找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
( M# D. _0 A% J) q; ^<TBODY>
% r% |9 k4 r& d" a+ a# A* x<TR>
8 n$ `: J9 P8 Z, z2 _4 ?5 M<TD><PRE>Method 01
% I6 m; u0 v) s/ _=========
, k) I5 @- h+ |
9 R; d; `2 A) ], i( g& f: d5 i) dThis method of detection of SoftICE (as well as the following one) is
$ _4 J3 n' q% X/ x9 P0 N/ qused by the majority of packers/encryptors found on Internet.. R' n: w$ j' \' f2 U
It seeks the signature of BoundsChecker in SoftICE) b% M" N: `' O9 N) P* [7 }: `

& X* M5 @5 n- v: M( Z, w  M  z    mov     ebp, 04243484Bh        ; 'BCHK'
8 q5 K: Y  \6 L% x0 V" s" u    mov     ax, 04h% y  T, v6 p9 K
    int     3      
, R  v' k% W" f: W# J, S    cmp     al,4
$ u: g9 @5 {, X2 v: T0 j2 m    jnz     SoftICE_Detected2 F) }9 a  X( @/ H6 j

% H# j: o/ B# M3 p7 S___________________________________________________________________________
) T; S( z8 P6 C- k! I, {9 K1 q5 ?# E5 S, |
Method 02
3 |# H3 Q* G( k# r* s/ d2 i/ d=========5 |# h2 c1 v% F, e% I: a

# ?6 T+ h7 D/ o' O) vStill a method very much used (perhaps the most frequent one).  It is used6 |2 j( b: |  Q5 w  R) e( H8 h
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
& m7 r6 k0 T( y9 r3 ]6 X* Aor execute SoftICE commands...( \5 p: N; ~3 D3 u. h
It is also used to crash SoftICE and to force it to execute any commands* v8 ]: a2 L% q
(HBOOT...) :-((  % N- H5 T% W. D8 }& C# R

0 M6 \& l5 g5 n% Q7 U9 mHere is a quick description:' M8 a, w0 s) I
-AX = 0910h   (Display string in SIce windows)* V  w7 A9 f$ n/ a. M: n" i0 ~0 l8 M
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 p4 K! s! `9 {. ^$ c# U( i-AX = 0912h   (Get breakpoint infos). l6 ?% c8 L8 L  J1 p3 F# {  d
-AX = 0913h   (Set Sice breakpoints)
# g) w. u6 J" y9 s-AX = 0914h   (Remove SIce breakoints)
. N/ f( C# R7 ~9 b6 I5 n
' R; A: S- y8 r2 Y% y9 [- ^Each time you'll meet this trick, you'll see:, M4 U5 P: m; ^8 o7 Z2 T
-SI = 4647h1 q" `2 T  s) y
-DI = 4A4Dh
" \% ^$ n6 S) G7 P  oWhich are the 'magic values' used by SoftIce.
: }6 G" ?$ k/ v, dFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.* N% c4 f: k. _! k

0 M0 p  _) g: P5 Y8 wHere is one example from the file "Haspinst.exe" which is the dongle HASP! \0 X, |% ^7 r% W( k( ]/ X
Envelope utility use to protect DOS applications:" E0 z0 h8 p7 [5 M  C

: T5 k, T* x+ z; c. d
0 o3 e. B4 E0 o6 i4C19:0095   MOV    AX,0911  ; execute command.. Z+ o5 h' T; }
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
; z1 o5 w, l- t* z4C19:009A   MOV    SI,4647  ; 1st magic value.
- h; A+ L& ^8 O2 s; [0 @/ ]4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
/ f2 C) m. H! X4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
2 o! y# i! v" z3 n# R2 V4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute5 q. X/ U9 o' m; M
4C19:00A4   INC    CX) u+ h6 K2 U  f
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute+ B  M' `1 [8 p4 E  s2 L
4C19:00A8   JB     0095     ; 6 different commands.
( K# F) Q- k8 H; O4C19:00AA   JMP    0002     ; Bad_Guy jmp back.+ i0 U( t2 d  d) g+ g6 u" N
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
" Z( v7 t/ ~6 o5 W, y) t- O7 O0 E% g$ L& S; |
The program will execute 6 different SIce commands located at ds:dx, which
& a# p% [8 _6 ?6 k6 uare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# |3 l! z8 V( q* i' L0 }+ p" Z
% k( a6 h- O* Q# f. e( u) u* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.) P' Y4 L' n5 _3 z
___________________________________________________________________________6 a8 n& m6 K5 S. l! e0 Y) m, G

