About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
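
Methods 01 to 05 and 07 each compile to a handful of fixed instruction bytes,
so when a packed sample is triaged on disk or in a memory dump they can be
located without single-stepping past them. The Python scanner below is an
added example, not code from the original post and not one of the tools the
post mentions: it encodes the listings exactly as shown (Method 01 as 32-bit
code, the others as 16-bit code, immediates assembled with the short
"mov reg,imm" forms), runs them over a constructed byte buffer, recovers the
back-door function from the "mov ax,09xxh" that precedes a Method 02 hit, and
decodes the VxD ID carried by a Method 03/04 hit. The signature names, the
sample bytes and the helper functions are all assumptions of this example. A
different assembler or register allocation changes the bytes, so a miss is
inconclusive and a hit is a reason to look closer, not a verdict.

```python
"""Static triage scanner for the interrupt-based SoftICE checks (Methods 01-05, 07).

Added example, not code from the original post.  The byte patterns are the
encodings of the listings above: Method 01 as 32-bit code, the others as
16-bit code, immediates assembled with the short 'mov reg, imm' forms.
"""
from typing import Dict, List, Optional, Tuple

Pattern = List[Optional[int]]  # None is a one-byte wildcard

SIGNATURES: Dict[str, Pattern] = {
    # mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3 ; cmp al,4   (32-bit code)
    "M01 BoundsChecker 'BCHK' int 3":
        [0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04],
    # mov si,4647h ; mov di,4A4Dh ; int 3   (16-bit code, as in the Haspinst listing)
    "M02 SoftICE back door int 3":
        [0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC],
    # mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh   (VxD ID left as a wildcard)
    "M03/04 int 2Fh/1684h VxD entry point":
        [0xB8, 0x84, 0x16, 0xBB, None, None, 0xCD, 0x2F],
    # mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh debugger check":
        [0xB8, 0x4F, 0x00, 0xCD, 0x41],
    # mov ah,43h ; int 68h
    "M07 int 68h/43h V86 handler check":
        [0xB4, 0x43, 0xCD, 0x68],
}

# Back-door functions selected through AX before the Method 02 int 3.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command (ds:dx)",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# VxD IDs queried by Methods 03 and 04.
VXD_IDS = {0x0202: "SICE (WinICE VxD)", 0x7A5F: "SIWVID (SoftICE GFX VxD)"}


def match_at(buf: bytes, pos: int, pattern: Pattern) -> bool:
    """True if pattern (with wildcards) matches buf at pos."""
    if pos + len(pattern) > len(buf):
        return False
    return all(p is None or buf[pos + i] == p for i, p in enumerate(pattern))


def backdoor_function(buf: bytes, hit: int, lookback: int = 12) -> Optional[int]:
    """Scan backwards from a Method 02 hit for 'mov ax,09xxh' (B8 xx 09)
    and return the back-door function number it loads, if it is a known one."""
    for pos in range(hit - 3, max(hit - lookback, 0) - 1, -1):
        if buf[pos] == 0xB8 and buf[pos + 2] == 0x09:
            func = 0x0900 | buf[pos + 1]
            if func in BACKDOOR_FUNCTIONS:
                return func
    return None


def scan(buf: bytes) -> List[Tuple[str, int, str]]:
    """Return (signature, offset, detail) for every hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for pos in range(len(buf) - len(pattern) + 1):
            if not match_at(buf, pos, pattern):
                continue
            detail = ""
            if name.startswith("M02"):
                func = backdoor_function(buf, pos)
                detail = BACKDOOR_FUNCTIONS[func] if func else "function not recovered"
            elif name.startswith("M03"):
                vxd = buf[pos + 4] | (buf[pos + 5] << 8)   # little-endian imm16
                detail = VXD_IDS.get(vxd, "unknown VxD ID %04Xh" % vxd)
            hits.append((name, pos, detail))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: the listings above assembled back to back with nop padding.
SAMPLE = bytes([
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42,   # mov ebp,4243484Bh        (offset 2)
    0x66, 0xB8, 0x04, 0x00,         # mov ax,4
    0xCC,                           # int 3
    0x3C, 0x04,                     # cmp al,4
    0x75, 0x10,                     # jnz SoftICE_Detected
    0x90, 0x90, 0x90,
    0xB8, 0x11, 0x09,               # mov ax,0911h             (offset 19)
    0x8B, 0x17,                     # mov dx,[bx]
    0xBE, 0x47, 0x46,               # mov si,4647h             (offset 24)
    0xBF, 0x4D, 0x4A,               # mov di,4A4Dh
    0xCC,                           # int 3
    0x83, 0xC3, 0x02,               # add bx,2
    0xB8, 0x84, 0x16,               # mov ax,1684h             (offset 34)
    0xBB, 0x02, 0x02,               # mov bx,0202h
    0xCD, 0x2F,                     # int 2Fh
    0xB8, 0x4F, 0x00,               # mov ax,4Fh               (offset 42)
    0xCD, 0x41,                     # int 41h
    0xB4, 0x43,                     # mov ah,43h               (offset 47)
    0xCD, 0x68,                     # int 68h
])

if __name__ == "__main__":
    for name, off, detail in scan(SAMPLE):
        print("%-40s at 0x%04X  %s" % (name, off, detail))
```

Run against SAMPLE, scan() reports five hits at offsets 2, 24, 34, 42 and 47,
naming the back-door function (0911h, execute command) behind the Method 02
hit and the SICE VxD ID behind the Method 03 hit. The wildcard in the
Method 03/04 pattern is what lets one signature cover both VxD IDs.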
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
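
Methods 11 and 13 both leave plain strings in the binary: the device names
handed to CreateFileA or _lopen and the registry paths listed above. A string
sweep therefore complements the breakpoints when a file is examined offline
rather than under the debugger. The following Python is an added example, not
code from the original post: it searches a byte buffer case-insensitively for
the three '\\.\' device names and the three registry paths and reports the
offset of each. It goes one step beyond the page by also matching the UTF-16LE
form of the device names, which a build calling CreateFileW rather than
CreateFileA would contain. The sample buffer, the function names and the
descriptions are constructed for this example.

```python
"""String-level sweep for the driver-handle (Method 11) and registry (Method 13)
checks.  Added example, not code from the original post.  The sample buffer
below is constructed for the demonstration."""
import re
from typing import List, Tuple

DEVICE_PREFIX = b"\\\\.\\"          # the literal '\\.\' opened by CreateFileA / _lopen
DEVICE_NAMES = {
    b"SICE":   "SoftICE Win9x driver",
    b"SIWVID": "SoftICE Win9x video driver",
    b"NTICE":  "SoftICE WinNT driver",
}
# Registry paths from Method 13 as regex fragments (backslashes escaped).
REGISTRY_KEYS = [
    rb"CurrentVersion\\Uninstall\\SoftICE",
    rb"Software\\NuMega\\SoftICE",
    rb"App Paths\\Loader32\.Exe",
]


def _utf16(s: bytes) -> bytes:
    """UTF-16LE form of an ASCII byte string (what a CreateFileW call would use)."""
    return s.decode("ascii").encode("utf-16-le")


def find_indicators(buf: bytes) -> List[Tuple[str, int, str]]:
    """Return (kind, offset, detail) for each indicator, ordered by offset.
    Matching is case-insensitive because device and registry names are."""
    hits = []
    ascii_dev = re.escape(DEVICE_PREFIX) + b"(SICE|SIWVID|NTICE)"
    for m in re.finditer(ascii_dev, buf, re.IGNORECASE):
        hits.append(("M11 device name (ASCII)", m.start(),
                     DEVICE_NAMES[m.group(1).upper()]))
    for name, desc in DEVICE_NAMES.items():
        wide = re.escape(_utf16(DEVICE_PREFIX + name))
        for m in re.finditer(wide, buf, re.IGNORECASE):
            hits.append(("M11 device name (UTF-16)", m.start(), desc))
    for key in REGISTRY_KEYS:
        for m in re.finditer(key, buf, re.IGNORECASE):
            hits.append(("M13 registry key", m.start(), m.group(0).decode("ascii")))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample: padding, an ASCII device name, registry key #2, a UTF-16
# device name, then registry key #1 in lower case to exercise case folding.
SAMPLE = (
    b"\x90" * 8
    + b"\\\\.\\SICE\x00"                             # ASCII '\\.\SICE'     (offset 8)
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"               # registry key #2      (offset 21)
    + _utf16(b"\\\\.\\NTICE") + b"\x00\x00"          # UTF-16 '\\.\NTICE'  (offset 45)
    + b"software\\microsoft\\windows\\currentversion\\uninstall\\softice\x00"
                                                     # 'currentversion...' (offset 92)
)

if __name__ == "__main__":
    for kind, off, detail in find_indicators(SAMPLE):
        print("%-26s at 0x%04X  %s" % (kind, off, detail))
```

On SAMPLE the sweep returns four hits in offset order: the ASCII SICE name at
8, the NuMega key at 21, the UTF-16 NTICE name at 45 and the lower-case
Uninstall key at 92. A packed sample will usually hide these strings until it
is dumped from memory, which is why the sweep is run on the unpacked image.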

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>