About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0 when the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es=0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; point int 41h at our own dummy handler, so
    xchg    bx, es:[41h*4+2]; only a debugger sitting below the IVT
    mov     ax,4fh          ; (SoftICE) can still answer with 0F386h
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; runs only if the IVT vector is really used
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es=0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = pseudo-random value from the timer port
    xor     cx,cx
    int     41h             ; our handler copies al into cl if it is reached
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: something else answered int 41h
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
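As an added example (not from the original post), a Python decoder for the DR7 bits behind the two values quoted above, so an analyst reading the register from a ring-0 dump can see why 0x700 points at a debugger: it sets the LE and GE exact-breakpoint flags on top of the always-set reserved bit 10, which on its own is the 0x400 value. The bit layout is the one documented in the Intel SDM; the 0x000F0703 value used below is constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7    L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bits 8-9    LE, GE           exact breakpoint enable, set by debuggers
#   bit 10      reserved, always reads as 1 (this alone is 0x400)
#   bit 13      GD               general detect: trap on any DRx access
#   bits 16-31  R/W0,LEN0 .. R/W3,LEN3, two bits each, one group per slot
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7):
    """Split a DR7 value into its global flags and the armed breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                       # DRi holds no armed breakpoint
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                      "type": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {"LE": bool((dr7 >> 8) & 1), "GE": bool((dr7 >> 9) & 1),
            "GD": bool((dr7 >> 13) & 1), "slots": slots}


def classify_dr7(dr7):
    """Apply the rule quoted above: 0x700 = LE+GE set, 0x400 = only bit 10."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "bpm"        # DR0-DR3 breakpoints armed (SoftICE BPM)
    if d["LE"] and d["GE"]:
        return "loader"     # 0x700: program started through the SoftICE loader
    return "clean"          # 0x400: reserved bit only


if __name__ == "__main__":
    # 0x000F0703 is a constructed value: DR0 armed locally and globally as a
    # 4-byte read/write breakpoint, LE/GE set, reserved bit 10 set.
    for v in (0x400, 0x700, 0x000F0703):
        print(hex(v), classify_dr7(v), decode_dr7(v))
```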

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Win32: CreateFile/CloseHandle/INVALID_HANDLE_VALUE come from windows.h */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
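As an added example (not part of the original post), a small Python scanner that looks for the byte patterns of the checks above, methods 01 to 07 and 11 to 13, in a raw file image, the kind of triage one runs on a packed sample before loading it in a debugger. The instruction encodings noted in the comments assume 16-bit code for the DOS-era tricks, and the sample buffer is constructed here rather than taken from any real binary.

```python
import re

# Byte signatures for the SoftICE checks described above. Methods 01-07 are
# encoded as 16-bit code; in 32-bit code a 66h operand-size prefix is added
# in front, which leaves the opcode+immediate bytes matched here unchanged.
SIGNATURES = {
    # Method 01: 'BCHK' (4243484Bh, little-endian 4B 48 43 42) then int 3 (CC)
    "M01 BoundsChecker BCHK/int 3":
        re.compile(rb"\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL),
    # Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A), then int 3
    "M02 back door SI=4647h/DI=4A4Dh":
        re.compile(rb"(?:\xbe\x47\x46.{0,6}?\xbf\x4d\x4a|"
                   rb"\xbf\x4d\x4a.{0,6}?\xbe\x47\x46).{0,12}?\xcc", re.DOTALL),
    # Methods 03/04: mov bx,0202h (BB 02 02) or mov bx,7A5Fh (BB 5F 7A), int 2Fh
    "M03/04 int 2Fh/1684h VxD ID":
        re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.DOTALL),
    # Methods 05/06: int 41h (CD 41) followed by cmp ax,0F386h (3D 86 F3)
    "M05/06 int 41h magic 0F386h":
        re.compile(rb"\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h (B4 43 CD 68)
    "M07 int 68h/43h":
        re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 11 (MeltICE): driver names handed to CreateFileA or _lopen
    "M11 MeltICE driver name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh (imm8 6A 4F or imm32 68 4F 00 00 00) ; push 002A002Ah
    "M12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"),
    # Method 13: the SoftICE registry key
    "M13 registry key":
        re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
}


def scan_softice_checks(data):
    """Return [(offset, signature name)] for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not from any real binary): the checks above laid out
# back to back, using the encodings noted in the comments on SIGNATURES.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42"   # mov ebp,4243484Bh   (offset 4)
    + b"\xb8\x04\x00\xcc"           # mov ax,4 ; int 3
    + b"\x3c\x04\x75\x10"           # cmp al,4 ; jnz SoftICE_Detected
    + b"\xb8\x11\x09"               # mov ax,0911h        (offset 18)
    + b"\xbe\x47\x46\xbf\x4d\x4a"   # mov si,4647h ; mov di,4A4Dh
    + b"\xcc"                       # int 3
    + b"\xb8\x84\x16\xbb\x02\x02"   # mov ax,1684h ; mov bx,0202h (offset 28)
    + b"\xcd\x2f"                   # int 2Fh
    + b"\xb8\x4f\x00\xcd\x41"       # mov ax,4Fh ; int 41h (offset 36)
    + b"\x3d\x86\xf3"               # cmp ax,0F386h
    + b"\x68\x4f\x00\x00\x00"       # push 4Fh            (offset 44)
    + b"\x68\x2a\x00\x2a\x00"       # push 002A002Ah
    + b"\\\\.\\SICE\x00"            # "\\.\SICE",0        (offset 54)
    + b"Software\\NuMega\\SoftICE\x00"  #                  (offset 63)
)

if __name__ == "__main__":
    for offset, name in scan_softice_checks(SAMPLE):
        print(f"{offset:#06x}  {name}")
```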

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
Forum: 汶上信息港 (Wenshang Information Port)
