About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes es = 0 (IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number        ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
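A static scanner for the tricks above, added here as an example and not part of the original post or of any tool it names: it searches a buffer for the byte sequences the post's snippets assemble to (assumed assembled exactly as written, 16-bit where the post uses 16-bit registers) and for the MeltICE device names and NuMega registry key, so an analyst can triage a sample for these checks before single-stepping it. The sample buffer is constructed by hand, not taken from any real file.

```python
"""Static triage of a binary for the anti-SoftICE checks listed above.

Added example, not code from the original post.  Assumption: the snippets are
assembled as written; compilers and packers may emit other encodings, so a hit
is a lead for the analyst, not proof, and a miss is not a clean bill.
"""
import re
from typing import Dict, List

# Regexes over raw bytes; re.S lets '.' match any byte between instructions.
CODE_SIGNATURES = [
    ("Method 01: 'BCHK' BoundsChecker check via int 3",      # mov ebp,4243484Bh ... int 3
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02: back door magic SI=4647h/DI=4A4Dh",        # mov si,4647h / mov di,4A4Dh
     rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,4}?\xBE\x47\x46"),
    ("Method 03/04: int 2Fh/1684h VxD entry (SICE/SIWVID)",  # mov ax,1684h / mov bx,id / int 2Fh
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("Method 05: int 41h function 4Fh",                      # mov ax,4Fh / int 41h
     rb"\xB8\x4F\x00\xCD\x41"),
    ("Method 07: int 68h function 43h",                      # mov ah,43h / int 68h
     rb"\xB4\x43\xCD\x68"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch",              # push 4Fh / push 002A002Ah
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]
# Plain ANSI strings: CreateFileA, _lopen and RegOpenKey take ANSI names here.
STRING_SIGNATURES = [
    ("Method 11: MeltICE device name", b"\\\\.\\SICE"),
    ("Method 11: MeltICE device name", b"\\\\.\\SIWVID"),
    ("Method 11: MeltICE device name", b"\\\\.\\NTICE"),
    ("Method 13: NuMega registry key", b"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes) -> Dict[str, List[int]]:
    """Map each trick found in data to the offsets at which it occurs."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in CODE_SIGNATURES:
        for m in re.finditer(pattern, data, re.S):
            hits.setdefault(name, []).append(m.start())
    for name, needle in STRING_SIGNATURES:
        for m in re.finditer(re.escape(needle), data):
            hits.setdefault(name, []).append(m.start())
    return hits


# Constructed sample, not a real file: three of the post's snippets assembled
# by hand, padded with NOPs/zeros, plus a MeltICE device name in the data.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x00" * 16
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x00" * 16
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"          # Method 04
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                            # Method 11
)


def main() -> None:
    for name, offsets in sorted(scan(SAMPLE).items()):
        print(f"{name}: at {', '.join(hex(o) for o in offsets)}")


if __name__ == "__main__":
    main()
```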