找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
" ]2 ]9 E. ]: D0 W<TBODY>
4 q8 l! D% f; X. c<TR>5 u1 K; R/ o% F+ E, r9 l
<TD><PRE>Method 01 0 e. C* k# E" Z& _
=========9 U! r9 N* q" G3 @+ |$ D
" m) ]/ d. ]8 ~- i
This method of detection of SoftICE (as well as the following one) is. V- H8 q" g: `$ \7 ~
used by the majority of packers/encryptors found on Internet.
( {, m1 I. O  V" c3 lIt seeks the signature of BoundsChecker in SoftICE
# `9 w3 F7 O) D8 g
; n8 j: n6 w% e" C    mov     ebp, 04243484Bh        ; 'BCHK'
5 V( N& t; C% h) j; c5 B: t' b7 e    mov     ax, 04h
- F1 ^7 m  Y2 u. p    int     3      
! a* h3 B3 {4 D$ G6 A6 F5 ^    cmp     al,4- H( o: T, l; J& c
    jnz     SoftICE_Detected8 O' e9 G4 U& N! g& f$ B
: n8 W4 p7 N# H: H5 x8 D
___________________________________________________________________________
: {! {. d: F9 ?7 H7 q+ Q3 Y5 d- o; m- a+ ~6 B) N# ~
Method 02( ^7 q/ ~+ K6 T" F' ?
=========
: \0 z) y- U. V/ z+ ~0 [  R
0 F/ X* {) \+ yStill a method very much used (perhaps the most frequent one).  It is used
# l3 `8 A1 q8 p' X4 Y* {to get SoftICE 'Back Door commands' which gives infos on Breakpoints,2 U/ l7 h5 c; x
or execute SoftICE commands..., K! w, r, b$ a& ?$ s0 T
It is also used to crash SoftICE and to force it to execute any commands, `5 G- [/ ~: ?3 F9 n: z$ ^
(HBOOT...) :-((  9 i9 g8 _$ C1 r9 r' F2 n! }

  ?- o& \& K, R& k1 q( qHere is a quick description:
6 K+ ~* ~  H% e9 z) u! S3 a* p/ X5 X' S4 y-AX = 0910h   (Display string in SIce windows)
" L% Y' m" z3 L$ H& W! x/ }-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 V( S. q! B* j; t) H* a-AX = 0912h   (Get breakpoint infos)2 C- X4 }- _+ \' v% D5 s  F
-AX = 0913h   (Set Sice breakpoints)" X, Y/ J- o: C% D. W
-AX = 0914h   (Remove SIce breakoints)2 N# E7 q# w/ K

3 n1 t1 U- u# K' z( lEach time you'll meet this trick, you'll see:0 K. `; o) O/ C5 |. i
-SI = 4647h
. J/ z% i4 ~0 [' g, u, q-DI = 4A4Dh
& F; ^8 p$ q% d$ s$ Z" e6 z+ iWhich are the 'magic values' used by SoftIce.$ ^& B% P# q# l7 D8 h
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 i' C; B$ ~+ Q. j  m

9 B+ h% c  ~4 J; s6 y* qHere is one example from the file "Haspinst.exe" which is the dongle HASP9 ]6 Q" I1 D. i" e
Envelope utility use to protect DOS applications:
( \" C, y" s( E7 n7 G
0 E' A/ P/ {3 M' `$ q4 F
: A7 E1 N  Y$ D& i4C19:0095   MOV    AX,0911  ; execute command.
8 M; j+ \5 A- I& m6 M4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).2 q" N4 ]( I# L6 U# U* _4 v4 K1 |% I0 J
4C19:009A   MOV    SI,4647  ; 1st magic value.* ]+ n9 L- S/ p) c7 Q
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.8 g4 ?5 o7 z' g  j
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)4 f6 g! v; K" U1 M- t! O" |% a
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
+ c7 z( m& T$ j3 a4 @* A4C19:00A4   INC    CX! A% t5 Q6 M- x
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
& Z: W( b' \5 L9 {5 W- B4C19:00A8   JB     0095     ; 6 different commands.
/ L/ a# {# M1 o. W' r; F- _4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
+ Q' I% U9 P+ P2 ^4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)3 T/ G) _2 [( N7 A, g7 W$ j) L

