找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>2 _! I1 M' N. n, D# ]' l
<TBODY>4 i; @: B5 r+ p; n& K
<TR>- c5 ?0 z7 x$ e
<TD><PRE>Method 01 ) \# K4 ~0 R/ i7 m* V
=========- W6 P( n' T4 j# \
8 N/ |# a8 }0 W
This method of detection of SoftICE (as well as the following one) is* H. L  @( }! y
used by the majority of packers/encryptors found on Internet.: j4 O8 c5 Z  J0 \7 W
It seeks the signature of BoundsChecker in SoftICE# O. I# \" l/ h- r# g  p. |( x

7 a. E7 v0 M" `3 N    mov     ebp, 04243484Bh        ; 'BCHK'% I5 ]6 N/ O( l3 r
    mov     ax, 04h
/ ?( g: ~- Z" ]* x% }) r, |, r1 N5 Z    int     3      
  X! F$ x! H1 y! A( B# T/ _    cmp     al,4
: M% X0 c# L$ \8 V. H, {    jnz     SoftICE_Detected; D( m$ _. B/ @# r; b! I

. d8 l/ e! ^, P) @% q1 W___________________________________________________________________________
$ A2 w# K6 c. }- [" \8 y: n6 b
) x( ]& n  T8 _- ~6 ^0 aMethod 02, i$ g" O2 F8 |& D5 O% L
=========" S0 N' J( u0 |( R( o' \' z8 k
1 _  w, C6 y" N7 G
Still a method very much used (perhaps the most frequent one).  It is used5 K( [" k$ `; `2 _3 J3 z$ r( \' U! A) P
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
% z9 F/ L4 C; ror execute SoftICE commands...
5 N/ R- U- @% a+ K4 u! sIt is also used to crash SoftICE and to force it to execute any commands. r5 O. X  Z, `1 f+ w
(HBOOT...) :-((  
. c! o/ ~% l' {  s0 p+ F! Y" D& L' w9 Y/ a: [
Here is a quick description:
2 a- L9 @9 M2 r+ q-AX = 0910h   (Display string in SIce windows), e) M1 F$ w$ \' j; |, P8 @$ O
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)7 X0 a3 h3 o9 y: Z8 D8 u4 f) ]# J
-AX = 0912h   (Get breakpoint infos)/ D; a0 ^. x' n
-AX = 0913h   (Set Sice breakpoints)
1 t) {# M1 x2 m. J+ |-AX = 0914h   (Remove SIce breakoints)# i) _7 y/ ^6 e/ S

( f7 t4 F6 F' ^! j3 R9 o4 ~4 yEach time you'll meet this trick, you'll see:
, F0 c0 s0 J! c& J  ]9 K-SI = 4647h
5 z2 q  s' H" C, ]! N-DI = 4A4Dh2 R4 O1 a) j- Z, _+ k3 S
Which are the 'magic values' used by SoftIce.
/ P) @0 h& @4 k9 C: u. ~For more informations, see "Ralf Brown Interrupt list" chapter int 03h.1 N( d* U% Q  P
* Z, P$ n$ c$ v9 W3 E
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ t3 P8 p+ h* O& SEnvelope utility use to protect DOS applications:) `) a9 T# s) `3 O: r# z

