About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less-used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a system debugger answered anyway
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; echo al back in cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value (PIT counter) to echo
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: someone else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
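As an added example (my own code, not from the article above), here is a small Python triage scanner that searches a buffer for the byte patterns behind methods 01, 02, 03/04, 05, 07, 11 and 13, the kind of check an analyst runs over a packed sample before loading it in a debugger. It assumes the 16-bit instruction encodings shown in the article (with an optional 66h operand-size prefix to cover 32-bit code), and the sample buffer is constructed, not taken from a real file.

```python
import re

# Opcode patterns behind the tricks described above. Encodings are the 16-bit
# forms shown in the article; an optional 66h operand-size prefix also matches
# the same instruction when it appears inside 32-bit code.
OPCODE_SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("method01_bchk", rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02: [mov ax,09xxh] mov si,4647h ; mov di,4A4Dh
    ("method02_backdoor",
     rb"(?:\x66?\xB8[\x10-\x14]\x09)?\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("method03_04_int2f", rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("method05_int41", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("method07_int68", rb"\xB4\x43\xCD\x68"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in OPCODE_SIGNATURES]

# Strings used by method 11 (device names handed to CreateFileA/_lopen) and
# method 13 (registry key); both ASCII and UTF-16LE spellings are searched.
STRING_SIGNATURES = [
    ("method11_devname", b"\\\\.\\SICE"),
    ("method11_devname", b"\\\\.\\SIWVID"),
    ("method11_devname", b"\\\\.\\NTICE"),
    ("method13_regkey", b"Software\\NuMega\\SoftICE"),
]


def scan(buf: bytes) -> list:
    """Return (offset, signature_name, matched_bytes) tuples sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), name, m.group(0)))
    for name, ascii_needle in STRING_SIGNATURES:
        wide_needle = ascii_needle.decode("ascii").encode("utf-16le")
        for needle in (ascii_needle, wide_needle):
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append((pos, name, needle))
                start = pos + 1
    return sorted(hits)


# Constructed sample (not a real file): hand-assembled 16-bit fragments of the
# tricks above, followed by the strings a MeltICE-style check would carry.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"               # mov ebp,4243484Bh   (method 01)
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"       # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,911h / si / di / int 3 (02)
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # method 03 (SICE VxD ID)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"  # int 41h/4Fh, cmp ax,0F386h (05)
    + b"\xB4\x43\xCD\x68"                       # int 68h/43h                (07)
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"  # device names               (11)
    + b"Software\\NuMega\\SoftICE\x00"          # registry key               (13)
)

if __name__ == "__main__":
    for offset, name, matched in scan(SAMPLE):
        print(f"{offset:#06x}  {name:20s}  {matched!r}")
```

A hit only says the pattern is present, not that it is reachable; packers often keep several of these tricks in dead code, so the offsets are a starting point for the disassembler, not a verdict.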
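Method 10 compares DR7 against 0x700 and 0x400 without saying what those bits mean. As an added example (not from the article), this decoder, written from the DR7 layout in the Intel manual, shows that 0x400 is only the always-set reserved bit 10 while 0x700 additionally has LE and GE (exact breakpoint enable) set, and it reports which DR0-DR3 slots are armed; the values are assumed to come from a VM, a crash dump or a kernel component, since user mode cannot read DR7.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"): L0/G0..L3/G3 in bits 0-7,
# LE bit 8, GE bit 9, bit 10 reserved and read as 1 (the 0x400 baseline the
# article mentions), GD bit 13, then R/Wn (2 bits) and LENn (2 bits) per slot
# starting at bit 16.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 2 (8 bytes) only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Decode a captured DR7 value into its control bits and per-slot settings."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        length = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({"slot": i, "enabled": local or glob, "local": local,
                      "global": glob, "kind": RW_KIND[rw],
                      "length": LEN_BYTES[length]})
    return {"le": bool((dr7 >> 8) & 1), "ge": bool((dr7 >> 9) & 1),
            "gd": bool((dr7 >> 13) & 1), "slots": slots}


def looks_debugged(dr7: int) -> bool:
    """What method 10 keys on: exact-breakpoint flags set, or any DR0-DR3 slot armed."""
    d = decode_dr7(dr7)
    return d["le"] or d["ge"] or any(s["enabled"] for s in d["slots"])


def armed_slots(dr7: int) -> list:
    """Human-readable summary of the armed hardware breakpoint slots."""
    return [f"DR{s['slot']}: {s['kind']} len={s['length']} "
            f"{'global' if s['global'] else 'local'}"
            for s in decode_dr7(dr7)["slots"] if s["enabled"]]


if __name__ == "__main__":
    # 0x400: idle; 0x700: loaded via the SoftICE loader; 0xF0701: one 4-byte
    # read/write BPM in DR0 on top of that (constructed values).
    for value in (0x400, 0x700, 0xF0701):
        print(hex(value), looks_debugged(value), armed_slots(value))
```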