找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
$ L- u, h. |1 \* }; }% h<TBODY>( V7 {( L  C8 S) G* d: u# L% j; x
<TR>: J& P: u0 T! e3 W6 Y1 S' i
<TD><PRE>Method 01 7 M9 `) M6 l$ R3 c
=========1 K7 d0 J, A! k4 L
' A" {, I4 P' A) B" l
This method of detection of SoftICE (as well as the following one) is
1 l# K6 C! j. y2 f  z& ^used by the majority of packers/encryptors found on Internet.
" t: k; C' [6 b1 {+ YIt seeks the signature of BoundsChecker in SoftICE
# A$ Q0 m4 w8 B' v( A5 \. Q- g9 o4 `8 i+ \, q6 \
    mov     ebp, 04243484Bh        ; 'BCHK'
+ C0 T& G7 N! |2 w5 l. t    mov     ax, 04h
8 u, h9 K! q/ C8 [2 `! f2 D    int     3       5 O# I( {% j# L( e- f6 u
    cmp     al,4
- m) q2 r4 u9 a5 P: ?    jnz     SoftICE_Detected8 `; k! j4 P3 Q. V

2 m' a# L1 L9 l- Z0 Y. J___________________________________________________________________________
0 R  g  z# l' F- \- d/ Q; t3 P
1 c, O; U$ _# ]2 _: \1 M/ p' QMethod 02
! f, d- ^" G. w- g! ]. F=========
6 c% e  }5 v% n: P% U  y3 Y
9 N' F3 m7 R( H1 r% eStill a method very much used (perhaps the most frequent one).  It is used
$ p. ]$ @. o4 Z3 M8 uto get SoftICE 'Back Door commands' which gives infos on Breakpoints,) |+ I' a, A& x7 I  z) g& m
or execute SoftICE commands...8 d$ `, b6 n3 Z- ]2 ~. P
It is also used to crash SoftICE and to force it to execute any commands
- ]% l: e* C, w6 }7 e; @% k(HBOOT...) :-((  $ l! T& M4 e+ `% S# _

! T4 r! `5 v+ L: d: Q' i% H* sHere is a quick description:1 r; \$ \+ n9 e4 |/ k" Q
-AX = 0910h   (Display string in SIce windows)
5 o- s5 m5 L  |* X6 Z  f' ]' J-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
0 e/ t# u1 _6 I/ u+ D-AX = 0912h   (Get breakpoint infos)
1 ?" n4 t2 `  s-AX = 0913h   (Set Sice breakpoints)
# w3 R) P- X0 F$ y-AX = 0914h   (Remove SIce breakoints)5 Y- `% o! q7 O, X/ e+ y$ a3 G$ @! P

3 o3 h+ x" W8 {" zEach time you'll meet this trick, you'll see:) `0 O" [  O& w
-SI = 4647h% O7 h& ]* @5 U9 }3 h+ c; t
-DI = 4A4Dh: H( J. }8 U/ }7 x
Which are the 'magic values' used by SoftIce.
3 ^' a7 r8 i+ {, h' wFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 ~! N8 I9 ]* ?: v  v$ w# G* b3 h: f
& G$ n$ p) Q) C% b8 o) v
Here is one example from the file "Haspinst.exe" which is the dongle HASP2 u$ h* N  X& p0 n. \0 d
Envelope utility use to protect DOS applications:
; m5 z: g: y% E0 P& u' R& j( @+ _4 @' }; h) ^

6 c' {: i! |& [3 Z  J  o: `, U' v4C19:0095   MOV    AX,0911  ; execute command.
& |  F+ D* W% d  A% Q( {7 Y3 L2 h/ q4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).% ~4 v2 n8 X* L2 F, h
4C19:009A   MOV    SI,4647  ; 1st magic value.
5 G9 W; f/ ~: q& y4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
- p% D! G& u5 c. Q% Z8 c4 |; s* Z. L4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
* c9 D3 P" e  b9 J  J8 @4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
$ T# z# M7 r) p$ P& X; c4C19:00A4   INC    CX
. Q9 H0 ^9 @8 ?) W4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute6 O; ^, T" ^1 u" k* k
4C19:00A8   JB     0095     ; 6 different commands.! n( r  \5 D& ^/ `+ T
4C19:00AA   JMP    0002     ; Bad_Guy jmp back., f) D2 {+ u+ q8 S
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)* d4 o( L. \( p" T& ?