* E1 \8 V5 c! Y3 VThe program will execute 6 different SIce commands located at ds:dx, which
2 E$ P' L5 [) D( I# F8 X! A7 H, ware: LDT, IDT, GDT, TSS, RS, and ...HBOOT.; I9 D# K. l6 m6 w1 Z$ g

6 r8 Z! H' `- U& v. A* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.; M0 y: D* ?& ]/ l) h
___________________________________________________________________________' ]- v  S8 q) a
) R  S  z3 |/ u; R$ t+ x3 x9 i. o  |) `
! N! R. y% l$ k# Q4 d4 Y. \
Method 03! ~" H+ e, k7 x5 J. l
=========- e) x& M. M4 X1 k
( G1 O. Y% j. F- R
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* x1 K  o3 C. b) N4 Y( q  L% ?(API Get entry point)& o4 D4 {' ~5 D8 a! P- o
        ) L% T8 @; x" w$ o6 V$ a/ K
9 \$ |) p8 q$ {4 n, L7 U: P. F9 f
    xor     di,di" j0 N& D0 C2 f2 p
    mov     es,di* q1 p$ z% ^6 O9 j- S4 c+ S
    mov     ax, 1684h      
$ j9 o, p. `2 k# `    mov     bx, 0202h       ; VxD ID of winice
  d  O# l: L) X7 l    int     2Fh3 t$ i/ f+ n* \, L; `
    mov     ax, es          ; ES:DI -&gt; VxD API entry point, I% X7 p. I9 G& O6 ~- K0 w. u$ _4 T6 `
    add     ax, di( O+ D4 I9 F- t$ g" }
    test    ax,ax
- e+ H3 E( L" K7 n# L    jnz     SoftICE_Detected
* w0 Q* q- B3 D: L* z3 K. F( J- D& }) V
___________________________________________________________________________
+ z" F! f: c3 u. p' b+ T) ^+ H/ _  A" ~; N: d: `1 y
Method 04
& O, H9 }" @5 g. ?=========
. e. w) Q7 l' R6 e/ F
0 P2 r# K. |9 vMethod identical to the preceding one except that it seeks the ID of SoftICE) d/ l6 b2 H8 Q( ^: y* ^1 U
GFX VxD.7 l/ |, J7 C- I. t: ^" @
$ c$ S# s$ W" v: _* W% j
    xor     di,di  g7 Z* z9 K1 T3 e3 t# g" A5 C: X
    mov     es,di
- X0 I9 @/ A6 c* q2 [3 \    mov     ax, 1684h      
: Z  _9 N( f& G2 J    mov     bx, 7a5Fh       ; VxD ID of SIWVID
( `+ H3 m2 R7 Z+ r) T    int     2fh- z: Q" D0 K5 C9 W
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
) x3 }* s' q7 c8 m- {    add     ax, di
5 U3 n+ B; G3 j( c8 K( {' Q    test    ax,ax( }5 u- ?) Z* K# P$ |  n) s
    jnz     SoftICE_Detected7 }8 |. ~6 G: \) q
; C1 S, B' N- N( C% S7 t: t( L
__________________________________________________________________________) Q4 G  c% H3 |0 _* u
& m2 u  z$ A" L% j, Y# h1 X

- T- D; i% d5 M+ B  jMethod 056 M# I: y9 |  i! l+ E3 ^
=========% v) F. T* F# U6 i' F( r1 `: R- q
; f0 `8 x3 r" F, M
Method seeking the 'magic number' 0F386h returned (in ax) by all system: u# c/ z$ y7 _  Z( Z+ P3 \. T, `
debugger. It calls the int 41h, function 4Fh.. ^' s0 h7 ]1 s) K
There are several alternatives.  
9 I- G! B4 s( r  z  l2 w& z& o2 [  v7 y, _* N1 p
The following one is the simplest:
1 b9 k2 i& }% Q- P3 \0 H& k' |. d4 Z, d& Y# I
    mov     ax,4fh
2 m* _+ o" p) Z; q% Z. @" m, n    int     41h
( I8 z6 Y& w& k& T8 C$ k    cmp     ax, 0F386
, g  a" @' {, f, \% _    jz      SoftICE_detected
# k3 H; D' ^% m2 E6 X; s3 D- M6 ?/ Z% p

