找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
1 e9 t- f& [5 f, a+ D, \0 m: z& b! K<TBODY>$ {4 o; _; |9 K
<TR>  W6 B- o3 B0 a6 b" U
<TD><PRE>Method 01 & R( o# Z# t4 \4 ^
=========8 o( H# m9 X( g) a  c

' v; R6 q9 W, {" n8 S( T7 y3 VThis method of detection of SoftICE (as well as the following one) is, O; p7 ~6 R8 C% z- i% O2 F
used by the majority of packers/encryptors found on Internet.
+ i) j( c( K: L; B# s8 i$ bIt seeks the signature of BoundsChecker in SoftICE3 u9 R2 L$ V  J+ a( n' w

! O  S1 e5 Y5 t) p1 [! |+ H  W    mov     ebp, 04243484Bh        ; 'BCHK'
# V9 f" P) k% o0 m( c    mov     ax, 04h
0 e  |9 A  B3 n    int     3       2 S2 [! _0 F/ ]% m7 d7 I
    cmp     al,4
' `4 p$ `. F7 R) ?. w# F    jnz     SoftICE_Detected( s. O7 s/ ?/ `7 V" S
3 d4 a" W& G' q6 ~- }
___________________________________________________________________________
& S* C; c$ {+ G3 J- h" y+ O' H8 c/ R) j
+ I: @* }, q- w! \  H$ [Method 02
6 e( E) {0 J5 A. u6 w& e3 }5 I=========1 x$ i$ d# F" m& K8 i  _9 B# ]
. Y# E3 k1 t2 Q$ d& v6 J
Still a method very much used (perhaps the most frequent one).  It is used  G, C1 k" \, q# v8 N
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
* d: R5 p# N8 J" Qor execute SoftICE commands...
" Z0 R% [9 U, ]: e, HIt is also used to crash SoftICE and to force it to execute any commands
0 [( h2 K7 _/ c(HBOOT...) :-((  
+ Z6 l- A5 d  \) s+ ~/ [  U
0 ~: ~/ n8 G, y4 q& S# \8 B+ VHere is a quick description:
" d2 r2 I. M9 o5 C( d9 P-AX = 0910h   (Display string in SIce windows)
! c9 h1 }/ ?' H9 |( L-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)  y! f  W0 |% K& p5 J
-AX = 0912h   (Get breakpoint infos)) v4 i* v1 Y: O! ?
-AX = 0913h   (Set Sice breakpoints). M( s8 f1 L) n
-AX = 0914h   (Remove SIce breakoints)9 i6 [. H1 ]8 W9 w% ^
$ R1 Z8 W& z& U; g) E1 d; }
Each time you'll meet this trick, you'll see:8 s5 \7 f: \) G3 ?# W
-SI = 4647h0 ~0 k, u) Y! r3 D  b; l1 Y
-DI = 4A4Dh
$ b" m" v4 e3 ?. H  hWhich are the 'magic values' used by SoftIce.! u* G1 p8 S1 k) ?& S$ P2 K0 v
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.% U5 v7 V& X1 a' ?+ `6 f( S