* O* x3 d! P& k$ i, d: vThe program will execute 6 different SIce commands located at ds:dx, which
; w. R3 Y. e3 Z( ~% j- Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.* N" C3 H. F3 [% J" h5 m! A: s

5 U( ]* D6 v: I( d1 E2 P* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
, Y; c8 s2 n8 F- w/ X$ l, O8 g___________________________________________________________________________
+ _  E& B5 B8 S" D! ^' d* z% m% |% Y/ f2 R9 d

! X( |. E  C' x8 y: G# n' zMethod 03
/ J' d' W9 T! I  W+ n=========2 x! s$ O! s- J
' T  r1 [  A2 |/ H5 I( C' M- N
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ N* z# E* e8 @4 z0 K" `. A/ {(API Get entry point)
+ a' G% t+ s# y" Y9 W+ ~        
, e' G+ r4 K+ R" I, W/ t
1 j4 k. F+ G: W' Z* ?/ L/ ]& k    xor     di,di
' P9 Z+ F; V( k% `1 N    mov     es,di
6 w8 e" W/ h; d" f; U& u3 D    mov     ax, 1684h      
3 w  ^. g! U# }" ?    mov     bx, 0202h       ; VxD ID of winice: S  T/ F1 Z" E4 E0 g  }
    int     2Fh
  t% l9 F. r) [* c, R% p& K    mov     ax, es          ; ES:DI -&gt; VxD API entry point
  t& T% q3 B; H- A& l    add     ax, di
; q' E) }* q3 h    test    ax,ax/ L0 f; c# f8 M- V  }4 f0 k, {1 x3 z
    jnz     SoftICE_Detected. B  P- \" o$ S- Z+ H

2 a* s7 V8 I8 F" c+ L5 R___________________________________________________________________________
. h# H' r/ x3 J9 O9 d" d4 }* M  V- d. G
Method 04
. [6 c, D" j# y" r: n% E=========4 G' k6 T9 c7 m3 E& h7 a
) q) Y* K/ V: s9 y( x$ z' u
Method identical to the preceding one except that it seeks the ID of SoftICE* M& x. w6 l  L9 B1 g- x; b1 ^
GFX VxD." L( G7 M) U5 D" U: j9 p- F* [

, @$ s- O! }( C" D9 B0 E    xor     di,di
6 H* q0 Y6 X1 M- v    mov     es,di  a1 e& Y* o  V5 d8 Q8 E8 j
    mov     ax, 1684h      
7 Q' l8 w. V- v    mov     bx, 7a5Fh       ; VxD ID of SIWVID' s, W0 T, H9 ~% ]8 k% y0 e
    int     2fh: q$ E* ?3 X/ F* W7 |& Y- n
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
* ]* K' f/ y- l) F4 _$ p    add     ax, di
0 U: G2 [9 p8 V- g" {6 H    test    ax,ax4 T7 d( t$ Z* T( J- J' V
    jnz     SoftICE_Detected0 o; a* n! L. Y# ~5 N6 C

# v& G  ~! {& @- e. \__________________________________________________________________________
: u: z2 ~, b( i( N& k" k- w  y! i) K6 V

/ }) {; N! S! _. u9 |5 {' I0 [Method 05
# G( z7 o7 ^" @2 {; X=========2 ]0 i! L* S! u' w* r
% |" p$ H$ A2 G- {: p- ~: |
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 Q+ b7 o! J  l  p, q1 K+ s8 m6 E
debugger. It calls the int 41h, function 4Fh.
* `4 V- m5 y9 l& z( r, qThere are several alternatives.  / v4 F% X9 A) i) r( p6 f
; [" F! X. i- {  b$ q% m( ~" c
The following one is the simplest:
  \: X) t: }$ g4 [( j! h+ C% [: [. {3 C' L4 n/ Z) j( }
    mov     ax,4fh# c2 n$ Z! S! r5 N+ C
    int     41h
. O8 b5 ~4 R$ O) [    cmp     ax, 0F386( Q9 ~7 O/ U3 U) {9 c
    jz      SoftICE_detected5 |7 z+ E4 K2 V4 o# ]

