About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original one
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax untouched, so F386h
    jz      SoftICE_detected        ; means a system debugger answered instead

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a pseudo-random byte from the timer
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger answered int 41h itself
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Try to open the Win9x SoftICE driver by its device name. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
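Added example, not part of the original article and not code from its author: a Python scanner that looks for the byte-level form of the tricks above in a raw file image, the way an analyst triages a sample for anti-debugging before stepping through it. One pass covers Methods 01 to 05, 07, 11, 12 and 13. The instruction encodings are assumptions (16-bit real-mode encodings for the DOS `int` checks, 32-bit encodings for the packer stub of Method 01 and the VxDCall sequence of Method 12), and the sample buffer is constructed by hand from the article's snippets.

```python
"""Static scanner for the anti-SoftICE tricks listed above (Methods 01-05, 07, 11-13).

Added example, not from the original article. Encodings are assumptions:
16-bit real-mode encodings for the int-based DOS checks, 32-bit encodings for
the packer stub (Method 01) and the VxDCall sequence (Method 12).
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str                   # which method of the article the pattern belongs to
    pattern: bytes              # regular expression over raw bytes
    ignore_case: bool = False   # only for the ASCII string signatures


SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  -> BD 4B 48 43 42 ... CC / CD 03
    Signature("Method 01: BoundsChecker 'BCHK' signature",
              rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  -> BE 47 46 / BF 4D 4A (either order)
    Signature("Method 02: back door magic values SI=4647h / DI=4A4Dh",
              rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    Signature("Method 03/04: int 2Fh/1684h lookup of VxD ID 0202h/7A5Fh",
              rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h  -> B8 4F 00 ... CD 41
    Signature("Method 05: int 41h function 4Fh debugger check",
              rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h  -> B4 43 CD 68
    Signature("Method 07: int 68h function 43h handler check",
              rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah  -> 6A 4F 68 2A 00 2A 00
    Signature("Method 12: VxDCall VWIN32_Int41Dispatch with function 4Fh",
              rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 11: driver device names handed to CreateFileA / _lopen
    Signature("Method 11: SoftICE driver device name",
              rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", ignore_case=True),
    # Method 13: registry key #2 from the article
    Signature("Method 13: SoftICE registry key",
              rb"Software\\NuMega\\SoftICE", ignore_case=True),
]


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for sig in SIGNATURES:
        flags = re.DOTALL | (re.IGNORECASE if sig.ignore_case else 0)
        for m in re.finditer(sig.pattern, data, flags):
            hits.append((m.start(), sig.name))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test buffer: the article's snippets hand-encoded, with NOP filler."""
    filler = b"\x90" * 8
    method01 = (b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh
                + b"\x66\xB8\x04\x00"        # mov ax,4
                + b"\xCC"                    # int 3
                + b"\x3C\x04"                # cmp al,4
                + b"\x75\x00")               # jnz (placeholder displacement)
    method02 = (b"\xB8\x11\x09"              # mov ax,0911h
                + b"\x8B\x17"                # mov dx,[bx]
                + b"\xBE\x47\x46"            # mov si,4647h
                + b"\xBF\x4D\x4A"            # mov di,4A4Dh
                + b"\xCC")                   # int 3
    method03 = (b"\x31\xFF"                  # xor di,di
                + b"\x8E\xC7"                # mov es,di
                + b"\xB8\x84\x16"            # mov ax,1684h
                + b"\xBB\x02\x02"            # mov bx,0202h
                + b"\xCD\x2F")               # int 2Fh
    method05 = b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"   # mov ax,4Fh; int 41h; cmp ax,0F386h
    method07 = b"\xB4\x43\xCD\x68\x3D\x86\xF3"       # mov ah,43h; int 68h; cmp ax,0F386h
    method12 = b"\x6A\x4F\x68\x2A\x00\x2A\x00"       # push 4Fh; push 002A002Ah
    strings = (b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
               + b"Software\\NuMega\\SoftICE\x00")
    return filler.join([method01, method02, method03, method05,
                        method07, method12, strings])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, name in scan(blob):
        print(f"{offset:#010x}  {name}")
```

Run it as `python scanner.py <file>`; without an argument it scans the constructed sample. Hits are triage leads, not proof: a packer can load the registers in another order, split a sequence with junk bytes, keep the device name as a wide string or build it at run time, and Methods 06, 08, 09, 10 and 14 have no stable byte pattern at all, so a clean scan does not clear a sample.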