找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
/ S2 `* J; V+ |6 Z. U  z* _<TBODY>
& n4 M( G2 s0 l) f<TR>2 v* u6 ?' d, `, x
<TD><PRE>Method 01 ' a6 H: b! W, ]  J% ?, {% Y
=========( N# A* q- }: d' D
9 C. k, V  `7 e5 Z% s
This method of detection of SoftICE (as well as the following one) is
/ g2 C) ~5 ~- B# ~( T+ ]2 n$ T, w. aused by the majority of packers/encryptors found on Internet.
' ~: w8 j" e9 ~5 eIt seeks the signature of BoundsChecker in SoftICE9 ]* P0 R- {# z7 J* A  ^8 ?
' T+ q. |" C' i. y
    mov     ebp, 04243484Bh        ; 'BCHK'2 |) x- Z; L2 ]0 ^
    mov     ax, 04h
: y/ ?% N& d! m+ c  @0 a    int     3       % f6 H" D( i4 `& a9 u, o4 J0 Q1 t
    cmp     al,4- M4 l# ^' i, \9 U
    jnz     SoftICE_Detected/ A1 P8 F! K# M& U. J' l, h
  w( N8 F+ j% D
___________________________________________________________________________# ^, R1 [) B6 d1 T5 L& Z& t* E

; ~( o7 H0 G5 ~1 M. v; jMethod 02  q% v' m' [' I6 p$ t
=========
8 O% ]/ x1 a- j# W+ w; p9 i$ I0 D* O/ f6 F1 N
Still a method very much used (perhaps the most frequent one).  It is used
, n1 b: f; G+ _7 j/ e* Ito get SoftICE 'Back Door commands' which gives infos on Breakpoints,
5 R4 h: v  \5 v8 gor execute SoftICE commands...- O5 ]2 G8 Y3 q8 w1 K0 u  E4 \3 L
It is also used to crash SoftICE and to force it to execute any commands
/ m+ L. B1 [2 z3 l6 ^; L(HBOOT...) :-((  
2 p$ H" }$ p4 d3 q7 I/ c; E2 ?, e
+ C9 B! U& n0 zHere is a quick description:( {  H* ]- U  K
-AX = 0910h   (Display string in SIce windows); p& n  a/ \6 d2 M
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
( V, W; P9 x1 L* M& r8 f8 j-AX = 0912h   (Get breakpoint infos)
  s' ^4 ^) k  _8 e-AX = 0913h   (Set Sice breakpoints)& p+ H& \9 n7 u% @+ k
-AX = 0914h   (Remove SIce breakoints)$ g' o( i9 J/ L8 \% A- n- i

, I! f7 u" J6 B$ aEach time you'll meet this trick, you'll see:
, u& j6 t( _8 F' M! G7 }0 V; B-SI = 4647h$ K. J7 p3 u4 s! _& v7 Q4 l
-DI = 4A4Dh$ f) S% S; X( f* j% m
Which are the 'magic values' used by SoftIce.
* W) ]% Z! R5 J2 d" m* CFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.) R+ d7 v; [+ r- R& a. n$ k8 D( W
1 c. k1 P/ W6 Y% r  h" p
Here is one example from the file "Haspinst.exe" which is the dongle HASP2 M  O9 P5 L9 n( J# z- f0 _8 s
Envelope utility use to protect DOS applications:" J5 C$ ]& f8 g
7 O# K; M9 E- a
. Q7 T! q# z# S! c  T
4C19:0095   MOV    AX,0911  ; execute command.: J' `2 @3 I' E6 B
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
+ V; j) Z9 k. V* s: A3 X/ U4 e# B4C19:009A   MOV    SI,4647  ; 1st magic value.5 @: W" c3 F2 F
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.$ A2 I7 A" C& S, P
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
& G' E! @' O2 {* r& A9 V. o4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
1 }, b3 L2 c: l0 I  f* x, X" L( w4C19:00A4   INC    CX2 N6 L( _# K& `
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute+ E( x* D+ W3 v. f5 _5 f
4C19:00A8   JB     0095     ; 6 different commands.
1 K/ }# s. k0 u- V4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
# u" |+ W( \0 C( u4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
( A0 }/ C6 H& F' |4 C9 [" [: [/ H" \# y; k& {7 o
The program will execute 6 different SIce commands located at ds:dx, which
+ p! v) X. e- G. Ware: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 J* @* r' B  C% P7 Y* P: Y7 ?& g0 G/ q4 u* Q# u& B, J
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
; M9 q, O3 s# \6 h4 ]8 ]___________________________________________________________________________) k$ C# K3 t) b9 P' r