2 o9 N0 K& l( _% ?/ E& N+ E! o+ k- n% d$ j% V- s& W2 ?7 o0 `
Next method as well as the following one are 2 examples from Stone's
2 w0 {9 G: \+ O. t" z. k"stn-wid.zip" (www.cracking.net):
# Z  P1 \! \9 B+ ^
- J1 F6 G8 j$ H0 |2 ~3 m( L! v    mov     bx, cs
# v& D: }2 A7 D0 Z3 Q) W: T* A    lea     dx, int41handler2
3 f3 e; m3 v' M; ^8 t    xchg    dx, es:[41h*4]! ?% Y7 W6 A4 [5 Y( [( Q* W  I
    xchg    bx, es:[41h*4+2]
8 B% x6 C6 k& y* w! N% p    mov     ax,4fh, o# s+ t6 A3 ]" Y- ^9 n$ F+ V
    int     41h2 o$ N: g# D/ G7 U: z  l4 p
    xchg    dx, es:[41h*4]
' y1 @' Y$ y/ c; Q+ X# V    xchg    bx, es:[41h*4+2]
$ |( Q- Z! v* w    cmp     ax, 0f386h
! `; Q+ \' ?8 i' Q' ?) l' _  H    jz      SoftICE_detected7 @, Z6 }! `6 X/ i1 @

; x+ r4 N5 f8 C; a$ [* g7 Kint41handler2 PROC1 b/ C  d1 A8 V$ r; W
    iret; z5 F; e1 ?- A# f6 M( Z& [" b' u) ^
int41handler2 ENDP
& N- l2 ~) \( o5 }9 {" i. Q5 h5 E+ Y; y- B4 [

* C; Z1 p% Y0 m& W8 N( w8 F( k- P+ `_________________________________________________________________________  X2 M( \! B" m& p
' t/ p5 U1 `. h9 A) ~
" N" X8 @# p$ Y" a- `9 `# f
Method 06! \& r' c2 [, o1 p1 `* e
=========
  R$ O4 v$ W9 Y* ~
4 w5 @( I  F1 o2 h8 ~3 l9 Y& M# V4 ~% }$ U& \! W
2nd method similar to the preceding one but more difficult to detect:
6 }& V$ T. y- O- I. i$ H( f/ S2 b9 N3 Y$ q

/ w# g( H  D2 d0 dint41handler PROC$ u2 u0 u4 P( ^/ \- x2 z
    mov     cl,al9 I, a" s' M3 i, u+ F
    iret# x$ Z7 {, h$ c5 _9 L: ^) p
int41handler ENDP
3 }) V7 O  l0 a( m/ Q
! t3 @# u+ L5 E0 ?+ E( `! d: X, Q) H3 i+ p
    xor     ax,ax
; z* A) `0 L: V. t/ Q$ g    mov     es,ax
& W( B8 M0 X4 S    mov     bx, cs
) h1 g* F0 N6 _# y  P; T6 K8 C    lea     dx, int41handler
. U' }. V+ O4 q) c0 l0 O2 d% z    xchg    dx, es:[41h*4]& B8 h6 M, u8 V4 ~5 W
    xchg    bx, es:[41h*4+2]
5 a' P1 f5 y4 ]    in      al, 40h
9 {) G+ i; f3 b. i0 P3 k4 R: y    xor     cx,cx& k; h. h- ~7 I' @
    int     41h, ]: f8 `5 @1 y/ a
    xchg    dx, es:[41h*4]
% e& N: ^5 w# T" \/ Q5 U, f    xchg    bx, es:[41h*4+2]
# }0 j3 w9 h2 M7 c3 I- n. Y$ M% j5 w    cmp     cl,al
. k* e( O5 j4 a& N    jnz     SoftICE_detected& K; [9 M: g6 o: u5 q3 j
" P- c- K  R2 W2 }6 A- }* Z
_________________________________________________________________________6 R4 G3 s" J/ p. {