8 |  q: c0 b5 i; N
* s: F1 Y! `. `3 M: q7 e, p$ H4C19:0095   MOV    AX,0911  ; execute command.4 s* R1 B2 Y) S3 B) a
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).6 d2 T/ b& P" ]. m5 J2 ~6 X
4C19:009A   MOV    SI,4647  ; 1st magic value.
, G. y) [3 o2 Y5 Q% P! I4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
7 N  t. x+ R5 Y; S4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
& }7 g4 i/ ?, |; ^4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
+ L( X; D' h6 I* J4C19:00A4   INC    CX( u% _- J) Z& b
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute8 Z0 e, ]0 y0 Y" |1 D) J
4C19:00A8   JB     0095     ; 6 different commands.
* n0 t: h/ G' w+ b: C5 \7 B4C19:00AA   JMP    0002     ; Bad_Guy jmp back.6 P# \5 {& [2 ?- |
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
- `) I8 b6 }/ L6 o
' ~, R9 d- _7 q* ~  j: F' q, r. ?/ MThe program will execute 6 different SIce commands located at ds:dx, which* W5 w% D! m4 ], N
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 s' T2 \3 C. a$ f& W+ M0 E+ C0 b9 |6 n4 P8 V6 l
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
: X' k% ?0 v  c- V5 e1 l  ____________________________________________________________________________
' j2 p3 s$ \# _. F0 X- U
0 n4 T3 z. v% A" k9 T8 ~
! S% y/ H% b( X, @6 \+ R! r$ L; @6 uMethod 03
% C! ?! Q0 C- X=========" y5 R- b% }( K# b# R$ H" a( a
; A, q6 ?3 a( ~! U! [3 V* Q9 |# o
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h+ M  g3 m, ]# S0 p8 @' L
(API Get entry point)8 W1 S" B1 C/ }. a0 q
        
( b/ A& j8 ^; {9 {8 f* N; X. L
1 n. o! V" ]$ A- [  [; l: F: X    xor     di,di( T. ~/ A6 r$ Y6 u' D- B% t! d4 m
    mov     es,di" ]4 b! l5 C: U; _3 I6 E9 T
    mov     ax, 1684h       ! o( [' E% ~& E# _& |4 g) x+ L7 H
    mov     bx, 0202h       ; VxD ID of winice
) S  E  q! ?$ m( Q    int     2Fh
- n& K9 p1 ]4 q# K    mov     ax, es          ; ES:DI -&gt; VxD API entry point
  q8 l) A* V2 u/ M. A1 V    add     ax, di' a+ k- o. v4 L& o3 J
    test    ax,ax% T3 [- ]) \9 i/ @! [0 f! T% v. t
    jnz     SoftICE_Detected: r  |8 {' S- E6 @% m
6 s( x" Y& x$ t/ [6 y- E; F: a
___________________________________________________________________________" L9 M1 I, d' w" a6 v0 z
8 ~1 A3 e7 O3 X% X
Method 04( e# f7 T$ y8 a# U7 o
=========/ i9 ?! y9 U7 X" a" c4 `

) @* ^- y! B9 g  CMethod identical to the preceding one except that it seeks the ID of SoftICE: y. M6 m# ^3 w; x- }2 V4 o* X
GFX VxD.0 W# S- f% H6 {% ]& |& ~
3 @+ P1 `: i2 h$ u
    xor     di,di
# v0 G4 S! W+ z    mov     es,di: a- N+ u" B9 L/ x
    mov     ax, 1684h       0 }$ B" C) i& f0 K1 m& }
    mov     bx, 7a5Fh       ; VxD ID of SIWVID( S: j' S6 w0 N1 Y% o' w: X1 Z
    int     2fh
, r  s# E7 d: U7 i5 s! ]2 X    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: I- F! _+ `+ T  z    add     ax, di
% H; s7 M; V$ I0 ~- B+ `' O    test    ax,ax' G% `' \4 i: r9 C8 @
    jnz     SoftICE_Detected
: M) w& y2 d5 S+ g8 v$ y& V
9 z! n* P4 X2 h6 b) M__________________________________________________________________________7 |0 t$ Q* _$ i# t% L
7 {' Z( e4 U" i
: @0 x$ M. R* t5 S( I+ k
Method 05& R) ]% z; r& C1 L  @9 s& n. l% i
=========7 q0 b& B- q1 q4 `

