About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al stays 4 unless SoftICE handled the INT 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to point to the IVT (segment 0) here,
    xchg    bx, es:[41h*4+2]        ; as set up explicitly in Method 06
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our own handler: just copy al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler as int 41h, keeping the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a changing value (timer port) into al
    xor     cx,cx
    int     41h                     ; if our handler runs, cl becomes al
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl still 0 -> something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
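To see what such a check actually reads from DR7, here is an added example that is not part of the original text: the Python below decodes a DR7 value into its enable bits (L0..L3 / G0..G3), the LE/GE exact-match bits (bits 8 and 9, which are exactly the difference between the 0x700 and 0x400 values quoted above; bit 10 always reads as 1), the GD bit and the per-slot R/W and LEN fields, following the architectural layout of the register. The value SAMPLE_BPM_DR7 with one armed data breakpoint is constructed for illustration, not captured from SoftICE.

```python
# Added example: decode the x86 DR7 debug-control register the way a
# "read the debug registers" check sees it. Field layout per the Intel SDM;
# SAMPLE_BPM_DR7 below is a constructed value, not one captured from SoftICE.

RW_TYPES = {0b00: "execute", 0b01: "data write",
            0b10: "I/O read/write", 0b11: "data read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return the enable bits, LE/GE/GD flags and per-slot R/W and LEN fields of DR7."""
    slots = []
    for i in range(4):
        local_en = (dr7 >> (2 * i)) & 1          # L0, L1, L2, L3 at bits 0, 2, 4, 6
        global_en = (dr7 >> (2 * i + 1)) & 1     # G0, G1, G2, G3 at bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 0b11        # R/Wn: what kind of access triggers
        ln = (dr7 >> (18 + 4 * i)) & 0b11        # LENn: size of the watched range
        slots.append({"slot": i,
                      "local": bool(local_en), "global": bool(global_en),
                      "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),     # general detect: trap on any DR access
        "enabled": [s["slot"] for s in slots if s["local"] or s["global"]],
        "slots": slots,
    }


def describe_dr7(dr7):
    """One-line summary in the spirit of the check described under Method 10."""
    d = decode_dr7(dr7)
    parts = [f"DR7={dr7:#x}", f"LE={int(d['LE'])}", f"GE={int(d['GE'])}"]
    if not d["enabled"]:
        parts.append("no hardware breakpoints armed")
    for s in d["slots"]:
        if s["local"] or s["global"]:
            scope = "local" if s["local"] else "global"
            parts.append(f"DR{s['slot']}: {scope} {s['type']} len={s['length']}")
    return ", ".join(parts)


# Constructed DR7 with one armed slot: L0 set, R/W0 = data read/write, LEN0 = 4 bytes.
SAMPLE_BPM_DR7 = 0x700 | (1 << 0) | (0b11 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM_DR7):
        print(describe_dr7(value))
```

Reading the enable bits is what tells a checker whether a memory breakpoint is armed; the 0x700/0x400 difference alone only reflects the LE/GE bits, which is why the text ties it to how the program was started rather than to any breakpoint.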

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device answered: the SoftICE driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
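All of the interrupt-based checks above (Methods 01 to 07) and the VxDCall form of Method 12 boil down to a few fixed immediates followed by an interrupt or a push, which makes them easy to flag statically when triaging a sample. The Python below is an added example, not code from the original text: it runs byte-pattern signatures for those instruction sequences over a buffer. SAMPLE is hand-assembled from the listings above (the encodings of the instructions shown, with NOPs as filler) and is not taken from any real file; the offsets in its comments are those of the constructed buffer.

```python
# Added example (not from the original text): static byte-signature scan for the
# INT-based SoftICE checks of Methods 01-07 and the VxDCall form of Method 12.
import re

# Each signature is a regex over raw bytes built from the instruction encodings
# shown in the listings. Up to 8 (or 16) arbitrary bytes may sit between the
# tell-tale immediates and the interrupt so that an interleaved instruction does
# not break the match. 16-bit and 32-bit encodings of 'mov ax, imm16' differ only
# by a 66h operand-size prefix, which the patterns deliberately do not require.
SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' INT 3 check",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)"),             # mov ebp,4243484Bh ... int 3
    ("Method 02: SoftICE INT 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?(?:\xCC|\xCD\x03)"),   # mov si,4647h / mov di,4A4Dh / int 3
    ("Method 03: INT 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),           # mov ax,1684h / mov bx,0202h / int 2Fh
    ("Method 04: INT 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),           # mov ax,1684h / mov bx,7A5Fh / int 2Fh
    ("Method 05: INT 41h function 4Fh (expects 0F386h)",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),                              # mov ax,4Fh ... int 41h
    ("Method 07: INT 68h function 43h (expects 0F386h)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),                                   # mov ah,43h ... int 68h
    ("Method 12: VxDCall VWIN32_Int41Dispatch (002A002Ah), function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                              # push 4Fh / push 002A002Ah
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(buf):
    """Return (offset, label) pairs for every signature hit in buf, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: the listings above hand-assembled (32-bit encodings where
# the page's code is 32-bit), separated by NOP filler. Not bytes from a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"          # offset  4: mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"              #            mov ax, 4
    + b"\xCC"                          #            int 3
    + b"\x3C\x04\x75\x10"              #            cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"          # offset 22: mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"  # offset 27: mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"          # offset 38: mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"                  #            cmp ax,0F386h
    + b"\x90" * 2
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # offset 48: push 4Fh / push 002A002Ah
    + b"\x66\x3D\x86\xF3"              #            cmp ax,0F386h (32-bit code)
    + b"\xB4\x43\xCD\x68"              # offset 59: mov ah,43h / int 68h
)


def scan_sample():
    """Scan the constructed sample; used as the worked result of this example."""
    return scan(SAMPLE)


if __name__ == "__main__":
    for off, label in scan_sample():
        print(f"{off:#06x}  {label}")
```

The lazy gaps keep the signatures tolerant of an interleaved instruction or two, but a pure byte scan is a heuristic: the same immediates can occur in data, so a hit is a reason to look at the disassembly around that offset, not a verdict on its own. The same patterns translate directly into YARA rules for routine triage.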

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
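Both the MeltICE device opens (Method 11) and the registry probes (Method 13) are visible in an API trace, so the same conditions the BPX lines above express can be run over a trace offline, after the fact. The Python below is an added example, not code from the original text: it parses trace lines of the constructed form api("arg", ...) = ret, mirrors the 'SICE' / 'SIWV' / 'NTIC' dword compare of the CreateFileA breakpoint by looking at the four characters after the \\.\ prefix, and matches the three registry keys listed under Method 13 (the 'tICE' offsets 0x13 and 0x37 in the _regopenkey breakpoint are exactly where "SoftICE" ends in keys #2 and #1). The trace format and every line of SAMPLE_TRACE are constructed for the example.

```python
# Added example (not from the original text): flag MeltICE-style device opens
# (Method 11) and SoftICE registry probes (Method 13) in an API trace. The trace
# format and every line of SAMPLE_TRACE are constructed for this example.
import re

DEVICE_PREFIX = "\\\\.\\"                       # the literal \\.\ device prefix
SOFTICE_DEVICES = ("SICE", "SIWVID", "NTICE")   # Win9x: SICE, SIWVID; WinNT: NTICE
# The BPX on CreateFileA compares the dword at path+4, i.e. the four characters
# after the prefix: 'SICE', 'SIWV', 'NTIC'.
DEVICE_TAGS = {name[:4] for name in SOFTICE_DEVICES}

# Registry keys #1-#3 from Method 13 (under HKEY_LOCAL_MACHINE; compared case-insensitively).
SOFTICE_KEYS = {
    r"software\microsoft\windows\currentversion\uninstall\softice",
    r"software\numega\softice",
    r"software\microsoft\windows\currentversion\app paths\loader32.exe",
}

OPEN_APIS = {"CreateFileA", "CreateFileW", "_lopen", "OpenFile"}
LINE_RX = re.compile(r'^(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$')
STR_RX = re.compile(r'"([^"]*)"')


def device_tag(path):
    """Mirror of *(esp->4+4) in the breakpoint: the four characters after the device prefix."""
    return path[4:8]


def classify(line):
    """Return a reason string if the trace line is a SoftICE probe, else None."""
    m = LINE_RX.match(line.strip())
    if not m:
        return None
    api, strings = m.group("api"), STR_RX.findall(m.group("args"))
    if not strings:
        return None
    if api in OPEN_APIS:
        path = strings[0]
        if path.startswith(DEVICE_PREFIX) and device_tag(path) in DEVICE_TAGS:
            return f"{api} opens SoftICE device {path} (Method 11)"
    elif api.startswith("RegOpenKey"):
        if strings[-1].lower() in SOFTICE_KEYS:
            return f"{api} probes SoftICE registry key {strings[-1]} (Method 13)"
    return None


def scan_trace(lines):
    """(1-based line number, reason) for every flagged trace line."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed trace: one benign file open, the three device names from Method 11
# (two via CreateFileA, one via the 16-bit _lopen), a benign and a SoftICE
# registry key, and a legitimate \\.\ device name that must not be flagged.
SAMPLE_TRACE = r'''
CreateFileA("C:\app\settings.ini", 0x80000000, 1, 0, 3, 0x80, 0) = 0x58
CreateFileA("\\.\SICE", 0xC0000000, 3, 0, 3, 0x80, 0) = 0xFFFFFFFF
CreateFileA("\\.\SIWVID", 0xC0000000, 3, 0, 3, 0x80, 0) = 0xFFFFFFFF
_lopen("\\.\NTICE", 0) = 0xFFFFFFFF
RegOpenKeyA(0x80000002, "Software\Microsoft\Windows\CurrentVersion\Run") = 0
RegOpenKeyA(0x80000002, "Software\NuMega\SoftICE") = 2
CreateFileA("\\.\PhysicalDrive0", 0x80000000, 1, 0, 3, 0, 0) = 0x60
'''.strip().splitlines()

if __name__ == "__main__":
    for n, reason in scan_trace(SAMPLE_TRACE):
        print(f"line {n}: {reason}")
```

Checking the four characters after the prefix rather than the whole name is what the original breakpoint does, so 'SIWV' covers SIWVID; a trace-based check can afford to match the full device name if false positives on other \\.\SI* devices matter.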

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
, V( P# p% _, h* }</PRE></TD></TR></TBODY></TABLE>