) U5 w7 o- \- U' _; gHere is one example from the file "Haspinst.exe" which is the dongle HASP
  U2 v4 p! z. D" D: [5 o3 oEnvelope utility use to protect DOS applications:
, S. b* i, u) n; |8 O; f5 K$ ^
2 F# }; b: K* d7 e# ^2 o" ~( b/ P  u4 u, b( i; D3 r5 c
4C19:0095   MOV    AX,0911  ; execute command.
% E1 s# a$ {" A7 m! r0 g2 ^4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).1 F, |# w; P* E- N9 Z
4C19:009A   MOV    SI,4647  ; 1st magic value.
. @" \1 e2 v( v4C19:009D   MOV    DI,4A4D  ; 2nd magic value.! t8 A! A+ D3 W# l, \( w
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
% K. U6 u; b' r1 D, E4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
  _+ i. b- C' V+ u" S4C19:00A4   INC    CX
, ?- k' ?/ s) t  e% D" o4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4 D( j: S! \2 A. G4C19:00A8   JB     0095     ; 6 different commands.; s. ^4 U. E7 f( H8 _1 Q0 S( V
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
* y6 X+ B/ X' ?& Q3 D$ H. x9 O3 z( K" k4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
. }; h) m7 ~. w9 e/ g* ~
' s! n9 ]0 ^6 S2 @The program will execute 6 different SIce commands located at ds:dx, which: L1 j6 K6 I- Z  z: c% f6 ?
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# K  P% {  e9 U  y/ U1 z. z; D
7 }/ r5 i0 B3 i" F8 n4 |( Q/ r* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) y$ {, b9 a/ N$ F( K; _  R% k$ q+ c
___________________________________________________________________________* _2 `6 r1 j5 `6 A0 J
5 z, m+ S# b6 b+ i4 e3 i  N
, D; y: C* g0 h& ~8 A( `. b
Method 03) u, U) N5 V# n* B4 \
=========
2 U5 f. b% Q: r! q
. z3 m& c0 a  H7 r2 tLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
: y! C* J2 W) T. L(API Get entry point)
) L$ k4 l+ u( ~1 H0 F: P  ]+ a& ]        
  @& j1 U; H2 r. p! a( o  x) p
    xor     di,di
5 }" \% u% @5 {7 q( y" _    mov     es,di3 t( M8 G8 t3 w8 {6 V
    mov     ax, 1684h      
0 o, h. @3 o# w% z+ ~: R    mov     bx, 0202h       ; VxD ID of winice. t/ j3 ^5 }# S
    int     2Fh$ v, [$ G8 p1 [- p$ N- ^
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
9 I9 G& D1 |9 D, J; B6 ?    add     ax, di
4 E. w  E5 D$ O- @: u    test    ax,ax* M% G0 B4 v# _. g
    jnz     SoftICE_Detected, ^0 G7 _0 `( u4 m+ a6 o; e
, O# Z( {1 q- `+ K7 n& {7 ]
___________________________________________________________________________
, M9 b" }7 I- E: a- n; E* @. d: i# f, H0 l8 q- p- H5 I" Y( S, u
Method 04
9 ^2 s' u( y0 _( W5 ^: B=========% m# s+ e4 s# V3 e0 W5 K
, R1 e8 w) E" ~4 D+ h9 Q
Method identical to the preceding one except that it seeks the ID of SoftICE. N8 O3 w) o& x- k; w% k
GFX VxD.; V* D7 ?! b$ I. p4 H$ n9 A
' ]! `9 W  _, D* d3 ]- R6 V( q) ^
    xor     di,di2 P; M! E; |3 r8 L) W
    mov     es,di
; t! N! p: \' P- z- ~    mov     ax, 1684h      
2 B- |' ]; ^1 @; B( I- H2 M    mov     bx, 7a5Fh       ; VxD ID of SIWVID0 l7 Z' b% n7 p4 |$ X5 o& Q
    int     2fh
# K2 H- p  w% v    mov     ax, es          ; ES:DI -&gt; VxD API entry point
- k+ e- h# k) w. s    add     ax, di: |( D& v6 S& G( N* z& ~0 W
    test    ax,ax' l$ L: A: c6 x) j) h
    jnz     SoftICE_Detected
% i5 M5 C" H- s8 b5 R- z3 ^; m" \- e) R6 [4 W! N4 h( d, H6 x
__________________________________________________________________________# v0 ?: |7 f9 y/ L
1 Q) B" C7 w7 h; v0 o

4 y( W* ?4 x. x8 l  s. ]Method 05
7 V+ t' S2 G3 n" t=========: z% J7 h% p# b
3 s+ B7 X3 a. l
Method seeking the 'magic number' 0F386h returned (in ax) by all system
# v  Q+ F, I: \/ Y9 L/ m1 a2 X5 ]% `! ndebugger. It calls the int 41h, function 4Fh.- d! `) T& G, j0 {
There are several alternatives.  
0 [. w0 x1 j" G! r' N9 N5 \; z: F& P8 n, H3 g' n
The following one is the simplest:6 x3 S2 v1 W" W: ~$ v/ b

