找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
4 E& j3 n2 g5 n. V+ d5 X<TBODY>8 f! a5 ]0 a8 ^0 |; d
<TR>1 E3 U3 P9 F: M
<TD><PRE>Method 01
! W$ p, d! \& f" b& [=========
; G1 _- q, R+ f3 X+ i/ `3 m; r8 D
This method of detection of SoftICE (as well as the following one) is: z9 G* o2 ^- p) M
used by the majority of packers/encryptors found on Internet.. R  t4 G! v2 }7 @7 r5 x: \0 g
It seeks the signature of BoundsChecker in SoftICE
. D2 H5 s5 o5 ]; z8 w- _' y
3 s& I' D8 f: w) o) C    mov     ebp, 04243484Bh        ; 'BCHK'
2 L! j/ p3 j0 b6 L# {# W    mov     ax, 04h! k. ~8 c3 C* o" z. W1 G9 L7 N
    int     3      
- ?% R) y- s" @9 c2 I1 O3 U    cmp     al,4- [' `( K& |; m+ _$ {7 A8 `
    jnz     SoftICE_Detected: i% j6 Q" r! R7 b" p

# I9 A: o8 I" T' @( {- ^0 E___________________________________________________________________________
% x4 a& X3 q, ^6 i7 X7 i& ]8 S. i; ~3 T8 F5 k
Method 029 @4 u/ r; p/ y3 W& X
=========" L( E7 ]) G0 Y+ A! ~  {/ j, V3 z

& q' i) j7 T* X. L9 WStill a method very much used (perhaps the most frequent one).  It is used
1 D" T2 W3 q- I" {to get SoftICE 'Back Door commands' which gives infos on Breakpoints,+ A$ g  k, `$ n
or execute SoftICE commands...
* |3 e/ f4 u: l/ UIt is also used to crash SoftICE and to force it to execute any commands
" F* z# o. |/ p8 a8 ^(HBOOT...) :-((  & @, n1 E4 m% s; k' k
4 ~# ~, P2 }- p' P8 s) B1 Z
Here is a quick description:
& E" z$ m0 B+ E% X  w-AX = 0910h   (Display string in SIce windows)
1 Y( t, ?8 N. o) B1 H& N% D& t-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)' N% l5 d3 b4 j' _3 q/ _
-AX = 0912h   (Get breakpoint infos)
5 ]+ P% D. C" Q$ U9 X-AX = 0913h   (Set Sice breakpoints)
' g4 n7 s' `+ O% x8 l+ m) b' g-AX = 0914h   (Remove SIce breakoints)
2 S6 i: ?- ?& E0 O8 ]; h% G0 ~
* ]/ E9 j( L! g: }: y/ d- yEach time you'll meet this trick, you'll see:
0 ?3 D. J- o4 z/ T4 C+ ^. z+ `9 t, @-SI = 4647h, c+ Z  t6 @5 m  C- w- p
-DI = 4A4Dh
8 _7 E: }, Z) d: Z, l, l9 P7 e# ^Which are the 'magic values' used by SoftIce.( i) S6 ^8 M2 }  d$ y' @# R* E( _
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 d& {$ A" M; W* V! a( e7 Z6 g

! L. n* A" l5 J9 d! iHere is one example from the file "Haspinst.exe" which is the dongle HASP
2 A5 r) J' L# a+ ^3 C( L0 \Envelope utility use to protect DOS applications:
0 I; S7 U2 v5 q0 q2 a: n0 C1 g# B3 k6 h( b# x' Y

