找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
: V! U! _4 H! V$ u' V<TBODY>6 y/ X$ E3 c5 U$ {( O' |' l: C
<TR>
' ^7 C% ^3 K8 P6 z: ^- v) b1 }, U# m<TD><PRE>Method 01 & `, I: T8 n# g
=========
. Q4 v  Q1 d1 |) M& U/ s# C1 Z, t8 V. |$ g& k
This method of detection of SoftICE (as well as the following one) is
/ |! e8 p/ \& `6 K# V+ R  k' ?3 k8 Dused by the majority of packers/encryptors found on Internet.
3 o% Q3 z/ f) b. x% u6 I0 T2 h1 n; ~It seeks the signature of BoundsChecker in SoftICE
9 o1 D. e, x9 D, R2 ?2 }2 O; q& I+ p. A
    mov     ebp, 04243484Bh        ; 'BCHK'* g& u0 ]2 G8 H4 H" R
    mov     ax, 04h$ F6 Q& g: g" j2 e2 A7 `. b
    int     3      
- G; Q' {( ^. l& i+ V    cmp     al,49 ^% R7 E6 y8 z2 k4 x  ?
    jnz     SoftICE_Detected
' B: A  b7 s8 M  B! ?
# |5 R7 s) _$ H3 \/ l___________________________________________________________________________
- t6 q* U  R) D. r" F& d2 f0 U5 S/ P3 z
Method 023 a3 v- r1 z2 b3 N2 P4 B5 S
=========0 t3 W$ |( |: h+ j2 P' R, w' y
! \" T- N* \0 j3 i7 m6 [  X# c/ V
Still a method very much used (perhaps the most frequent one).  It is used1 a6 |. F  O. o; N1 x5 d- h
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,6 I' u7 z; p- q  u. j* i* B% ~" r! \' @
or execute SoftICE commands...
" P  t3 `. Q5 ?& @% c) kIt is also used to crash SoftICE and to force it to execute any commands. P! A+ L0 g7 l: d; {
(HBOOT...) :-((  2 }/ d( V' B1 r! E
) Z( ?1 t: Y7 a3 j+ B. N$ ~8 A
Here is a quick description:
. D7 r/ c! i( J-AX = 0910h   (Display string in SIce windows)3 x" `* h2 T" H" ]2 |( M& \  \
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)( R8 H5 p" P4 D$ m; N& {
-AX = 0912h   (Get breakpoint infos)% H- e3 e) `6 C3 m3 U* U, h5 ~$ Z
-AX = 0913h   (Set Sice breakpoints)3 ^! V/ k. n6 A6 f4 O
-AX = 0914h   (Remove SIce breakoints): ]4 r9 @5 k2 y- Q

) Q* Z3 n- P) ]Each time you'll meet this trick, you'll see:# K+ h2 `; J% [$ [- p" ]) L
-SI = 4647h
( [/ i" k& a  G; Q# s-DI = 4A4Dh& |. p! w1 T2 T# M( G8 A
Which are the 'magic values' used by SoftIce.6 f* r9 _* F0 u' Z( P* d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
. H* H/ t. }$ M5 y3 g" x4 o/ e; e5 f* }9 R  d& a: T
Here is one example from the file "Haspinst.exe" which is the dongle HASP/ d3 I8 e3 ]5 {, u" c
Envelope utility use to protect DOS applications:$ i- T) P: b: d1 P

5 I7 N5 N) k9 t& ^7 J, O4 M3 `1 k4 m4 Y
4C19:0095   MOV    AX,0911  ; execute command.
, b' j: I( I/ O2 H9 \2 V5 s9 G4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
1 x6 a& t# ?4 ~0 u$ p4C19:009A   MOV    SI,4647  ; 1st magic value.8 R! d5 ?( G2 \1 D# |/ ]
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
) N, K1 n3 U$ g3 D$ ]4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
/ ?8 \% d1 y' _# c4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
1 Q4 C8 `9 C. q4C19:00A4   INC    CX
3 ~% M& t7 w, O/ L% G4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute- `, a" G) M$ U' |
4C19:00A8   JB     0095     ; 6 different commands.* R# f2 ?" G& S9 }
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
# h8 W+ q/ ^, h/ {4 R! P* Q4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)# y  j3 O7 v7 Y3 J  W9 @* n5 P- R$ m