8 U! ?2 t+ u' }( w$ ?6 j/ G& a1 ~9 F
Method 03. l8 P7 W! h# p
=========
& s# \" g7 |+ D% E  M. K! Y+ a7 D7 C9 v! J; n7 U. ~" y6 U
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h' c5 e- l/ y/ m) C$ b  e& n5 K- z
(API Get entry point)8 |- b7 V# @, h
        # r* A8 x% c$ k. m- \; s/ ^4 Z

; d( Z+ L  K# J( d8 @) O; U: o# a2 O    xor     di,di: \0 z& ~$ }% C9 v% u+ u% @
    mov     es,di0 E7 X  Z, ]: n6 P0 |9 u
    mov     ax, 1684h       ! X( i* W( e6 q  q: @- \
    mov     bx, 0202h       ; VxD ID of winice4 B$ L9 {0 Y0 M2 Z' Q* L
    int     2Fh
1 x- v5 v5 E+ m. u    mov     ax, es          ; ES:DI -&gt; VxD API entry point, C' z/ S" n: \8 o1 B5 {5 Y
    add     ax, di: D( N. @, e2 I- ]
    test    ax,ax2 h, w3 I% O1 i  V
    jnz     SoftICE_Detected
8 ?2 E: c4 ?! l5 z2 M
. x/ j, q6 }  }: C/ x7 F___________________________________________________________________________2 z) q$ `# `! N( `

5 t* r& m! A8 w+ h& DMethod 04
- c* i+ Q- w& V6 o" M" f  v  G=========4 w+ y$ X1 F0 a4 p$ Y, R3 F( H0 n# V) W

8 I) Q$ a0 L0 |- j& N- v4 W0 BMethod identical to the preceding one except that it seeks the ID of SoftICE
- ]4 v, t8 _6 SGFX VxD.
' \$ G3 e6 C. z+ a' m3 M$ }: y/ m* R
    xor     di,di
; N; |% V4 l, a1 G; Y    mov     es,di
3 v" `9 F; h* I; d+ t" R" N    mov     ax, 1684h       5 u  A: [4 ?+ f5 s- B
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
/ K7 O* D0 S* }# q2 b& L    int     2fh
- Z1 |5 ]' g2 Q# J& w, F' x/ H    mov     ax, es          ; ES:DI -&gt; VxD API entry point
" @; S4 `* C# O1 M% o    add     ax, di
8 o) O7 z! m) T8 _    test    ax,ax7 S+ A8 B, Q& `5 k/ l; T5 J$ \
    jnz     SoftICE_Detected# G. {2 s- l8 f5 A9 s* l2 \+ q
+ |! t1 m1 e% L$ }. O
__________________________________________________________________________' L% K0 F9 b( i6 `. x' k
7 W" N: Z& \8 X1 D8 [- D
7 g7 |% I4 x' u7 j! N* S9 u
Method 05
% D, O5 I2 e! {9 M) t: h* o=========
" A1 g  k# G0 e7 p' g4 ?+ f- l# c2 x$ h5 R
Method seeking the 'magic number' 0F386h returned (in ax) by all system; {9 h. B  ]8 [* C
debugger. It calls the int 41h, function 4Fh.2 t9 E  D' s2 K+ W# m
There are several alternatives.  
7 S8 o! [* m" W6 }- c2 h: F0 `6 |/ E
2 ?7 b' P/ \7 R# o1 O. YThe following one is the simplest:
; c' t/ r0 R/ h2 L4 D: s6 s& {* r) U4 n# W+ V* L. i
    mov     ax,4fh
# h$ N5 k/ S2 d1 D7 V' M) ?# T    int     41h9 p& N- j( Q1 \
    cmp     ax, 0F386/ M: \% [) q- F( l0 t
    jz      SoftICE_detected
5 c+ r* \( F8 L1 t. T! ]; D) N3 y5 k: Q