! l9 F' `4 `3 T! `* f& AMethod 07
/ Z5 B, J- r/ l- ]=========- P7 f5 x+ F8 `: F% W

, h& O. N4 t1 X1 }  L, cMethod of detection of the WinICE handler in the int68h (V86)
% H1 M% \. d6 N4 n5 a) Y$ V5 M: ?7 W7 [+ X- y7 @
    mov     ah,43h
: ?; X' J% Q' [    int     68h
% H6 e& p( ?& Z  S' E- M    cmp     ax,0F386h9 d7 H' \/ O+ `! J3 ~4 ~$ a7 W
    jz      SoftICE_Detected# ^# W; V! B% `2 l
( ?4 @; t! I$ e$ V) h# @7 l+ d

1 m! d6 ~+ [2 J=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: f% {3 v# ]7 t. }+ n
   app like this:
, Z: m5 d8 }! _2 x: Z) P. w% @3 g# @& X5 s$ j& q" s( l+ J, G% L
   BPX exec_int if ax==68( `, T! l) P, u% g" F+ f4 O* |* T
   (function called is located at byte ptr [ebp+1Dh] and client eip is
6 n. L5 Z2 @. b) A  e1 V+ r9 [   located at [ebp+48h] for 32Bit apps)5 s$ w$ r1 }8 W; N) w
__________________________________________________________________________( e7 `4 V# c5 t  s

+ @. ~# c6 b/ P( D' }# G
0 r4 S2 }7 D. Q6 u( H' z1 {$ S% nMethod 085 E5 K8 B/ W. J+ m% A! y
=========
% [8 ?; Y  A5 q" l, s- x  Y( ]# F
* c/ D* Y, L0 m$ }It is not a method of detection of SoftICE but a possibility to crash the
7 \. J8 j. s9 F! ksystem by intercepting int 01h and int 03h and redirecting them to another! y3 B/ b+ P! Z& A9 |2 s0 H
routine.4 `' H8 s4 Y* q6 x: X6 i
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
1 E" q+ D/ K1 q! F9 d0 `0 H8 p/ Sto the new routine to execute (hangs computer...); L) ]; S1 t' `' {- q

& V) J9 F' U) H9 k8 M& X    mov     ah, 25h2 f! t) ?# G9 J
    mov     al, Int_Number (01h or 03h)0 f- J. B6 @& A! _. z, m' p5 l" j( L
    mov     dx, offset New_Int_Routine, ~( Z0 w  }4 V5 E0 s) |- F# p8 b' s* L
    int     21h$ }+ T" K" K+ y% L) H' @5 B

* c1 i& Q/ U- I4 G4 {__________________________________________________________________________
+ e( R' Z0 k% _9 O- A- j9 _# i% F; U" D% V/ n6 F. ?
Method 09. |* a! l: c- m! s) h
=========9 l, O5 F* ~- a
$ e% D1 j$ O( k. P
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only2 b& |6 A% I9 i
performed in ring0 (VxD or a ring3 app using the VxdCall)." b, O. I4 ?% N7 s4 m0 h
The Get_DDB service is used to determine whether or not a VxD is installed% @% H1 }- Z( \0 l- ^
for the specified device and returns a Device Description Block (in ecx) for
+ O+ C+ d% I# w- Rthat device if it is installed.6 ^0 q+ s9 F: f3 B) l# J
' _( P; j6 Q5 x4 z; |
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID; E" N- P0 `. Z1 v- a0 ]# p
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
! t+ F$ q9 k% U+ p3 I$ \1 E; t   VMMCall Get_DDB
9 d2 U+ R* z6 v9 A- f3 l: L$ r   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed0 ?1 x( V- [) U, E