) {6 S1 z, R+ ]4 kThe program will execute 6 different SIce commands located at ds:dx, which
* `5 p% U5 `% C+ Lare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
, f# x# I& O) z" t( B) b# G( F+ m4 h# v  U: o
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
, d( r7 A9 f$ ^7 m5 Q8 [' l___________________________________________________________________________) a3 V* q9 n/ A! U' R
" c. a. w& D& e  Q% s
: u, a& Y- j0 W3 S
Method 03
, U& w, y3 T) w7 R+ I$ p/ r=========
1 d% P0 A7 k8 j8 ^. c- T& G0 t
& i% ~# e3 R9 }Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' q+ |$ P, q3 T  o(API Get entry point)( d, Y  Z2 n: V( s! ?- q' _
        
' n3 D" k& H) T& i! B( }2 |
# y, A4 z/ O, Y: A    xor     di,di
2 H3 Q9 X" W$ g    mov     es,di
$ ?* _- d2 e2 _5 c! C) s    mov     ax, 1684h      
2 ]' \% c' `3 k1 Y* U, h" H    mov     bx, 0202h       ; VxD ID of winice  K& F9 {1 b. i/ ~
    int     2Fh  W" R2 Z9 l+ @) x; Q" e5 H
    mov     ax, es          ; ES:DI -&gt; VxD API entry point4 B0 e( ?: V+ f
    add     ax, di
3 I, ~8 n, ^/ |    test    ax,ax
2 R  `! {+ J. A& f    jnz     SoftICE_Detected
$ X9 R) Z; S8 P
9 @7 s7 m* _" x' b1 a. w& t' H  r___________________________________________________________________________
# a: B/ v1 P/ f; l" W: e7 r4 Z5 ?
6 `* D5 p. V* ~$ X9 {' ^Method 04
: H( D$ d( V& o9 n" J! R=========( o! a$ o  \9 y* g+ @' N7 L
. A6 e. F2 ~' ^# d8 M6 Q) E) e
Method identical to the preceding one except that it seeks the ID of SoftICE9 Z6 [, E% f) d6 }0 C' w0 S2 P
GFX VxD.: t# ~1 t5 w1 G1 h+ b3 s0 o
3 R7 `: O5 R" Q3 L% j
    xor     di,di- \) L3 G% y: R" N: L* C
    mov     es,di( g5 X, L/ q6 y9 L, E
    mov     ax, 1684h       , G( ?. T1 }2 `! A% j( Z7 @
    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 ?% O0 N& Z# }
    int     2fh
1 T: X/ l0 M; Q( n  E  d8 L    mov     ax, es          ; ES:DI -&gt; VxD API entry point2 P$ f, F/ \9 @/ U0 h5 w
    add     ax, di
) P0 r& f  F% T) X! N* N; ?3 ~9 |    test    ax,ax2 z' |4 w! L  P
    jnz     SoftICE_Detected
; q- ~4 p5 S* x; [
* N5 t7 _7 Q; V* z__________________________________________________________________________( `2 ]/ D3 J0 x# H
2 c4 m, _1 C! K& y* d0 ]
- S' [7 E8 F; K; D9 M
Method 05
$ V% x7 |; C7 B/ _  O=========
8 \) N& k6 |6 ~! [; C3 ^( t( H: G- G) D# D* ?
Method seeking the 'magic number' 0F386h returned (in ax) by all system$ d' H5 h* ~! J, H8 Z3 R. v
debugger. It calls the int 41h, function 4Fh.
  C# z# K# N5 P( ~1 s6 H4 c0 \$ VThere are several alternatives.    O( h2 s7 }! y) q
# R  d6 U; {  F, }
The following one is the simplest:
$ ^$ x8 R6 E2 q% x9 c* m) Y' |. o, J" f' E4 N
    mov     ax,4fh
4 Z. H; k+ a( |, A6 j    int     41h. w1 m/ r0 C1 l% x/ l' ]
    cmp     ax, 0F386, K2 |0 r7 Y3 |0 _
    jz      SoftICE_detected. U! Q% ^# O/ R0 y: I, B0 u  _