& U# O5 m6 P+ h& M$ {9 X) R4 i
) u$ [+ v- j# y" e' R& P! o5 j$ BMethod 03
$ Z; ?' H: u6 g& F=========; G, z. j( s0 P0 i1 s
1 [/ y! B2 N" [4 @. Z
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h: ^5 I) T! ?4 l6 Y) |2 C& h2 `
(API Get entry point)
+ c5 _  F4 T- }9 n; `; E) s- T+ E: a        , D" x- l: ?4 E/ t
6 m/ D  w2 ?4 U
    xor     di,di
7 R) c6 [6 |1 I. h% K  e5 T9 P    mov     es,di
% P) ^1 }) z& a- p& x; a    mov     ax, 1684h      
( a  j1 _/ R% J1 Y& \8 p    mov     bx, 0202h       ; VxD ID of winice/ Q- i5 Z/ Z0 a* Q
    int     2Fh
7 V: G( E+ `# u7 g1 k    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: u! ]9 R+ O/ r& U4 s: B/ V2 Q    add     ax, di
8 i+ y6 t9 H- b3 l0 t& x- d    test    ax,ax
6 Y- {( k8 f& N    jnz     SoftICE_Detected
# ~* ]* V% {- A) X. D( R& Y6 r+ ]" q, ]0 r% u2 \
___________________________________________________________________________
) J' y2 E+ ]" o* T, j, M: a( {& U2 t! V1 M
Method 04
- b5 J( W  N/ u! c2 W=========5 l! f& \* N) T7 R# S, Z' Z- k

' l' K8 Y5 ?- M" hMethod identical to the preceding one except that it seeks the ID of SoftICE
2 e5 t7 x+ W1 a7 V* |$ s% {GFX VxD.# g7 \( N; r  t# i1 J4 Z6 C- s

( p; R2 @: w# D    xor     di,di  l/ |5 `- v) R" D( |
    mov     es,di
+ @: H1 C. {" H+ O    mov     ax, 1684h      
0 Z# {, H6 N1 H; T/ p) z; O    mov     bx, 7a5Fh       ; VxD ID of SIWVID- h$ F9 q  e5 u; c9 a! Z8 \
    int     2fh9 M' N( J' X; w
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
7 A2 g. i. [6 s9 \7 c5 e    add     ax, di* G  O& _# d( `
    test    ax,ax
9 v) f) o+ i5 r0 l. g    jnz     SoftICE_Detected
) A3 Q/ B6 z1 k0 L! z8 E, S  i' Z% q; I& Z9 B, S( `
__________________________________________________________________________3 i6 T- C* i: V1 A6 n; h( J

2 F0 Z# D/ U9 ~8 \- a4 S1 l" V. e& c; ?, k
Method 05
6 O% }$ z3 F; \, j1 Z4 s: K=========* d" l0 V/ G" B3 }7 a% S
0 q# ^. }$ a2 V% |, t/ H
Method seeking the 'magic number' 0F386h returned (in ax) by all system! w2 L3 N6 t  N' q# s9 d; k
debugger. It calls the int 41h, function 4Fh.5 F1 N4 p8 F  `7 K8 C) l# |
There are several alternatives.  % x8 c7 q! q- a  {

, I8 }" q6 }' t+ {- HThe following one is the simplest:8 M$ d! j# V( F  ^! N& I+ X0 T