  i) X9 c( N+ ^6 \Next method as well as the following one are 2 examples from Stone's
" a5 b: X! g+ b6 ^3 s"stn-wid.zip" (www.cracking.net):
" `: r* b/ W1 q' L( u8 a3 J' ]) `8 _$ |; c' {; k2 d
    mov     bx, cs
% r1 E' I" `9 L% g# q9 c+ M    lea     dx, int41handler2" H* J3 s7 F6 w
    xchg    dx, es:[41h*4]3 I% L' |+ D6 r) S9 F
    xchg    bx, es:[41h*4+2]
" D" Q9 ?% C3 {% r: l; L    mov     ax,4fh
$ U& d7 H. k7 h    int     41h
0 g* P+ W$ F* F  L& j7 A8 r  T) V    xchg    dx, es:[41h*4]) z& X' Q) m& g8 p, ~
    xchg    bx, es:[41h*4+2]
$ {: i( j7 L) \7 I    cmp     ax, 0f386h. R3 F# m+ |1 i; v( i# Z4 T( T! w% R
    jz      SoftICE_detected. T2 F8 f# \4 N' O6 d' I% e8 I

  Q9 j" r( O" `: T' Aint41handler2 PROC. l, S; z8 V7 o1 i9 y
    iret' A5 a# f) @) X, S7 Q7 ?
int41handler2 ENDP2 Q2 x( k+ ?6 T% _0 `9 J7 D
1 L, _+ K4 P* {! ~( o
- Y: a9 a  P1 B7 Z2 H) ]6 K( H* L
_________________________________________________________________________# ~* E! }( t5 E  f- M% @$ i  o3 e6 V

* p/ \. B" z1 B! Z6 n
( w2 e; E' r/ CMethod 06
/ x9 V9 b6 t% X. g, G7 N* X=========
7 d- W7 N; q2 \# L) O
( P; H% S8 @% [/ U" @: t" S( O- p# A
2nd method similar to the preceding one but more difficult to detect:' l( I6 V- Y: F. P
6 i) y) M0 U& |" `& u$ V5 N9 ?

8 i5 o8 j# u- H; Sint41handler PROC
4 E$ E4 B  ~+ K  u$ G% i3 M3 |    mov     cl,al
! i7 H! n! Z, `2 `5 I5 S* ]  m    iret
* d  s! `7 |  ^2 p( Vint41handler ENDP
% C7 T' G) ?7 N+ s: f8 V
* M5 U! A2 i; z/ f/ i1 f, m/ o1 H4 b% e9 ?
    xor     ax,ax
; W2 \* x9 L0 G    mov     es,ax' d& z' z3 X7 F1 C
    mov     bx, cs0 F3 X& @" R- w6 n
    lea     dx, int41handler, A. R0 K  y! h
    xchg    dx, es:[41h*4]. }1 v7 b6 u. r8 I
    xchg    bx, es:[41h*4+2]
/ _& w6 R+ N# k4 o( }$ ~+ ]    in      al, 40h! V4 C; U" `0 J# h4 w, j
    xor     cx,cx
. ?' K2 A: i* z7 {    int     41h
! \5 n( Y$ K8 f) g2 k, q    xchg    dx, es:[41h*4]
& O; _* e8 I8 X9 P' q+ [; b    xchg    bx, es:[41h*4+2]
0 L3 M6 |( N* u, i: t) v    cmp     cl,al* B' m1 a# E% H
    jnz     SoftICE_detected/ B# a8 s5 p/ ]4 x0 T
+ J% `0 k  j! V5 O  c4 H
_________________________________________________________________________7 H' i) v$ x+ `/ X8 I  Z8 ^) M
, y: k! I) Y2 s7 u. D
Method 072 P' f2 K) j( V. |& C/ Q
=========
( S6 H+ S/ @  h' w; h7 _0 F1 T, n: P: e. L6 ?! V
Method of detection of the WinICE handler in the int68h (V86)
, i/ Y( V8 @# _0 o( a# h! k9 @0 i$ g- R& [3 h- w
    mov     ah,43h0 w5 E6 n% w% ~' u) ~, Y( T9 B
    int     68h
& U- ~, }( V8 Z; V# s4 j    cmp     ax,0F386h
4 S$ [. M% S$ F; O    jz      SoftICE_Detected
0 [' u7 j% V, w3 ?+ O3 u6 p  T+ R2 D' `: }2 a: |" z; ?& c, g' D$ c! u/ W+ A2 f