/ {# H, Q) h5 m; l, b8 D, k" i$ y. U! u6 j
Next method as well as the following one are 2 examples from Stone's
8 @* u$ ~2 L7 l% v"stn-wid.zip" (www.cracking.net):
: d/ f. {* A6 c& x% p8 C; U; d% V1 E4 c/ C
    mov     bx, cs) B4 g) r- V& a8 z
    lea     dx, int41handler2
) }. ~5 m+ J8 {( K8 Q5 X    xchg    dx, es:[41h*4]3 G" i7 J2 G, W2 w
    xchg    bx, es:[41h*4+2]
- x0 c0 R0 H1 s: \- ]5 Y    mov     ax,4fh
1 v; f3 E: i* j" s, R4 Z* L    int     41h
  X5 C+ f" Z- q    xchg    dx, es:[41h*4]
- M( I6 I1 V* d# K( ~' t    xchg    bx, es:[41h*4+2]
& ~9 u, I- {/ v; W7 c* [    cmp     ax, 0f386h
, W7 S7 e/ _0 B9 D$ F) L  o    jz      SoftICE_detected& z+ _1 b: @9 D* E4 I

/ y% p+ Z8 K4 m$ w7 Aint41handler2 PROC
2 J' x. x- C) S; [( m    iret
1 v8 y4 d0 D! z: p) jint41handler2 ENDP
8 Z9 C; O9 A0 ~
, x) l1 W0 I0 o0 R& ~3 d7 R, v2 M9 c8 U' [
_________________________________________________________________________
3 r. ]* K8 Y% ^4 M- J) o8 n: G5 x8 d; D2 S: f- q  K  R

/ x% M1 u% Y' RMethod 069 M. V1 J7 v" a- U: c
=========
: `0 l8 T1 L7 v( x5 w; W2 i1 k3 v4 V4 ]0 \! l) \; ~4 V
, D2 M$ G  F" \) P* s; J( Z5 H
2nd method similar to the preceding one but more difficult to detect:
# o/ J, [0 s, k; {8 X0 Q6 t1 N6 s6 V& C2 ~+ `  }( e5 B
; R$ @: K2 W+ N5 v- n" e  }
int41handler PROC# |5 U# `% H: }/ V8 y+ Q2 a7 h
    mov     cl,al. `& U8 ~3 V. a
    iret
* R* P$ d, f' J2 C- a5 A( |int41handler ENDP1 }. L4 j/ J& o/ o# Y
4 q" _2 B/ v# R  e' H) g

0 g/ Y+ c, s% T6 y) }    xor     ax,ax
/ ?3 B3 {' |, B    mov     es,ax
$ J% h3 o& w& q2 l9 j    mov     bx, cs1 {& Q7 W1 _. m+ j
    lea     dx, int41handler
4 t6 m' k: Q. E    xchg    dx, es:[41h*4]
$ M' }3 E  P3 f( v+ Q    xchg    bx, es:[41h*4+2]3 E% H& H8 l! a
    in      al, 40h
; n2 f( ^, C( b- Q& N% L' v    xor     cx,cx3 t+ X6 q; Z. Z: ?7 k# s
    int     41h
" K' E3 H* c- h, E% \- z6 E) d    xchg    dx, es:[41h*4]- n6 j+ Q: H* \& e, b
    xchg    bx, es:[41h*4+2]2 }: b8 t2 r) N) s8 o6 d
    cmp     cl,al
9 A& q( m. n2 k, |: R/ E* E: |1 U" T    jnz     SoftICE_detected
+ c+ \+ d$ x" y8 S: |
, S2 n( q. k( T1 g5 Q_________________________________________________________________________
, D' o- J# X" P1 }; H+ r$ R9 Q/ z
9 y0 K6 ^! Z, ?Method 07
! ^7 \6 C- |7 P/ X/ r=========
9 X, I* E7 I. \; `! K/ T
, D  q/ d* d. E: w3 W& JMethod of detection of the WinICE handler in the int68h (V86)2 u- J/ V( G- R3 h
5 w8 g. f% @  S
    mov     ah,43h
( y; b2 h. A5 `6 q    int     68h
$ r% w) n4 w# W' U0 F- J1 n/ m0 R+ n    cmp     ax,0F386h! @9 N8 ^4 T# L3 d5 i
    jz      SoftICE_Detected
8 V7 y' B  Y. J2 U1 A) n' H# j8 ]( [$ A
: {0 U. L5 H7 Q8 x) ~
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
# `" ?0 Q. q; M( u% {( Q   app like this:7 z1 {2 U+ c( u

