About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of the packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: int 3 is called
with EBP='BCHK' and AX=4. If SoftICE is loaded it services the call and AL
no longer holds 4 afterwards; without it the call returns with AL untouched.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses the
SoftICE 'back door' commands, which give information on breakpoints, execute
SoftICE commands, and so on. It is also used to crash SoftICE or to force it
to execute arbitrary commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute SoftICE commands; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT. Since the last one reboots the
machine, do not let the INT 3 at 00A0 run under SoftICE with the command
table intact: skip it or patch the table first.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD through int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back with a
non-zero entry point, otherwise both stay 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh, is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as the one in Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). A harmless int 41h handler is installed in
the IVT first, so that without a system debugger the call simply returns with
AX untouched; only a debugger that intercepts int 41h ahead of the IVT will
answer 0F386h.

    xor     ax,ax
    mov     es,ax               ; ES = 0: ES:[41h*4] is the int 41h IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect, since
function 4Fh is never requested: a pseudo-random byte read from the timer is
passed in AL, and the temporary handler copies it to CL. CL equals AL
afterwards only if the call reached the IVT handler rather than a debugger
(if the byte read happens to be 0 the check gives a false negative).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0: ES:[41h*4] is the int 41h IVT entry
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer channel 0: a pseudo-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns its Device Description Block (in ECX)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
values (in ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol Loader
check whether SoftICE was active (the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: SoftICE's VxD answered */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function) and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD's
Control_Dispatch proc (how could a shareware program load/unload a
non-dynamically-loadable driver such as SoftICE anyway ;-).
If the VxD is loaded, it always clears EAX and the carry flag to allow its
handle to be opened, and is therefore detected.
You can check this simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
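Most of the tricks above leave fixed immediates in the code (the 'BCHK' constant, the FG/JM magic words, the VxD IDs passed to int 2Fh, the 4Fh/int 41h pair, AH=43h/int 68h, the 2A002Ah VxDCall selector), so a first pass over a suspect binary can simply look for those byte sequences before any breakpoints are set. The scanner below is an added example written for this page; it is not code from the original text nor from any of the packers it mentions. The sample buffer is constructed by hand from the Method 01, Haspinst (Method 02) and Method 12 listings, with branch targets and the call displacement left at zero, and the method names and bit values are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One bit per method the scanner recognises (names are this example's own). */
enum {
    M01_BCHK     = 1u << 0,  /* mov ebp,'BCHK' ... int 3            */
    M02_BACKDOOR = 1u << 1,  /* mov si,4647h and mov di,4A4Dh       */
    M03_SICE_VXD = 1u << 2,  /* mov ax,1684h / mov bx,0202h         */
    M04_SIWVID   = 1u << 3,  /* mov ax,1684h / mov bx,7A5Fh         */
    M05_INT41    = 1u << 4,  /* mov ax,4Fh / int 41h                */
    M07_INT68    = 1u << 5,  /* mov ah,43h / int 68h                */
    M12_VXDCALL  = 1u << 6   /* push 4Fh / push 2A002Ah             */
};

/* Opcode + immediate cores only: the 66h operand-size prefix that 32-bit
 * code puts in front of the 16-bit moves is deliberately not part of the
 * pattern, so one pattern covers DOS stubs and Win32 stubs alike. */
static const unsigned char P_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
static const unsigned char P_FG[]   = { 0xBE, 0x47, 0x46 };
static const unsigned char P_JM[]   = { 0xBF, 0x4D, 0x4A };
static const unsigned char P_SICE[] = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02 };
static const unsigned char P_SIWV[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A };
static const unsigned char P_I41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };
static const unsigned char P_I68[]  = { 0xB4, 0x43, 0xCD, 0x68 };
static const unsigned char P_VXD[]  = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 };

typedef struct { unsigned bit; const char *name; const unsigned char *pat; size_t len; } sig_t;

static const sig_t SIGS[] = {
    { M01_BCHK,     "method 01: BoundsChecker int 3",          P_BCHK, sizeof P_BCHK },
    { M03_SICE_VXD, "method 03: int 2Fh/1684h SICE",           P_SICE, sizeof P_SICE },
    { M04_SIWVID,   "method 04: int 2Fh/1684h SIWVID",         P_SIWV, sizeof P_SIWV },
    { M05_INT41,    "method 05: int 41h/4Fh",                  P_I41,  sizeof P_I41  },
    { M07_INT68,    "method 07: int 68h/43h",                  P_I68,  sizeof P_I68  },
    { M12_VXDCALL,  "method 12: VxDCall VWIN32_Int41Dispatch", P_VXD,  sizeof P_VXD  },
};

/* Naive byte search; returns the offset of the first match or -1. */
long find_bytes(const unsigned char *buf, size_t n, const unsigned char *pat, size_t m)
{
    if (m == 0 || n < m) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return (long)i;
    return -1;
}

/* Mask of the methods whose constants appear in buf. Method 02 is only
 * reported when both magic words are present. */
unsigned scan_anti_softice(const unsigned char *buf, size_t n)
{
    unsigned found = 0;
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (find_bytes(buf, n, SIGS[i].pat, SIGS[i].len) >= 0)
            found |= SIGS[i].bit;
    if (find_bytes(buf, n, P_FG, sizeof P_FG) >= 0 &&
        find_bytes(buf, n, P_JM, sizeof P_JM) >= 0)
        found |= M02_BACKDOOR;
    return found;
}

/* Constructed sample, not taken from a real binary: Method 01 as a 32-bit
 * stub, the Haspinst loop of Method 02 (16-bit), and Method 12. */
static const unsigned char SAMPLE[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp, 4243484Bh  ('BCHK') */
    0x66, 0xB8, 0x04, 0x00,             /* mov ax, 4                    */
    0xCC,                               /* int 3                        */
    0x3C, 0x04,                         /* cmp al, 4                    */
    0x75, 0x00,                         /* jnz SoftICE_Detected         */
    0x90, 0x90, 0x90,                   /* filler                       */
    0xB8, 0x11, 0x09,                   /* mov ax, 0911h                */
    0x8B, 0x17,                         /* mov dx, [bx]                 */
    0xBE, 0x47, 0x46,                   /* mov si, 4647h                */
    0xBF, 0x4D, 0x4A,                   /* mov di, 4A4Dh                */
    0xCC,                               /* int 3                        */
    0x83, 0xC3, 0x02,                   /* add bx, 2                    */
    0x41,                               /* inc cx                       */
    0x83, 0xF9, 0x06,                   /* cmp cx, 6                    */
    0x72, 0xEB,                         /* jb loop                      */
    0x6A, 0x4F,                         /* push 4Fh                     */
    0x68, 0x2A, 0x00, 0x2A, 0x00,       /* push 2A002Ah                 */
    0xE8, 0x00, 0x00, 0x00, 0x00,       /* call Kernel32!ORD_0001       */
    0x66, 0x3D, 0x86, 0xF3,             /* cmp ax, 0F386h               */
    0x74, 0x00,                         /* jz SoftICE_detected          */
};

unsigned scan_sample(void) { return scan_anti_softice(SAMPLE, sizeof SAMPLE); }

int main(void)
{
    unsigned found = scan_sample();
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (found & SIGS[i].bit) printf("%s\n", SIGS[i].name);
    if (found & M02_BACKDOOR) printf("method 02: FGJM back door\n");
    return 0;
}
```

A hit only says the constant is present: a packer that builds the immediates at run time, or splits them across several instructions, slips past a byte scan, so treat the result as a pointer to where the breakpoints listed in each method should go rather than as proof either way.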

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
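The conditional breakpoints of Methods 11 and 13 hinge on where the four-byte tag ('SICE', 'tICE', ...) sits inside the string the API receives; get the offset wrong and the breakpoint never fires. The C program below is an added example and not part of the original text: it derives those offsets from the strings themselves, rebuilds the two expressions quoted above, and evaluates whether a given argument would trigger them. The helper names (literal_offset, cond_fires, build_condition) and the marker convention are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Offset of the four-byte literal: the position just past `marker` in `s`,
 * or -1 if the marker is absent.  "\\.\SICE" with marker "\\.\" gives 4;
 * "Software\NuMega\SoftICE" with marker "\Sof" gives 0x13. */
long literal_offset(const char *s, const char *marker)
{
    const char *p = strstr(s, marker);
    return p ? (long)(p - s) + (long)strlen(marker) : -1;
}

/* Emulate SoftICE evaluating "*(ptr+off)=='ABCD'" against the string the
 * API actually received: the four bytes at arg+off must equal the tag.
 * Returns 1 when the breakpoint would fire, 0 otherwise (including when
 * the string is too short to hold four bytes at that offset). */
int cond_fires(const char *arg, long off, const char *tag)
{
    if (off < 0 || strlen(arg) < (size_t)off + 4)
        return 0;
    return memcmp(arg + off, tag, 4) == 0;
}

/* Append "*(base+off)=='XXXX'" to `out`, XXXX being the four bytes of `s`
 * at `off`; clauses are joined with " || ".  SoftICE reads numbers as hex,
 * so small offsets are printed bare and larger ones with a 0x prefix, the
 * way the breakpoints quoted in the text are written. */
static int add_clause(char *out, size_t cap, const char *base,
                      const char *s, long off)
{
    char offtxt[16];
    size_t used = strlen(out);
    if (off < 10)
        snprintf(offtxt, sizeof offtxt, "%ld", off);
    else
        snprintf(offtxt, sizeof offtxt, "0x%lx", off);
    int n = snprintf(out + used, cap - used, "%s*(%s+%s)=='%.4s'",
                     used ? " || " : "", base, offtxt, s + off);
    return n > 0 && (size_t)n < cap - used;
}

/* Build the complete "if" condition for every string in the list. */
int build_condition(char *out, size_t cap, const char *base,
                    const char **strings, size_t count, const char *marker)
{
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        long off = literal_offset(strings[i], marker);
        if (off < 0 || !add_clause(out, cap, base, strings[i], off))
            return 0;
    }
    return 1;
}

/* Subkeys #2 and #1 of Method 13 (lpSubKey is the second argument: esp->8). */
static const char *REG_SUBKEYS[] = {
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
};
/* Device names of Method 11 (lpFileName is the first argument: esp->4). */
static const char *DEVICE_NAMES[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE" };

const char *method13_condition(void)
{
    static char buf[256];
    build_condition(buf, sizeof buf, "esp->8", REG_SUBKEYS, 2, "\\Sof");
    return buf;
}

const char *method11_condition(void)
{
    static char buf[256];
    build_condition(buf, sizeof buf, "esp->4", DEVICE_NAMES, 3, "\\\\.\\");
    return buf;
}

int main(void)
{
    printf("BPX _regopenkey if %s\n", method13_condition());
    printf("BPX CreateFileA if %s\n", method11_condition());
    return 0;
}
```

cond_fires also shows why the expressions compare four bytes at a fixed offset rather than the whole string: a longer key such as Software\NuMega\SoftICE\Config still fires, while a program that opens \\.\NTICE only is missed by a breakpoint that tests for 'SICE' alone.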

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
1 l2 z/ e9 j5 ~, w3 D</PRE></TD></TR></TBODY></TABLE>