1 W7 l, e, f) j6 _  ^. KNext method as well as the following one are 2 examples from Stone's $ r# `1 }5 k1 j9 w3 v4 B
"stn-wid.zip" (www.cracking.net):7 u9 i- G4 g6 M
5 m4 z( i) `$ ^: U5 s6 M  x
    mov     bx, cs1 m) C" T8 z7 ?7 g0 D* L3 r7 V
    lea     dx, int41handler2
1 b% I0 E* t  E$ U8 N( [5 L+ T  F6 }    xchg    dx, es:[41h*4]
8 Q- C: s: k" I$ J    xchg    bx, es:[41h*4+2]
8 d5 y# ^4 ~& T: P  k    mov     ax,4fh
$ Y! n3 Z2 ?1 M3 o4 m    int     41h
( w+ U  o4 B3 C; |4 Z4 `. W" i* b" k    xchg    dx, es:[41h*4]
3 O5 R* c& P% f6 E6 N    xchg    bx, es:[41h*4+2]6 k' f" i" _1 c9 L9 P
    cmp     ax, 0f386h
2 @! f, A# n6 O- v8 K. C' a. n    jz      SoftICE_detected
  a; ^; [) v5 _" Q; J
9 S* ]; A) t* s4 }int41handler2 PROC
$ B% X+ v8 C9 K# p    iret" Q: ]9 o# C/ x) c/ ^' A
int41handler2 ENDP
- H5 O, p1 D" N3 F
4 e7 @0 T7 y4 m* B  N; R( M( `! v) y0 r- W$ \7 b, B% s$ q
_________________________________________________________________________5 G' g  q3 `. B
3 s3 b3 N; q% ?5 p8 E1 p# n
; \! G& u4 q+ s
Method 06
+ v0 d! x. n3 }5 h2 J+ W% I=========, O4 A6 `; n- ~7 K
8 T% C, _  v, V' Y4 V+ V
0 q/ i0 d+ p- q# h- j. T! l% g- d
2nd method similar to the preceding one but more difficult to detect:
3 E+ Y" S, k: S" z8 m
2 R- Q/ Z3 L( V" s! _0 [# N4 s
0 ~$ P7 N2 G" o1 Hint41handler PROC
4 d6 l9 F2 q: t/ E+ s( W0 H    mov     cl,al& p) r6 c* t2 k
    iret
' b- m+ g2 B' r7 hint41handler ENDP/ |/ f5 X1 h. S2 ]* P9 k7 Z3 u! V
  l2 _/ I/ G% k- [: C* o

" v0 D& ?  p5 O7 v, p4 C    xor     ax,ax: l  X0 h. y* ^0 z
    mov     es,ax
7 |  r1 G/ [0 y4 x& C8 f2 `8 A    mov     bx, cs4 y; @4 s& J- l: f9 _
    lea     dx, int41handler
# |. o& G" t2 P- ~% o, `0 ^    xchg    dx, es:[41h*4]- b2 l, b, v. F6 U
    xchg    bx, es:[41h*4+2]
- n/ v; j7 O# d% l0 P    in      al, 40h% k9 X: U% [  Q, d& }( C! \
    xor     cx,cx
+ |# a6 q! |, G/ D    int     41h9 c7 }' Q7 f/ V$ K9 ]
    xchg    dx, es:[41h*4]
( g6 f' D3 S& @) E, G8 j    xchg    bx, es:[41h*4+2]
' \( m* X" k* t# C    cmp     cl,al
' `3 a) T6 p1 k/ c) `    jnz     SoftICE_detected, A: ^+ G  `  d' S. q( @% _# d

$ t! \) S. u# X2 D_________________________________________________________________________- H1 ^/ d) n, L' V) W. b& i