/ V5 Q# E. `6 d; t' A. F5 O( h   BPX exec_int if ax==68
- P- I8 I5 z7 B3 j8 W   (function called is located at byte ptr [ebp+1Dh] and client eip is
  Z6 Y6 N1 o5 D) ~0 L+ k( f   located at [ebp+48h] for 32Bit apps)3 ^0 W4 _; Y& }, ?" T
__________________________________________________________________________/ O2 b7 }! o( }( |
8 j; i* p, `1 G, c1 c" o

$ f+ c( z4 g0 ?( K' M+ ]* [Method 08
0 C. m, D9 x) p6 |5 P4 D% F=========
7 A  J& M! t5 F8 }
! J7 s/ Q; B9 _& C2 H3 CIt is not a method of detection of SoftICE but a possibility to crash the, a/ ]2 ~8 F- O/ h: E7 g
system by intercepting int 01h and int 03h and redirecting them to another" \1 k! C+ j3 ?, @# j  n4 A
routine.
- ]8 t+ D1 k% p* g! u2 W7 ]' NIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
/ l' b/ l3 W4 Dto the new routine to execute (hangs computer...)9 z6 b. b4 H; G, ?* g4 ~0 [* n1 M

# F* O; ^/ U+ f/ ]) @    mov     ah, 25h+ C3 A. |1 v* s& \: s# X" v* n
    mov     al, Int_Number (01h or 03h)
0 R6 n9 b8 H# {4 K) C) O    mov     dx, offset New_Int_Routine
0 v. H- l) N8 O7 K; n* e    int     21h7 t/ j8 T/ ]# ^& k

4 l. l7 T# \1 j! z__________________________________________________________________________0 p$ B" b* S5 N. m& w+ n9 s

6 T  o4 V6 ]3 ^3 H/ w: e1 ]1 ~" U7 yMethod 09
$ h: y- \. f9 _+ }) ~' s, C# c/ D=========9 F- Y$ ?- I1 W
. W, e* l4 z0 v1 R
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
- G* M3 r( a6 P3 _& N2 Jperformed in ring0 (VxD or a ring3 app using the VxdCall).  j8 v6 Y) o; q7 d+ t( g
The Get_DDB service is used to determine whether or not a VxD is installed! z2 L  {0 J2 r; S2 K3 H. w6 Q
for the specified device and returns a Device Description Block (in ecx) for
) f( W2 j8 u% y6 h/ ethat device if it is installed.
, v3 B5 }9 j5 \% W) ?" Y' G: l6 G* c5 Q
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
4 V( b3 B/ \" A8 q- ]   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)% k' O) O2 i; t- Q8 m
   VMMCall Get_DDB# f/ i% u7 b! w( O" p8 j" Z, R
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed6 ^! ~# n) ?: {* Q" S) c( b
  p' M0 U. d7 V
Note as well that you can easily detect this method with SoftICE:: u% I  U% q8 {; n
   bpx Get_DDB if ax==0202 || ax==7a5fh' O/ }, F0 y. I

