About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the IVT segment), as set explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the dummy handler, keeping the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; record the AL our handler actually received
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; an unpredictable value (timer port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: our handler was not reached, or al was altered
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                  ; DOS set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
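As an added illustration (not part of the original document) of what the Method 10 check reads, the following Python decodes a DR7 value into its control bits and armed breakpoint slots, using the bit layout from the Intel SDM; the arm_slot helper, the function names and the sample values are constructed here, not taken from SoftICE or from the page.

```python
# Bit positions follow the Intel SDM layout of DR7; arm_slot and the sample
# values are constructed for this example (not part of the original text).
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                          # LENn field
KIND_CODE = {v: k for k, v in RW_KIND.items()}
LEN_CODE = {v: k for k, v in LEN_BYTES.items()}

def decode_dr7(dr7):
    """Return (control flags, armed slots) for a DR7 value.

    Ln/Gn enable bits sit at 2n / 2n+1, LE at bit 8, GE at bit 9, bit 10 is
    reserved and always reads 1 (the 0x400 floor), GD at bit 13, R/Wn at
    16+4n and LENn at 18+4n.
    """
    flags = [name for bit, name in ((8, "LE"), (9, "GE"), (13, "GD")) if (dr7 >> bit) & 1]
    slots = {}
    for n in range(4):
        local, glob = bool((dr7 >> 2 * n) & 1), bool((dr7 >> (2 * n + 1)) & 1)
        if local or glob:
            slots[n] = {"local": local, "global": glob,
                        "kind": RW_KIND[(dr7 >> (16 + 4 * n)) & 3],
                        "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3]}
    return flags, slots

def arm_slot(dr7, n, kind, length, global_=True):
    """Return dr7 with slot n armed: what setting a BPM does to DR7 once the
    linear address has been written to DRn (constructed helper)."""
    dr7 &= ~((3 << (16 + 4 * n)) | (3 << (18 + 4 * n)))          # clear R/Wn, LENn
    dr7 |= 1 << (2 * n + 1) if global_ else 1 << (2 * n)          # Gn or Ln
    return dr7 | (KIND_CODE[kind] << (16 + 4 * n)) | (LEN_CODE[length] << (18 + 4 * n))

def active_breakpoints(dr0_3, dr7):
    """What a ring-0 check reading DR0..DR3 and DR7 sees: one
    (slot, linear address, kind, length) tuple per armed breakpoint."""
    return [(n, dr0_3[n], s["kind"], s["len"])
            for n, s in sorted(decode_dr7(dr7)[1].items())]

def loader_signature(dr7):
    """The page's heuristic: LE and GE (0x300) set on top of the reserved 0x400
    with no slot armed, i.e. DR7 == 0x700 when the SoftICE loader was used."""
    flags, slots = decode_dr7(dr7)
    return "LE" in flags and "GE" in flags and not slots

if __name__ == "__main__":
    # Constructed state: loader signature plus a 4-byte write BPM on 0x401000.
    dr7 = arm_slot(0x700, 0, "write", 4)
    print(hex(dr7), decode_dr7(dr7)[0], active_breakpoints([0x401000, 0, 0, 0], dr7))
```

The decoder makes the page's two values concrete: 0x400 is nothing but the always-set reserved bit, and 0x700 adds the LE and GE "exact breakpoint" enables, while any BPM shows up as an armed slot.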

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
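To see why the offsets in this breakpoint and in the Method 11 CreateFileA one land exactly on 'tICE' and 'SICE', here is an added Python evaluator for these conditions (not from the original document and not SoftICE's own expression parser), run over a constructed 32-bit stack and memory snapshot; the semantics assumed for ->, * and quoted literals, and the constructed addresses and return values, are stated in the code comments.

```python
import re
import struct
# Constructed evaluator, not SoftICE's own parser. Assumed semantics: numbers
# are hex, reg->N is the dword at [reg+N], *x is the dword at address x, and
# 'ABCD' compares against the four bytes as they sit in memory (little-endian).
# Parentheses are handled around address arithmetic only.
TOKEN = re.compile(r"\s*(\*|\(|\)|->|\+|==|\|\||&&|'[^']{4}'|0x[0-9a-fA-F]+"
                   r"|[a-z]+|[0-9a-fA-F]+)")

def dword(mem, addr):                       # little-endian read from flat memory
    return struct.unpack_from("<I", mem, addr)[0]

def term(toks, mem, regs):
    tok = toks.pop(0)
    if tok == "*":                          # *x: dword stored at address x
        return dword(mem, term(toks, mem, regs))
    if tok == "(":
        value = expr_sum(toks, mem, regs)
        toks.pop(0)                         # closing ')'
        return value
    if tok.startswith("'"):                 # 'SICE' -> the same dword x86 reads
        return struct.unpack("<I", tok[1:5].encode())[0]
    if tok in regs:
        value = regs[tok]
        if toks and toks[0] == "->":        # reg->N: dword at [reg+N]
            toks.pop(0)
            value = dword(mem, value + int(toks.pop(0), 16))
        return value
    return int(tok, 16)                     # SoftICE numbers are hexadecimal

def expr_sum(toks, mem, regs):              # term ('+' term)*
    value = term(toks, mem, regs)
    while toks and toks[0] == "+":
        toks.pop(0)
        value += term(toks, mem, regs)
    return value

def evaluate(expr, state):
    """Evaluate a SoftICE 'if' condition (sum == sum, joined by || or &&)."""
    mem, regs = state
    toks = [m.group(1) for m in TOKEN.finditer(expr)]
    result, op = None, "||"
    while toks:
        left = expr_sum(toks, mem, regs)
        toks.pop(0)                         # '=='
        hit = left == expr_sum(toks, mem, regs)
        result = hit if result is None else ((result or hit) if op == "||" else (result and hit))
        op = toks.pop(0) if toks else None
    return result

def create_file_state(path):
    """CreateFileA entry: [esp]=return address (00401071 on the page), [esp+4]=lpFileName."""
    mem = bytearray(0x10000)                # constructed flat memory, path at 0x1000
    mem[0x1000:0x1001 + len(path)] = path.encode() + b"\0"
    mem[0x7000:0x7008] = struct.pack("<II", 0x00401071, 0x1000)
    return mem, {"esp": 0x7000}

def regopenkey_state(subkey):
    """RegOpenKeyA entry: [esp]=ret, [esp+4]=hKey (HKEY_LOCAL_MACHINE), [esp+8]=lpSubKey."""
    mem = bytearray(0x10000)                # constructed flat memory, subkey at 0x2000
    mem[0x2000:0x2001 + len(subkey)] = subkey.encode() + b"\0"
    mem[0x7000:0x700c] = struct.pack("<III", 0x00401234, 0x80000002, 0x2000)
    return mem, {"esp": 0x7000}

MELTICE_BPX = "*(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'"
REGKEY_BPX = "*(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"
```

Running evaluate(REGKEY_BPX, regopenkey_state("Software\\NuMega\\SoftICE")) shows that +0x13 skips "Software\NuMega\Sof" and +0x37 skips the longer Uninstall prefix, which is why one breakpoint covers keys #1 and #2.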

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.