7 \/ ?% F: P6 K% kMethod 070 Z& B3 T$ q# }; O% G
=========
5 d$ ^+ X) K9 ~1 d
# \- S& G4 i- R8 I8 L; X# o8 }& dMethod of detection of the WinICE handler in the int68h (V86)
$ b& `; g. x" ?- g/ Z
* f# i' A4 N/ T5 K1 G) y  O% E( v    mov     ah,43h
" a4 d6 N% b" O    int     68h: L, Y9 F3 m" B/ _; T/ a
    cmp     ax,0F386h
5 j6 n/ @2 }+ c) ^3 p    jz      SoftICE_Detected
  G% a& O" r# A5 S, N: p+ x2 B8 p( Y, z6 F+ O" b( n/ w
# V$ Q' Y. }  e+ _4 N! r
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit) L) z) f0 v5 g+ Q; M% T
   app like this:* `; P  k4 A$ {

; R, S( t1 x5 `   BPX exec_int if ax==68$ b( u  K, C6 E
   (function called is located at byte ptr [ebp+1Dh] and client eip is" f7 U% @, C( A$ D2 Z) M, M
   located at [ebp+48h] for 32Bit apps)0 `1 |6 B* {' Z2 O8 B
__________________________________________________________________________6 k0 \& L- Z9 B4 ^  C, ?" ?# w+ L

+ r  T" J. v9 }' ]& }7 m" ^0 \- K4 T- p
Method 08$ h: I/ t+ m3 t1 o# d- a7 `
=========
4 J9 J+ ~5 D* g7 a& r6 D) l. c  G2 P$ ?( O' l, |
It is not a method of detection of SoftICE but a possibility to crash the
9 |  ]2 h- `( esystem by intercepting int 01h and int 03h and redirecting them to another) B& l$ y8 Y( S9 `' t
routine.
. U( J0 h' W. Z7 E# U: ]% F  B% \It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
  o; u7 Y- c$ p* g1 \1 m* K, N2 sto the new routine to execute (hangs computer...)
. h+ c, T/ D' `# ~* \% N) h# F  m4 {: u. a" Z1 w
    mov     ah, 25h0 N3 t; b9 I3 K! x% z0 K" s
    mov     al, Int_Number (01h or 03h)2 `. c9 w! z! z- N) ^" K
    mov     dx, offset New_Int_Routine0 K8 m  U* S( Q7 N
    int     21h
( S! w4 j/ i* j, _/ Z. R& r7 y. }, t/ K* R% y( B. l& w" I
__________________________________________________________________________
; A) R7 r) l( h, I! y; M
! X% y/ O+ ~6 ~* ?Method 09, u) W, j/ @5 z1 N
=========
$ k1 U' I* H% v2 U* W8 P% j3 f8 C+ Y3 e3 i4 P; l9 s, o2 e9 k+ f
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only4 M7 x" g' B% p# ]3 O0 X
performed in ring0 (VxD or a ring3 app using the VxdCall).- m5 P/ _1 j( D+ J! M
The Get_DDB service is used to determine whether or not a VxD is installed
: q' ^2 F/ s$ f# h$ @# x" Qfor the specified device and returns a Device Description Block (in ecx) for
' x/ G, S4 \( E; H( s$ zthat device if it is installed." ^& _# h/ U6 d8 ]
2 l1 K6 a5 j# Y: m: N# u! B
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID4 G; J2 W/ b. A9 p. Z
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
2 w' f$ ~8 c7 P7 s" o6 f; f   VMMCall Get_DDB- f& R8 T: Y' t- e- X2 [) ~
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
2 e9 j7 f9 O" d2 V0 w6 }. _  y. q5 n2 ?- O9 R. L) N' J) M
Note as well that you can easily detect this method with SoftICE:
, y: h3 o& A. c+ g# \) D   bpx Get_DDB if ax==0202 || ax==7a5fh
' N, d( k1 H6 G8 w+ j4 }
+ ~# D$ c" ]% [/ s  ?+ P6 }! d) T__________________________________________________________________________' N/ H' j# C! T' j/ \
( U6 X: N- Q# R: e$ h
Method 10* j* M& t6 q( a) {
=========
" Q. n5 K# b2 {& y; f' v3 A5 n1 @& @1 ~0 B9 n4 G
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
; H: ]* B7 }2 l) B, ~+ \6 c: W7 i  SoftICE while the option is enable!!& v) R* o( p% j) m% G4 c
- e' n# ^8 \0 Z* Q  D- S
This trick is very efficient:' Z' Z3 Z& z2 o9 ~7 L1 H
by checking the Debug Registers, you can detect if SoftICE is loaded, S/ y0 M- b. _
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if# l/ R# D% a# c' Y& Y& I
there are some memory breakpoints set (dr0 to dr3) simply by reading their9 Z+ V, W6 Y9 ]$ _7 ^
value (in ring0 only). Values can be manipulated and or changed as well$ S# D* b7 d/ F/ z6 P
(clearing BPMs for instance)1 B7 a# D, i. N( B4 r0 n