( p) b) L/ o2 {4 V( X5 G+ @7 i. QMethod seeking the 'magic number' 0F386h returned (in ax) by all system( y9 u( C% E' r* c8 R" u$ w
debugger. It calls the int 41h, function 4Fh." Z: g  [8 y4 A9 b& R$ }; V- d8 w# Y
There are several alternatives.  
0 O" A. r! O3 ]; U7 r
1 N8 `; o3 I4 \& @% {* }The following one is the simplest:
5 R" _7 }0 j- g4 \+ Q2 N1 B# T0 Z. F0 R' a, u7 \
    mov     ax,4fh
7 c2 ]$ N0 `* N8 S2 N- n3 K! w* M    int     41h
4 Q  t- _% b4 ^8 j    cmp     ax, 0F386$ I! x1 ^  E0 U& b6 {
    jz      SoftICE_detected0 Q: m6 H" N% ^) E% J' _
0 Y' V7 O8 \2 w0 x: \( C
) G0 @# U6 k, n, j
Next method as well as the following one are 2 examples from Stone's
+ A4 H0 m- q  J" W# K, E( m"stn-wid.zip" (www.cracking.net):8 {- E$ W4 V. T

" r# T/ C' W# {6 K    mov     bx, cs' ^4 G1 T. |! k! Y% }/ B
    lea     dx, int41handler2
/ m" x  e: f& m' A    xchg    dx, es:[41h*4]
- [. i9 O1 r5 t2 @    xchg    bx, es:[41h*4+2], _0 S9 ^5 r/ Q
    mov     ax,4fh' {8 W+ N' |6 c. @/ g- o( b( `7 ]
    int     41h
1 I3 D% p, J- z    xchg    dx, es:[41h*4]. X3 R  x# {6 R- S9 {6 j" U. h0 l
    xchg    bx, es:[41h*4+2]
* P# q8 S8 J$ y    cmp     ax, 0f386h
, g# X  B1 Q  Y' \2 n2 P    jz      SoftICE_detected
/ T6 L4 T9 ~* M. e" n6 E6 B# z  m
int41handler2 PROC: [. X2 Z" |: u/ r: Q
    iret1 V# J) K* h! w& G8 o6 T( D' U
int41handler2 ENDP
5 G! W# n. V  ~( Z1 b; n; u4 Q8 j! A5 R0 E

1 g0 y& q4 L  F7 v_________________________________________________________________________! d2 t% u5 r' h. Y
8 x# a8 J" c0 x8 ?0 X0 X8 L% n, b
( c8 n0 g) B+ f! Q2 I% E3 |$ a6 w
Method 06+ F3 L" E1 `5 U& X; K
=========
4 u/ O% V/ c% a0 b6 U* ~0 B. ?. Y0 H

' F/ b; k& t, H- H1 z. o2nd method similar to the preceding one but more difficult to detect:
- N* h. g' }1 Z0 L
" g; y: l4 @, X: f6 y! m. c2 @7 _4 p! T& b( D- P: J5 U0 N
int41handler PROC
9 T+ Y9 s1 K# H; t' V- L    mov     cl,al3 a; D  C6 v* D" x
    iret* W. `/ _1 X  [% `
int41handler ENDP
& J6 }% ^: Q* ]) i% S4 |2 Y8 z0 e6 @' i1 y5 ?) x; `

. R& _! c, H0 A- f; n    xor     ax,ax
9 c% ~' }/ @4 x7 l1 H9 T    mov     es,ax& t& O7 a" M* |8 F# X) K0 O
    mov     bx, cs
1 ~* H3 S, L8 z6 k# }2 R* `3 A    lea     dx, int41handler( O9 r% J* A0 ^3 z6 c
    xchg    dx, es:[41h*4]5 o- Y7 C$ j0 z- J4 l. O6 ~
    xchg    bx, es:[41h*4+2]  m( R8 l; U; B& |3 \
    in      al, 40h5 u! c! |6 h" g' f: _4 w
    xor     cx,cx
5 y- N; s: B* l6 y    int     41h1 f- s% P, W9 [: c2 i2 }) t5 X
    xchg    dx, es:[41h*4]
$ h8 b, B9 [' i0 C1 h% O    xchg    bx, es:[41h*4+2]
  y* S5 m& R- U* c( }/ ~/ P. Z    cmp     cl,al+ c4 d! A' m* W9 Y0 x5 U
    jnz     SoftICE_detected$ I4 h5 [: k' W# \7 P