% E3 h4 k9 s% b0 O' l3 Y  ENote as well that you can easily detect this method with SoftICE:
+ P4 M2 [3 u# v2 I: p6 O/ G   bpx Get_DDB if ax==0202 || ax==7a5fh( \* I9 h: y7 I4 n# T

0 f0 T( m. Y4 C: d' y2 B' e__________________________________________________________________________
: b! r! y* g: U) J( M4 i$ g& G( t' [0 u, I* y% L' o7 V% V, p2 z
Method 10
+ F: I1 D8 O6 P3 i1 T* y0 I# d" H=========% _2 t' m& C/ N) _

+ R# E* c9 v, d9 d! H: O=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
1 D& o, G& R. ~/ t* T& x( O  SoftICE while the option is enable!!- ]: E. C/ k+ Z

4 R/ c& @2 R0 f! E$ E  q- ^0 J" B+ tThis trick is very efficient:3 c7 Q# W( I( o2 O
by checking the Debug Registers, you can detect if SoftICE is loaded' n. a/ @# c/ d8 P
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, K) P3 a0 c1 i+ |* A6 A  _; U
there are some memory breakpoints set (dr0 to dr3) simply by reading their: u- J% x: ]5 N, q+ C
value (in ring0 only). Values can be manipulated and or changed as well; P" a2 O9 N% M8 J7 e3 Z
(clearing BPMs for instance), h% O% |9 n! w

- N$ W" o$ M- X0 w__________________________________________________________________________
: b0 w$ C' h3 |8 C
2 f1 G" s0 E! a3 mMethod 11
& J7 j& ^0 L6 A2 c. [=========
  H; F5 p2 y# o+ T. T
; T/ h$ k6 l% _This method is most known as 'MeltICE' because it has been freely distributed
. x3 A" t6 N# u1 \/ J+ N' v! X, Cvia www.winfiles.com. However it was first used by NuMega people to allow
5 p  z( }0 v+ }. {Symbol Loader to check if SoftICE was active or not (the code is located
1 P) _' T/ w4 D+ k8 K2 linside nmtrans.dll).2 B- v& X7 W  i5 [' u( h7 l+ G7 X
( z, L- {# g( C
The way it works is very simple:; F$ ]& K, |8 B9 l6 y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
& K: |; D, |/ ~4 XWinNT) with the CreateFileA API.3 b5 c1 p: a! _. F/ Y8 @
" R' E9 a. a( `" Y
Here is a sample (checking for 'SICE'):
  R( O' l, k' _: S' f1 k1 x& R( P$ Y5 ~
BOOL IsSoftIce95Loaded(); p' m7 @7 G; S3 ], q) R5 c4 @% f2 k
{
5 _8 S# u8 t' G' p* x   HANDLE hFile;  0 s# I) M7 \, X- c) g* u
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,, Z7 Y4 V' h$ @6 f* [
                      FILE_SHARE_READ | FILE_SHARE_WRITE,- ~9 i; U% Q1 |- Q$ O; J
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
8 I0 `9 e, Y+ a" y   if( hFile != INVALID_HANDLE_VALUE )
0 q5 Q2 I& w/ x   {
- y& O) B$ J7 O5 U! g      CloseHandle(hFile);4 y, r% l5 j5 H- t" N' G8 j; ^
      return TRUE;
& m* p5 T  R9 Z6 W   }& j# S: ]7 g5 V/ A- N
   return FALSE;
: ]3 Z8 d. h- F; u}- f4 T# I  k0 j% j" N2 N