- c4 B  r. b: T; s7 m! A9 [__________________________________________________________________________
7 x+ D! n: q( E7 d( T
& A, d( t' n& f1 ?) @+ iMethod 11
& W. k4 \2 @0 ^& I+ }/ \( A=========' ^. I# A! L& p& H- k# Q

: Q  f; I' X& K- jThis method is most known as 'MeltICE' because it has been freely distributed
  E8 y8 s  R; y  F- H( Cvia www.winfiles.com. However it was first used by NuMega people to allow
1 [4 M* b% o! P1 D# t% BSymbol Loader to check if SoftICE was active or not (the code is located# I, S: k* u/ w1 H" `, b
inside nmtrans.dll).
$ [+ \$ p, j; w4 F( t  a/ _0 M  I0 T2 Y# G
The way it works is very simple:; X/ J# x2 ]4 F7 ]: s
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ o# i- y4 Z8 l1 CWinNT) with the CreateFileA API.
! _0 c  d% w9 {
8 u  T$ J# j$ R- QHere is a sample (checking for 'SICE'):7 Q' I& l- H4 R3 W0 a

: }1 x; O# N8 Y- Q6 y$ u% D. R/ oBOOL IsSoftIce95Loaded()
5 c* r6 L- ^3 p4 a* g{8 A- ~  Z: L2 S- ?9 k
   HANDLE hFile;  " i9 b+ p0 F6 ]. e) H0 ]: g
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- Y4 a/ S" p1 N5 Q8 `; T+ H                      FILE_SHARE_READ | FILE_SHARE_WRITE,
. f1 t5 O2 ]4 M+ _4 a# X4 b                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
) o; F" ~  J4 T' E9 ^6 m2 j   if( hFile != INVALID_HANDLE_VALUE )3 K3 w) Q. h% c! ]* w9 p
   {- {- x/ B0 G9 i0 ?8 ~, z+ L3 Y' K) A* Y
      CloseHandle(hFile);
# K7 a1 f0 Y& T! E; |# c9 f      return TRUE;
- _2 {7 P0 ?4 Q1 @# ^. N   }+ X3 y2 B/ f- N% ~: {, i, v- h4 \& Y
   return FALSE;
- _2 S6 F. X' M) M2 j7 Y}
  f% X: U4 L3 \2 m0 z) Q7 `6 r  x2 L1 D" E; H  B
Although this trick calls the CreateFileA function, don't even expect to be* K( d. b* n4 n, u, h
able to intercept it by installing a IFS hook: it will not work, no way!2 g- e, X+ C4 a$ K
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
/ a1 ?  H, I$ ~' C" fservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
: A# r9 o) k4 C& n  k3 r* Gand then browse the DDB list until it find the VxD and its DDB_Control_Proc7 }' U7 B' c. p5 [, K6 N
field.9 z2 }/ [9 o% [: g" f
In fact, its purpose is not to load/unload VxDs but only to send a
8 O% k" ~' g: x6 eW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)  G: o; }) q2 t7 m8 Y
to the VxD Control_Dispatch proc (how the hell a shareware soft could try9 z/ I, b4 m5 I: u1 X+ I
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
% E2 l/ C! o% Q, c) S( mIf the VxD is loaded, it will always clear eax and the Carry flag to allow$ A) p+ }2 B+ D, x; o" F! ?
its handle to be opened and then, will be detected.
3 _* R, g+ U( s* ]+ s. P! g' CYou can check that simply by hooking Winice.exe control proc entry point8 ^: v+ Q) y, ^$ c/ C4 E. M" ]. _: ^* j4 m
while running MeltICE.& l/ Z; Y" x( d8 g4 T
1 b5 E, Q6 f# `  t9 C) s

