About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax                   ; es -> interrupt vector table at 0000:0000
    mov     es,ax                   ; (same setup as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own (empty) int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; SoftICE answers before our handler does
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax                   ; es -> interrupt vector table at 0000:0000
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value (timer port) into al
    xor     cx,cx
    int     41h                     ; if our handler ran, cl==al afterwards
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; someone else handled int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only if the SICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
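The methods above all leave recognisable byte sequences in a binary (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the VxD IDs next to an `int 2Fh`, the `\\.\SICE` device names, the NuMega registry paths). An analyst triaging a packed sample can therefore flag them statically before ever running the file. The scanner below is an added example written for this page; it is not part of the original text. The byte patterns are my own encodings of the instructions and strings listed in Methods 01 to 13 (16-bit encodings unless noted, so a 32-bit `66`-prefixed variant is only covered where the pattern says so), and the sample buffer is constructed to contain a few of those sequences.

```python
import re

# Byte-level signatures of the anti-SoftICE tricks described above.
# Standard x86 encodings; `.{0,N}?` tolerates a few unrelated bytes between
# the tell-tale instructions. These encodings are this example's own, not
# taken from the original text.
SIGNATURES = {
    "01 BoundsChecker 'BCHK' + int 3 (32-bit)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",                 # mov ebp,4243484Bh ... int 3
    "02 back-door magic SI=4647h / DI=4A4Dh":
        rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46",
    "03/04 int 2Fh/1684h with VxD ID 0202h or 7A5Fh":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",         # mov bx,ID ... int 2Fh
    "05 int 41h function 4Fh":
        rb"\xB8\x4F\x00\xCD\x41",                             # mov ax,4Fh ; int 41h
    "07 int 68h function 43h":
        rb"\xB4\x43\xCD\x68",                                 # mov ah,43h ; int 68h
    "11 MeltICE device names":
        b"|".join(re.escape(n) for n in
                  (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")),
    "12 VxDCall VWIN32_Int41Dispatch function 4Fh":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",  # push 4Fh ; push 2A002Ah
    "13 SoftICE registry keys":
        b"|".join(re.escape(n) for n in
                  (b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE",
                   b"App Paths\\Loader32.Exe")),
}

# DOTALL so `.` also matches 0x0A inside code bytes.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes):
    """Return [(signature_name, offset), ...] for every hit, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: h[1])


def methods_found(data: bytes):
    """Distinct method numbers ('01', '03/04', ...) whose signature appears in data."""
    return sorted({name.split()[0] for name, _ in scan(data)})


# Constructed sample: a few of the sequences above glued together with padding.
SAMPLE = (
    b"\x90" * 4                                            # padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01 sequence
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                                   # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                      # Method 13 registry key
    + b"\xB8\x4F\x00\xCD\x41"                              # Method 05 sequence
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
    # To triage a real file: scan(open(path, "rb").read())
```

Hits are only an indicator: the 16-bit encodings will also match unrelated data by chance in large files, and a packer can trivially obfuscate the immediates, so treat a hit as a reason to look at that offset under a debugger with the breakpoints suggested in the methods above, not as a verdict.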