3 z+ l5 i) c( OAlthough this trick calls the CreateFileA function, don't even expect to be$ U9 ^0 I: Q2 k4 l% }6 E
able to intercept it by installing a IFS hook: it will not work, no way!
3 v' ~7 m7 z" YIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
( ?9 M+ K4 g: ~; }service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
% X* ]: O2 M( ^5 n2 eand then browse the DDB list until it find the VxD and its DDB_Control_Proc# d" Y: y7 L1 [2 e# y- y4 @3 y" k
field.
) t3 t6 k/ K/ f. TIn fact, its purpose is not to load/unload VxDs but only to send a + u7 P: I. G  l# m8 X5 }: k
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
0 G  u. O& H% H9 Qto the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ o2 t9 ^: B( ?/ K% gto load/unload a non-dynamically loadable driver such as SoftICE ;-).
7 {) s1 B8 {/ ]8 Q9 CIf the VxD is loaded, it will always clear eax and the Carry flag to allow3 ^' t' k4 ?( h; G, h% C
its handle to be opened and then, will be detected.
8 x/ l7 X) d- Y7 `You can check that simply by hooking Winice.exe control proc entry point) f" J1 n  I- S( U4 b0 T
while running MeltICE.. ?( |- }4 U+ K" K, \. B
7 ?4 y4 m& U: V. N' e

+ ~% ^( @5 u- ^6 S( F  00401067:  push      00402025    ; \\.\SICE9 y" c7 a( S4 Z
  0040106C:  call      CreateFileA+ e$ X  N$ n- W) C3 H
  00401071:  cmp       eax,-001
% y5 N9 b/ A5 O$ i% C3 C  00401074:  je        00401091
" M, H! S. D% C6 G: j: \7 I& u% d* \$ u5 N' E6 {# K" k; i
8 o4 H: L4 q/ U* ]
There could be hundreds of BPX you could use to detect this trick.+ ?$ S$ S3 A5 w# y
-The most classical one is:& a! M: i( q' k& }& ]
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
+ r! T  x7 g* ^2 f3 f    *(esp-&gt;4+4)=='NTIC'& k* j9 P( i1 f

5 a0 R4 p" a4 |2 `2 j-The most exotic ones (could be very slooooow :-(
& ^9 R+ o3 p0 P/ ^8 y' F   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  / G3 d* F' u2 B- a/ x5 L
     ;will break 3 times :-(
1 ^" W/ o" R0 b. \  q
$ D  R% G) ~! H6 U. u-or (a bit) faster: ; b5 }7 E% ~+ N+ N& I# Z* o
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 h1 F) T. i- c. k0 C" |# r/ k  l$ l4 G: D% V
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  9 N) k! n% B7 W
     ;will break 3 times :-(3 h% R) j) _) q$ H

; H# O; U* H, M, _# j1 [-Much faster:) B# J6 b" E& f9 V, v/ z
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'! z" c9 j. @7 F+ g$ X3 D! x
/ Q' e' P* G# s5 H( e9 p
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen& D+ \$ X0 C8 q; m$ I0 E* e
function to do the same job:% o" ^0 y' _) R4 ^
$ {- R! m) X0 E" M  Z# c
   push    00                        ; OF_READ2 D/ M$ I- _& M6 K
   mov     eax,[00656634]            ; '\\.\SICE',0
$ W* m  p& f- q) O   push    eax
9 V5 |  W: z$ E. _# b# B   call    KERNEL32!_lopen+ i  Q- d, g, \5 i
   inc     eax
3 b  f* w/ H+ `   jnz     00650589                  ; detected, p# \' v+ d7 V- m8 V
   push    00                        ; OF_READ
& r! G& l# V% h, G( w0 r  j! d) W   mov     eax,[00656638]            ; '\\.\SICE'
- d6 L" S3 j( Z0 ~   push    eax4 g0 ~- E5 o7 o3 Y$ d4 b+ n
   call    KERNEL32!_lopen. x2 S) v3 w' C" Z3 v
   inc     eax+ o; B& a; w7 v( {; u5 U
   jz      006505ae                  ; not detected. S% w! ~/ p8 A. \
6 N% @' j. A' v4 X