$ B' R6 V5 {# N( ~$ N  00401067:  push      00402025    ; \\.\SICE
7 w, m+ m1 c' I  0040106C:  call      CreateFileA
- ]# R; C0 X; \& W( \7 ?3 c  I  00401071:  cmp       eax,-001
' h+ z6 U1 `0 a4 ^% J  00401074:  je        004010916 H5 ?6 f8 \3 O6 v+ }- ]2 \4 g

' w+ g: I% l- c/ N" C2 y4 `9 }: n
There could be hundreds of BPX you could use to detect this trick.# @) n3 O; {6 G
-The most classical one is:7 r" s. M. ]5 x8 g
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||4 o) Y+ y0 j2 D
    *(esp-&gt;4+4)=='NTIC'
8 j$ n. v1 G; ?& o2 `- g  j: T/ d& K7 Q
-The most exotic ones (could be very slooooow :-(' C  t: }+ q: d8 h) c7 n* T" b
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  " [8 ?. b" e- T  A- V
     ;will break 3 times :-(! ]  |+ B& @" e8 ]* E! p

( j9 X9 s0 [6 K-or (a bit) faster:
. n  E( A$ W) x: E" H- }# K: v/ D   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
! K' Q+ O/ A7 E, U  ~2 T
( T0 R, l0 m- j; s- N$ @5 Y" X   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
% T8 B+ H+ }  l5 O& L. a' A/ _     ;will break 3 times :-(
7 I# P+ x/ ~3 d7 ~
- S9 i  a8 z- \/ m4 I# N( m! _-Much faster:* c* y, i6 A9 ~% p& _& s% P* Y
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
) K5 \; Z1 M7 m! q, P5 m5 z2 Q. u+ k( Y2 |  V1 a6 d6 z
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen( v" X% M+ s1 b+ W; q
function to do the same job:) O3 o  J9 b: x3 u" N$ d$ V( g
2 ?' Q, v& j( t: W" g5 c0 M
   push    00                        ; OF_READ) Y' Q% F2 e- _+ [2 S7 g
   mov     eax,[00656634]            ; '\\.\SICE',0
9 a' U5 p8 D$ v4 I   push    eax& |! _& Z7 ^% Z  M5 b/ c
   call    KERNEL32!_lopen; Z& E+ P: i0 `: a, z+ p
   inc     eax
/ w+ j& t* I/ M' \0 n) f   jnz     00650589                  ; detected' y7 T5 `- U: e. _) t
   push    00                        ; OF_READ
7 z- U+ \( F& A   mov     eax,[00656638]            ; '\\.\SICE'- R  D4 i) w3 T; ~6 K- O
   push    eax; R2 x" \3 l/ ]
   call    KERNEL32!_lopen
0 b* b* L0 {* {) h   inc     eax2 o+ r4 X: U2 O) v. z
   jz      006505ae                  ; not detected8 O" L# ]( D7 y: O! D2 w  R

: W' \" R' [4 M8 I  k
  n* b. B8 J; S, j__________________________________________________________________________& l& N/ M) j% r( Y3 }' M1 G
8 y) j" x% |/ ~) X1 @
Method 12
" i( N4 L" n% i% i9 O- L8 l: o$ _=========
" B4 y. B- e/ o1 ^2 ^0 l
/ m& B& ~8 R( D% f: e9 @: {This trick is similar to int41h/4fh Debugger installation check (code 05
. E, M! S- Q$ y" T5 Z&amp; 06) but very limited because it's only available for Win95/98 (not NT)$ |8 e- R0 c, ^: R1 k5 S
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 O; ~# O, s( I2 G( _, L

