About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: a value hard to predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al means our handler did not run
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
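Most of the tricks above leave recognisable byte sequences or strings in the protected binary, which is what an analyst triaging a packed sample wants to spot before running it. The following Python static scanner is an added example (not part of the original text): its signatures are my own encodings of the listings for Methods 01 to 05, 07, 11, 12 and 13 (16-bit encodings for the DOS-era interrupt checks, 32-bit for the VxDCall check), and the image it scans is a constructed byte string, not a real file.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Byte signatures for the anti-SoftICE tricks described above.  Assumed encodings:
# 16-bit code for the DOS checks (mov ax,imm16 = B8 .., mov si,imm16 = BE ..,
# mov di,imm16 = BF .., mov bx,imm16 = BB .., int N = CD N) and 32-bit code for
# the Win9x VxDCall check (push imm8 = 6A .., push imm32 = 68 ..).  Method 01 keys
# only on the little-endian 'BCHK' immediate and the int 3 opcode (CC), so it is
# mode-independent.  A few bytes of slack between instructions tolerate reordering.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("Method 01: BoundsChecker 'BCHK' immediate followed by int 3",
     rb"\x4B\x48\x43\x42.{0,8}?\xCC"),
    ("Method 02: SoftICE back door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    ("Method 03/04: int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,16}?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F"),
    ("Method 05: int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("Method 07: int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("Method 11: MeltICE driver device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("Method 13: NuMega\\SoftICE registry key string",
     rb"Software\\NuMega\\SoftICE"),
]
_COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan_anti_softice(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start()) for name, rx in _COMPILED for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def summarize(hits: List[Tuple[str, int]]) -> Dict[str, int]:
    """Count matches per signature name."""
    return dict(Counter(name for name, _ in hits))


# Constructed sample image (not a real file): a fake header, then hand-encoded
# fragments of the listings above separated by NOP padding.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 6
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02
    + b"\x90" * 6
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
    + b"\x90" * 6
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"                  # Method 05
    + b"\x90" * 6
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"          # Method 12
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                           # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                             # Method 13
)

if __name__ == "__main__":
    for name, offset in scan_anti_softice(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run against a real sample, a hit is a hint to inspect, not proof: the 16-bit patterns will also fire on unrelated byte runs in large files, so confirm each offset in a disassembler.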