; u3 `: O+ U1 i_________________________________________________________________________: k# W- w- @9 x: {' [

) }# E  U1 l% l! {Method 077 ]! y" G( Z- P! e1 T) ^# x; j( ?
=========
. D# ^8 R1 P2 p2 S
! Q, V- i1 h" L4 vMethod of detection of the WinICE handler in the int68h (V86): l& g% O& N/ M: v
$ i, J5 v6 t) N( W# W. C
    mov     ah,43h
7 q/ @  f5 Y. ]7 x    int     68h7 k/ _' T* h4 F; ^* y6 Y% G) |- l
    cmp     ax,0F386h& V- q# j% J* `8 Y* t  l0 \7 p
    jz      SoftICE_Detected. a9 p4 x1 p1 t1 L* ^
7 R! F" P9 O, K+ G4 f

" U) I% z# _3 ~) s=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
) t! q8 x) K6 A6 o5 Y8 e   app like this:8 ^+ T. R6 V  D2 ?' R5 r  }
, Y* ~' Q: V* ~# b
   BPX exec_int if ax==685 [3 K9 b/ E, I% L8 ]0 R
   (function called is located at byte ptr [ebp+1Dh] and client eip is
! z1 g% C* l- i   located at [ebp+48h] for 32Bit apps)
* V* o7 k0 Q# t) W: a__________________________________________________________________________+ a2 s. a' ?" B* ]# @

/ E- j5 ^0 |3 C! p4 d7 k
$ h2 B3 H1 t) \Method 08* z7 t, e) o& W7 {+ f: X! E1 B
=========8 ^- t9 ^+ Q( a+ \- ~: I% D+ z% J
! S: _8 I$ X/ J( O* q% h5 Y- R# i
It is not a method of detection of SoftICE but a possibility to crash the$ V, T; g# M: u; G" u) a5 _8 ^/ U
system by intercepting int 01h and int 03h and redirecting them to another! K: o, a8 I8 ~
routine.5 \* X# b; I3 @' S& \$ m
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points7 r. u5 x# X. w& c8 X6 z+ ^4 R
to the new routine to execute (hangs computer...)
8 R/ T! h+ `7 z$ I' |/ k, }! ?
5 ^, q; }7 g0 ?( m8 s/ F$ K+ c    mov     ah, 25h, s' }" _% f$ ?. E
    mov     al, Int_Number (01h or 03h)
- {' ~% `* U- w! m    mov     dx, offset New_Int_Routine
; U. Q8 c8 \* F7 L9 G    int     21h: t) f$ V+ g+ X# E5 i, k
4 _" z" d6 G4 h* c1 [; J  j& p
__________________________________________________________________________5 h2 o" S( u2 Z

) U* u( T0 F: S8 X3 D' ZMethod 096 q+ W$ a+ s7 ?. s
=========: v" t/ C4 H0 ?: U7 r

# P+ C& Q: A" u' ?4 l7 hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
. t; r' D4 g- r2 b4 fperformed in ring0 (VxD or a ring3 app using the VxdCall).
0 A$ ~1 w. X0 uThe Get_DDB service is used to determine whether or not a VxD is installed
& M# y& ?6 C& G/ u2 C, M6 M9 y, ?for the specified device and returns a Device Description Block (in ecx) for  K4 W- c# A$ R4 Q- J
that device if it is installed.
- C& O$ ?& l, V! `8 Y$ O' g. `. F& D( t8 |1 ^" O/ b$ z$ F& x1 V
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  Y- L- ~4 X1 ]) e% \" l9 L   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
9 Q, p6 g3 ~& w: c   VMMCall Get_DDB
; I) A$ t1 @! I# u   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed& k' d; M2 |( B/ Q; ^2 V
; I0 o. a7 U1 X9 j# d
Note as well that you can easily detect this method with SoftICE:9 r) p) z3 z+ d
   bpx Get_DDB if ax==0202 || ax==7a5fh
+ R8 X8 C( I: s; L
$ Y# i2 W; B2 a. I__________________________________________________________________________
$ F6 S" ?. D) R& `# D+ n5 U- v, n) A
Method 108 U/ r, k: p: z' @- H0 h1 s- l
=========, f8 X2 z; u' c+ Z' Y6 E

