About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler (es = 0,
    xchg    bx, es:[41h*4+2]        ; the IVT, as set up in Method 06)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler: copy al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value (PIT counter)
    xor     cx,cx
    int     41h                     ; if SoftICE owns int 41h, our handler never runs
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our handler executed
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________
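
Each of the checks in Methods 01 to 07 (and the VxDCall variant in Method 12
further down) compiles to a short, fixed instruction sequence, so a sample can
be triaged for them statically before it is ever run under a debugger. The
Python scanner below is an added example written for this page; it is not code
from the original text or from any tool mentioned in it. The opcode encodings
come from the standard x86 opcode map, the tolerated gap between the
instructions of one check is an assumption, and SAMPLE is a hand-assembled byte
string constructed to hit every signature once.

```python
import re
from typing import List, Tuple

# Anti-SoftICE checks from Methods 01-07 and Method 12 as raw x86 byte patterns.
# Encodings are from the standard x86 opcode map (assumed, not from the article):
#   mov ebp,imm32 = BD imm32   mov ax,imm16 = B8 imm16   mov bx,imm16 = BB imm16
#   mov si,imm16  = BE imm16   mov di,imm16 = BF imm16   mov ah,imm8  = B4 imm8
#   int 3 = CC (or CD 03)      int imm8 = CD imm8        push imm = 6A imm8 / 68 imm32
# An operand-size prefix (66) or other bytes between the instructions of one
# check are tolerated through a small non-greedy gap (the gap size is an assumption).
GAP = rb".{0,8}?"
INT3 = rb"(?:\xCC|\xCD\x03)"

SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    ("M01 BoundsChecker BCHK/int 3",
     rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xB8\x04\x00" + GAP + INT3),
    # Method 02: mov si,4647h ; mov di,4A4Dh (either order) ; int 3
    ("M02 back door magic SI=4647h/DI=4A4Dh",
     rb"(?:\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A|\xBF\x4D\x4A" + GAP + rb"\xBE\x47\x46)"
     + rb".{0,16}?" + INT3),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point",
     rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("M05 int 41h/4Fh magic 0F386h", rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h (V86)", rb"\xB4\x43" + GAP + rb"\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00"),
]

COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED for m in rx.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (hand-assembled, not taken from any real binary): one
# instance of each check, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC" + b"\x3C\x04\x75\x10"  # M01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"        # M02 (Haspinst-style)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"        # M03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                        # M05 + cmp ax,0F386h
    + b"\xB4\x43\xCD\x68"                                        # M07
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                            # M12
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The scanner matches instruction bytes, not behaviour: it reports that a check
is present in the file, not that it would fire. A protector that builds the
immediates at run time, or spreads the instructions further apart than the
allowed gap, escapes it, so treat hits as triage leads to confirm under a
debugger rather than as verdicts.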

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________
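
The values quoted above fall straight out of the DR7 bit layout: bit 10 is
reserved and always reads 1 (hence 0x400), the SoftICE loader additionally
sets LE and GE (bits 8 and 9, hence 0x700), and a BPM sets one of the L/G
enable bits plus its R/W and LEN fields. The Python snippet below is an added
example, not part of the original text: it decodes DR7 according to the layout
in the Intel SDM, classify_dr7() implements exactly the rule stated above and
nothing more, and the register snapshots are constructed values.

```python
from dataclasses import dataclass
from typing import List, Sequence

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3 : local/global enable of DR0..DR3
#   bits 8, 9  LE, GE                  : "exact" breakpoint matching
#   bit 10     reserved, always reads 1 (the 0x400 baseline quoted above)
#   bit 13     GD                      : trap any access to the debug registers
#   bits 16-31 R/Wn, LENn              : condition and length, 2 bits each
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass(frozen=True)
class HwBreakpoint:
    slot: int        # 0..3 -> DR0..DR3
    address: int
    kind: str
    length: int
    scope: str       # "local", "global" or "local+global"


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> dict:
    """Split a DR7 value into the armed breakpoints and the control bits."""
    bps: List[HwBreakpoint] = []
    for slot in range(4):
        local = (dr7 >> (2 * slot)) & 1
        glob = (dr7 >> (2 * slot + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * slot)) & 3
        ln = (dr7 >> (18 + 4 * slot)) & 3
        scope = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}[(local, glob)]
        bps.append(HwBreakpoint(slot, dr0_3[slot], RW_KIND[rw], LEN_BYTES[ln], scope))
    return {
        "breakpoints": bps,
        "exact_match": (dr7 >> 8) & 3 == 3,      # LE and GE both set
        "general_detect": bool(dr7 & (1 << 13)),
        "reserved_bit10": bool(dr7 & 0x400),
    }


def classify_dr7(dr7: int) -> str:
    """The heuristic stated in the text: 0x700 (LE+GE on top of the reserved
    bit) means the program was started through the SoftICE loader, 0x400 means
    it was not; any L/G enable bit means memory breakpoints (BPM) are armed."""
    if dr7 & 0xFF:
        return "memory breakpoints armed"
    if (dr7 & 0x700) == 0x700:
        return "started via SoftICE loader (LE/GE set)"
    return "clean"


# Constructed register snapshots (not captured from a real machine).
SNAPSHOTS = {
    "loader": (0x00000700, (0, 0, 0, 0)),
    "plain":  (0x00000400, (0, 0, 0, 0)),
    "bpm_rw": (0x000F0401, (0x401000, 0, 0, 0)),   # L0 set, read/write, 4 bytes
    "bpm_w":  (0x00010402, (0x401234, 0, 0, 0)),   # G0 set, write, 1 byte
}

if __name__ == "__main__":
    for label, (dr7, regs) in SNAPSHOTS.items():
        info = decode_dr7(dr7, regs)
        print(f"{label:8} DR7={dr7:#010x} -> {classify_dr7(dr7)}")
        for bp in info["breakpoints"]:
            print(f"         DR{bp.slot}={bp.address:#x} {bp.kind} len={bp.length} {bp.scope}")
```

Reading the registers needs ring0, as the text says, so this only models what
such a check sees; the useful part for a defender is that the same decoder
tells you, from a memory dump of DR0-DR7, exactly which BPMs a sample would
have found and therefore which ones to clear before running it.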

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________
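
The SoftICE conditionals in Methods 11 and 13 are really tiny string checks on
an API argument: the four bytes after the \\.\ prefix of the CreateFileA/_lopen
path, or the four bytes at offset 0x13 or 0x37 of the RegOpenKey sub-key, which
is exactly where "SoftICE" lands in keys #2 and #1. The Python below is an
added example for this page, not code from the original or from SoftICE; it
reproduces those same tests over a constructed API-call trace (the trace format
and the function names are assumptions) so the logic can be checked without a
Win9x box.

```python
from typing import List, Optional, Sequence, Tuple

# Win32 device-name prefix "\\.\" as the characters the program passes to
# CreateFileA / _lopen; the BPX conditional above reads the four bytes right
# after it (lpFileName+4), so these four-character tags are what it compares.
DEVICE_PREFIX = "\\\\.\\"
DEVICE_TAGS = {
    "SICE": "SoftICE driver (Win9x)",
    "SIWV": "SIWVID GFX driver (Win9x)",
    "NTIC": "NTICE driver (WinNT)",
}

# Registry sub-keys listed in Method 13 (relative to HKEY_LOCAL_MACHINE).
REGISTRY_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",       # #1
    "Software\\NuMega\\SoftICE",                                              # #2
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  # #3
]


def device_tag(path: str) -> Optional[str]:
    """Equivalent of *(esp->4+4)=='SICE' etc.: the 4 chars after the prefix."""
    if not path.startswith(DEVICE_PREFIX):
        return None
    tag = path[len(DEVICE_PREFIX):len(DEVICE_PREFIX) + 4]
    return tag if tag in DEVICE_TAGS else None


def tice_offsets(subkey: str) -> List[int]:
    """Offsets of 'tICE' inside a sub-key: where the 0x13/0x37 constants of the
    _regopenkey breakpoint come from."""
    return [i for i in range(len(subkey) - 3) if subkey[i:i + 4] == "tICE"]


def registry_probe(subkey: str) -> bool:
    """Same test as the breakpoint: byte 0x13 or 0x37 of lpSubKey spells 'tICE'."""
    return any(subkey[off:off + 4] == "tICE" for off in (0x13, 0x37))


def classify_trace(trace: Sequence[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Flag API calls that look like the MeltICE / _lopen / registry probes.
    Each trace entry is (api name, first string argument)."""
    findings = []
    for api, arg in trace:
        if api in ("CreateFileA", "CreateFileW", "_lopen"):
            tag = device_tag(arg)
            if tag:
                findings.append((api, arg, "opens " + DEVICE_TAGS[tag]))
        elif api.startswith("RegOpenKey") and registry_probe(arg):
            findings.append((api, arg, "reads SoftICE registry key"))
    return findings


# Constructed trace (not captured from a real program).
SAMPLE_TRACE = [
    ("CreateFileA", "\\\\.\\SICE"),
    ("CreateFileA", "C:\\WINDOWS\\SYSTEM\\USER32.DLL"),
    ("_lopen",      "\\\\.\\SIWVID"),
    ("CreateFileA", "\\\\.\\NTICE"),
    ("RegOpenKeyA", REGISTRY_KEYS[1]),
    ("RegOpenKeyA", REGISTRY_KEYS[0]),
    ("RegOpenKeyA", "Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    ("RegOpenKeyA", REGISTRY_KEYS[2]),
]

if __name__ == "__main__":
    for api, arg, verdict in classify_trace(SAMPLE_TRACE):
        print(f"{api:12} {arg:60} {verdict}")
    for key in REGISTRY_KEYS:
        print(f"'tICE' at {[hex(o) for o in tice_offsets(key)]} in {key}")
```

tice_offsets() recomputes the 0x13/0x37 constants from the key paths, which
also shows the limit of the fixed-offset breakpoint: key #3 contains no 'tICE'
and is not caught, and a sub-key passed with any other prefix shifts the
offsets and slips past the check, so a path-based match (as classify_trace()
could easily do instead) is the more robust detection.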

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 | Powered by Discuz! X5.0