x; c& r4 ~! c
     ;will break 3 times :-(- Z, `7 E2 ~8 Z/ H1 s6 {

: }: U9 \, a! I2 F) E' E, H-or (a bit) faster: ) N$ p1 d  r* `: G9 x
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
* ^: C, m' N  Z- }  F  G: K' ]1 m& I/ k2 j# D1 [
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
% l, {* L. f( W5 ~2 [( \9 _     ;will break 3 times :-(+ y6 j6 I& R0 u- ^. e
& H' ?, [. m8 f9 t
-Much faster:
1 R: E3 ?: j- G& Y7 M   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
  T# w7 T/ h1 P# W; f9 K0 Z7 V2 z3 }3 l# {
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
( ^+ E5 B7 Q$ X- I, B- @1 B7 vfunction to do the same job:4 G7 l- p( Y2 Q- i+ e2 z

( E4 ?7 \# R( q/ b, E   push    00                        ; OF_READ9 {( J) d$ ?+ s& T" {0 o
   mov     eax,[00656634]            ; '\\.\SICE',02 o) j9 x# L8 [8 H0 t! A
   push    eax, d& S/ n" M2 W1 y3 L
   call    KERNEL32!_lopen
& }$ b2 H/ T" i( [! v   inc     eax  q% X9 g4 w, r$ n7 N& w
   jnz     00650589                  ; detected* u3 P, d& K! t4 x$ l
   push    00                        ; OF_READ. ~/ V) z) w2 D
   mov     eax,[00656638]            ; '\\.\SICE'
! X' g' r: N( e6 N$ I" p   push    eax
& n* G7 g  g7 n1 `3 Z+ _) C, _0 K% }   call    KERNEL32!_lopen* j" A3 f1 L% x' x% N) q# [' h/ g
   inc     eax
8 v+ Y! A0 h  t9 e! g3 k   jz      006505ae                  ; not detected' \, a! B4 g. b+ q: C0 x
- _8 g+ {" x. R2 {# w& @4 M

! \2 @; B, Z) M* |# X- C2 q+ A__________________________________________________________________________
5 Q  U/ V8 Y# a( n( R. H. g
) k" |. C3 g7 z+ C- T! LMethod 12
! H3 f9 ^" H6 L=========9 m+ t, C  }9 s  w
, ~6 ?! R9 W9 u+ T( J
This trick is similar to int41h/4fh Debugger installation check (code 05
+ y% ?& p3 \# L4 ^! n9 x% h&amp; 06) but very limited because it's only available for Win95/98 (not NT)
3 J0 o" [9 E4 I4 bas it uses the VxDCall backdoor. This detection was found in Bleem Demo.* y- m; x3 j& b/ G5 m  Y

7 w& i$ v3 D' R: G* N   push  0000004fh         ; function 4fh
' |1 t" z7 I9 |! Q8 e9 _! ]8 |. V   push  002a002ah         ; high word specifies which VxD (VWIN32)2 o/ |0 ^6 m% @
                           ; low word specifies which service+ z1 ?4 K4 p2 F6 ?
                             (VWIN32_Int41Dispatch)+ E& _" \. b% j( {1 R* ~% s( J4 J
   call  Kernel32!ORD_001  ; VxdCall
5 o6 \8 Y3 V, y4 [: j   cmp   ax, 0f386h        ; magic number returned by system debuggers+ O3 D& {0 u" c) O
   jz    SoftICE_detected
/ h4 c4 q3 g1 p$ j; V' ~& m) U7 `6 E4 U7 T; X5 d( r$ ?
Here again, several ways to detect it:! m* I( l) m2 \- s0 s5 ?$ p/ j

6 V+ o7 S/ C. s7 B; s    BPINT 41 if ax==4f
  f+ n3 ?  T! R  W# _3 {
& e; ?" j, ]8 `5 H- t    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
& t, p" q$ m) z
0 \8 D& F- K$ @; n    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
. y3 W* A1 s% z0 k; @: \! Q2 o2 L# l. z6 X( Q% X. E% G
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!/ W  u) V; k4 _1 t2 O, M! @4 @( m
4 G) I8 ^, f0 _) L5 ]
__________________________________________________________________________) E# A! ~) Q' g: J; ^

$ K% p9 O6 x# o# Q  Z/ F8 w% uMethod 13- G! M$ @3 N3 y; @4 _
=========
# P. Z1 `: v0 K1 p* T* d% P1 K+ [1 q1 v# C0 N8 o/ f7 ?/ Z
Not a real method of detection, but a good way to know if SoftICE is
" j: y4 t7 U( q. d2 S3 q/ Yinstalled on a computer and to locate its installation directory." A& T% n6 e1 I  K5 e" ?8 I0 y3 s
It is used by few softs which access the following registry keys (usually #2) :
# f/ j% A, S! e+ I9 |) P. h; d) O. x5 o7 G9 w
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) c7 C; j* X3 J5 I7 H' |
\Uninstall\SoftICE
- F" I4 d1 q& D- P9 Q- F-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE: S/ f7 D; c0 H9 D0 \% s
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
. n6 t+ ]& f9 k4 F" g\App Paths\Loader32.Exe- r. o/ {% K1 r# w$ j1 G
1 B' T, t9 l% o3 V. {: O4 N
9 w; @9 b  T9 l% {& O7 y; v; e. G
Note that some nasty apps could then erase all files from SoftICE directory
2 Y1 L8 K# j3 u' b: k) }* b- K! n- Y7 M(I faced that once :-(% j8 s' |: e" Q6 J4 R& l: w# o" F

8 Z1 Y0 M5 F  J: T2 z3 {4 |1 FUseful breakpoint to detect it:
3 C  m+ ~" w$ C/ \+ l! f. z: W8 F6 z8 Z
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
! r! G6 f) D! o6 o" d" f
" Y7 n2 r+ @7 n% S__________________________________________________________________________
, ?; e' x5 m& I, J0 ^
! i7 v# {& ]+ F- L) y, C- D
4 ~, v4 ~% s2 O0 {Method 14
" r: U- i' Z7 T& b6 t! e=========
: t0 Y& M# D3 b. k, g
6 N2 D' [) u1 f& |. t1 e# {! lA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
9 ~7 T/ e6 v- h9 J$ @is to determines whether a debugger is running on your system (ring0 only).
  Q+ p( c3 _% _* Y7 j, K5 k
* r& o) s9 w. q2 G, Y( U$ {   VMMCall Test_Debug_Installed& G4 O8 @! d# l1 C) S2 [1 k
   je      not_installed! m+ K' {' `, r' b, K
5 ~5 E, T$ a7 E  X( u
This service just checks a flag.
" u$ s& J* r( N' X</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 01:32

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表