About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature that SoftICE recognises: with
EBP='BCHK' and AX=4 at the int 3, a loaded SoftICE answers the
BoundsChecker request and AL no longer holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded: without SoftICE, the int 3 raises a breakpoint
  exception instead of returning normally.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks up the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).  If the VxD is not loaded, ES:DI is left at
0000:0000.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Here a dummy int 41h handler is installed
for the duration of the call (ES must be 0, the IVT segment): if nobody
intercepts the interrupt the dummy handler runs and ax comes back unchanged;
a system debugger hooking int 41h answers with 0F386h.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

; T! J- T2 e# X! q$ `' ^! W' y5 d
0 }! S! [* }' I6 e$ G& {' y# A8 AMethod 06; m/ a: G( N" E
=========
3 ]* t: F- ^3 l" g! T. M; z
) F: w6 t; M3 y8 k
% k2 s# [& _8 J( a, V2nd method similar to the preceding one but more difficult to detect:% q5 L, g- q8 {7 {1 K, M0 F
2 L4 s4 x1 l; t4 C  a
; n# g. f! c  f  x" B- g
int41handler PROC
" g. e/ }: k" a8 J    mov     cl,al
+ `9 _" b# H2 Q1 I, u5 K; D    iret
6 t7 v. B0 t; g6 X3 hint41handler ENDP: S, P0 J6 r  e% e) _/ N

( F' Q- v5 m$ J1 f& ^' u
6 F- g  h1 j1 t3 O/ T! }7 l    xor     ax,ax& D' M! r/ U5 Z' R7 |, f* T
    mov     es,ax
4 D4 H2 e, h# E1 [    mov     bx, cs& N1 T, h+ @% G/ L  w* _) A! ?
    lea     dx, int41handler7 W4 Y# M& t( }: p
    xchg    dx, es:[41h*4]
: J/ X* \* z2 u    xchg    bx, es:[41h*4+2]7 d. G& E; ^. L- v/ u
    in      al, 40h( c+ T" p/ g) C/ q% ~7 N, p
    xor     cx,cx- }8 A) r2 P1 F5 p3 g9 z; f
    int     41h
) P0 k9 T" [0 O4 E! N2 H+ o' m    xchg    dx, es:[41h*4]- m( s7 s3 n7 S) }' N4 x
    xchg    bx, es:[41h*4+2]: n8 F- e6 {+ M  _7 p2 U
    cmp     cl,al
; [4 {8 ]+ [/ ?. R0 k) O    jnz     SoftICE_detected
+ L! O1 B8 r6 z) K( ]0 {1 W3 M
0 ^3 H( u: s1 p8 V7 F7 H5 o. r_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
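Added example, not code from the original text: a small Python linear-sweep
scanner that recognises Methods 01 to 07 in raw 16-bit or 32-bit code by
tracking the immediates loaded into registers before each int. Everything
beyond the opcode encodings is an assumption of this example: the tags it
reports, the hand-assembled SAMPLES bytes (constructed from the listings above,
not taken from any real file), and the choice to decode only mov reg,imm /
int / cmp ax,imm and step over every other byte one at a time.

```python
# Linear-sweep scanner for the interrupt-based anti-SoftICE checks (Methods 01-07).
# Added example, not code from the original text. It decodes only the handful of
# opcodes those tricks are built from (mov reg,imm / int / cmp ax,imm) and skips
# every other byte one at a time, so it can desynchronise on dense unknown code;
# treat hits as leads for a disassembler, not as proof.

REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]

BCHK = 0x4243484B                      # 'BCHK', BoundsChecker signature (Method 01)
SI_MAGIC, DI_MAGIC = 0x4647, 0x4A4D    # 'FG', 'JM' back-door magic values (Method 02)
BACKDOOR = {0x0910: "display string", 0x0911: "execute command",
            0x0912: "get breakpoint info", 0x0913: "set breakpoint",
            0x0914: "remove breakpoint"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}   # int 2Fh/1684h targets (Methods 03/04)
DEBUGGER_MAGIC = 0xF386                # answer of int 41h/4Fh and int 68h/43h (05-07)


def classify_int(vector, regs):
    """Return (tag, description) if an int with this register state is a known trick."""
    ax, bx = regs.get("ax"), regs.get("bx")
    if vector == 0x03:
        if regs.get("ebp") == BCHK:
            return ("int3_bchk", "BoundsChecker signature in EBP (Method 01)")
        if regs.get("si") == SI_MAGIC and regs.get("di") == DI_MAGIC:
            func = BACKDOOR.get(ax, "unknown")
            axs = f"{ax:04X}" if ax is not None else "?"
            return ("int3_backdoor", f"SoftICE back door AX={axs} ({func}) (Method 02)")
    elif vector == 0x2F and ax == 0x1684 and bx in VXD_IDS:
        return ("int2f_get_entry", f"VxD entry-point lookup for {VXD_IDS[bx]} (Methods 03/04)")
    elif vector == 0x41 and ax == 0x004F:
        return ("int41_4f", "debugger installation check (Methods 05/06)")
    elif vector == 0x68 and ax is not None and (ax >> 8) == 0x43:
        return ("int68_43", "V86 WinICE handler check (Method 07)")
    return None


def scan(code, bits=16):
    """Walk `code` (default operand size `bits`) and return [(offset, tag, description)]."""
    regs = {}          # last immediate loaded into each register, as far as we saw it
    hits = []
    i, n = 0, len(code)
    while i < n:
        start, opsize, op = i, bits, code[i]
        if op == 0x66 and i + 1 < n:       # operand-size override: 16 <-> 32
            opsize = 48 - bits
            i += 1
            op = code[i]
        if 0xB8 <= op <= 0xBF or op == 0x3D:           # mov r16/32, imm  |  cmp (e)ax, imm
            width = opsize // 8
            if i + 1 + width > n:
                break
            imm = int.from_bytes(code[i + 1:i + 1 + width], "little")
            if op == 0x3D:
                if imm == DEBUGGER_MAGIC:
                    hits.append((start, "cmp_f386", "compare with system-debugger magic 0F386h"))
            else:
                reg = REG16[op - 0xB8]
                regs[reg] = imm & 0xFFFF
                if opsize == 32:
                    regs["e" + reg] = imm
            i += 1 + width
        elif 0xB0 <= op <= 0xB7 and i + 1 < n:         # mov r8, imm8 -> patch half of r16
            idx = op - 0xB0
            reg = REG16[idx & 3]
            cur = regs.get(reg, 0)
            if idx < 4:
                cur = (cur & 0xFF00) | code[i + 1]          # al, cl, dl, bl
            else:
                cur = (cur & 0x00FF) | (code[i + 1] << 8)   # ah, ch, dh, bh
            regs[reg] = cur
            i += 2
        elif op == 0xCC or (op == 0xCD and i + 1 < n):  # int 3 | int imm8
            vector = 3 if op == 0xCC else code[i + 1]
            i += 1 if op == 0xCC else 2
            hit = classify_int(vector, regs)
            if hit:
                hits.append((start,) + hit)
        else:
            i += 1                                      # not decoded: step one byte
    return hits


# Constructed samples, hand-assembled from the listings above (not bytes from any real file).
SAMPLES = {
    # Method 02, Haspinst-style: mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    "backdoor16": bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302"),
    # Method 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    "vxd16": bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F"),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    "int41_16": bytes.fromhex("B84F00 CD41 3D86F3 7402"),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    "int68_16": bytes.fromhex("B443 CD68 3D86F3"),
    # Method 01 in 32-bit code: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    "bchk32": bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        bits = 32 if name.endswith("32") else 16
        for off, tag, desc in scan(blob, bits):
            print(f"{name}: +{off:02X} {tag:16} {desc}")
```

Run it as a script to list the hits; call scan(blob, 32) on Win32 code and
scan(blob) on DOS code. Method 06 has no fixed immediates apart from the
int 41h/4Fh pair it shares with Method 05, which is why both map to one tag.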


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number      ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
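Added example, not code from the original text: a Python decoder/encoder for
DR7 so that the 0x700 / 0x400 values quoted above can be read. The bit layout
(L0..G3 in bits 0-7, LE/GE in bits 8-9, the always-set bit 10, GD in bit 13,
R/Wn and LENn in bits 16-31) is the Intel one; the function names and the
softice_verdict() heuristic, which simply applies the rule stated above, are
assumptions of this example. Reading or writing the real DR7 still has to be
done from ring 0, as the text says.

```python
# DR7 decoder/encoder for the debug-register check (Method 10). Added example, not
# code from the original text; it only manipulates the DR7 value as an integer, the
# actual `mov eax, dr7` read has to happen in ring 0.

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}                             # LENn field (8 is 64-bit only)

LE, GE, RESERVED_BIT10, GD = 0x100, 0x200, 0x400, 0x2000


def decode_dr7(dr7):
    """Split a DR7 value into its enabled breakpoints and its control flags."""
    bps = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        bps.append({"slot": slot, "scope": "global" if glob else "local",
                    "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": bps, "le": bool(dr7 & LE), "ge": bool(dr7 & GE),
            "gd": bool(dr7 & GD), "bit10": bool(dr7 & RESERVED_BIT10)}


def set_breakpoint(dr7, slot, kind, length, global_scope=False):
    """Return DR7 with `slot` programmed as a local (or global) breakpoint of the given kind."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 &= ~((0x3 << (2 * slot)) | (0xF << (16 + 4 * slot)))   # clear enable + R/W + LEN
    dr7 |= (0x2 if global_scope else 0x1) << (2 * slot)
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    return dr7


def clear_breakpoints(dr7):
    """What a protection does when it 'clears BPMs': drop all L/G enables and R/W, LEN fields."""
    return dr7 & ~(0xFF | 0xFFFF0000)


def softice_verdict(dr7):
    """Apply the heuristic from the text: 0x700 after the SoftICE loader, 0x400 otherwise."""
    if decode_dr7(dr7)["breakpoints"]:
        return "hardware breakpoints set (BPM)"
    if dr7 & (LE | GE) == (LE | GE):
        return "loaded through SoftICE loader"
    return "no debugger activity in DR7"


if __name__ == "__main__":
    for value in (0x400, 0x700, set_breakpoint(0x400, 0, "write", 4)):
        print(f"DR7={value:08X}: {softice_verdict(value)} {decode_dr7(value)['breakpoints']}")
```

0x700 decodes to LE and GE set with no breakpoint enabled, 0x400 to nothing
but the reserved bit, which is exactly the difference the text relies on; a
BPM shows up as one of the four slots with its R/W and LEN fields.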

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed       ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>