' [' \; a% N' H9 A4C19:0095   MOV    AX,0911  ; execute command.
7 [' b6 d, v# }  q; Q: k4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
8 \3 x+ H4 l7 G4 H6 T8 E4 r8 j4C19:009A   MOV    SI,4647  ; 1st magic value.
" X: p! S1 }$ s4C19:009D   MOV    DI,4A4D  ; 2nd magic value.! v) P! `" k+ \4 m
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*): g, t% H- N4 q3 X
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
% o% t) U. R/ B3 a9 Z* g# @4C19:00A4   INC    CX
( z$ `; B, [/ U  E4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
) M6 s! d5 X% T2 O6 k4C19:00A8   JB     0095     ; 6 different commands.8 {) A3 u$ k7 x
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
  c0 S/ K4 q3 w) j" u; s4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
' O" [, Z) m+ n( k+ q; c, k
) n+ N6 M/ f. B, p$ p- ^6 uThe program will execute 6 different SIce commands located at ds:dx, which$ T3 _2 c0 Z. g2 U
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) V- i0 N1 e+ ^" C& ?  D  y7 V5 _3 Z7 N# A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
! B/ U" P+ d7 u___________________________________________________________________________
1 u* d# D( j  G7 B7 i
  V  ?" z) ^( `8 n9 }+ \  V5 h6 \% @9 U; e4 E9 u3 M, T
Method 03
& {" g" a9 z) T6 T=========
5 S$ `% n- V( s% E5 V3 T3 r8 [! z- t9 N
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
$ }" |! E7 q) M( H) m' D  K(API Get entry point)- |' W. R4 a8 w5 \2 A6 i/ ]
        . B5 ^2 v1 m) E( u7 x, z" v. V

! a3 v; D0 A! [& K' n. e    xor     di,di
- }- O+ T: p  k% _( Q! k    mov     es,di
2 j$ U* L7 R( O0 s- ?    mov     ax, 1684h      
7 C5 J/ ?+ \1 S    mov     bx, 0202h       ; VxD ID of winice
8 V; {) M  w, x9 b- \' s    int     2Fh3 i, W. K& i+ x/ f% O& K% s
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
; n. E# Q7 j$ K1 }# K    add     ax, di  P7 j( [- `4 D5 f8 g" Z& w
    test    ax,ax, e0 W6 ]4 K, @# ^  b2 e+ S
    jnz     SoftICE_Detected
' Y  C" l0 g  d0 {$ A* \7 ~7 E& R% H' O/ O0 R& m# z
___________________________________________________________________________/ V, V$ r- n( c# h/ v0 Y  ]
7 ?+ R+ S6 n8 p1 }+ |; e
Method 04
: Q1 t4 o6 Q, M; d( I( L5 X=========% m4 _' `5 j+ m( i0 {6 M" |

- z9 V$ |6 X4 [Method identical to the preceding one except that it seeks the ID of SoftICE
; E( z7 Y4 E, ^; c; Y8 h( ]GFX VxD.7 {7 l: h* z; R: @" K3 E. V

' |) }) R! \  ?  d" W: {. N    xor     di,di
( e7 X, y$ u2 _. c/ z8 |    mov     es,di, L9 N7 o8 H" ^$ e
    mov     ax, 1684h      
# }7 o# J) _" T    mov     bx, 7a5Fh       ; VxD ID of SIWVID
7 D, a: Q- b7 _* U    int     2fh
' C" M' P1 P; d2 w$ u    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( m; o! L3 r; v& r4 L1 s' e; z3 W4 l( o    add     ax, di2 V1 `7 X& A# z2 D3 \% e9 [# v
    test    ax,ax5 N7 D- f; e+ O. `" K2 s
    jnz     SoftICE_Detected
" u. H: f, Q! k: L% ^! r. _4 p6 h/ H% Z2 i0 _7 ~0 w
__________________________________________________________________________
( w4 D$ ~' z$ E! V
9 a, a4 f- [& t; {- S3 |" v+ T' }. x( P* @
Method 05
. P: I4 _4 ~4 ^! ?: k=========
$ I& L& p- T: i; o$ w5 g# R0 i: ]2 \8 }) b+ W
Method seeking the 'magic number' 0F386h returned (in ax) by all system9 b: i3 k  i" @2 H/ X1 }9 v) f
debugger. It calls the int 41h, function 4Fh.
; P/ v. g, Q. P. L. d: [There are several alternatives.    c  b/ I- \/ _: f