3 h2 i8 m3 ]& F1 I    mov     ax,4fh
7 R6 }% j4 G% ^2 X    int     41h: V6 E4 A  J% `% Q6 P/ z" y3 ^# o
    cmp     ax, 0F386
/ _1 n. e6 I( y- G6 P/ j4 m# r    jz      SoftICE_detected
) Y6 q" ?3 ?! L5 m1 k& Z: u3 k* e' H& F$ n, z; ^& |

. R; H/ d; h( Z- N3 D- t) \1 s3 fNext method as well as the following one are 2 examples from Stone's
3 S, j0 U# j# o4 T- g9 k: o9 h7 Z"stn-wid.zip" (www.cracking.net):
/ |" N$ y/ N& M, I' H: j: M9 }+ u- f. _$ X
    mov     bx, cs  T8 L1 D6 j6 ~+ k+ D5 z8 L2 U$ V! D
    lea     dx, int41handler2; e6 `% R; Q! t7 l% ~  K, b* i
    xchg    dx, es:[41h*4]
8 K* [3 P4 q; l* `$ P) i' K( M    xchg    bx, es:[41h*4+2]
+ G/ \- ]9 n5 c8 z' k) l* w& n# H    mov     ax,4fh# z+ R  O, I$ w$ [, z2 g
    int     41h/ C, a$ {+ w" B
    xchg    dx, es:[41h*4]
. I* v2 ?+ s! @0 h2 w    xchg    bx, es:[41h*4+2]6 B5 g( t. T# c' W; x
    cmp     ax, 0f386h
. l4 S3 B4 h( ?+ D6 B4 H: P. \    jz      SoftICE_detected
5 E6 r# N8 ]* n- g2 B$ I! {) w6 |) K( f8 ]# p
int41handler2 PROC! S4 }! X. l2 r
    iret" b* L5 J) Y1 @2 F* Y/ _6 J( p
int41handler2 ENDP
$ B8 w8 ~1 R- N9 s; e- _/ K
8 W& |7 ^6 H2 T1 T9 A; F) u
: {# J/ i" L. c1 C_________________________________________________________________________9 j- M" Z: N3 m$ X1 k) p+ H
0 i0 x9 \  }# j4 h) _

9 Y4 X4 ^/ k/ Q. d; s" EMethod 06
& A% y1 v& d5 [: B. S9 U& Z=========
9 a) j" M' w1 X/ \  D7 K' `6 u# u0 L- H$ n
6 |, q1 u2 i/ f1 E2 Z
2nd method similar to the preceding one but more difficult to detect:! L5 L8 |! t  u; N

8 `" B) v+ j) B' O
8 j4 m' F% z, _int41handler PROC
7 L& i" b3 |* ~) c6 `    mov     cl,al4 W: E$ P& Y6 _* L$ w
    iret( B1 }( S+ [# |% {7 {2 M
int41handler ENDP
  [* h9 b5 _& j$ L6 G5 r4 ^: f: [! I; o- C! b

$ a1 `. {# s& j    xor     ax,ax
* ^  I7 ]  p7 p% u' K8 B    mov     es,ax
3 w2 ~- V% ^3 i! S    mov     bx, cs
2 {% k) g" _  p& c/ @1 D+ ^/ v    lea     dx, int41handler
9 `( K+ ^( `, Z8 E8 }! X. a- N9 N    xchg    dx, es:[41h*4]
0 w% `9 P" F: O9 K" b: _* v+ D" M    xchg    bx, es:[41h*4+2]
' ~) K' P5 `8 D* H8 G0 p    in      al, 40h
8 b$ w5 @3 a" c& D$ j    xor     cx,cx
; G, L, q% X% a4 H* X    int     41h
4 p: U: s! \( t' J1 `6 Y+ ~    xchg    dx, es:[41h*4]
# N, C" K8 d+ W( P    xchg    bx, es:[41h*4+2]$ v2 T' v3 m5 O2 E- U( O
    cmp     cl,al% ?) G, ?$ V$ _
    jnz     SoftICE_detected
7 S8 D* H5 p; y6 H+ l
6 ~' c' I7 n. C- {: u+ i_________________________________________________________________________. Y" O0 t- I/ L: @0 g- U