$ E8 I2 [6 P% `=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
2 _; f) R  B8 n  b   app like this:
2 m* Y( n# P1 j8 D
7 T0 v, @7 X; i3 f  t   BPX exec_int if ax==68
4 k9 g) m* S. g& f0 G7 N   (function called is located at byte ptr [ebp+1Dh] and client eip is
+ C: l1 j8 X7 w; p( M   located at [ebp+48h] for 32Bit apps); G& d. x+ ~9 X7 D
__________________________________________________________________________, _- E8 T/ Y% S

) H$ `8 g- }$ V$ z2 l& T
. W( [6 k6 ?0 J" h0 {$ n# cMethod 08
: N8 F0 i, x" X3 B- j=========) K3 Q; d. z7 F1 p0 l
3 E9 H; d2 p( w; H2 ]! D& w
It is not a method of detection of SoftICE but a possibility to crash the1 G  @9 D4 ]* o' \' u3 [
system by intercepting int 01h and int 03h and redirecting them to another
  ?1 a  h- v5 y7 ]routine.: B' W1 d4 A1 n$ o: l4 I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
4 l3 `) @- T; Y0 i+ d5 |1 N" ato the new routine to execute (hangs computer...)$ l7 c2 P: H$ U' n. W# ~( N! u% f
0 J' R+ U- C: W0 p& S5 T, o; D: J
    mov     ah, 25h
+ U4 ?7 \& }" Q2 \0 [    mov     al, Int_Number (01h or 03h)6 P" }" c5 z$ V$ G- m, R1 n+ a7 w
    mov     dx, offset New_Int_Routine
1 X+ s" @- V* c! E    int     21h" V$ A/ h, W# r; @; u' P2 x* o# V

0 j4 L' p) z; o/ m! _/ |% b__________________________________________________________________________4 V1 H- m$ a: F1 }/ p0 E: J

* I" ?. H; _, h0 T* K0 L. wMethod 09
& U# H" h6 |' e  M0 b=========7 r5 J: z) f, A: D; W

/ M; k) m8 t# K% k1 wThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
( x4 j& G! K& O9 P1 d& D" X) ^performed in ring0 (VxD or a ring3 app using the VxdCall).
9 P6 w+ I' |' y% Z" k) FThe Get_DDB service is used to determine whether or not a VxD is installed; s4 q9 B: p  u
for the specified device and returns a Device Description Block (in ecx) for5 a# y3 R0 S7 q) [' s" j$ {
that device if it is installed.8 u: j  ~$ S* [4 g