7 L7 d1 T# P2 b6 }- |" N    mov     ax,4fh1 V+ ]5 a3 K6 P# k, |3 R% v
    int     41h
: X2 f9 |" s  ?1 w, [# o) t) H    cmp     ax, 0F386# Q) V: o% m3 G6 @+ D# V
    jz      SoftICE_detected1 B1 z9 L7 b* L" s( ?
! @9 K+ q# @( n$ g  i4 _

4 M! J. F1 @9 F( N" y! `5 NNext method as well as the following one are 2 examples from Stone's
& p' s' M6 [- Q0 |+ ]"stn-wid.zip" (www.cracking.net):0 @, i+ h  z5 b

6 ?- J+ d' ]; }+ F3 ]    mov     bx, cs# Q3 H8 o% o. l$ a* L. N
    lea     dx, int41handler2, e5 K  x+ A# ^$ a  U' `
    xchg    dx, es:[41h*4]" a  R# F8 I: f1 C5 y3 S+ [: u
    xchg    bx, es:[41h*4+2]: P, {7 c3 _0 D  L& P7 T5 O& W
    mov     ax,4fh5 ?. b8 _5 y/ Y' b( A% l) K
    int     41h
& H8 k: n' O, e    xchg    dx, es:[41h*4]2 u0 j" w: {. B& G
    xchg    bx, es:[41h*4+2]
: q/ A+ ~" {1 V9 G0 b) M% L: L    cmp     ax, 0f386h8 c2 l) n' d$ U
    jz      SoftICE_detected# `) r9 \& k/ S5 W
1 G! a" x* q$ G4 P/ Q% h
int41handler2 PROC
2 s" {- m# m0 d    iret9 ?/ \* G8 M. i4 M2 S- ?' I& c
int41handler2 ENDP9 u" i5 X5 x" Y
0 l+ C% e* j7 g" G% W/ T
# B, m/ y$ U' q% y# V2 ^
_________________________________________________________________________$ M) n& K1 U' Q* P( D' }$ p

1 w5 d4 P. j- X' V# l) d8 A3 R) \* h( z+ U2 ]8 _! ?
Method 06
' S8 a1 g1 _. ?" X2 k; y9 B=========
7 e% ^7 ^: Y# m+ K% ~, a
4 N2 `6 Q$ S8 P' m7 K4 [' r) r/ `3 U8 c( c2 x
2nd method similar to the preceding one but more difficult to detect:7 W  A# @, \" K4 T

5 v% u% ]- \6 h' ~& y: i# ^# S- z! X( I; g
int41handler PROC
+ J  q8 x6 k4 m; n" H  K( J    mov     cl,al
: R+ \5 e0 g+ u3 H    iret
- x' y2 S, O! f5 u# q- nint41handler ENDP
$ Z3 h) ^! P9 q6 a- E4 z" H' O
1 d2 J. N" h2 q) L* ~$ v# n/ H3 }
- ~. K" ?$ v" P: ^    xor     ax,ax% z- y+ Z+ m) [7 ~
    mov     es,ax* j2 L- }/ |% p- |9 o# y. Y
    mov     bx, cs
' v* {) x. B6 B2 h2 m! o- U; h    lea     dx, int41handler
) E& w+ O0 q8 `    xchg    dx, es:[41h*4]5 m' J1 j, |2 z" Z2 _
    xchg    bx, es:[41h*4+2]
0 s7 ~% B; ?$ j- t: k8 R7 a    in      al, 40h+ k% q: g( N# T( j  p& Q2 f$ N' v
    xor     cx,cx' Q+ V9 d4 E% v2 X& M- ?4 }0 n
    int     41h
' M1 u5 p5 ^& s  \    xchg    dx, es:[41h*4]& a* `. _1 U2 p2 H0 N2 y5 ]
    xchg    bx, es:[41h*4+2]
6 C: G: f; t% p' n- v    cmp     cl,al, b+ p; _: O1 w  c) @% d
    jnz     SoftICE_detected3 D& R$ m( P/ J( o& q
6 M+ [! w9 M0 T8 h4 S( E; c. E
_________________________________________________________________________
* u, o* f9 F4 G# r& P) z
  R* a( v# o) t4 L( K2 LMethod 074 O9 y+ @& k. x' W2 r0 |4 I
=========
9 M  K/ w8 j, G. t. D# j7 z2 ~2 l2 k, o% L+ ^3 {% p! i) y
Method of detection of the WinICE handler in the int68h (V86)
) S4 q# }+ k6 S- z3 g
0 J  X, q' W* Q. s9 d* y    mov     ah,43h
2 i) j, L3 ?8 _7 [7 V1 J4 l  L    int     68h- y: [5 H1 M" F4 p5 j8 p. M7 x
    cmp     ax,0F386h7 }/ t+ s4 j" n4 b4 x
    jz      SoftICE_Detected
- x( I0 t# P: r  l2 `- U
4 V1 T/ s& e+ R$ p) C( v/ d& o( v2 ~
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit5 C. I2 j# n$ B2 S
   app like this:/ T3 j: k/ C2 X2 a, ~5 e2 j

