About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE answers the
BoundsChecker interface, an int 3 issued with 'BCHK' in ebp and a
function number in ax.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; SoftICE's int 3 handler recognises the request
    cmp     al,4                   ; ... and al no longer holds 4 afterwards
    jnz     SoftICE_Detected       ; (with no debugger loaded the program must
                                   ;  catch the int 3 exception itself, see Method 02)

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
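Both checks above leave fixed immediates in the code ('BCHK' in ebp for Method 01, 4647h/4A4Dh in SI/DI for Method 02), so a packed program can be triaged for them statically before it is ever run. The scanner below is an added example written for this page; it is not code from the original text, from HASP or from NuMega. It assumes the standard x86 encodings (BD imm32 for mov ebp, BE/BF for mov si/di, B8 for mov ax, CC for int 3) and a 32-byte look-back window between the setup and the int 3; the three sample byte strings are constructed by hand from the two listings above plus one clean function, not taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opcode fragments the two checks leave behind.  The 3-byte SI/DI patterns match
   "mov si,imm16" (BE/BF iw), "mov esi/edi,imm32" (same bytes + 00 00) and the
   66-prefixed forms alike, so one signature covers DOS and Win32 code. */
static const uint8_t SIG_MOV_SI_FG[]    = { 0xBE, 0x47, 0x46 };             /* mov si,4647h ('FG')  */
static const uint8_t SIG_MOV_DI_JM[]    = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh ('JM')  */
static const uint8_t SIG_MOV_EBP_BCHK[] = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh    */
#define OP_INT3   0xCC
#define OP_MOV_AX 0xB8   /* mov ax,imm16 / mov eax,imm32: low 16 bits carry the function code */
#define WINDOW    32     /* assumption: the setup sits within 32 bytes before the int 3 */

typedef enum { HIT_NONE = 0, HIT_BCHK = 1, HIT_BACKDOOR = 2 } hit_kind;
typedef struct { hit_kind kind; size_t int3_off; int ax_func; } sice_hit;

/* Does `pat` occur in the WINDOW bytes that end (exclusive) at `end`? */
static int seen_before(const uint8_t *buf, size_t end, const uint8_t *pat, size_t plen)
{
    size_t start = end > WINDOW ? end - WINDOW : 0;
    for (size_t i = start; i + plen <= end; i++)
        if (memcmp(buf + i, pat, plen) == 0) return 1;
    return 0;
}

/* Immediate of the nearest "mov ax/eax,imm" before `end`, or -1.  A hint only:
   B8 may also be an operand byte of some other instruction. */
static int ax_func_before(const uint8_t *buf, size_t end)
{
    size_t start = end > WINDOW ? end - WINDOW : 0;
    for (size_t i = end; i-- > start; )
        if (buf[i] == OP_MOV_AX && i + 3 <= end)
            return buf[i + 1] | (buf[i + 2] << 8);
    return -1;
}

/* Report every int 3 that is preceded by one of the two setups.  Returns the total
   number of hits and stores at most `max` of them in `out` (out may be NULL, max 0). */
size_t scan_softice_checks(const uint8_t *buf, size_t len, sice_hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        hit_kind k = HIT_NONE;
        if (buf[i] != OP_INT3) continue;
        if (seen_before(buf, i, SIG_MOV_SI_FG, 3) && seen_before(buf, i, SIG_MOV_DI_JM, 3))
            k = HIT_BACKDOOR;
        else if (seen_before(buf, i, SIG_MOV_EBP_BCHK, 5))
            k = HIT_BCHK;
        if (k == HIT_NONE) continue;            /* a stray CC (padding) is not a hit */
        if (n < max) {
            out[n].kind = k;
            out[n].int3_off = i;
            out[n].ax_func = ax_func_before(buf, i);
        }
        n++;
    }
    return n;
}

/* First hit in a buffer; kind == HIT_NONE when there is none. */
sice_hit first_hit(const uint8_t *buf, size_t len)
{
    sice_hit h = { HIT_NONE, 0, -1 };
    scan_softice_checks(buf, len, &h, 1);
    return h;
}

/* Constructed sample 1: the Haspinst.exe loop above, assembled by hand (16-bit). */
static const uint8_t SAMPLE_HASP[] = {
    0xB8, 0x11, 0x09,       /* mov ax,0911h   */   0x8B, 0x17,             /* mov dx,[bx] */
    0xBE, 0x47, 0x46,       /* mov si,4647h   */   0xBF, 0x4D, 0x4A,       /* mov di,4A4Dh */
    0xCC,                   /* int 3 (offset 11) */
    0x83, 0xC3, 0x02,       /* add bx,2       */   0x41,                   /* inc cx */
    0x83, 0xF9, 0x06,       /* cmp cx,6       */   0x72, 0xEB              /* jb 0095 */
};
/* Constructed sample 2: the Method 01 check as 32-bit code. */
static const uint8_t SAMPLE_BCHK[] = {
    0xBD, 0x4B, 0x48, 0x43, 0x42,   /* mov ebp,4243484Bh */
    0x66, 0xB8, 0x04, 0x00,         /* mov ax,4          */
    0xCC,                           /* int 3 (offset 9)  */
    0x3C, 0x04,                     /* cmp al,4          */
    0x75, 0x10                      /* jnz SoftICE_Detected */
};
/* Constructed sample 3: a harmless function, then int 3 alignment padding. */
static const uint8_t SAMPLE_CLEAN[] = {
    0x55, 0x8B, 0xEC,                   /* push ebp / mov ebp,esp */
    0xB8, 0x11, 0x09, 0x00, 0x00,       /* mov eax,911h: the function code alone is not enough */
    0x5D, 0xC3,                         /* pop ebp / ret */
    0xCC, 0xCC, 0xCC, 0xCC
};

int main(void)
{
    const struct { const char *name; const uint8_t *p; size_t n; } samples[] = {
        { "haspinst-like", SAMPLE_HASP,  sizeof SAMPLE_HASP  },
        { "bchk-check",    SAMPLE_BCHK,  sizeof SAMPLE_BCHK  },
        { "clean",         SAMPLE_CLEAN, sizeof SAMPLE_CLEAN },
    };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        sice_hit hits[8];
        size_t n = scan_softice_checks(samples[s].p, samples[s].n, hits, 8);
        printf("%s: %zu hit(s)\n", samples[s].name, n);
        for (size_t k = 0; k < n && k < 8; k++)
            printf("  %s at int 3 offset %zu, AX=%04X\n",
                   hits[k].kind == HIT_BACKDOOR ? "SI/DI backdoor" : "BoundsChecker BCHK",
                   hits[k].int3_off, hits[k].ax_func < 0 ? 0xFFFFu : (unsigned)hits[k].ax_func);
    }
    return 0;
}
```

The function number is recovered only as a hint (the HASP sample yields 0911h, the BCHK sample 4); a CC used as padding with neither setup in front of it is ignored, but data that happens to contain these byte sequences will still false-positive, so treat a hit as a place to look, not as proof.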
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di                   ; es:di = 0:0 before the call
    mov     ax, 1684h               ; int 2Fh/1684h: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; (still 0:0 if the VxD is not loaded)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; int 41h/4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h              ; a system debugger answers with ax=0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  They first put a dummy handler into the
int 41h vector (es must point to segment 0, the interrupt vector table), so
an unhooked int 41h simply returns; if ax nevertheless comes back as 0F386h,
something sitting in front of the vector table (SoftICE) answered instead:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; only runs if nobody intercepts int 41h
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an unpredictable value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler copied al into cl if it ran...
    jnz     SoftICE_detected        ; ...it did not if SoftICE took the int 41h

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h                  ; int 68h/43h: debugger installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler (ds = its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the Win9x SoftICE VxD; the same call with
      "\\\\.\\SIWVID" (video VxD) or "\\\\.\\NTICE" (NT driver) covers
      the other two names. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the open only succeeds when the driver is loaded */
      return TRUE;
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
   dword compared holds the first four characters of the driver name)


-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(


-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey string; 'tICE' sits at offset 0x13 in
"Software\NuMega\SoftICE" and at 0x37 in the longer Uninstall path of key #1)

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).


   VMMCall Test_Debug_Installed     ; sets ZF when no debugger is installed
   je      not_installed


This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>