' J: |3 S2 F6 x/ g   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
# Y) [4 ~! P/ C: a  y   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
+ n/ H" ?4 ^' B$ r, A  n5 E3 l4 \   VMMCall Get_DDB1 N8 X$ Y1 F9 _+ ?6 i
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
$ x' W( N2 }% H& Y4 B$ h6 h, t) x1 M5 ?
Note as well that you can easily detect this method with SoftICE:7 c. n0 J. r% {  ?( w3 e& h
   bpx Get_DDB if ax==0202 || ax==7a5fh
% R6 q: d, B9 b0 v0 D" G- W5 G4 u6 ?/ m3 o' u
__________________________________________________________________________
5 x, l* g+ _1 ]1 D7 y& p- n/ W$ o4 ^8 k
Method 10
& I+ o* J9 H7 m5 l1 g=========
& {" m; C! P. a5 I4 c% t# p1 d5 J4 |: F  Q) d
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
5 Z* G$ c  |( r4 M# j  SoftICE while the option is enable!!
1 g* z4 p- d- N0 ?$ T/ s; {
5 r, K: r3 o/ ^4 k/ y1 T( JThis trick is very efficient:
' p: B0 N% l3 F% R" t0 H% h" B" M( Xby checking the Debug Registers, you can detect if SoftICE is loaded! W: s2 g8 i$ H* D- a
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if7 I' v' d  D+ v! D. o
there are some memory breakpoints set (dr0 to dr3) simply by reading their
  v5 {: t% V' A3 D/ c3 Nvalue (in ring0 only). Values can be manipulated and or changed as well
% ^( Q8 s4 h2 [0 d! P$ e0 q! V# g6 Z(clearing BPMs for instance)2 y9 u) W3 k  l+ C8 N
. O3 G. `* C2 C# D( X
__________________________________________________________________________
' \9 P4 ]# Y- I: X) q2 r* u! y1 U+ m. \5 W( U* v2 Y
Method 11* a& }$ p6 K' w; V
=========
7 K7 n9 a- s# V7 X/ S9 A' I* J% i( x; C
This method is most known as 'MeltICE' because it has been freely distributed& s( l* `/ N( s0 R7 W
via www.winfiles.com. However it was first used by NuMega people to allow
, n8 s! C$ o' `( qSymbol Loader to check if SoftICE was active or not (the code is located. ]: R. k/ s/ _( D! {& o, j
inside nmtrans.dll).
* ]4 P! {) ^7 ^( X) @: Z
3 U8 F* {/ s' A3 AThe way it works is very simple:
+ p" [6 _! Y3 a: YIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 U2 {6 _+ z1 T! i7 MWinNT) with the CreateFileA API.! Z5 q* s# Z8 K7 A5 \

7 Z9 d* Q8 z+ wHere is a sample (checking for 'SICE'):3 W0 E' Q( b+ z) X+ F1 W8 s

4 l5 \. @9 E( R6 F7 I/ t. G" h" QBOOL IsSoftIce95Loaded()
1 v  M# c: n& B9 f% |. D{+ m* {0 Q: Q- P* ^# D8 C9 F
   HANDLE hFile;  2 W. l$ g! z. E
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
, [+ f/ D8 N. r+ J" O) h) m9 M                      FILE_SHARE_READ | FILE_SHARE_WRITE,
- b7 M) C3 a5 O" C. M                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! `- A5 F) A/ W9 F   if( hFile != INVALID_HANDLE_VALUE ). Z+ o% [4 n, a& i$ c
   {
+ |9 T4 r7 V) J! h5 G      CloseHandle(hFile);
) t- k. p' [2 x, K8 K9 |      return TRUE;5 _9 W; X' G9 G: q* l
   }! _, S+ U# _/ ^" k% f. y* e
   return FALSE;
. f/ v4 n! u4 g/ R# x1 J}; }7 R9 n4 K* A; x1 \3 v0 K2 J

- Q: D& ^4 w$ j2 @3 i- M2 J1 HAlthough this trick calls the CreateFileA function, don't even expect to be
$ `" y0 I; a4 a1 Q& Sable to intercept it by installing a IFS hook: it will not work, no way!
: t: h! U7 S( S2 a$ vIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, g3 c9 U4 Y4 d! Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)$ B# e/ D: K$ }5 t- F5 w
and then browse the DDB list until it find the VxD and its DDB_Control_Proc7 t8 \( Z* k- r0 f$ _
field.2 H. u8 k/ @& r0 w  \- h# o, k
In fact, its purpose is not to load/unload VxDs but only to send a
: \8 R, X& z" B- `2 ^W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
9 U8 o4 d" p. N' E1 l1 L: Cto the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 H% l) E7 V; x4 W  ^% o% s; x' ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).9 O8 X) v1 \7 m4 X4 s1 K/ x
If the VxD is loaded, it will always clear eax and the Carry flag to allow; o9 {; a# a5 u+ G
its handle to be opened and then, will be detected.. e% U8 {5 f. }& e1 z- ?+ i0 j* B; A
You can check that simply by hooking Winice.exe control proc entry point2 i& ^4 |  d  K! Z/ v8 T7 V* j
while running MeltICE.1 H- c' C8 V1 l
9 A7 B7 ~2 h5 M) Z% X9 l, B& t

