About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...).

    mov     ah, 25h
    mov     al, Int_Number        ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
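To make the two DR7 values quoted in Method 10 concrete, here is an added decoder (my own example, not code from the original post) that splits DR7 into its fields according to the Intel debug-register layout. It shows why 0x400 is the "clean" value (only the always-set reserved bit 10) and why 0x700 additionally carries the LE and GE flags, and it reports any armed DR0-DR3 slot, which is exactly what the warning at the top of this method is about: a BPM left set is visible to a protection that reads these registers. The register values used in the demo are constructed, and the classification wording is mine.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7  : L0 G0 L1 G1 L2 G2 L3 G3  (local/global enable per slot)
#   bit 8, 9  : LE, GE (exact breakpoint matching)
#   bit 10    : reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13    : GD (general detect: trap on any MOV to/from DRx)
#   bits 16+  : per slot, 2 bits R/W then 2 bits LEN
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b (8 bytes) is valid in long mode only


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into armed breakpoint slots and control flags."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
    }


def classify(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """What a Method 10 style check would conclude from DR7 (and DR0-DR3)."""
    info = decode_dr7(dr7)
    if info["slots"]:
        armed = ", ".join(
            f"DR{s['slot']}={dr0_3[s['slot']]:08X} ({s['type']}, {s['length']} byte(s))"
            for s in info["slots"])
        return "hardware breakpoints armed: " + armed
    if info["LE"] and info["GE"]:
        return "no breakpoints, but LE/GE set (the 0x700 pattern: started under the SoftICE loader)"
    return "no breakpoints, LE/GE clear (the 0x400 pattern: nothing to see)"


if __name__ == "__main__":
    # Constructed values: the two DR7 states quoted in the post, plus one
    # with a 4-byte read/write BPM on 00401000h in slot 0 (DR7 = 000F0401h).
    for dr7, regs in ((0x400, (0,) * 4), (0x700, (0,) * 4),
                      (0xF0401, (0x401000, 0, 0, 0))):
        print(f"DR7={dr7:08X}: {classify(dr7, regs)}")
```

Reading DR7 needs ring0, as the post says; the decoder itself only needs the value, so it can be fed from a kernel-mode dump or a debugger's register view.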

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

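The breakpoints given throughout the post catch these tricks at run time. As an added example (my own code, not part of the original post or of any tool it names), the following Python scanner does the complementary static job: it searches a raw code/data blob for the instruction encodings of the interrupt-based checks of Methods 01-07 and 12 and for the driver and registry strings of Methods 11 and 13, so an analyst can spot them before single-stepping into a protected program. The byte encodings are those of the 16-bit sequences quoted above (the 32-bit forms of Method 01 and the Win32-only Methods 11-13 are covered too); allowing a few unrelated bytes between the register set-up and the interrupt is my own assumption, and the sample blob is constructed from the quoted sequences, not taken from a real program.

```python
import re
import struct

# Method 02 back-door function numbers, as listed in the post.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# (method, description, pattern over raw bytes).  The '.{0,N}?' gaps are an
# assumption: they tolerate a few unrelated bytes between the register
# set-up and the interrupt, as in the Haspinst listing (mov dx,[bx]).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' check: mov ebp,4243484Bh ... int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    ("02", "SoftICE int 3 back door: mov si,4647h / mov di,4A4Dh ... int 3",
     re.compile(rb"(?:\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46)"
                rb".{0,16}?\xCC", re.S)),
    ("03", "int 2Fh/1684h entry point of VxD 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.S)),
    ("04", "int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.S)),
    ("05", "int 41h function 4Fh: mov ax,4Fh ... int 41h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    ("05/06", "int 41h vector swapped via xchg dx/bx,es:[41h*4] (Stone's code)",
     re.compile(rb"\x26\x87[\x16\x1E]\x04\x01", re.S)),
    ("06", "in al,40h / xor cx,cx / int 41h handler check",
     re.compile(rb"\xE4\x40.{0,8}?(?:\x33\xC9|\x31\xC9).{0,8}?\xCD\x41", re.S)),
    ("07", "int 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    ("11", "MeltICE device name for CreateFileA/_lopen",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    ("13", "SoftICE registry key",
     re.compile(rb"(?:Uninstall|NuMega)\\SoftICE|App Paths\\Loader32\.Exe", re.I)),
]


def backdoor_function(blob: bytes, at: int):
    """For a Method 02 hit at offset `at`, look back for the
    'mov ax,09xxh' (B8 xx 09) that selects the back-door function."""
    idx = blob.rfind(b"\xB8", max(0, at - 16), at)
    if idx != -1 and idx + 3 <= len(blob):
        (ax,) = struct.unpack_from("<H", blob, idx + 1)
        if ax >> 8 == 0x09:
            return ax
    return None


def scan(blob: bytes):
    """Return (offset, method, detail) hits for every signature, by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            detail = desc
            if method == "02":
                fn = backdoor_function(blob, m.start())
                if fn is not None:
                    detail += f" [AX={fn:04X}h: {BACKDOOR_FUNCS.get(fn, 'unknown function')}]"
            hits.append((m.start(), method, detail))
    return sorted(hits)


# Constructed sample blob (not a real program): the instruction bytes of the
# sequences quoted in the post, separated by NOPs.
NOPS = b"\x90" * 8
SAMPLE = (
    NOPS
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"             # Method 01
    + NOPS
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"     # Method 02 (Haspinst)
    + NOPS
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"     # Method 03
    + NOPS
    + b"\xB8\x4F\x00\xCD\x41"                                 # Method 05
    + NOPS
    + b"\xB4\x43\xCD\x68"                                     # Method 07
    + NOPS
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                         # Method 12
    + NOPS
    + b"\\\\.\\SICE\x00"                                      # Method 11 string
    + b"Software\\NuMega\\SoftICE\x00"                         # Method 13 key
)

if __name__ == "__main__":
    for off, method, detail in scan(SAMPLE):
        print(f"{off:06X}  Method {method:<5} {detail}")
```

The patterns are deliberately narrow (exact register values, short gaps), so a packer that loads the magic values through other registers or spreads the set-up further apart will be missed; the point is a quick first pass, after which the run-time breakpoints above do the rest.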

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>