3 t$ U& p9 F, b# oMethod 07
; S- ]* {& k/ N$ F+ M- X; d=========
( F: V! N& v% q+ `
" v* K. j+ ^  }# v, N5 U8 MMethod of detection of the WinICE handler in the int68h (V86)
1 L# y; o! {# h, }8 V
; b  b" m( A3 |3 ^2 d    mov     ah,43h
  N# c( T, Z# L" ?( Y, f    int     68h  n  z, |- x  P, f0 T7 Y3 F
    cmp     ax,0F386h
7 r% H! `5 a. z3 e' ?- I; |2 J% o6 `    jz      SoftICE_Detected
1 \* Q, v- U6 T& w# C% L
* D7 ]4 ]0 H& R- A* A/ k* n
$ c) z, F  u* E0 a; B=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 y- G  i, }! ^8 L/ u
   app like this:
5 g( ^( x9 F: f& c$ D% }6 }$ W& p  X
   BPX exec_int if ax==68
  |9 R8 p$ I0 T5 {   (function called is located at byte ptr [ebp+1Dh] and client eip is% t  Z# z( Z$ N1 _" s# \
   located at [ebp+48h] for 32Bit apps)
% j6 w& O$ [. C1 R__________________________________________________________________________
& D) f: f2 ?1 P$ d6 E2 A' ^" w6 m6 A- b6 A3 |3 R5 V/ x" Y

$ a$ D8 Y' y; |% ]% t# aMethod 08
9 U* @( P3 T( I4 o' Q=========- B5 _/ V2 }  s$ j3 u" D

% ~4 K) M. l( {* u4 m% o. I; zIt is not a method of detection of SoftICE but a possibility to crash the
, b' h. i* T. e  p+ bsystem by intercepting int 01h and int 03h and redirecting them to another' g  I" u2 Q/ y( j! m) p* a2 R
routine.0 x. u0 y, Q0 o7 T# U; l
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& }. }7 I# q9 }% C. E3 pto the new routine to execute (hangs computer...)
( }, z, Y+ d$ r8 @6 }/ \( W/ E9 d& m& S* k, B+ O* D, `& Z
    mov     ah, 25h
  X" o* @4 ~+ |    mov     al, Int_Number (01h or 03h)
3 E. l" {  N# C# f3 C: V    mov     dx, offset New_Int_Routine! c: E1 b+ Q' }1 D0 `9 ^: D2 w
    int     21h
9 R- R* @; X+ g5 o" o( k- ^; q0 k
& L! }7 u# y! H1 n$ w5 [/ Z__________________________________________________________________________
1 i# g5 Z4 ?8 O/ q% i
/ W* H# i- Q9 x! [& L: iMethod 09
5 G: A) ^; l! p" X$ o  h) W0 @: x=========
9 @1 Q+ ^+ N9 W& }0 \" m% [8 y2 @. ~
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
" {8 T+ s- C4 rperformed in ring0 (VxD or a ring3 app using the VxdCall).5 [9 w# H" `5 W3 f
The Get_DDB service is used to determine whether or not a VxD is installed
. }! d  A! z* Gfor the specified device and returns a Device Description Block (in ecx) for
+ }2 [. J) W3 \7 e9 T6 gthat device if it is installed./ g9 Q' G1 W) H7 U! Y* P

# P9 W! J* w4 Y! ~- e% E; e3 c   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ s! e" H1 }$ A. R" K; c   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
) F6 Z6 ^( C% P   VMMCall Get_DDB' `+ t$ C6 i' ]+ r
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed9 K# P! K* j/ [6 p. b' C1 n2 W
! Q% y5 x4 J' F  G: S1 r  B" p5 o
Note as well that you can easily detect this method with SoftICE:
! y$ g% |8 J; a   bpx Get_DDB if ax==0202 || ax==7a5fh
1 \, }' y  a! c& u
6 ~3 I% D% H9 _6 Y__________________________________________________________________________
+ L- d+ b! ]1 r& p% L, X+ e/ S
) S; N' R1 x# h2 wMethod 100 a4 ~  ?* O$ @5 g6 R6 e2 {
=========/ S( \( o0 U4 n