. S( o5 K* z! m0 Y0 H8 ^  00401067:  push      00402025    ; \\.\SICE
0 y2 }" w: h" }4 E! Q2 j  ~, R  0040106C:  call      CreateFileA" Z3 r9 F/ [3 A" `+ O" u' O: f$ R
  00401071:  cmp       eax,-001
  p. q6 l- ~; \% Z0 }  00401074:  je        00401091
; h2 ^: J9 g  o# e" `; P" J
4 c/ |* L  }6 K" A) ~8 V/ m4 N+ v7 b$ x9 w" J$ }* F1 F5 W
There could be hundreds of BPX you could use to detect this trick.7 }% N# w9 @- N! J* @; p4 X4 c
-The most classical one is:! Y  J% b6 n' g
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
, i" E8 K4 n8 C# T    *(esp-&gt;4+4)=='NTIC'. t: {' a; t6 Z7 ^$ l
8 }2 A! ^/ g( f6 W1 P
-The most exotic ones (could be very slooooow :-(
$ e5 g2 Q7 p3 h# a4 i   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  * Z/ d- C/ A' Y5 v8 \9 Y
     ;will break 3 times :-(
, q' }8 \8 ~: o( Z( h5 a# q2 S2 O0 p0 q/ x. s1 a
-or (a bit) faster: # r( A' C( L3 d  b' A
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), V! z+ R& d7 }- t* ~2 G$ R
; |- d# n" c& i# N6 ]# L  [
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  & F; F4 `2 {- d3 [1 i. B
     ;will break 3 times :-(- n  R' w5 ~, u8 p( g

- U7 F' y  Q* z2 d2 D' `. L-Much faster:9 b/ t6 T0 t- I9 s% [! x1 a
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV', L; O+ U- ?( o6 J* R9 J

1 _1 X6 d& C$ xNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
" _* d9 k5 L+ ^% xfunction to do the same job:# \# K/ _2 J( E- k" [
/ z) N0 r; Q- T; ?' Z4 m
   push    00                        ; OF_READ9 s! r7 k: J5 P/ e  o0 E! R$ R. A; N
   mov     eax,[00656634]            ; '\\.\SICE',0/ I4 X$ z! t, h3 e! O" W; S7 D
   push    eax1 E9 L# H' ]: ]9 L& H. \
   call    KERNEL32!_lopen7 C: T* d4 R" o
   inc     eax4 y: g* u; Z/ @5 U; b' b+ _( H7 V
   jnz     00650589                  ; detected  {$ [3 H! H& d; F) i
   push    00                        ; OF_READ2 C  r5 I1 \+ q
   mov     eax,[00656638]            ; '\\.\SICE'
* d% C# I. A3 y* o$ ?5 ]' D2 \   push    eax
  S: D; P+ e( B4 @* M8 Y) m   call    KERNEL32!_lopen
- Y; b9 P: ^( Z# P   inc     eax
" b  n! d# x  ~4 r8 j  ^/ x$ R* @   jz      006505ae                  ; not detected3 q( Y( I+ l  N, ]$ |* Y. ^4 J