5 D# @8 M+ l3 v5 L   BPX exec_int if ax==68
7 P5 _4 Y% s6 Q& G3 @; V0 P   (function called is located at byte ptr [ebp+1Dh] and client eip is
* s# Q- T, S8 f* N9 G- j& _6 t" c, g   located at [ebp+48h] for 32Bit apps)- @3 M; e0 L* w
__________________________________________________________________________
/ M$ }' D, T5 W$ I3 s3 i% Y  ]5 B
" g/ s( R# g; F. q/ h" ~8 \6 V9 H0 N3 K: B$ @! d9 M
Method 08- p& _# F; x' c7 r/ L+ B
=========8 T% ~/ Z* N, N. k

/ s0 H4 G" [1 `7 ~It is not a method of detection of SoftICE but a possibility to crash the2 l1 |) i- J( n6 @1 z9 A  P
system by intercepting int 01h and int 03h and redirecting them to another" ?; N; c& e6 u7 ?. s$ L1 M
routine.' k3 f7 W4 l2 G- T9 j* p4 u8 I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# v) a2 Z  w9 `( w) y) |* F. w) K
to the new routine to execute (hangs computer...)
2 H+ h# k6 ]7 E) H
0 p' M( @5 ?+ L8 W# R3 ?    mov     ah, 25h# a* B) i  S# G+ m& Y
    mov     al, Int_Number (01h or 03h), Z# Q3 }, `3 P1 j$ W# Q2 U! i
    mov     dx, offset New_Int_Routine! C* H4 i7 {; D$ V, t
    int     21h0 O# K% f9 {& `8 I
& X+ R  [2 u$ w/ \
__________________________________________________________________________
/ I+ j, q8 y# \
) |) v  f( h- D, s: @0 rMethod 090 F7 `4 O$ U+ g$ m. _/ I2 M
=========! d' q0 T1 c0 s4 m/ L- G
" W4 L& S4 n( z# d2 E+ F
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* T) \: k+ S* m+ \2 tperformed in ring0 (VxD or a ring3 app using the VxdCall).- h4 _, `7 a* e' z, T
The Get_DDB service is used to determine whether or not a VxD is installed  ~# O* a+ x' \6 M/ Z8 ]7 B
for the specified device and returns a Device Description Block (in ecx) for: x- g  c0 u$ Y4 f
that device if it is installed.
% L# I9 a8 n* d/ v+ n
) b6 C" l7 V; w" V& n0 ?0 Y   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% Z$ v4 |, [4 Q) Q% k   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
8 l& E- a% ]; g7 q2 A   VMMCall Get_DDB
) D; B! f# y: M1 i+ k  V2 o   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
% u% y/ u" t; x- k9 U: V
+ B7 s( _5 U1 i* U* k* w! ZNote as well that you can easily detect this method with SoftICE:
8 N% U/ U) z3 g- i- ~   bpx Get_DDB if ax==0202 || ax==7a5fh
+ c2 h2 V& a0 b  B' m+ ]4 u  G! F- x, V8 O* y3 k
__________________________________________________________________________9 B4 j4 c  N/ Y* d; j2 O
: Y% l3 [) j- i$ r7 V8 {2 B8 @
Method 10
* Z( r! v, D8 \0 g' V0 \7 R=========, r0 H& X% X" {  j% m" U  k