' w" S- T4 u5 |1 m% W# C=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
& q) f( g4 w2 E/ C  SoftICE while the option is enable!!. E! F- M# @, g! F4 u! i
2 I5 I1 [' t. v# h4 b9 v. D7 g
This trick is very efficient:$ c$ Y& N/ T+ R+ ~: J6 ~& v
by checking the Debug Registers, you can detect if SoftICE is loaded4 q8 N: m: e. d
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# o* P! K8 Z$ {$ zthere are some memory breakpoints set (dr0 to dr3) simply by reading their
/ P9 p) Y) b4 C$ mvalue (in ring0 only). Values can be manipulated and or changed as well
6 m3 [8 G% A% a(clearing BPMs for instance)3 [* R& G# U' \* d/ h* R
2 z+ ~4 A5 E% j# m9 I
__________________________________________________________________________  N+ u$ \/ G/ @$ y

, t, z# W& M% ]! s/ \: [Method 118 v1 h+ ?4 [0 n5 M' v+ n
=========
5 M" w' ?0 p6 p" ~( i5 T) j1 Y3 {3 M+ ^, E0 p( Q
This method is most known as 'MeltICE' because it has been freely distributed1 o' c3 T, p3 B" H
via www.winfiles.com. However it was first used by NuMega people to allow9 J8 ^3 t2 C+ V0 B
Symbol Loader to check if SoftICE was active or not (the code is located
7 H: n" R" @; O+ ^! Binside nmtrans.dll).
7 {, X: L/ `+ |( B& m/ P% b1 o+ I+ H" v; _: F
The way it works is very simple:
' a( p6 w* v9 [It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for( a6 j! o- I$ v/ V  v& a* m
WinNT) with the CreateFileA API.
- e/ V+ y& H$ l/ E; W1 P, Z5 @2 @# ]: ]+ J) G& k( }) h
Here is a sample (checking for 'SICE'):! Z- I, R% E: G2 C- {& Z: x

/ B! i5 G! [; m# f* c8 zBOOL IsSoftIce95Loaded()
! ], L2 b. X; w{$ S% h+ X# c( O$ d
   HANDLE hFile;  8 T4 h0 N( D, o1 ?( `( P" t
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: c" I! X; u; J. T: u- |
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
( f- \* E0 Z( r- l                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
1 g3 H' R: p0 V" t5 K. I4 v% ~; j   if( hFile != INVALID_HANDLE_VALUE )  E) V) P8 x  F' m1 G# U4 E9 T
   {
4 @1 s( x9 r3 w! f/ j# w7 L5 T      CloseHandle(hFile);/ [  Z) b, H& K( F) L
      return TRUE;
1 g+ }8 R8 m7 H0 V# a   }
: |) s) q: a2 z/ X- v# T   return FALSE;
( ^! ~" o/ }) R}
/ S2 V5 P# u) A* ?0 Y. e' \3 U9 d+ @+ X" l
Although this trick calls the CreateFileA function, don't even expect to be
/ N  B$ G  S& o& Zable to intercept it by installing a IFS hook: it will not work, no way!  O/ f) N- E: O- |5 p5 R# Q5 p
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ t: y* g7 f" x; J' z: o7 b3 q) Zservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
; u5 T; U% |$ R5 \' J  |. [and then browse the DDB list until it find the VxD and its DDB_Control_Proc
& o! X' O0 P0 n" hfield.
5 J5 a8 _" i+ w2 G0 c6 jIn fact, its purpose is not to load/unload VxDs but only to send a
/ L  z3 e4 K, _: A! p  E! xW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! y6 m+ m; P6 e" h* Q# W& [
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
" C% m; A# l: _$ Eto load/unload a non-dynamically loadable driver such as SoftICE ;-).
8 S6 l: u4 A$ x5 RIf the VxD is loaded, it will always clear eax and the Carry flag to allow
, P* N. |4 P- d% a, |9 d0 b- Xits handle to be opened and then, will be detected.; Z# a, r& J- `# D
You can check that simply by hooking Winice.exe control proc entry point
8 d! u! U' ]7 }while running MeltICE.
# q6 C5 _1 q1 a: E# a$ _
2 f  g  b0 n: x( p' q# d6 |
! B- g8 X5 k& |# `! m, C; v% l  00401067:  push      00402025    ; \\.\SICE
" |& r1 G$ F) {; M" r/ j& _  0040106C:  call      CreateFileA
1 j8 a* ]- m9 E4 M  00401071:  cmp       eax,-001
! w! c+ X/ o1 Z* c4 g! h! T  00401074:  je        00401091
. y9 o; ]2 H; O' Y- e3 j" s5 O. \# k, [5 n4 o9 l
* F6 K0 V& N2 r# r5 L/ L, W  {
There could be hundreds of BPX you could use to detect this trick.1 p) ?& e- X% z! ~7 z9 s7 c
-The most classical one is:2 k" d3 R! |# h
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
% w: \$ ?: |1 i, u, j" S    *(esp-&gt;4+4)=='NTIC'  R" S& R& J) T* N

