About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is changed when SoftICE answers the probe
    jnz     SoftICE_Detected

___________________________________________________________________________
6 |* d8 W, m4 s2 Q$ E; B$ [4 c7 O, i2 X+ E7 h& w( k
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
' r7 W' r" u. G
! o/ m. Y& X7 z4 F" ^) n4 `. h: C( S( l& d, e* l4 \& Y
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
: ^7 w) c! j8 D! S) B9 U- S5 G+ Z5 _. ^
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
4 B( Y# Z2 B( g2 e1 c7 c
" c4 n, J3 d* k
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

. `  d1 H; a1 m0 P5 v6 \8 L2 h- ^+ X. p
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; timer port: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                ; our handler copied al to cl unless int 41h was taken over
    jnz     SoftICE_detected

_________________________________________________________________________
9 \+ z: A0 C$ N, q, t% d3 i( }7 `' X1 }) M9 c
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
$ C) c# C* ?; p# g! ?

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
% I! ?  L' R: H7 T  _5 u' M; B
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
/ Z6 J( w% r  e$ y. N
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
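The two DR7 values quoted above are easier to reason about as bit fields than as opaque numbers. The following decoder is an added example, not code from the original text: it splits a DR7 value into the architectural fields documented in the Intel SDM (Ln/Gn enables, R/Wn and LENn per slot, LE, GE, the reserved bit 10 and GD) and labels the value the way the text reads it. The BPM_EXAMPLE constant is constructed here to show what a live memory breakpoint looks like; the function names are my own.

```python
# DR7 decoder for the Method 10 check.  Added example, not from the original
# text: decodes a DR7 value into its fields so that 0x700, 0x400 and any
# BPM-style hardware breakpoint can be read off instead of compared as magic
# numbers.  Field layout per the Intel SDM, vol. 3, "Debug Registers".

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes; 10 = 8 bytes on
# 64-bit processors (undefined on the 32-bit CPUs SoftICE ran on).
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the four breakpoint slots and the control bits encoded in DR7."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln   (bits 0,2,4,6)
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn   (bits 1,3,5,7)
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn (bits 16-17, 20-21, 24-25, 28-29)
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn (bits 18-19, 22-23, 26-27, 30-31)
        slots.append({
            "index": n,
            "local": local,
            "global": glob,
            "enabled": local or glob,
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),              # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)), # architecturally always reads as 1
        "gd": bool(dr7 & (1 << 13)),             # general detect: #DB on any DRn access
    }


def active_breakpoints(dr7: int) -> list:
    """Slots whose L or G bit is set, i.e. live hardware breakpoints (BPMs)."""
    return [s for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def interpret(dr7: int) -> str:
    """Label a DR7 value the way the text above reads it."""
    d = decode_dr7(dr7)
    live = active_breakpoints(dr7)
    if live:
        descr = ", ".join(
            f"DR{s['index']} {s['condition']} len={s['length']}" for s in live
        )
        return f"hardware breakpoint(s) set: {descr}"
    if d["le"] and d["ge"]:
        return "no breakpoints, LE+GE set (page: seen when loaded by the SoftICE loader)"
    return "no breakpoints, only the always-set reserved bit"


# Constructed value (not from the page): reserved bit, G0 enabled,
# R/W0 = 01 (write), LEN0 = 11 (4 bytes) -> a 4-byte write BPM on DR0.
BPM_EXAMPLE = 0x400 | (1 << 1) | (0b01 << 16) | (0b11 << 18)   # 0xD0402

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_EXAMPLE):
        print(f"dr7=0x{value:x}: {interpret(value)}")
```

Reading the decoder output: 0x400 is only the reserved bit, so it carries no debugger information at all; 0x700 adds LE and GE, which is what the text associates with a program started through the SoftICE loader; anything with an Ln/Gn bit set is a real hardware breakpoint, and the R/W and LEN fields tell you what kind (for a SoftICE BPM, a write or read/write condition on a 1-, 2- or 4-byte range).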

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SoftICE VxD by its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
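The breakpoints given with each method catch these tricks at run time; the static counterpart is to look for their fixed constants in a sample before running it. The scanner below is an added example, not code from the original text or from any of the tools it names: it searches a raw code image for the instruction sequences of Methods 01 to 07 and 12 (the 'BCHK' probe, the 4647h/4A4Dh back-door magic, the int 2Fh/1684h VxD queries, the int 41h/4Fh and int 68h/43h checks, the 0F386h compare and the 002A002Ah VxDCall) and for the strings of Methods 11 and 13 (the \\.\SICE, \\.\SIWVID and \\.\NTICE device names and the NuMega registry key). The opcode bytes are hand-encoded from the listings on this page, the signature names are my own, and the SAMPLE image is constructed for the example.

```python
# Static signature scan for the anti-SoftICE tricks described on this page.
# Added example, not from the original text.  Opcode bytes are hand-encoded
# from the listings above (mov r16,imm16 = B8+reg, int n = CD n, cmp ax,imm16
# = 3D, push imm32 = 68); the 16-bit forms are also substrings of the 32-bit
# forms with a 66h operand-size prefix, so one pattern covers both.
import re

SIGNATURES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 probe",
     # mov ebp,4243484Bh ... int 3
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    ("Method 02: SoftICE back door magic (SI=4647h, DI=4A4Dh)",
     # mov si,4647h / mov di,4A4Dh, in either order, a few bytes apart
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.S)),
    ("Method 03/04: int 2Fh/1684h query for VxD ID 0202h or 7A5Fh",
     # mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    ("Method 05: int 41h function 4Fh debugger check",
     # mov ax,4Fh ... int 41h
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    ("Method 07: int 68h function 43h WinICE handler check",
     # mov ah,43h / int 68h
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("Method 05/07/12: compare ax with magic 0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
    ("Method 11: SoftICE device name (MeltICE / _lopen variant)",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00")),
    ("Method 13: SoftICE registry key",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.I)),
]


def scan(image: bytes) -> list:
    """Return (offset, description) for every signature hit, lowest offset first."""
    hits = []
    for desc, pat in SIGNATURES:
        for m in pat.finditer(image):
            hits.append((m.start(), desc))
    return sorted(hits)


def methods_found(image: bytes) -> list:
    """Distinct signature names hit, in offset order, for a one-line triage summary."""
    seen = []
    for _, desc in scan(image):
        if desc not in seen:
            seen.append(desc)
    return seen


# Constructed sample image (not taken from a real binary): the Method 02
# sequence from the Haspinst.exe listing, the simple Method 05 check and a
# MeltICE device-name string, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"          # mov ax,4Fh
    + b"\xCD\x41"              # int 41h
    + b"\x3D\x86\xF3"          # cmp ax,0F386h
    + b"\x74\x00"              # jz (placeholder displacement)
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"{off:08x}  {desc}")
```

On the constructed sample the scan reports the back-door magic at offset 9, the int 41h check at 20, the 0F386h compare at 25 and the device name at 34. The patterns are deliberately tight (a handful of bytes between the paired instructions) so that a random constant does not fire them; loosen the `.{0,n}?` gaps if the code you triage interleaves other instructions, and expect packed or encrypted sections to need unpacking first, since the constants are only visible in plaintext code.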

6 T" Y/ L. A' p( c5 J/ [* d# L5 r! [  g+ C( @) R0 E
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>