- X+ V) j3 |6 k! L) f) A__________________________________________________________________________
1 ~1 ~1 t( ]4 I& k8 R1 d7 |, R# d/ N% v8 H! {
Method 102 }+ f. F, c9 b5 v6 m4 W- q
=========. _- o$ p) `% A1 e1 Q+ X
( z- q, v7 h+ h- W$ N- @: x
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
3 v7 N* e8 D4 k  SoftICE while the option is enable!!; _; b% {: I6 C) \8 o
: H1 T$ |% Q+ p7 D( O2 K
This trick is very efficient:
+ h9 f, h$ r( I6 bby checking the Debug Registers, you can detect if SoftICE is loaded: Z6 w% z2 C# V
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if5 [# Z9 ]5 G+ Z8 r
there are some memory breakpoints set (dr0 to dr3) simply by reading their
; a7 B7 O: z% {! Lvalue (in ring0 only). Values can be manipulated and or changed as well1 I" x3 Q) w4 S" ^+ a$ c
(clearing BPMs for instance)2 I. g5 e% z& L

- [" e: I0 |3 v7 L: m__________________________________________________________________________0 T* D. {. f' e2 O" {4 ]& I- [

1 A  h& G' Q/ a  f- C$ eMethod 11
* A3 |1 `! S! J+ M3 G=========
% a1 }: H$ U5 i5 P3 G
  q  S  c, J5 ?. \, S$ k. e) H! m  `This method is most known as 'MeltICE' because it has been freely distributed
+ F  Y+ f4 q$ T3 Qvia www.winfiles.com. However it was first used by NuMega people to allow( A- v% A9 v; a% F5 D) ~  C
Symbol Loader to check if SoftICE was active or not (the code is located. _6 H7 r9 L! @5 V  H6 D
inside nmtrans.dll).- V* P7 E8 J7 X( q8 ^8 i$ L! Q' l8 B

1 R) n: g4 D1 ?: dThe way it works is very simple:
5 [5 b2 \# ~8 k1 V) cIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
9 L2 i# K7 ]; J) v1 ^( cWinNT) with the CreateFileA API.& ]; j2 Z) D7 B; N

: W" U. O& H& j- ?/ F, e9 eHere is a sample (checking for 'SICE'):$ z- c0 E# ]" c5 j5 k2 M
0 a! [3 Z( {4 b, A
BOOL IsSoftIce95Loaded()
) w  [' g+ Q6 v* m4 Y{( l' O6 E7 Z8 E
   HANDLE hFile;  
7 ~: g7 T0 j9 n2 }- j8 H   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
: ^' {) H/ J7 U8 D  C6 M3 i  O                      FILE_SHARE_READ | FILE_SHARE_WRITE," S6 o7 m" i' N+ q
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
3 |1 N0 G' w6 h   if( hFile != INVALID_HANDLE_VALUE )
) y$ ]) `$ B7 ~. {   {, U- Y+ H  \( p2 t! S% q, A
      CloseHandle(hFile);7 k* y3 z, u/ H/ e9 i8 K
      return TRUE;
; b3 L( Z7 \, U1 J2 ]   }9 \8 M3 U5 M0 I. q# P
   return FALSE;
& m! [: Q1 U8 c6 s' Z}
8 `0 N: r+ Y. O/ P
' h4 }0 `* v1 q  |3 B8 D5 d6 AAlthough this trick calls the CreateFileA function, don't even expect to be! v" ?" N5 P. ^6 @
able to intercept it by installing a IFS hook: it will not work, no way!$ V9 k& ^1 ?% T* O5 S* f$ |6 ]* B; w/ x
In fact, after the call to CreateFileA it will get through VWIN32 0x001F# S- A4 n& n, t0 K" R% Y1 Y
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ N$ V7 w: s5 |: f5 F
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 X% ^6 D% _. g# W. v0 yfield.
5 R. H; M+ `2 ^  ]1 c1 E  n1 d* mIn fact, its purpose is not to load/unload VxDs but only to send a % l; j! U% e# {, [* O9 W" V
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
  K( Z: N2 h7 G0 c( yto the VxD Control_Dispatch proc (how the hell a shareware soft could try
8 T' S8 L  C+ y  o8 E# W  A# |( oto load/unload a non-dynamically loadable driver such as SoftICE ;-).
& G% }8 {$ n! }8 }" OIf the VxD is loaded, it will always clear eax and the Carry flag to allow
; O! a% ?' R7 G2 a2 z5 D8 I9 uits handle to be opened and then, will be detected.
2 w& K# `" W7 F/ \( l" I$ ^You can check that simply by hooking Winice.exe control proc entry point
; ^) N# Q. o$ ]# m& F. iwhile running MeltICE.
- D" ~5 Z1 m3 i! c: a8 v/ J( N7 ]! p! N! t