; `+ K. ^7 J+ |; I-The most exotic ones (could be very slooooow :-(
  ~5 o& ]1 r. w9 l% {   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  # w* @8 Q' d. w8 p5 u
     ;will break 3 times :-(
) x! `2 ~7 ?7 o0 o
! s3 L* }+ ^/ e( B- j3 [# O. M. t2 D-or (a bit) faster:
% j+ c2 |9 t0 d1 I5 k   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 w7 z, Z% D) w% W! ~7 X0 l$ x
( G9 f# V8 ~3 m0 o, e9 r; P7 B   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  $ E2 r/ \9 U$ M! w
     ;will break 3 times :-(* n: \( M5 p/ i$ a: T

) |  N9 [0 @, D% D7 B-Much faster:# T, X" i) i" M4 s
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
1 S( d2 [0 {& d' f& p5 \* f
3 y9 J4 I' b+ e- C9 U; ^Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
, Q, L/ `- g% W6 e5 }2 cfunction to do the same job:
+ Z% |: j( b! q0 Y, x- _& Y% R2 b5 B1 w7 @8 s0 q& P
   push    00                        ; OF_READ
- H# b, R6 j' B+ q# h0 z   mov     eax,[00656634]            ; '\\.\SICE',0. W( X* ^4 h/ u5 F6 p- r0 b
   push    eax
/ }1 `' C- @  w0 m% E5 ]   call    KERNEL32!_lopen+ Q0 z5 q& S! y& b, C0 W& H5 C: d! l
   inc     eax: x7 h! f0 R- _$ a  m# M4 S. N
   jnz     00650589                  ; detected- \& \! I3 b, J
   push    00                        ; OF_READ
0 r4 s6 w! S( {, I$ s0 X# g   mov     eax,[00656638]            ; '\\.\SICE'( ~% ^8 g0 V8 Y( f
   push    eax
* D9 |7 S: n8 _$ q   call    KERNEL32!_lopen9 R4 o4 @+ A0 u) \' Z+ q
   inc     eax+ p: m0 c0 L. l5 P; w
   jz      006505ae                  ; not detected' [7 U* Q' G6 Z) U8 J

4 t8 v1 z9 Q2 H  S- e( }% u' \( }, H
__________________________________________________________________________9 m: o0 u1 W+ q3 D8 j/ a( v7 C