& a. t$ _$ N, p7 J0 ~! W/ f$ @__________________________________________________________________________
# Q! r( s) u. u, }. t) [$ b  b$ l9 |$ X. y: o; b7 k
Method 12* Y" n; ]7 d/ Z4 C$ K
=========; I( Q3 i! d4 W/ Q" D
# E" M2 R6 |, V2 C0 A1 J4 g1 }, H  a
This trick is similar to int41h/4fh Debugger installation check (code 05$ t$ u  m+ a( c' _. ^
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
) N! `$ R$ G. D1 ^8 x/ L) eas it uses the VxDCall backdoor. This detection was found in Bleem Demo.9 a% U: Q, C1 ?% Y
. A  H3 Q' w5 v+ K! l/ t
   push  0000004fh         ; function 4fh
: \$ n+ D# `% v( C( n, H, Y6 m" K   push  002a002ah         ; high word specifies which VxD (VWIN32)
( K; A3 s/ L8 a! C( ~1 r                           ; low word specifies which service
6 q% A! ]. P7 F                             (VWIN32_Int41Dispatch)( N: q" T) [) H2 g5 E# n
   call  Kernel32!ORD_001  ; VxdCall
! w; c- g  T7 Z/ H8 N1 ^' W6 X" j   cmp   ax, 0f386h        ; magic number returned by system debuggers* ?. K& M, x; w' w6 `  y5 v
   jz    SoftICE_detected( u5 B' U; q' B' g! h

9 |1 d* `3 T* \5 H$ XHere again, several ways to detect it:8 P- V+ @! H4 v1 n3 ~

3 q2 H7 V4 {+ Y/ Q( S0 Z    BPINT 41 if ax==4f
* a, j# h9 I' i4 a. ^
8 q4 N6 v& Y8 _  ~# Y# E% R% N9 E    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one# L' O5 `' K" |
1 b" A+ f0 j- A
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
' [9 N' k& Q: `7 E: Z1 @/ c: v
& P; K5 u, y4 B  H) f$ h    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!5 t6 K$ _1 G" }/ O7 S2 C
0 D" Y- J7 ~8 i, P
__________________________________________________________________________$ }9 {$ x  v& y/ A' \
: q7 F' t% ~& J: D( k0 w
Method 13
* w0 X) i; Y! ~=========
2 g: h. ?4 t1 k5 }  @$ Z. `, p
0 I7 f8 v0 M6 n$ X% E6 @! D* FNot a real method of detection, but a good way to know if SoftICE is$ M& G8 |5 |: Y2 ]$ o3 \
installed on a computer and to locate its installation directory.
0 A+ {8 m2 ], lIt is used by few softs which access the following registry keys (usually #2) :  R' |7 F  Y: O! c
; P( |" }; @* ~5 u
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# }" G" E+ j4 S\Uninstall\SoftICE. |, k9 {0 R: I) G
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
, A1 O* C: x9 Y1 e1 k: Y9 ~) M-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion1 |8 \; L) y: Z$ @
\App Paths\Loader32.Exe$ [  j3 d, W/ O' V

6 F, U2 Q3 u2 K
1 M; x' l* W/ `' [! XNote that some nasty apps could then erase all files from SoftICE directory, W9 C8 Q4 n2 Y0 b. }
(I faced that once :-($ c# Q, U' V  U3 G( C2 q
2 V& D9 c) q+ `, K$ Q! b
Useful breakpoint to detect it:
: M0 N. ?" t$ |1 U' b! n% G' t1 [: t- Z4 n
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'1 p- a" ^$ I9 D" |* P

6 P- w( u* k9 Z__________________________________________________________________________, A4 f* W# s, F5 l) G/ Y8 Y

1 n. W0 P# N0 H* k6 _4 H
/ F9 a6 C6 I$ W. g: fMethod 14 6 R0 E9 [1 e5 c/ E5 l
=========3 @2 F+ i" O0 I  ]- q: X

8 F  F/ u' `5 o9 w( t) BA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose; m; S" V9 e0 b$ z2 i1 p% g
is to determines whether a debugger is running on your system (ring0 only).
" e0 R- b  W! K5 f3 }. p0 {
6 j  f# _2 q( ^$ R! c# K   VMMCall Test_Debug_Installed7 Y& S  \+ |  w( ^1 C$ P
   je      not_installed
0 V- q- w5 u! l2 y- j2 c* k/ L
- H8 i+ E+ }- T( |This service just checks a flag.& Q$ r1 ~2 r  S' T" X' L
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-6 15:36

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表