About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:

   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:

   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
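As an added example from the analyst's side (it is not part of the original text), the scanner below searches a binary for the byte-level fingerprints of methods 01, 02, 03/04, 05, 07, 11, 12 and 13 described above, so a sample can be flagged for anti-debugger checks before it is traced. The opcode encodings are standard x86 (16-bit forms, with an optional 0x66 prefix where the same instruction may appear in 32-bit code); the sample blob is constructed by hand from the listings above and is not a real program.

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described above.
# Method numbers refer to the sections of this text.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK' BoundsChecker signature)
    "method01_bchk": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic values)
    "method02_backdoor_magic": re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (VxD ID lookup)
    "method03_04_int2f_1684": re.compile(
        rb"(?:\x66)?\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h (system-debugger installation check)
    "method05_int41_4f": re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "method07_int68_43": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen
    "method11_meltice_device": re.compile(
        re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah (VxDCall to VWIN32_Int41Dispatch)
    "method12_vxdcall_int41": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key used to locate the SoftICE installation
    "method13_registry": re.compile(re.escape(b"Software\\NuMega\\SoftICE")),
}


def scan(blob: bytes) -> dict:
    """Return {signature_name: [offsets]} for every signature found in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


def report(blob: bytes) -> list:
    """One human-readable line per hit, sorted by offset."""
    lines = []
    for name, offsets in scan(blob).items():
        for off in offsets:
            lines.append(f"{off:#010x}  {name}")
    return sorted(lines)


# Constructed sample "binary": NOP padding around hand-assembled fragments of
# methods 01, 02, 03, 05, 11 and 13 placed at known offsets (not a real program).
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # offset 8:  method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # offset 27: method 02 magic
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                  # offset 34: method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                  # offset 42: method 05
    + b"\\\\.\\SICE\x00"                                    # offset 50: MeltICE device name
    + b"Software\\NuMega\\SoftICE\x00"                      # offset 59: registry key
)

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Point scan() at the raw bytes of a sample (or a memory dump) to get the offsets to examine first; a hit marks where the check lives, not proof that it is reached at run time.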