About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own handler (assumes ES = 0, the IVT
    xchg    bx, es:[41h*4+2]        ; segment, as Method 06 sets explicitly)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nobody else took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = timer count, hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
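The scanner below is an added illustration and is not part of the original post or of any tool it names. It turns the instruction sequences and strings listed in methods 01 to 13 into byte patterns and reports which of the checks a code blob carries, the way a triage script flags anti-debug tricks in a packer stub before anyone single-steps into it. The byte values are the standard x86 encodings of the instructions shown above (a 0x66 operand-size prefix is accepted so 16-bit DOS code and 32-bit Win32 code both match); the `SIGNATURES` table, the `scan` and `methods_present` helpers and the buffer built by `build_sample` are constructions of this example. The usual caveat applies: a protector that computes the constants at runtime or splits the instructions will not match these literal patterns.

```python
import re

# Label -> bytes regex. A leading 0x66 operand-size prefix is optional so the
# same pattern matches 16-bit (DOS) and 32-bit (Win32) code. The encodings are
# the standard x86 ones for the instructions listed in the post; the table
# itself is an assumption of this example, not something taken from the post.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -- BoundsChecker signature
    ("Method 01 BoundsChecker 'BCHK' check",
     rb"\x66?\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh -- back-door magic values
    ("Method 02 back-door magic SI=4647 DI=4A4D",
     rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh -- VxD entry point
    ("Method 03/04 int 2Fh/1684h VxD ID",
     rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h -- debugger installation check
    ("Method 05 int 41h/4Fh",
     rb"\x66?\xB8\x4F\x00\xCD\x41"),
    # Methods 05/06/07/12 all compare against the magic number: cmp ax,0F386h
    ("Magic number cmp ax,0F386h",
     rb"\x66?\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h
    ("Method 07 int 68h/43h",
     rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): driver device names handed to CreateFileA / _lopen
    ("Method 11 MeltICE device name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 2A002Ah before the VxDCall
    ("Method 12 VxDCall VWIN32_Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: the registry key that names the SoftICE installation
    ("Method 13 registry key",
     re.escape(b"Software\\NuMega\\SoftICE")),
]

COMPILED = [(label, re.compile(pattern)) for label, pattern in SIGNATURES]


def scan(blob):
    """Return a list of (offset, label) for every signature hit, ordered by offset."""
    hits = []
    for label, regex in COMPILED:
        for match in regex.finditer(blob):
            hits.append((match.start(), label))
    hits.sort()
    return hits


def methods_present(blob):
    """Distinct methods found in the blob, sorted, for a one-line triage summary."""
    return sorted({label for _, label in scan(blob)})


def build_sample():
    """Constructed sample buffer (not a real file): NOP filler with a few of the
    sequences from the post embedded at known offsets (16, 44, 70 and 94)."""
    filler = b"\x90" * 16
    return b"".join([
        filler,
        # Method 01 in 32-bit code: mov ebp,'BCHK' / mov ax,4 / int 3 / cmp al,4
        b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
        filler,
        # Method 02 in 16-bit code, as in the Haspinst.exe listing:
        # mov ax,0911 / mov si,4647 / mov di,4A4D / int 3
        b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC",
        filler,
        # Method 05 in 16-bit code: mov ax,4Fh / int 41h / cmp ax,0F386h
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
        filler,
        # Method 11: the device name string a MeltICE-style check opens
        b"\\\\.\\SICE\x00",
        filler,
    ])


if __name__ == "__main__":
    for offset, label in scan(build_sample()):
        print(f"0x{offset:04X}  {label}")
```

Running the script on the constructed buffer lists the five hits in offset order (the Method 02 pattern starts at 47, three bytes into the HASP-style sequence, because the `mov ax,0911` that precedes the magic values is not part of the signature). For real samples, feed `scan` the raw bytes of a code section; the magic-number pattern on its own is a weak indicator, so it is worth reporting it separately from the method-specific sequences, as the labels do here.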