$ A  m! a9 `$ BThe following one is the simplest:6 Y; g5 Z% @, L+ _( y+ q) `
5 O; }3 M" M) s3 K9 @
    mov     ax,4fh
# i7 P  f1 j' }1 G. a    int     41h( D; f. j! _3 Y/ P
    cmp     ax, 0F3868 ?' e3 ]( y8 t
    jz      SoftICE_detected3 _7 ^; j" ~# y, q4 N. |

3 n: Q) \% w6 |7 W* O( h2 q5 l' i4 K* {$ P4 r5 m$ W% x3 o; R! \/ t
Next method as well as the following one are 2 examples from Stone's
! A3 U2 k+ i* l' D) E+ l% A' Q"stn-wid.zip" (www.cracking.net):
- o7 }  O. Q# O! J' A" G3 C+ F" N9 O. \
& v$ }# o9 d4 J' h7 V% Q    mov     bx, cs
" t- c- }* m2 W8 y2 K) T    lea     dx, int41handler2' N& N! h, U! o& Z: s; ]) N: Z
    xchg    dx, es:[41h*4]" V$ ^( j% ?$ K9 f  Q
    xchg    bx, es:[41h*4+2]' Q+ S5 x1 I7 d% Z9 W
    mov     ax,4fh$ \* y% E2 v1 ^$ r: H. ?
    int     41h
* M* Y; X% M$ ]5 s) y8 \% f    xchg    dx, es:[41h*4]8 Y2 g7 l; L4 Q8 ~9 B0 |3 }
    xchg    bx, es:[41h*4+2]
0 N9 `( p9 ^( M# |6 o    cmp     ax, 0f386h
% V2 z: h5 a7 n$ ]) N% M    jz      SoftICE_detected: L  }) C0 g1 b7 y# m! a2 h1 V, v
: i3 f4 G4 d: Q: P
int41handler2 PROC( O  e. I. I: W) |6 x. \& A/ m3 e9 e. I
    iret: M% o( }( E6 M2 c$ x
int41handler2 ENDP
( ^# ]4 `0 x( q; U+ }" H0 M
, e  H9 v- A$ z$ \8 {2 m- A5 @! t# ^3 s5 a
_________________________________________________________________________; G4 i0 ~$ Y6 S3 \* \3 L* s

% Q# F# \' k5 Z+ W6 w
3 s5 j6 _( h7 C* o1 u- JMethod 06! B2 w; M/ k8 W( I) L8 f
=========
( D/ [( I3 Q, R/ ]% S$ R( o
% n% \9 o& I$ I+ Z& e& _
9 W, A) G: Z1 l0 s" }( Z2 c2nd method similar to the preceding one but more difficult to detect:
! a; q* L3 m) j7 \' M5 ~' l8 u- [( ~( w( U5 E) D; l( b

# R/ e4 L3 f1 w, t1 U- N$ @int41handler PROC/ O7 v' |4 f. U
    mov     cl,al$ M7 j: b+ m$ w+ T- H
    iret) k  b  C% g. J  U
int41handler ENDP
# h' ^% H& |2 a5 }6 X
0 q5 |  T7 n  ?, [
& m5 O! \2 L8 B. \9 j* p    xor     ax,ax
! a& ~" F: K- a+ [    mov     es,ax8 X" w7 Q5 f! X; p
    mov     bx, cs1 }, ?& e  C  b2 l. o( U
    lea     dx, int41handler. h3 V3 j! \+ M" k
    xchg    dx, es:[41h*4]  U8 Q% O( a8 {$ D
    xchg    bx, es:[41h*4+2]
% A$ p6 P: N9 Y3 [3 ~    in      al, 40h
' S& y3 J( E5 D    xor     cx,cx
" f( {( B0 l: f) c9 B7 V1 {. i    int     41h
9 C" u% J* N8 {- I+ K    xchg    dx, es:[41h*4]6 \9 V8 }( _0 O" q5 f/ Z% `
    xchg    bx, es:[41h*4+2]
6 G9 Q" E4 g4 M  f    cmp     cl,al! [0 [/ V* T# O7 S
    jnz     SoftICE_detected2 i+ M  v  N( [8 [$ B0 `! r! m
6 U- R: h: G; ~& j
_________________________________________________________________________( f6 X3 c6 q1 ?5 ~1 ^0 z9 L7 _