# _2 v: s- e- U3 `1 t9 U=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
. |+ B* b! ]4 N- L9 F  SoftICE while the option is enable!!
/ [5 b1 t4 k2 \' e0 X$ X6 q; s0 H/ n) r1 o
/ c. o7 s" G4 V* U& [This trick is very efficient:2 y: ]- a6 }( m& ?$ g8 g( |2 r% }
by checking the Debug Registers, you can detect if SoftICE is loaded' L$ e4 `7 ?& Z6 Q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
) I* e# {$ E9 M) R( R, |5 ythere are some memory breakpoints set (dr0 to dr3) simply by reading their# j7 ?0 u, {4 `9 t
value (in ring0 only). Values can be manipulated and or changed as well# q1 S, D8 E( k9 E& d% K, g
(clearing BPMs for instance)
' x$ }7 O( s3 f
7 J& i+ U: S  j4 U7 P; {, h__________________________________________________________________________
! t9 q/ K3 t$ w7 u6 ^6 M" h$ {* Y; a; k6 Z4 X9 d
Method 11
5 S" c" C0 e: y2 ~) Z=========6 V; s( w6 C6 v# q9 ~( }5 z4 P

4 L- L. Q% m' MThis method is most known as 'MeltICE' because it has been freely distributed" m9 V1 q& k! k" a+ T; r. D; [
via www.winfiles.com. However it was first used by NuMega people to allow+ e2 E6 k6 a0 F* e4 l. g. v5 L; @
Symbol Loader to check if SoftICE was active or not (the code is located% a# F2 d: O! H& S
inside nmtrans.dll).
' A8 K" |0 G/ X" @; F
1 x% [0 i9 `+ t3 uThe way it works is very simple:
2 ?. l& \2 v5 Q& \$ d8 OIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
2 p1 i% P/ k/ L! `1 j# d) ]9 nWinNT) with the CreateFileA API.
2 Z& D! `% n& a% x9 M& Z7 E. C" o3 E" Q9 B  q# }8 q6 A
Here is a sample (checking for 'SICE'):( G7 j1 h/ I9 W* y( R  H

5 K6 d5 X: p+ d9 I* @BOOL IsSoftIce95Loaded()
+ \5 q( f6 @$ l{
3 j, p" ^$ k+ Y/ m   HANDLE hFile;  2 ^1 J5 |5 O4 v4 d! v/ E
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
# V0 u) {/ q- e- Z( Z3 n/ R8 p# X                      FILE_SHARE_READ | FILE_SHARE_WRITE,
( P) m  r; R) F# J$ W                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);" `3 b" q& m9 _  s. C# k9 [" Z
   if( hFile != INVALID_HANDLE_VALUE )/ o9 k' h% G: o' u( d
   {
  m. ]6 `! {+ g      CloseHandle(hFile);
8 Y3 M# _) X: Y. ~3 |6 b      return TRUE;" i/ c) w- M+ _5 L) @6 L
   }
$ \0 C8 @/ ]% J! N6 F* Q   return FALSE;
5 f* H' h3 E% e}
9 h1 V/ y) }+ A( u- ^, h+ A) q2 {" _1 e$ Y, x0 t
Although this trick calls the CreateFileA function, don't even expect to be' f4 L+ t: y+ X- ~( g' {  ?
able to intercept it by installing a IFS hook: it will not work, no way!* l2 f; c, w: X" P  B* W' c! ?8 E) A$ w
In fact, after the call to CreateFileA it will get through VWIN32 0x001F& u  Z8 y( G5 z' P) D
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)% Z$ c! E( [( h* T
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
( f2 y4 s6 C# P! E; v2 A1 Y5 ~+ Bfield.
, v- n  z' ]+ O: D. L% IIn fact, its purpose is not to load/unload VxDs but only to send a # L( Y- q# ~' X1 `- H- v+ e. Z
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)1 J+ N; M! x5 ~+ e
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ S- ]7 s; p9 }/ ~5 N) }to load/unload a non-dynamically loadable driver such as SoftICE ;-).
- Q4 {- T1 G  o  OIf the VxD is loaded, it will always clear eax and the Carry flag to allow
2 I0 W: P3 n1 ^3 `9 Qits handle to be opened and then, will be detected.
+ Z/ L) X+ t" C: [7 qYou can check that simply by hooking Winice.exe control proc entry point
! V0 a, V& ]# U# C$ v/ ^- G! Fwhile running MeltICE.
  S) r; l1 T" L/ \  _" D3 }
1 W! O* {( h+ `1 a) v) i
" j: T/ q& @5 \/ b  `$ h) A  00401067:  push      00402025    ; \\.\SICE
- C" C* R9 W; X5 c) @1 S  0040106C:  call      CreateFileA
. C- z4 F9 b7 x$ U9 z0 Z  00401071:  cmp       eax,-001
$ p" W% [( e' v- ~; q  00401074:  je        00401091% M' q; D* w' C! R, T