' Y5 |5 r; r1 s' `- P! `+ OMethod 12$ D/ P: k3 I% h) ~) D
=========1 |9 \9 D9 G2 ?& C
6 A+ t% t8 H: |4 l
This trick is similar to int41h/4fh Debugger installation check (code 05
6 G8 K. ]" o: q, o1 y&amp; 06) but very limited because it's only available for Win95/98 (not NT)* b" S2 \; K4 h4 H' M
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
: t+ f( V4 P, e& J! k% R/ X7 G8 j# H  Z! `. H2 ~5 j. f8 d  {
   push  0000004fh         ; function 4fh
# ]% I% v* o% |, f) U   push  002a002ah         ; high word specifies which VxD (VWIN32)8 M( `. A( I  z+ n( p* U
                           ; low word specifies which service! t" r& @! K9 |3 y
                             (VWIN32_Int41Dispatch)1 T+ u4 l$ z4 Y2 L
   call  Kernel32!ORD_001  ; VxdCall( n2 ^4 Z) k# \* B8 d. d
   cmp   ax, 0f386h        ; magic number returned by system debuggers
4 z4 d* a7 p5 @3 v   jz    SoftICE_detected2 W  O2 @$ V4 \1 z/ T4 P

' }* G4 }! x2 Y0 I  e) x0 @" E7 mHere again, several ways to detect it:
& y- E8 z; e: ?5 V6 e! k; V2 w- ?6 T  g5 X% W
    BPINT 41 if ax==4f
6 U) o% p* ]7 j8 F, m/ R0 A8 d3 Q. |; t) Y* l
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one, J; }. l: ^! i- j, ^
; D, `# ~+ _7 \' z# P
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A5 J6 `% R7 {: u* c6 ?

  m$ N* q$ q' D; k  D6 n( l# b    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!+ n% M3 @' O; \: L9 w* a
* N) y0 l. r5 h1 r, G4 z
__________________________________________________________________________+ J$ g4 j8 Y. w6 {1 |* H

; e8 E6 B* i) ^0 @$ p* M1 M! ?Method 130 f* t6 m# l& C7 s6 X
=========2 u$ p5 ~3 l, a0 h* ]

6 B4 y) E) a, {0 `# u: wNot a real method of detection, but a good way to know if SoftICE is/ a! p, P, j( Z. s) Z, p
installed on a computer and to locate its installation directory., r8 ?9 S2 n2 _- h# S% \
It is used by few softs which access the following registry keys (usually #2) :
' X9 y/ g# s7 J
3 X* B% ]7 R3 |" E8 J9 i0 ?8 t  G-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 k% i; s( J* t/ l- g, X2 n1 ?) s\Uninstall\SoftICE
2 `+ G; [" R8 R" u3 w) b- @-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. ], M6 i% j3 Q+ _! w/ ^- X0 |-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( l$ @5 \* p$ Y# v1 W& ?: E. l) }. v\App Paths\Loader32.Exe7 ~* Z) V, u4 J& o0 l( j

9 }; t% ^9 ?& a$ e: w0 K& N& \' v! ?# d2 F% u1 X! G
Note that some nasty apps could then erase all files from SoftICE directory9 _# k. ]% X# F
(I faced that once :-(
/ A# f  O$ W+ |3 D0 T
* t. L8 U7 C- @9 f( RUseful breakpoint to detect it:
( s) A. ]2 @6 _2 x7 ]: R1 Y: T
6 S* F8 w2 v+ L. x7 _4 d) s     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'# N% o, c* u2 M# a; q

1 m2 C& E' s/ ~5 @( s5 B7 Y7 U__________________________________________________________________________+ a# _+ y- B4 A& `* a

0 l& A  q) B* v) {# h+ p3 l4 L3 R  ?$ z+ W$ W1 l. P0 Y
Method 14 " ?' |' d) V5 R
=========8 H7 u: I, L( B) Z  y* F
1 G) D4 }+ T. Y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
+ s( L4 ^8 \) p+ eis to determines whether a debugger is running on your system (ring0 only).$ i1 P% T# I0 i, ?

" X3 X+ u! I) o8 g  t  t! y   VMMCall Test_Debug_Installed" \! J1 y2 R" s$ s2 U- ]
   je      not_installed4 E6 o# M0 T7 d) p3 K0 G
# i; r4 u  y* ^0 a) G5 J* G# t2 b
This service just checks a flag., \  P2 N% S1 e* b: y: p9 H1 r
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-20 07:10

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表