9 }9 U1 h9 h" M! D+ K+ C2 @Method 07
: X( F1 `2 i1 w- @: H=========  I  A' H8 @+ O! P8 q' w2 x) }
; B5 U& u3 Y5 L
Method of detection of the WinICE handler in the int68h (V86)5 A+ Q8 w4 J1 V' D

8 e; q: n9 |4 [$ v: r    mov     ah,43h& ~- g, \# r1 j
    int     68h
. \1 c6 O3 U/ l1 W    cmp     ax,0F386h, d) G9 J5 l; {: i
    jz      SoftICE_Detected1 f+ @" I$ t8 m6 L- v+ `
& Y3 J4 [; y( G3 C

- Z% p6 S3 Q" V0 e" L6 ?=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit/ v6 \9 g3 k: c4 B  g1 v, Z
   app like this:
' K# E  \) `" \, N/ u/ }& C: c* L/ C3 r& Q2 e4 V% p( T
   BPX exec_int if ax==68
* S& L5 C  B) g7 [% m0 q- r   (function called is located at byte ptr [ebp+1Dh] and client eip is3 R! n& {2 S) V% A( O& v! x
   located at [ebp+48h] for 32Bit apps)
  D; E- m: X9 k) y7 N9 S5 F__________________________________________________________________________
& S1 k. m' s7 F. ]" g: |3 ]. X" O( ~6 `) V. c* j3 w  O7 B

3 E5 z3 n4 g- f  aMethod 08
* T: w. }9 Y0 ?$ v. V/ x=========
3 K: S# ~6 P  s. ~& d4 j
3 j% x/ \, a8 t0 ?: x7 KIt is not a method of detection of SoftICE but a possibility to crash the9 l$ q, V& u0 a0 _4 u$ R
system by intercepting int 01h and int 03h and redirecting them to another
8 V/ X0 G' s6 ]. b4 F; e! i" Proutine.
+ n! I+ I$ N" G) B6 c; y  E- TIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
0 m  M" R, d; g, E- v" Eto the new routine to execute (hangs computer...); t  j0 ^% B3 i1 Y* ^2 p; ]  u

/ C, o9 Q+ n2 D6 P; J- P1 t  c    mov     ah, 25h9 @( b, |4 y9 X" j
    mov     al, Int_Number (01h or 03h)) m9 O/ y; E+ [$ Z* t8 Q: T
    mov     dx, offset New_Int_Routine# c3 Q; y& ]- W1 B. p+ y7 x
    int     21h5 I3 W. K' H8 g$ E
+ C& U; ]1 a, }9 E# U& r
__________________________________________________________________________6 B# z0 l8 ^1 |
4 i1 w/ _" P5 O0 p: C; I# J) P
Method 092 ]# I- D' `; j$ A
=========/ X1 Q6 t; P5 _7 R& U  [4 g3 `
# G% h9 p6 ]3 r9 J5 D6 ~
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
$ E7 G+ I+ ^3 Eperformed in ring0 (VxD or a ring3 app using the VxdCall).
9 h, g+ R" S7 D& G9 S+ G8 H8 f/ vThe Get_DDB service is used to determine whether or not a VxD is installed: W, X& j( X: B8 S- y
for the specified device and returns a Device Description Block (in ecx) for) ~- p8 P: V; G& I
that device if it is installed.' T% W) E# r* L. C% D' |( j
! y4 @) @' P( j- n9 ~# }5 k) j
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
4 E- F2 k" i5 G4 w   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( V) r' X& t- `) H; o   VMMCall Get_DDB
; x- v0 a  j6 L0 L8 d+ d" r   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
  A1 B: z4 Q" _- h+ v: O! }8 J# t8 X2 y( @
Note as well that you can easily detect this method with SoftICE:
; w+ q2 ~$ a6 F: y! i  N+ @   bpx Get_DDB if ax==0202 || ax==7a5fh, o4 N5 H! W, Z) p7 t
' S6 B9 t7 ?( b! j8 K
__________________________________________________________________________: t  i: O# e1 N' D2 [
) F6 ~. t' Q+ ?7 y' ~  m
Method 10+ H$ e5 t1 t9 t7 D& L
=========
( ^* ]# ^# D+ k( S! l5 B: y
2 \* z4 C: Q& F" B=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
% f! D; `9 u' x. y0 d$ m  SoftICE while the option is enable!!
& I; t4 Y( M( T2 P7 g  ^: S9 D3 K4 o2 ~7 F$ }5 f% u% |
This trick is very efficient:$ ^! j5 v' f/ c( N$ N* ^& Y+ t
by checking the Debug Registers, you can detect if SoftICE is loaded- S1 a% o& p0 L2 k
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if+ v. C0 k- p. K
there are some memory breakpoints set (dr0 to dr3) simply by reading their  p1 T" J4 Y7 k% V" t
value (in ring0 only). Values can be manipulated and or changed as well/ e( X& s  U) U6 y* k+ Q
(clearing BPMs for instance)
$ q1 @3 X( O% y1 z2 D4 {7 m# i# G0 M
% t* ^* c8 J; D* u2 l__________________________________________________________________________, g! `% w8 Y. e* f' i0 F