+ N( f9 O+ q/ L$ i3 T' n# E/ ?5 d4 p, ~9 i
There could be hundreds of BPX you could use to detect this trick.
" s, U1 {/ o5 U6 B: O# K  B5 B-The most classical one is:
3 ?+ s$ b7 l/ h2 n  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
* J3 f( P; u8 l7 U7 d" r  W    *(esp-&gt;4+4)=='NTIC'. E& K' c8 e9 x: T; C& J

/ H9 U- M3 ?8 v: x5 G6 m-The most exotic ones (could be very slooooow :-(
2 }& D- r' T, e, k   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
( b+ F3 ^/ a) c     ;will break 3 times :-(0 r; Z2 }9 e4 c3 J6 t. s8 _7 F( c2 ?

) P8 j: B9 ?% X) r2 s$ T-or (a bit) faster: # X; @; e0 C. \; t( Z- X- T
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')! [1 E. G) `; P) O% z7 V

3 X3 ?" O% \# w; F. m   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ) h: k$ m0 e, a0 f; X% k
     ;will break 3 times :-(
- F; @4 q6 b' R0 s  v9 m- S7 R) c
-Much faster:
( L) f( `! \( C. ?1 d& c& f8 X* [) n   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
& q8 ]( q  Q* O
$ E9 s  D% @$ g. Z' INote also that some programs (like AZPR3.00) use de old 16-bit _lopen
- j( _; l6 K7 x) Nfunction to do the same job:; [4 F& h( N# Q9 I4 y8 f5 ^
2 f: G7 W; r3 M) n! ]1 F) E
   push    00                        ; OF_READ
8 \, b2 z& h# l# S; H7 n   mov     eax,[00656634]            ; '\\.\SICE',0" W* |- `1 [4 C
   push    eax
2 L) W% `, g9 e) i' `   call    KERNEL32!_lopen
+ r" C" v1 j" i+ k- p! O! ~) u- H0 T   inc     eax
. ^; ~! K) h! S   jnz     00650589                  ; detected
9 e( K. n" `2 S4 t; v. J   push    00                        ; OF_READ
6 j# U. ^9 |7 @1 Z) k0 o- R7 e& g   mov     eax,[00656638]            ; '\\.\SICE'1 w3 q' F7 y6 @/ p+ U  D
   push    eax+ P7 m& ]. C( c5 X6 }* j
   call    KERNEL32!_lopen, A6 Q6 t8 z' R7 b5 s" @3 {$ r
   inc     eax
( N& j  l6 @4 n+ [- |- B   jz      006505ae                  ; not detected7 v' {3 f) @5 x" R4 a
: H( }6 P8 P% J& H

" _5 Q$ ?; C# o' X( k8 l% \0 E__________________________________________________________________________4 v0 X' Q5 r4 m' L8 e9 _  }$ \: ^6 R

