About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
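As an added example (not part of the original post or of any tool it names), a small Python scanner that looks for the byte patterns of the tricks listed above in a binary, so an analyst can triage a packed sample for anti-SoftICE checks before stepping into it. The patterns are hand-assembled from the listings (Methods 01-07), the MeltICE device names (Method 11), the VxDCall argument of Method 12 and the NuMega registry path (Method 13), and the sample bytes are constructed here; it goes a little beyond the text by folding in the 16-bit and 32-bit operand-size variants of each encoding.

```python
import re

# Byte patterns for the anti-SoftICE checks listed above, hand-assembled from the
# post's listings (this example's own encodings; 16- and 32-bit operand-size
# variants are folded in where they differ).
SIGNATURES = {
    "01 BoundsChecker 'BCHK' via int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC",                # mov ebp,4243484Bh .. int 3
    "02 back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46(?:\x00\x00)?.{0,12}?\xBF\x4D\x4A",   # mov (e)si,4647h .. mov (e)di,4A4Dh
    "03/04 int 2Fh/1684h with SICE or SIWVID VxD ID":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,12}?\xCD\x2F",       # mov bx,0202h|7A5Fh .. int 2Fh
    "05/06 int 41h fn 4Fh, magic 0F386h":
        rb"\xCD\x41.{0,16}?\x3D\x86\xF3",                    # int 41h .. cmp ax,0F386h
    "07 int 68h fn 43h (V86 WinICE handler)":
        rb"\xB4\x43.{0,8}?\xCD\x68",                         # mov ah,43h .. int 68h
    "11 MeltICE driver name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",                   # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"\x68\x2A\x00\x2A\x00",                            # push 002A002Ah
    "13 registry probe":
        rb"NuMega\\SoftICE",                                 # ..\Software\NuMega\SoftICE
}
# DOTALL so the "any byte" gaps also match 0x0A, which is a plain byte in code.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes):
    """Return sorted (offset, signature name) pairs for every pattern found in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk (e.g. a packed DOS/Win9x executable) with the same rules."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample "binary": Methods 01, 02, 03 and 05 hand-assembled from the
# listings above, plus a MeltICE device name, separated by NOPs and harmless text.
FILLER = b"\x90" * 8 + b"plain code/data\x00" + b"\x90" * 8
SAMPLE = (
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10" + FILLER
    # Method 02 (16-bit): mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC" + FILLER
    # Method 03 (16-bit): xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F" + FILLER
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10" + FILLER
    # Method 11: NUL-terminated device name as passed to CreateFileA
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  Method {name}")
```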