) c7 X% i, ?4 q* r& |1 Y  U' `   push  0000004fh         ; function 4fh+ `" d4 T: l" D. v; v0 P/ n( L
   push  002a002ah         ; high word specifies which VxD (VWIN32)* W1 w! i0 O( u( N$ u
                           ; low word specifies which service
7 E5 p1 f# E' V* W2 a+ h                             (VWIN32_Int41Dispatch)
2 Y2 ~* M( @2 N% r5 H8 {* C8 o   call  Kernel32!ORD_001  ; VxdCall
; n2 x1 B4 Y; O   cmp   ax, 0f386h        ; magic number returned by system debuggers
( h9 t- z* z5 P+ C7 Y' V   jz    SoftICE_detected
1 q1 @+ q$ ]4 O$ s
# d+ l; w+ f* r4 U: wHere again, several ways to detect it:* A/ t# n9 `) O% ^9 K! z; l
& G; B# l; l# Q: L% D% c
    BPINT 41 if ax==4f
& T/ y. O2 Y6 B7 A) P& Q8 B% C, x
7 S+ b, Y& ?+ D+ O  _2 m    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
2 s3 i5 u4 C+ J/ z' O( s  n# Y/ \! u1 b, t+ K9 e; R
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
. W3 b2 o; m+ t* P. m4 n4 h
& \- R+ d+ A4 H- Q    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!' K" ~7 H1 V1 Z' G7 B0 D, \

' h" z+ ]5 ?8 G6 W) L__________________________________________________________________________2 i& _5 w+ X- l6 I+ C3 L' N
  p3 H3 N" I4 A& M
Method 13
% i4 ?; I8 S( e. S: f$ H+ ^; v' E=========6 x" P1 @( n; q. V  q

5 a% s  s6 o' e, P5 g- WNot a real method of detection, but a good way to know if SoftICE is
) [" C$ G. g. u: j/ R  ginstalled on a computer and to locate its installation directory.
4 U6 F. p+ g! dIt is used by few softs which access the following registry keys (usually #2) :1 R' c9 t, `7 A/ h6 K
6 B7 M$ I3 t3 r- S6 R. n- R) h+ E
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: Y  l+ e) }" }! ^$ I: `
\Uninstall\SoftICE; M: f/ m7 I7 r# I5 l) F
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 I! Y4 V2 d7 u" I4 c) s# L. z% R
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
) p& R# ]7 k7 o1 ~; F\App Paths\Loader32.Exe% S2 L) f1 P4 V" \3 ]# \$ R. _
( y0 K, R- X" R" ^7 u

+ C' Q: ?! F( E$ H9 y9 QNote that some nasty apps could then erase all files from SoftICE directory
- v8 K7 I. q  f1 [) b% M1 b(I faced that once :-(" |. ]' E8 N  P, _6 i
6 r' G  X% t% C# ^& y5 J5 G* I7 R- t
Useful breakpoint to detect it:8 x  p9 l" k+ e; u5 _

% n' G2 R% z' A+ }6 P& G     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'# H' r" S$ C, l- |

& j9 o0 y* w& B, `__________________________________________________________________________
8 y- u6 z, F( Y
( K/ L! _8 v6 K# Q0 @  N% }* R9 t) w$ N3 [. M7 |. G& w5 ~5 t
Method 14 * ]9 a- I! R: K) N  ]
=========* z' b3 V5 d2 F' Y+ k
, o+ p6 }: y+ D8 U
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
" P, Y3 P' c, g9 I7 bis to determines whether a debugger is running on your system (ring0 only).
# p4 V; h# E4 j, @. k. F5 b. r3 r& R: J; W0 x
   VMMCall Test_Debug_Installed2 x! N$ j) \# F' v" [  z9 f
   je      not_installed
- l' U4 {6 b" G- j! z- b  Y- m/ c' G3 [
This service just checks a flag.) M/ D. i: K! y. F" T4 R
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 01:17

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表