0 ]: O) l+ ]4 ~+ o=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with- S) V2 b) a" c6 F3 o, Y+ ~" b" P
  SoftICE while the option is enable!!
0 ^1 M$ o+ }0 S. a' ^
& c  h3 U8 f  U5 O. X6 D; IThis trick is very efficient:
4 Z' W) ?; G6 F$ T. \3 Xby checking the Debug Registers, you can detect if SoftICE is loaded9 J6 q. W" J. L' R
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if; |* e! I! a+ k* X
there are some memory breakpoints set (dr0 to dr3) simply by reading their
* R2 x- }" }) P* b$ {* Cvalue (in ring0 only). Values can be manipulated and or changed as well0 p! }$ B9 u" f" [+ y
(clearing BPMs for instance)  a) P+ }$ V5 c- X1 i6 h8 k! ~8 }

' g3 g% M% I2 G0 ?$ r__________________________________________________________________________
- ?4 t. u/ a9 @$ J4 w. k* S( K+ x; T/ R9 N( t) y+ Q3 _# J9 `2 e
Method 11; p( H8 f: T5 ]2 q6 [  ^
=========
8 H3 s! O, o9 J
0 K+ I7 s  J, G6 _- y/ E  nThis method is most known as 'MeltICE' because it has been freely distributed  ]( _, u- `0 \  y% R
via www.winfiles.com. However it was first used by NuMega people to allow# g% r4 C# @# z0 ]
Symbol Loader to check if SoftICE was active or not (the code is located
! H( a$ ^7 W5 M: F' f% x) y7 _' Tinside nmtrans.dll).' G- _1 {0 U# _( L
0 u* k5 d5 }; D& @- R8 F& c% S
The way it works is very simple:
6 n% w3 ?4 T. [& ?It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for" T9 M; S+ N6 }( v4 y  z
WinNT) with the CreateFileA API., [" g" C7 N$ Q5 A
# k1 B( V* f6 A) t
Here is a sample (checking for 'SICE'):, {+ ^  l# ~# q$ u
0 j6 Z$ |2 {) T0 g7 x7 O
BOOL IsSoftIce95Loaded()
2 S" ~4 Z- c7 j{8 R: Q" B; Y# d( H
   HANDLE hFile;  5 ^9 X4 X8 c+ K: [
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,$ b3 V2 r3 b7 R1 f7 z) F) q1 D
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
3 F' u4 g: y+ h3 ^                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);8 e7 h4 E" q+ ?$ \# U
   if( hFile != INVALID_HANDLE_VALUE )
! B% x1 s* L0 C5 H! {   {  f6 F* Z3 v& f% Z) E! ?
      CloseHandle(hFile);
2 \% h9 K$ v! @' b      return TRUE;0 T+ o: D; G6 E3 Z( w/ ^' `& b
   }
) O7 }; s8 J& k/ n   return FALSE;9 s7 k3 v, r  ^) P- P
}
- d& I7 K6 ]$ Q, y  u; b& y1 T0 k& @2 _
Although this trick calls the CreateFileA function, don't even expect to be& w. ]2 [! N7 T# K+ J" V& f
able to intercept it by installing a IFS hook: it will not work, no way!
1 p# i/ m  k3 D- D% c: K5 |In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 O. j' O, V6 j0 {8 _0 g+ h
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)5 b- }( S# p# S. F8 D1 t
and then browse the DDB list until it find the VxD and its DDB_Control_Proc) |7 h" z) E3 R3 L, H3 p( j! A
field.
% d* c/ r4 w; S8 |2 X4 k" n. BIn fact, its purpose is not to load/unload VxDs but only to send a / P  x2 T, Y# q) ]8 ^' K8 l$ D: O
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
' P- b# M3 c1 [0 T: ~to the VxD Control_Dispatch proc (how the hell a shareware soft could try) ]  t  A' z" l. X: ]3 ?; @$ @2 D  k
to load/unload a non-dynamically loadable driver such as SoftICE ;-).5 ^+ R/ x, j9 b% b7 o3 |8 `0 O
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 O: e  Y' p; h0 jits handle to be opened and then, will be detected.
0 E& U: A1 {: A+ n, yYou can check that simply by hooking Winice.exe control proc entry point, U& u/ {; Z6 r  |' o8 {6 g8 n% d+ O
while running MeltICE.' `( [3 Q" S, }, B

