About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 when nothing answered the BCHK request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 when the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap our own handler into the int 41h vector
    xchg    bx, es:[41h*4+2]    ; (es must point at the IVT, segment 0)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler simply echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler in the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; a "random" byte from the timer counter port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl == al only if our handler really ran,
    jnz     SoftICE_detected ; i.e. nothing else took int 41h first

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name succeeds only when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>