6 E- @0 d# w9 `# o5 I. i# {  00401067:  push      00402025    ; \\.\SICE7 g+ D' l5 P/ q% u. L0 ?
  0040106C:  call      CreateFileA. q0 A4 O$ N" g' h; w
  00401071:  cmp       eax,-001: [" r' v- {8 `7 V6 o3 f' D& |0 f
  00401074:  je        00401091
- C2 z6 a7 K& R! @, K% M# ]! ~! S" [4 A' i! x
. F% u% S3 L, u+ P) C5 E
There could be hundreds of BPX you could use to detect this trick.
; x6 x, d5 q" E- ~& |3 E9 V-The most classical one is:6 e" R/ R4 n# \  F9 @9 M! m
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||# @( I1 I) d7 Y3 Q+ D
    *(esp-&gt;4+4)=='NTIC'
* y) m0 R% U* |% W  K3 P+ U3 ~0 d0 N3 w
  w( M) s1 p6 X7 s-The most exotic ones (could be very slooooow :-(
3 ~. I6 r( c2 V# V* ^   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  1 n# j( D5 i8 B5 `
     ;will break 3 times :-(4 o+ v3 W! g) L- |$ d2 c

" x- U4 ?  Z+ z, |# w+ _/ n) \7 E-or (a bit) faster: 1 @3 t& f) S- m: g  H, d- S; Z
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
$ I$ s% Z: Y1 A4 Z/ G
/ p. p5 X! t( b   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  % H; Q6 K/ g+ `# k3 w/ [
     ;will break 3 times :-(
4 t* i2 |& B. k9 V: N
- o/ G$ g0 x/ I. x; N! n-Much faster:
- U$ }! l  e6 `   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
, I! w  B* @8 L4 p2 i. k5 a
- r3 F' y% j9 j% d  `1 E( W6 wNote also that some programs (like AZPR3.00) use de old 16-bit _lopen0 d, n, {$ E6 J( V: q' ~. \6 a2 V) {
function to do the same job:  O% `' _9 c  k* B0 P