8 }" G  p0 ]9 I5 P( [. Z" S1 y5 e
2 v* e9 g( P: {+ @  00401067:  push      00402025    ; \\.\SICE
" u( A# c; }0 y  0040106C:  call      CreateFileA
* p" H" h1 s1 c' E- ^  00401071:  cmp       eax,-001
0 o! a( j, M8 u  00401074:  je        00401091
, E: V* r" U6 K& L) t& \: G8 x
0 S7 f8 Y+ m( ]0 `2 r3 j; J4 M( ?4 \; y# {" x
There could be hundreds of BPX you could use to detect this trick., i  c4 W4 ~; [: b( F. b( w
-The most classical one is:: ?  P& p5 z& g1 E& u8 t' H' `6 b7 t
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||3 }# \' L, o, K
    *(esp-&gt;4+4)=='NTIC'4 z3 }$ F$ S" c; W( R9 f: l3 {) P% a
" c8 w! h# Z, Z+ C7 W6 S8 ^
-The most exotic ones (could be very slooooow :-(
6 b6 |- u) L1 S3 n5 q3 V   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  * c" `5 s* S) s* |
     ;will break 3 times :-(0 O/ k9 C$ C( p
' i7 e/ e) D, z$ _' i8 X
-or (a bit) faster:
0 K0 X: ^6 M6 q   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
7 m- X; I2 W4 e* s
& y. K/ Y8 v( s/ D4 X/ A- K   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  : T5 P( U9 b; {1 E0 d/ O# u, Y
     ;will break 3 times :-(
" E5 I! ?  t" u& @% x
* a5 |% _- ^+ J  B-Much faster:% I; f# A9 `/ Z- s
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'; S2 S- ]* i1 z" d8 T
; x( b" j) q& |; l$ w0 p# ^% T
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 \- n8 i; V4 a- Y9 I' D6 L2 O$ Nfunction to do the same job:  i1 Q4 y7 I% m2 ]/ v. J2 ^, l' k
+ N# o& U/ T; `7 Y, y, D; n
   push    00                        ; OF_READ% @1 W# d: b7 J& G  W
   mov     eax,[00656634]            ; '\\.\SICE',0! O* C2 K- _! {; |" k; n( X
   push    eax" ]3 i% D( q) u7 z& P7 u2 o0 ^
   call    KERNEL32!_lopen
3 `: G' l. J% Z( o/ K5 d   inc     eax
7 S& @3 I4 i  S  Z% e3 s1 I   jnz     00650589                  ; detected
% L8 Q' L) ^, Y6 z   push    00                        ; OF_READ
7 `2 \, p' i1 b5 e$ l9 k   mov     eax,[00656638]            ; '\\.\SICE'
' t7 \% Z, A9 a6 i9 x( w0 |   push    eax
; s+ v0 d, \; s% c; Z7 t2 e0 @   call    KERNEL32!_lopen8 M* s7 Q! o# o% m6 ]' J
   inc     eax; I5 @0 G; @; G, Z* U
   jz      006505ae                  ; not detected$ x& d  F& C& o4 `. [) Z
& @/ ]& H5 ?2 {4 K* q

" g: v9 H8 g: W% ]7 W__________________________________________________________________________+ O- m% R% ~9 g( k

