About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It probes for the BoundsChecker interface signature built into SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
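Both INT 3 variants above (the 'BCHK' check of Method 01 and the 4647h/4A4Dh back door of Method 02) leave fixed immediates in the code, so an analyst can find them statically before running the protected file under a debugger at all. The following Python scanner is an added example, not part of the original article: it looks for those immediates followed by an INT 3 within a short window and, for the back-door form, recovers the AX function number and maps it to the table above. The opcode encodings in the comments are hand-assembled for this example and the three sample buffers are constructed; a 'BCHK' immediate with no INT 3 nearby is deliberately not reported.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Back door function numbers listed in Method 02 (AX on entry to INT 3).
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command (ds:dx)",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# Opcode patterns (hand-assembled for this example):
#   mov ebp, 4243484Bh ('BCHK')          -> BD 4B 48 43 42
#   mov si, 4647h  / mov esi, 4647h      -> BE 47 46 [00 00]
#   mov di, 4A4Dh  / mov edi, 4A4Dh      -> BF 4D 4A [00 00]
#   mov ax, 09xxh (opt. 66 prefix) / mov eax, 09xxh -> B8 xx 09 ...
#   int 3                                -> CC
BCHK_RE = re.compile(rb"\xbd\x4b\x48\x43\x42")
SI_MAGIC_RE = re.compile(rb"\xbe\x47\x46(?:\x00\x00)?")
DI_MAGIC_RE = re.compile(rb"\xbf\x4d\x4a(?:\x00\x00)?")
AX_FUNC_RE = re.compile(rb"\xb8([\x10-\x14])\x09")
INT3 = 0xCC
WINDOW = 16   # max distance between the marker instructions and the INT 3


@dataclass
class Finding:
    offset: int
    kind: str                 # "bchk" (Method 01) or "backdoor" (Method 02)
    function: Optional[int]   # AX value for the back door variant, if recoverable


def _int3_follows(buf: bytes, start: int) -> bool:
    return INT3 in buf[start:start + WINDOW]


def _backdoor_function(buf: bytes, before: int) -> Optional[int]:
    # Look back a short distance for the mov ax, 09xxh that selects the function.
    m = AX_FUNC_RE.search(buf, max(0, before - WINDOW), before)
    return (0x0900 | m.group(1)[0]) if m else None


def scan_int3_backdoor(buf: bytes) -> List[Finding]:
    """Locate INT 3 based SoftICE checks in a raw code buffer."""
    findings: List[Finding] = []
    for m in BCHK_RE.finditer(buf):
        if _int3_follows(buf, m.end()):
            findings.append(Finding(m.start(), "bchk", None))
    for si in SI_MAGIC_RE.finditer(buf):
        # Both magic values must be loaded close together, then an INT 3 issued.
        di = DI_MAGIC_RE.search(buf, max(0, si.start() - WINDOW), si.end() + WINDOW)
        if di is None or not _int3_follows(buf, max(si.end(), di.end())):
            continue
        first = min(si.start(), di.start())
        findings.append(Finding(first, "backdoor", _backdoor_function(buf, first)))
    return sorted(findings, key=lambda f: f.offset)


def describe(findings: List[Finding]) -> List[str]:
    out = []
    for f in findings:
        if f.kind == "bchk":
            out.append(f"{f.offset:#06x}: INT 3 with EBP='BCHK' (BoundsChecker interface check)")
        else:
            name = BACKDOOR_FUNCTIONS.get(f.function, "unknown function")
            ax = f"AX={f.function:04X}h" if f.function is not None else "AX not recovered"
            out.append(f"{f.offset:#06x}: INT 3 back door, SI=4647h/DI=4A4Dh, {ax} ({name})")
    return out


# Constructed 32-bit fragment matching Method 01:
METHOD01_SAMPLE = bytes([
    0xBD, 0x4B, 0x48, 0x43, 0x42,   # mov ebp, 4243484Bh ; 'BCHK'
    0x66, 0xB8, 0x04, 0x00,         # mov ax, 4
    0xCC,                           # int 3
    0x3C, 0x04,                     # cmp al, 4
    0x75, 0x05,                     # jnz SoftICE_Detected
])
# Constructed 16-bit fragment mirroring the Haspinst.exe loop of Method 02:
METHOD02_SAMPLE = bytes([
    0xB8, 0x11, 0x09,       # mov ax, 0911h   ; execute command
    0x8B, 0x17,             # mov dx, [bx]
    0xBE, 0x47, 0x46,       # mov si, 4647h   ; 1st magic value
    0xBF, 0x4D, 0x4A,       # mov di, 4A4Dh   ; 2nd magic value
    0xCC,                   # int 3
    0x83, 0xC3, 0x02,       # add bx, 2
    0x41,                   # inc cx
    0x83, 0xF9, 0x06,       # cmp cx, 6
    0x72, 0xEB,             # jb  back to the top
])
# The 'BCHK' immediate sitting in data with no INT 3 nearby: must not be reported.
DECOY_SAMPLE = bytes([0xBD, 0x4B, 0x48, 0x43, 0x42]) + b"\x00" * 40

if __name__ == "__main__":
    for line in describe(scan_int3_backdoor(METHOD01_SAMPLE + DECOY_SAMPLE + METHOD02_SAMPLE)):
        print(line)
```

Run on a whole code section the scanner reports each hit with its offset, so the listing can be checked against the disassembly exactly as done for Haspinst.exe above.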

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API: Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Identical to the preceding method, except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(The temporary handler copies AL into CL. If SoftICE intercepts int 41h before
the vector in the IVT is reached, the handler never runs, so CL stays zero and
no longer matches the value just read into AL.)

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
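Methods 11 and 13 both depend on fixed strings (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the three registry paths), which makes them easy to spot in a binary's data section without setting any breakpoint. The scanner below is an added example, not part of the original article: it finds those strings in a raw buffer and reports offset, encoding and which indicator matched. It also handles UTF-16LE copies, which the wide-character (...W) API variants would carry, an extension not discussed in the text; the sample data is constructed and the ordinary \\.\PhysicalDrive0 name in it is there to show that unrelated device names are not flagged.

```python
import re
from dataclasses import dataclass
from typing import List

# Strings the article ties to SoftICE: device names opened in Method 11 and the
# registry paths read in Method 13. Matching is case-insensitive, as Windows is.
INDICATORS = {
    "device:SICE":        b"\\\\.\\SICE",
    "device:SIWVID":      b"\\\\.\\SIWVID",
    "device:NTICE":       b"\\\\.\\NTICE",
    "registry:NuMega":    b"Software\\NuMega\\SoftICE",
    "registry:Uninstall": b"CurrentVersion\\Uninstall\\SoftICE",
    "registry:AppPaths":  b"App Paths\\Loader32.Exe",
}


def _utf16le(s: bytes) -> bytes:
    """The same string as a wide-character API would carry it."""
    return s.decode("latin-1").encode("utf-16-le")


# One compiled pattern per indicator and encoding. The UTF-16LE variant is an
# extension of the text, which only shows the ANSI (CreateFileA / _lopen) forms.
PATTERNS = [
    (name, enc, re.compile(re.escape(raw), re.IGNORECASE))
    for name, s in INDICATORS.items()
    for enc, raw in (("ansi", s), ("utf-16le", _utf16le(s)))
]


@dataclass
class StringHit:
    offset: int
    indicator: str
    encoding: str
    text: str


def scan_softice_strings(buf: bytes) -> List[StringHit]:
    """Return every SoftICE-related string found in buf, in file order."""
    hits = []
    for name, enc, pat in PATTERNS:
        for m in pat.finditer(buf):
            raw = m.group(0)
            text = raw.decode("utf-16-le") if enc == "utf-16le" else raw.decode("latin-1")
            hits.append(StringHit(m.start(), name, enc, text))
    return sorted(hits, key=lambda h: h.offset)


def indicator_names(buf: bytes) -> List[str]:
    return [h.indicator for h in scan_softice_strings(buf)]


# Constructed stand-in for a .data section (not taken from any real binary).
SAMPLE_DATA = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"
    + b"\\\\.\\SIWVID\x00"
    + b"\\\\.\\PhysicalDrive0\x00"             # ordinary device name: must not be flagged
    + _utf16le(b"\\\\.\\ntice") + b"\x00\x00"  # wide-char copy, lower case
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan_softice_strings(SAMPLE_DATA):
        print(f"{h.offset:#06x} {h.encoding:8} {h.indicator:18} {h.text}")
```

A packer that builds the name at run time (byte by byte, or by decrypting it) will not show up here; that is exactly the case where the CreateFileA and _regopenkey breakpoints listed above still catch it.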

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>