: f$ ^1 s' k6 U3 ]   push    00                        ; OF_READ: C& \. R5 H, K5 P0 ^/ s
   mov     eax,[00656634]            ; '\\.\SICE',0
6 u0 ]6 x; T& ^9 t% c/ h$ w   push    eax
* j" F1 Y& j& y$ C, Y   call    KERNEL32!_lopen9 ^- W' U' [8 t  h& \& U
   inc     eax
, W5 L" N  _- X( _: S6 Y5 s2 P   jnz     00650589                  ; detected) s" A: v, R( [
   push    00                        ; OF_READ: n, Q5 {( ?- i- C  b: L. J" j
   mov     eax,[00656638]            ; '\\.\SICE'+ J! x* q$ _  u) H/ e
   push    eax
, ~1 k0 X: `1 u$ F7 Z6 q   call    KERNEL32!_lopen
( m, n/ y8 `2 W   inc     eax
: u' Z) r1 s. z) l: U* U5 j7 u   jz      006505ae                  ; not detected
$ i- l, U- s' j% d! J0 c' S
; y+ j2 X; q' N! L  p% x0 n# D: N2 J" \5 g% }3 D+ ~
__________________________________________________________________________
3 R& E3 C6 W+ E" N" s1 R9 z4 O7 [7 d; @, M/ S. ?
Method 12
; K# M+ W: ^2 Y- D8 ~=========4 F* ]2 ]7 E, r! |3 N
7 \8 g3 T" c) m
This trick is similar to int41h/4fh Debugger installation check (code 05# b5 k# `3 v$ }
&amp; 06) but very limited because it's only available for Win95/98 (not NT), n: y, z; C" r1 w' A
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
2 O. y' I% n5 l  A* y3 k
  Q# @! R7 T/ \6 x3 |# b& q, B   push  0000004fh         ; function 4fh' W9 |: G( ]; z' s/ M8 A, j
   push  002a002ah         ; high word specifies which VxD (VWIN32)
8 B& j: |$ I, ~+ ~# _$ ]                           ; low word specifies which service
. E+ v1 F4 ~+ e                             (VWIN32_Int41Dispatch)- i  Z3 _; G  L! s  P3 d8 b' Y( @/ `
   call  Kernel32!ORD_001  ; VxdCall
5 G" G. F1 m* y0 c% X   cmp   ax, 0f386h        ; magic number returned by system debuggers
1 F( i/ A- v2 Z9 H- t2 w( s/ @   jz    SoftICE_detected
& S3 N) g/ `+ w1 m, A
& k2 t# B- {, ]# K. R8 J* X7 }6 Q4 KHere again, several ways to detect it:
0 x/ I4 P5 a: `. _0 r! J1 L% u
1 O8 f0 k5 g- n$ [/ h- e# p    BPINT 41 if ax==4f
" u. n; k) a; L7 i  i& B/ z& j4 q/ q! t$ w
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
/ l: x& l) g. v+ w5 B* o6 F
5 T9 }/ u& U1 I% N# }    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A2 r6 c5 i; ?. f' @9 o' }7 K
! j( b3 k5 w0 R/ O: Y* O
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!3 f& U$ `3 \; I' w  s5 s& L
  N% L! J& J& p2 t* Y, U, o- h
__________________________________________________________________________: m. k& J- a. |$ v& Q
0 p$ C0 ^7 u' W% n+ }
Method 13# Y1 x: }% {# t) g- e
=========( E+ I# Q* |' D# z3 v; n, U* Y
4 e- `( c3 I' U2 j. H' p
Not a real method of detection, but a good way to know if SoftICE is- q" S! r$ U- d$ j% ^
installed on a computer and to locate its installation directory.5 F0 J+ V" V. C* t# w: X4 }5 t
It is used by few softs which access the following registry keys (usually #2) :
  j) Y& w7 S+ @
! k9 w/ a3 ?9 }) j8 P. \-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# ?" u9 L/ T' i, F6 j- l6 s
\Uninstall\SoftICE
  \8 ?- _4 H- o5 G5 l, Y) f! n  p-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. `2 I0 |6 K, G8 @5 x1 c& {-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ G! v0 d4 ~9 H& y4 d
\App Paths\Loader32.Exe9 }9 {' x( `- N5 @2 h4 [: K3 e: m

; Q% E1 Y( }$ W5 b4 e6 U, H
8 n  N2 V, G! O- e2 R7 rNote that some nasty apps could then erase all files from SoftICE directory- @/ J; @( T! q$ Q  ]# C
(I faced that once :-(
% l& z, V1 P3 s. h6 A3 {: d/ h# Y
! R/ g* G/ }' e) r3 gUseful breakpoint to detect it:
- {- S8 F& @) Z! N! ?' g  ]' w/ j! M* F4 S. K, N
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'9 F' K% u# b% _) T9 _

7 o, o5 H1 G5 \5 h__________________________________________________________________________, L# n; |% c1 v

' w9 s' m6 w- G5 T/ ^! i( l7 A7 A+ S1 L+ i7 h$ v; n
Method 14 * n' x2 Y& N9 f& l1 u
=========# Q* |+ f& a4 }9 b% M/ A4 k

$ ]0 W5 z' }/ B5 x  ]A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: h# M" U, k! H7 |9 B: ~9 k) y
is to determines whether a debugger is running on your system (ring0 only).- V% @* ^6 q, e( b
5 d/ l% H+ C5 q
   VMMCall Test_Debug_Installed
: w; j; H( T* i   je      not_installed
7 p' ]7 B& [0 o! Y+ l- D' Z# o8 ]& O* u7 ]
This service just checks a flag.
+ ]  a5 V. P& w% W4 u' J! I, t0 z</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 01:51

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表