- n+ z1 }. j# M$ {- b; UMethod 12  H2 U- X. _& {+ _6 n8 s
=========
9 r* D) c; l$ b; D( Z8 [# S! b# c( T2 X" _9 H
This trick is similar to int41h/4fh Debugger installation check (code 05
$ ]' y' k* |( e7 I, h: l&amp; 06) but very limited because it's only available for Win95/98 (not NT)4 R, m: ?% A# M+ r) f
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.' c, R, }, Y* T( d0 ^8 g7 q" W
$ E8 V! \/ {4 M! O- X
   push  0000004fh         ; function 4fh
: N  z4 v# C+ C1 n   push  002a002ah         ; high word specifies which VxD (VWIN32)
' ~5 V# c, g/ y! g4 F1 @                           ; low word specifies which service
: G* c6 T% P8 a3 E' F9 R                             (VWIN32_Int41Dispatch)$ t  a7 ~1 U  X  R; R
   call  Kernel32!ORD_001  ; VxdCall
6 P- m1 y9 o5 v; Y* G1 c# N) O   cmp   ax, 0f386h        ; magic number returned by system debuggers
, {& C( M+ z) W+ A: q  a   jz    SoftICE_detected
7 u* _5 \7 k. d: z/ M; Z$ R9 D/ M2 o
8 D8 ]- [( v8 Z0 hHere again, several ways to detect it:1 D: V& m. A+ a$ A+ _7 _5 X" M0 E
, a8 E9 x6 Q) c' m, v; G5 I  c
    BPINT 41 if ax==4f
( Z! b8 {7 p9 V+ j8 X  t: R2 B  W. I, t0 p# @% o  v% b/ X
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one+ ?! T2 m1 n3 l2 l* N% U
+ t. c* F6 M3 D. w& E
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A8 p) q- ~5 X" i4 o3 S

: K* h: F4 U# `5 [/ L2 ^4 _    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!5 d3 y1 P" s$ x8 p+ T5 j
# `4 ^9 T8 w9 x* |2 q
__________________________________________________________________________
7 G8 L' b( S; t
' f' B0 G# S' b" ~, q: p# z5 fMethod 13. T5 ]0 i' d. s1 s. H  M  u# W
=========
3 I- M1 ]4 {3 j2 ^: O# }
1 Y1 A5 S# u! ?# p( K: pNot a real method of detection, but a good way to know if SoftICE is
- d' x2 n. ^7 X# {# yinstalled on a computer and to locate its installation directory.
; E& {0 I+ P  X* }7 G# ~) J3 g6 DIt is used by few softs which access the following registry keys (usually #2) :
, }% e5 G  W: {7 A4 c/ ^6 h; T3 P4 w
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' t/ Y) W! {  g' ?\Uninstall\SoftICE
9 b& `0 {* e) O* k; A-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
; p7 i& `, R/ n-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: m9 K' r9 X* s\App Paths\Loader32.Exe2 F) H0 c7 O5 L0 ~

4 \7 m' K6 m% Z0 R) Q
2 r9 \  S7 a0 C( E- ^Note that some nasty apps could then erase all files from SoftICE directory# h. C  V5 U% C& A
(I faced that once :-(( N4 @* H- B7 Y+ c8 \( L

7 h4 h+ t' ]4 L- O; \7 r7 G0 IUseful breakpoint to detect it:
2 U+ P7 ?& L  a! V- k8 E/ T
# m, q, M  X/ F! v" a- V7 P8 b     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'; M# W' Q1 t# S" z

5 b* N9 T# O" q1 N3 I__________________________________________________________________________
3 t( K8 ?5 d. p" N# ~. d% J! a& P$ q& a. \2 H. L
! F7 q% ~" ~4 L' f
Method 14 3 n- t7 y1 }* [) m& H' U( A
=========% b: z! r# F$ E. _

0 i* u" o% U- k5 h0 D% MA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
  b- L, d; E" xis to determines whether a debugger is running on your system (ring0 only).
# O- y2 W9 K. L# r4 Y& `$ T  l4 O" x% q! f
   VMMCall Test_Debug_Installed
2 U& O; o: H3 {9 K* j- S$ N0 h" R   je      not_installed
+ P! K7 I/ H9 U6 K! @( O& E
  C, H$ I; E' h- n$ X" _This service just checks a flag.9 D' ]7 @1 J6 @+ j6 a0 C
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-10 16:55

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表