About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface answers this int 3
    cmp     al,4                   ; ... by changing al; without SoftICE al is still 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; ES must be 0 (the IVT) here, as set up in Method 06
    xchg    bx, es:[41h*4+2]     ; install our own int 41h vector, keep the old one
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h           ; our handler leaves ax alone; a system debugger does not
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our own handler: copy the value read from the timer
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, save the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read a changing value (PIT counter)
    xor     cx,cx
    int     41h                 ; reaches our handler only if nothing else owns int 41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl == al only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

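As an added illustration of what Method 10 actually reads (this is not part of the original post): a decoder for the DR7 bit layout as given in the Intel SDM. It shows why the two values quoted above differ, since 0x400 is only the reserved bit 10 that always reads as 1, while 0x700 additionally carries the LE and GE "exact breakpoint" bits 8 and 9. The function names and the loader check (testing for exactly LE|GE) are my own reading of the post's observation, not a documented SoftICE contract; the code only interprets values passed to it and does not touch the register itself.

```python
"""Decode the x86 DR7 debug-control register (bit layout per Intel SDM vol. 3).

Added example for Method 10 of the post. It interprets DR7 values; reading the
real register needs ring 0, as the post says.
"""

RW_MEANING = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_MEANING = {0: 1, 1: 2, 2: 8, 3: 4}   # bytes covered by the breakpoint slot


def decode_dr7(dr7: int) -> dict:
    """Return the enable flags and per-slot conditions encoded in DR7."""
    slots = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)        # L0..L3: bits 0,2,4,6
        glob = bool(dr7 >> (2 * i + 1) & 1)     # G0..G3: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11       # R/W0..R/W3
        ln = (dr7 >> (18 + 4 * i)) & 0b11       # LEN0..LEN3
        slots.append({
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "condition": RW_MEANING[rw],
            "length": LEN_MEANING[ln],
        })
    return {
        "slots": slots,
        "le": bool(dr7 >> 8 & 1),               # local exact breakpoint enable
        "ge": bool(dr7 >> 9 & 1),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1),  # always reads as 1 (hence 0x400 baseline)
        "gd": bool(dr7 >> 13 & 1),              # general detect: trap on any DR access
    }


def active_bpm_slots(dr7: int) -> list:
    """Indices of dr0..dr3 that carry an enabled (hardware/BPM-style) breakpoint."""
    return [i for i, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def looks_like_softice_loader(dr7: int) -> bool:
    """The post reports dr7 == 0x700 under the SoftICE loader and 0x400 otherwise.
    The difference is exactly LE|GE, so that is what this checks (my reading of
    the post, not a documented contract)."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


if __name__ == "__main__":
    # 0xF0702 is a constructed value: 0x700 plus G0 set with R/W0=3 and LEN0=3
    # (a 4-byte read/write breakpoint in slot 0).
    for value in (0x400, 0x700, 0xF0702):
        d = decode_dr7(value)
        print(f"dr7={value:#x}: LE={d['le']} GE={d['ge']} "
              f"loader-like={looks_like_softice_loader(value)} "
              f"active slots={active_bpm_slots(value)}")
```

The practical point for an analyst is the reserved bit: a DR7 value of 0x400 is the reset state and means nothing is set, so any check that treats "dr7 != 0" as "debugger present" is simply wrong, while LE/GE and the L/G enable bits are the fields worth looking at.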
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
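The breakpoints listed throughout this post catch the checks at run time; the same checks also leave fixed byte sequences in a binary, which is what a triage script or YARA rule keys on when classifying a protected sample. As an added example (not from the post or any tool it names), the scanner below encodes those sequences for Methods 01 to 05, 07, 11 and 12. The encodings are the standard x86 ones for the instructions quoted above (an optional 0x66 prefix admits the 16-bit register forms assembled in 32-bit code), the sample buffer is constructed here and taken from no real file, and SIGNATURES, scan and SAMPLE are names of my own.

```python
"""Static scan for the anti-SoftICE instruction sequences described in the post.

Added example; signature bytes are the standard x86 encodings of the quoted
instructions, the sample buffer is constructed for the demonstration.
"""
import re

# label -> compiled bytes regex. "(?:\x66)?" admits the operand-size prefix
# that mov si/di/ax/bx, imm16 carries when assembled in 32-bit code.
SIGNATURES = {
    "M01 int 3 with 'BCHK' in ebp (BoundsChecker interface)": re.compile(
        rb"\xbd\x4b\x48\x43\x42"                  # mov ebp, 4243484Bh
        rb".{0,8}?\xcc", re.DOTALL),              # ... int 3
    "M02 int 3 backdoor magic values SI=4647h / DI=4A4Dh": re.compile(
        rb"(?:\x66)?\xbe\x47\x46"                 # mov si, 4647h
        rb".{0,16}?(?:\x66)?\xbf\x4d\x4a", re.DOTALL),   # ... mov di, 4A4Dh
    "M03/M04 int 2Fh/1684h with SICE (0202h) or SIWVID (7A5Fh) VxD ID": re.compile(
        rb"(?:\x66)?\xb8\x84\x16"                 # mov ax, 1684h
        rb"(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a)"    # mov bx, 0202h | 7A5Fh
        rb".{0,8}?\xcd\x2f", re.DOTALL),          # ... int 2Fh
    "M05 int 41h function 4Fh": re.compile(
        rb"(?:\x66)?\xb8\x4f\x00"                 # mov ax, 4Fh
        rb".{0,8}?\xcd\x41", re.DOTALL),          # ... int 41h
    "M07 int 68h function 43h": re.compile(
        rb"\xb4\x43.{0,8}?\xcd\x68", re.DOTALL),  # mov ah, 43h ... int 68h
    "M11 MeltICE device name": re.compile(
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),   # "\\.\SICE" etc., NUL-terminated
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh; push 2A002Ah)": re.compile(
        rb"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00"),
}


def scan(blob: bytes) -> list:
    """Return (offset, label) pairs for every signature hit, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the quoted sequences separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"   # Method 01 (32-bit)
    + b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"           # Method 02 (Haspinst loop body)
    + b"\x90" * 4
    + b"\x31\xff\x8e\xc7\xb8\x84\x16\xbb\x02\x02\xcd\x2f"           # Method 03 (16-bit)
    + b"\x90" * 4
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                   # Method 05 (16-bit)
    + b"\x90" * 4
    + b"\x68\x4f\x00\x00\x00\x68\x2a\x00\x2a\x00\xff\x15\x00\x00\x00\x00"  # Method 12
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # Method 11 strings
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Because every pattern is anchored on an immediate operand, a protector that builds the magic values arithmetically or loads them from memory slips past this scanner, so in practice the run-time breakpoints the post lists and a static signature like this are used together rather than one instead of the other.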
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>