1 Y& W/ e! V; U. J4 Q3 [Method 11
  t! c3 t  V5 y3 V$ z( I0 e=========6 a0 }, L& s4 C( y( s9 }3 F. [

% F2 Z/ a+ a8 c) h; e. |5 T% w8 WThis method is most known as 'MeltICE' because it has been freely distributed
4 @0 p) |% _$ j: \$ h% P% ivia www.winfiles.com. However it was first used by NuMega people to allow1 W! p. _+ g5 S8 @, }) \$ {
Symbol Loader to check if SoftICE was active or not (the code is located
* i7 p- b- A& Z+ P6 b- W& N; rinside nmtrans.dll)." A0 A( v0 {; q( v

. U5 x; B8 w% R2 XThe way it works is very simple:) K6 T$ a3 P4 V3 a  q+ a
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
* p+ J+ M/ Y" H: _WinNT) with the CreateFileA API., F6 `- D! |& P/ I! b
/ y; k  N3 M# K) C
Here is a sample (checking for 'SICE'):
5 x" f0 v; f$ V9 h' A8 y( ]; Y& N4 Y$ x' ?2 b8 [
BOOL IsSoftIce95Loaded()
5 J' ^) i+ Z+ @% n9 `% P{5 }. W$ A! y: c1 n
   HANDLE hFile;  6 n" G# \( s  D( z1 N3 {1 T1 M
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,4 i# H( _1 Z! t  |
                      FILE_SHARE_READ | FILE_SHARE_WRITE,6 I" z: Y; i0 C6 f0 W
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ z5 x* j, E/ L  M2 d
   if( hFile != INVALID_HANDLE_VALUE )
( {2 G& C% D* S( G$ t( }# V/ K  C   {: L5 y! ^9 P# I
      CloseHandle(hFile);' |5 z8 w$ r: ?: a9 A) b
      return TRUE;3 h2 ]- q( X& q5 _% I
   }( W# f- I6 W6 H6 x3 }% @8 W' _
   return FALSE;
) Q- p, O- d' ]# Z/ i}3 M" M' t( q8 S) ~8 |4 l. b4 T  U
# n) B& P! j2 i) E+ a' {
Although this trick calls the CreateFileA function, don't even expect to be' `& w$ G& D' ^$ d0 R
able to intercept it by installing a IFS hook: it will not work, no way!. Q, `& N2 U' e8 |7 d7 j( Q
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
8 t/ P  E3 F+ L) Qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 d) M4 q* B! @# C% m! H+ @
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! Q9 p' {& V( v! l! J4 B: \/ c. r
field.
7 h! b/ R* i( H! t# A1 IIn fact, its purpose is not to load/unload VxDs but only to send a : p; D5 H8 w; s
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 }* a2 Q* V4 o* J0 ?% zto the VxD Control_Dispatch proc (how the hell a shareware soft could try
  H$ ?! m4 J1 A6 fto load/unload a non-dynamically loadable driver such as SoftICE ;-).
0 \3 X/ W& k, n7 g, Q( M/ x' G. {If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 G  M/ `: }. T3 ^3 \! Y& Xits handle to be opened and then, will be detected.
. g* p. u! @. c. c5 ^" JYou can check that simply by hooking Winice.exe control proc entry point8 s2 }5 o1 ^# I
while running MeltICE.
- d8 X8 v# x/ y+ Y2 t+ H+ d9 T0 T- _

