About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give information on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less-used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

A method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


A second method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler: copy al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read an arbitrary value (PIT counter byte)
    xor     cx,cx
    int     41h                     ; if our handler ran, cl == al
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected        ; int 41h was intercepted before our handler

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Open the SoftICE Win9x device by name; this succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
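As an added example (not part of the original post), here is a small Python static scanner that looks for the byte patterns of several tricks described above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) in a raw buffer, the kind of check an analyst runs over an unpacked sample before debugging it. The signature names and sample buffers are constructed for this illustration, and the patterns assume the plain instruction encodings shown in the post (with an optional 66h operand-size prefix).

```python
"""Static scanner for anti-SoftICE signatures: the BCHK/int 3 check, the
back-door magic values, the int 2Fh/1684h VxD-ID probes, int 41h/4Fh and
int 68h/43h, the VxDCall Int41Dispatch push sequence, the MeltICE device
names and the NuMega registry key.  Sample buffers are constructed inline."""
import re

# Byte-level regexes.  `\x66?` allows the operand-size prefix so the same
# pattern covers the 16-bit and 32-bit encodings of the instructions.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "M01 BCHK/int3": rb"\x66?\xbd\x4b\x48\x43\x42\x66?\xb8\x04\x00\xcc",
    # Method 02: mov si,4647h ; mov di,4A4Dh (SoftICE back-door magic values)
    "M02 backdoor magic SI/DI": rb"\x66?\xbe\x47\x46\x66?\xbf\x4d\x4a",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "M03/04 int2F VxD ID probe":
        rb"\x66?\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int41/4F": rb"\x66?\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07 int68/43": rb"\xb4\x43\xcd\x68",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall Int41Dispatch": rb"\x6a\x4f\x68\x2a\x00\x2a\x00",
    # Method 11 (MeltICE): CreateFileA / _lopen on the SoftICE device names
    "M11 MeltICE device name": b"|".join(
        re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE")),
    # Method 13: registry lookup of the NuMega key
    "M13 NuMega registry key": re.escape(b"NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return a sorted list of (offset, signature name) hits found in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample modelled on the Haspinst.exe fragment quoted in the post
# (MOV AX,0911 / MOV DX,[BX] / MOV SI,4647 / MOV DI,4A4D / INT 3), followed
# by a 16-bit Method 01 sequence and a MeltICE device-name string.
SAMPLE_SUSPECT = (
    b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # magic values at 5
    + b"\x90" * 4                                        # nop padding
    + b"\x66\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc"    # BCHK check at 16
    + b"\x00Hello\x00\\\\.\\SICE\x00"                    # device name at 34
)
# Constructed benign bytes: a function prologue/epilogue and plain text.
SAMPLE_CLEAN = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3plain text\x00"

if __name__ == "__main__":
    for off, name in scan(SAMPLE_SUSPECT):
        print(f"0x{off:04x}  {name}")
    print("clean sample hits:", scan(SAMPLE_CLEAN))
```

Patterns on unpacked code only give a first triage; a packer that builds these values at run time (as the Stone examples do with xchg on the IVT) needs the SoftICE breakpoints listed in the post instead.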