9 U; h3 G& @! c+ y/ D
: ]$ U6 H9 t  i$ R3 N, L/ [: a5 ~9 X__________________________________________________________________________) D7 E% B7 b* ]$ Y9 v3 h% B
% p" I2 Y: S; ]- ?. [+ w
Method 12  w- D% L. ?# G0 }- J1 a
=========
8 F, C% m+ |  A* g% d
- f8 J3 J* M8 q& B7 GThis trick is similar to int41h/4fh Debugger installation check (code 055 j2 x+ T9 e; i; G# M& c
&amp; 06) but very limited because it's only available for Win95/98 (not NT)9 a( l* L, Y9 U
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! C' I) P6 @0 q! q: ]; F: H8 D3 H: }
& f2 q2 v5 v: w# z2 `: k3 [9 s9 e   push  0000004fh         ; function 4fh
! s! d- s6 g! J" X* }0 i+ N2 ~% Q' d   push  002a002ah         ; high word specifies which VxD (VWIN32)* A$ ^( q9 O6 `8 t3 P
                           ; low word specifies which service
# W- ~+ X* ?8 w1 `+ s2 j8 p3 T6 U7 q% z                             (VWIN32_Int41Dispatch)
: o& E% n6 M* z5 x# Z/ j  Y4 N) g   call  Kernel32!ORD_001  ; VxdCall: y/ i: X0 A0 F4 C6 b
   cmp   ax, 0f386h        ; magic number returned by system debuggers
) p9 [3 }* @* a4 _# ?3 v7 D! ^/ r, I' J   jz    SoftICE_detected
- W# t7 u4 W& ^# h
3 f! A6 K4 U  `/ }Here again, several ways to detect it:
" V7 ]" K) P- `$ B2 Q- d5 g/ u& u
    BPINT 41 if ax==4f
, T2 d2 ^7 n! P: X0 c% B! B  {  l) `
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one+ A, O2 W6 e" p& _! n
4 V5 M/ z4 P2 J- Z
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A. B/ ^& S" P9 @/ ^
& }; e: g2 X, P1 E& \$ T
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
8 F  n2 L: R; E6 I) G& W
6 Q& ^5 W- H/ r__________________________________________________________________________
5 w6 U  `% I9 ?7 _# Y& g/ @
+ G: _% B9 q) `Method 13
3 _/ G7 U- _$ \* R2 m5 Q=========
, x. w2 I5 q- ^. C
5 S- E  Q( t; L8 f* eNot a real method of detection, but a good way to know if SoftICE is/ }! J8 m3 \4 d
installed on a computer and to locate its installation directory.4 Z8 `0 v+ r: q/ q6 _5 ?
It is used by few softs which access the following registry keys (usually #2) :. q, h( x% U. i) n- A

0 s1 {8 j  M# D8 w# Y-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: r- P" Q6 h7 V& a0 I
\Uninstall\SoftICE8 B! S+ H( a3 m8 |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE! L" f! I0 J0 [. {% c( i1 c
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% ?3 o) r# b% s
\App Paths\Loader32.Exe/ @$ X7 [1 b  q) D  D; S

0 ?/ x' r- O$ W4 m( l* _; e
, J  F: ?+ L$ }7 ?/ _3 C- e3 l6 Z  MNote that some nasty apps could then erase all files from SoftICE directory2 O# F9 f, e( |- r8 U
(I faced that once :-(  Q6 t, a. r; k+ U$ k

" q5 L! o6 o2 H: b: D0 NUseful breakpoint to detect it:; ^7 Z) b8 b& H( O( ^* {$ J, x
* z8 g! G1 B6 F$ n  o
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'$ ?& u! R1 F( m9 }) G' w

) ^# I4 f  x6 ]/ S__________________________________________________________________________
1 H" X2 d' l# X* c! p3 D
$ h( Y) O1 b) q, `% K1 b! i, R; f
Method 14
# B3 [& Q! n0 a# h( ?+ L* i; _! k=========
7 L- K% E& [8 S1 s+ M" N5 `8 W1 w3 A* e! m' l- s- ?
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose& F6 v2 Y! G) }
is to determines whether a debugger is running on your system (ring0 only).
* E) k0 I7 Q  e- b2 a, f# r  B- o1 n+ F
9 X, S* L2 c6 L5 ?5 b6 ^: h# n7 [   VMMCall Test_Debug_Installed
! P( q1 J+ d! {   je      not_installed
7 _" V; |" ]4 Q! l9 X
# s: y% s  q4 i8 e% AThis service just checks a flag.  x& n6 n, ?- f4 b9 U
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-15 01:30

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表