" h* J( X1 ~1 k- c& g  00401067:  push      00402025    ; \\.\SICE; E5 q! l3 V+ ]* K$ M; L
  0040106C:  call      CreateFileA" R2 q- o- \9 o( m
  00401071:  cmp       eax,-001# ?2 |8 i( t7 {  }* C
  00401074:  je        00401091
0 q& w9 i" `/ r4 Z) ~8 d" g: W/ h6 @" G- f

4 |) @8 p. n1 E* ^6 Y, ]9 h+ SThere could be hundreds of BPX you could use to detect this trick., L- d* P$ v5 \0 B. V( z
-The most classical one is:3 w+ Z& ^& E1 e' w3 X6 s
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||8 e6 _, g. G  U8 f
    *(esp-&gt;4+4)=='NTIC'
: O* u# v$ U. Z) s, n, u/ ^
0 R$ r0 d7 t3 y0 Z2 P-The most exotic ones (could be very slooooow :-($ q2 l/ d# u& C' \1 Z
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  & |1 @2 c0 J1 m' O) R! y
     ;will break 3 times :-(2 u. K+ ~; t5 m
' a" `9 M: k* w8 z# p
-or (a bit) faster:
. C7 v6 R. T+ }! H$ s6 {& R: i+ ~- e   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')# h( J& ^, i! K% x
7 `8 ^& q* T+ @& T$ `+ q
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  6 u% @3 T" _- j; ~# Y% a
     ;will break 3 times :-(/ H" I8 @. Z" q& F

: r, U: \+ @9 d2 m! m-Much faster:
' Z7 t# }3 c+ S* W   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
' x0 x9 i- S8 E$ P- C
) f/ T% {. i( Y) c9 ANote also that some programs (like AZPR3.00) use de old 16-bit _lopen& v: I# M9 U* X( _3 f
function to do the same job:: |1 j. r3 X+ a' W) ]5 J# H1 N6 k3 Y. P

. z/ {  v. E4 y/ q   push    00                        ; OF_READ
+ C; h; A$ h- Q% ~   mov     eax,[00656634]            ; '\\.\SICE',0, S. M  A( _: H7 V5 [4 }  f
   push    eax
( L9 t( p9 K7 J; h* A. x: O   call    KERNEL32!_lopen" a2 I$ p/ i' P' f5 k. @8 E) k
   inc     eax
8 |* }% O6 _" ~( Y4 V2 S   jnz     00650589                  ; detected
% C! I+ g; g; A  N% b   push    00                        ; OF_READ
5 s1 ]+ H9 |3 t7 Q) B; T   mov     eax,[00656638]            ; '\\.\SICE'# p0 t% ^! [4 p3 g% p$ u1 y& k
   push    eax
" B9 s2 @8 I, f+ }9 K   call    KERNEL32!_lopen
" `1 o/ n0 Y$ m& K' M6 f" M, `   inc     eax
& u' Q( X5 r+ k, }# m! n, r   jz      006505ae                  ; not detected
7 n4 m9 Z: V! Q
) E* O% n2 D+ E% s* j+ A2 e- O" G# a
__________________________________________________________________________/ [' g6 }' j' X! a

/ Z1 e, I2 x( d& \0 M1 R5 WMethod 12
& z0 F* i" X  A0 W=========; D! T8 b& y: ?% u( }4 p$ H# h

