About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' - BoundsChecker request tag
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers the request
    cmp     al,4                   ; al untouched -&gt; nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax                   ; still 0 -&gt; no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax                   ; still 0 -&gt; no such VxD
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler (assumes ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; the IVT now points to an iret, so a 0F386h
                                    ; reply can only come from a debugger
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing, leaves ax unchanged
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler: copy the test byte into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from timer channel 0
    xor     cx,cx
    int     41h                     ; if our handler runs, cl becomes al
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al -&gt; int 41h never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                         ; DOS Set Interrupt Vector
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine      ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only if the SICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (see
methods 05 &amp; 06) but very limited because it's only available for Win95/98
(not NT) as it uses the VxDCall backdoor. This detection was found in the
Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed      ; sets ZF if no debugger is installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
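The following Python scanner is an added example, not part of the original post: it turns the instruction sequences from Methods 01, 02, 03/04, 05 and 07 and the MeltICE driver names from Method 11 into byte signatures and reports where they occur in a raw code image, so an analyst can spot these checks statically before single-stepping into them. The byte encodings are the standard 16/32-bit forms of the listed instructions (an optional 66h prefix covers both operand sizes); the sample image at the bottom is constructed for demonstration.

```python
"""Static triage scanner for the anti-SoftICE byte patterns described above.

Added example (not part of the original post). It encodes the instruction
sequences of Methods 01, 02, 03/04, 05 and 07, plus the MeltICE device names
of Method 11, as byte signatures and reports where they occur in a raw code
image. The sample image at the bottom is constructed for demonstration.
"""
import re
from typing import List, Tuple

# Byte signatures: (method number, description, regex over raw bytes).
# The optional 66h prefix covers the 32-bit encoding of 16-bit register moves
# and the 16-bit encoding of the 32-bit mov ebp.
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker backdoor)",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    ("02", "int 3 backdoor magic values mov si,4647h / mov di,4A4Dh",
     rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A"),
    ("03", "int 2Fh/1684h with SICE VxD ID 0202h",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h debugger-installed check",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("07", "mov ah,43h / int 68h (V86 WinICE handler check)",
     rb"\xB4\x43\xCD\x68"),
    ("11", "MeltICE driver name (\\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE)",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
]


def scan_for_anti_softice(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, ordered by offset."""
    hits = []
    for method, description, pattern in SIGNATURES:
        for match in re.finditer(pattern, image, re.DOTALL):
            hits.append((match.start(), method, description))
    return sorted(hits)


def format_report(hits: List[Tuple[int, str, str]]) -> str:
    """One line per hit, in the style of a disassembler listing."""
    return "\n".join(f"{off:08X}  Method {m}: {d}" for off, m, d in hits)


# Constructed sample image: NOP padding around the Method 01 check (32-bit
# encoding), the Method 02 sequence from the Haspinst.exe listing, the
# Method 05 check and two MeltICE device-name strings.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # Method 11
)

if __name__ == "__main__":
    print(format_report(scan_for_anti_softice(SAMPLE_IMAGE)))
```

Pointing the scanner at a dumped code section rather than the constructed image is a matter of passing the file's bytes to `scan_for_anti_softice`; the 02 signature alone is a weaker indicator than the others, so confirm it by checking for the preceding mov ax,09xxh in the disassembly.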