About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE (ASCII 'FG' and 'JM').
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver hands out a handle, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.