+ E4 y9 {! q# c# p! ?# ?This trick is similar to int41h/4fh Debugger installation check (code 056 S# f  O' B/ J
&amp; 06) but very limited because it's only available for Win95/98 (not NT)9 ~+ \3 e+ R5 V8 ~: `- y: `
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 m: y$ L$ }# b4 q% R

3 z7 Y; f, V* j; W  \) r   push  0000004fh         ; function 4fh
2 f5 P+ X. }7 ]; C. o' s  r( x   push  002a002ah         ; high word specifies which VxD (VWIN32)+ n7 }1 Z* E3 S& }8 E
                           ; low word specifies which service
; y# v, [( J0 k( k8 C                             (VWIN32_Int41Dispatch)
) L1 e) e& o) `* B8 A0 v   call  Kernel32!ORD_001  ; VxdCall$ e3 ~. Y! O4 U
   cmp   ax, 0f386h        ; magic number returned by system debuggers! h# ?/ ^  g8 K% d, Z$ n+ ]
   jz    SoftICE_detected8 v; a3 n2 q5 `, z6 d; O

+ G( L3 e. p* z/ G3 @1 sHere again, several ways to detect it:
2 |0 ~( a; X& l. U7 }0 U: X% {+ d; n, z' |3 ]# @" v/ J
    BPINT 41 if ax==4f1 j7 u$ H- i( p  D
. k9 z* h# n, R+ v; s1 s. y
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one5 v( f3 w0 s# p
& p9 U& h2 R/ m9 _1 z) @% b
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A7 r0 Z* L+ j! {2 x
7 `$ \  T0 R; D
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!8 x8 U! K/ h; b" I: x
7 @1 {- `% L3 m1 G& J
__________________________________________________________________________
' I( @% u  ^) d  n3 b  O3 s- j/ {( n; a6 R& H1 _( k
Method 13+ j. n. I  `' U$ [( \1 I
=========  }8 z/ c/ b4 N$ _) N1 P! a

- a' i2 d9 H0 J8 t( kNot a real method of detection, but a good way to know if SoftICE is
+ b* C! V. a% Q9 }installed on a computer and to locate its installation directory.# Z* C1 I/ t7 y- d/ ^- P
It is used by few softs which access the following registry keys (usually #2) :
  B  m) n; ]6 d
8 O2 V* C1 ^: n! S  d% V-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, k; T) M. v7 E& t/ Q\Uninstall\SoftICE
) l6 u8 q+ N; h, R: y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
* v, O& }; I7 r. N& \7 M-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% n+ n0 `0 [4 E2 R# I
\App Paths\Loader32.Exe
' i% s3 M! w7 W7 w8 d% J0 S$ r8 W% ~: X. h* j$ f$ C

; j: o: Y/ D2 t. M5 e* M, A, @Note that some nasty apps could then erase all files from SoftICE directory
2 n8 W9 n$ f, a8 z; H1 i) L(I faced that once :-(
( R( Y' {, u5 X0 D
: j/ {4 z; b$ [Useful breakpoint to detect it:  c& A6 ^3 Z7 a0 C  [, E
3 D# A+ ?+ I8 q9 h8 q
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'; g9 \! x% \( [3 l$ u- C- b
* W* U; q! i* S9 h2 h5 q# t
__________________________________________________________________________
& k; P) N" S( P  Z+ y* |7 `0 D8 t* v5 t8 q

7 F  r5 g: ]5 A1 X5 L- KMethod 14
; w8 T! d4 t, g+ p. g0 ~0 B- b=========
4 ]) K+ }* m" z: s- u
! p; M; ^4 Q; n; }( }5 T: e: f' PA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
8 N# ?# G7 q, Z' ris to determines whether a debugger is running on your system (ring0 only).- M  \. C0 p& I3 ?2 |7 {- C

" K5 u4 {: u4 ~& c) a$ d   VMMCall Test_Debug_Installed
- {2 F( `6 @1 |   je      not_installed7 s- C2 h& h/ _2 z1 P$ q/ a

0 Y! ^) @1 `4 P% a# d- c+ Y' FThis service just checks a flag.
  U* R  r: \  c# y& V</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 00:39

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表