1 n! \- w+ [5 ?Method 12
7 l6 k: B9 j/ J( n: l=========
8 N$ G5 i5 E+ \+ P( N( i; n, q/ e' N9 T  x
This trick is similar to int41h/4fh Debugger installation check (code 05) n: M, X3 @+ j; D
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
0 M! G- N( M; u# J& qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.) T4 A4 C- R* f! G5 [

4 ^0 C" |& r* @( W: s   push  0000004fh         ; function 4fh0 y( m7 ^. [* y6 a
   push  002a002ah         ; high word specifies which VxD (VWIN32)
- Q8 ^0 B! q) A& z' \2 K                           ; low word specifies which service
" B! @# j3 F; r1 B: L  |                             (VWIN32_Int41Dispatch)  C6 T$ g7 ?* x1 B" b+ C
   call  Kernel32!ORD_001  ; VxdCall8 G4 Q- K- Y2 f* r) w9 l
   cmp   ax, 0f386h        ; magic number returned by system debuggers1 w7 g0 R8 x9 V' k8 @* O4 U
   jz    SoftICE_detected
/ T) x+ |" Q8 z( H8 J) q' K. p1 K; Y1 T+ h8 m
Here again, several ways to detect it:. i- p! \" _" c, X: J

7 J5 w" I6 v9 I' h    BPINT 41 if ax==4f
# S, H4 U" v6 u4 T* f
/ N1 L1 {* D2 F0 V    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one9 u  s! R$ R) e5 n

1 B( }5 I$ P- S7 a    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
4 A% K' M; t* m! Y) t
9 m/ `+ B; A# E    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
/ }/ S2 w, c' ]- W
- j' k: T% S* {__________________________________________________________________________) N) K! n- F8 s- C2 f8 s* M+ U" O
$ J! @6 o- _0 Y9 b, ]0 D) n; h/ G: U7 U
Method 139 a* G2 d1 K& R- F1 w  c8 j
=========
! `* s9 t) `: E! i; \8 V' V. P
8 P9 ]- w0 d  UNot a real method of detection, but a good way to know if SoftICE is
0 {4 D9 N' ^' ?! |* }" }  z+ X9 x7 Tinstalled on a computer and to locate its installation directory.1 M* N1 i" q; p  V7 O, l
It is used by few softs which access the following registry keys (usually #2) :7 m9 ^( z( K) y4 I0 c9 r
$ J. F- s  Y# S! ]
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
2 K+ e* T  S/ C- K/ q\Uninstall\SoftICE. N2 T2 @; K  n5 ?
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
+ N4 o- m$ ]0 l3 S! ^. c-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 Y! @$ p8 K, o$ o/ \\App Paths\Loader32.Exe
" \, ~4 E& ^1 t) E
) \. {8 ?! k) t0 U+ e5 L' I$ V5 s" ?% Z; _. E* C  N
Note that some nasty apps could then erase all files from SoftICE directory
8 r& K+ X7 e' p7 o6 B, l6 i5 c(I faced that once :-(
4 U# @: z. w3 J/ [* Y
2 M+ @) m5 s2 @0 }6 \! OUseful breakpoint to detect it:+ r4 |9 w7 @& M% p% H
, d7 |( y6 @" t0 B, M' g2 i
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'1 C+ S# `0 x  E  Z
( `! }1 w- z# O2 ]8 e! E
__________________________________________________________________________8 X$ a$ A0 e# @0 B! Y) E
+ K9 L5 F' ~: l

! w- D8 x( v: F# Y; m0 k) N0 lMethod 14
1 R* M" G4 c0 ~3 P=========
) M. J2 r% L+ c4 ?
/ A2 |/ j' V5 c7 jA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ O/ @0 L$ d: yis to determines whether a debugger is running on your system (ring0 only)., D( n2 m1 e- c: E
# n6 C) ^- M5 V7 ?9 G% E
   VMMCall Test_Debug_Installed
4 G8 t/ T" S1 W# |+ H  m* J' `   je      not_installed
$ E6 D  U- g! N% d
, o' z3 H/ @# F1 j4 a; rThis service just checks a flag.
0 h% F* O3 S4 a( I</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-6 22:30

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表