找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>! a- a9 p1 U) [4 t7 U5 V! P, L) S
<TBODY>
9 T) J; z, m, Y* B, n4 f( K<TR>. v/ H; u# a8 s+ k$ o
<TD><PRE>Method 01 5 Y; x+ {) u. y0 T
=========
1 c" S" W8 p3 a. ^4 Q$ ]' M: o$ w- n2 U
This method of detection of SoftICE (as well as the following one) is, p5 E- K& @, b1 q: g
used by the majority of packers/encryptors found on Internet.- z- j! f" ~0 g2 o0 n* O+ m9 J
It seeks the signature of BoundsChecker in SoftICE
! V. T( Z1 U$ {4 ~7 @9 \, z' V
4 V+ m2 x6 s, a  d+ z8 [5 O    mov     ebp, 04243484Bh        ; 'BCHK'
- B8 f, A9 i: r& J- u; u    mov     ax, 04h4 }8 ]4 M9 C5 V; N
    int     3       & e: u: R3 w  ~3 V% p. [! `. a0 g
    cmp     al,4' P" n$ I: k( A
    jnz     SoftICE_Detected
  {/ t5 e7 V1 b$ s( F
& o6 n! K/ l! F7 a2 h% e___________________________________________________________________________$ @" F/ m5 n# a4 M1 c, V: j* {

4 ]* \, f4 y" a: M" _Method 02( Y3 |0 b: Q; k, p- C
=========. |# X0 _( _) S, r
# q& j2 |7 p2 a0 `
Still a method very much used (perhaps the most frequent one).  It is used
2 x" s# ?  u8 d; H& k" H0 Nto get SoftICE 'Back Door commands' which gives infos on Breakpoints,' B5 p7 n9 ^: Y4 J
or execute SoftICE commands...& y) [3 t8 F% Z  x- ^
It is also used to crash SoftICE and to force it to execute any commands2 ?3 k; w4 v5 @& x( L( V
(HBOOT...) :-((  
# U0 h% G6 L0 f  U! H+ k1 @
( V' b( z+ L. |# i" c; MHere is a quick description:
; |2 A* L3 o* b6 Y; U2 p% C-AX = 0910h   (Display string in SIce windows)
# O, T, {& p: @' C: H-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
  k9 z, w. O& S3 f-AX = 0912h   (Get breakpoint infos)
0 [  E( i% [# y& _-AX = 0913h   (Set Sice breakpoints)
4 `% h! j6 A9 M. ^8 d-AX = 0914h   (Remove SIce breakoints)
' b( z3 B* L. k' I1 ]+ o1 X+ b$ H) O, p% V/ W( ]; T
Each time you'll meet this trick, you'll see:( ?4 d4 t9 x3 |, H, S& n0 ]0 w
-SI = 4647h2 T5 j) ~2 m  z- n$ [- \6 J7 l
-DI = 4A4Dh/ G. y6 ]$ T( R# n3 M* b: T
Which are the 'magic values' used by SoftIce.
( I8 V5 c% z* J( A" s! kFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& ]7 k0 ^' c8 g" M2 a4 a; x- U. H! Z" n! M: `- b, I, c
Here is one example from the file "Haspinst.exe" which is the dongle HASP
5 Q( ?  s& {5 C- QEnvelope utility use to protect DOS applications:3 {# c2 _7 g: l

/ B+ o; I+ U: s
! `5 b3 y7 p0 E* F9 y4C19:0095   MOV    AX,0911  ; execute command.
$ y2 D' I$ V2 G# L. [' Z4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).7 b# B: D: k* S  l' `5 w& ^* n. ]
4C19:009A   MOV    SI,4647  ; 1st magic value.
0 E7 T: n+ X' u: }2 {4C19:009D   MOV    DI,4A4D  ; 2nd magic value.' s* E6 M! ~. b2 d) d& q
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)( ~3 p" W( T  t: i
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
  n, [- D  m8 `9 r; ?4C19:00A4   INC    CX
! d7 C, d: u$ @3 Z- q4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute/ Q6 n7 N2 O/ z6 e
4C19:00A8   JB     0095     ; 6 different commands.
- J2 R* s1 c; G4 |! {) F' v4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
/ F5 c. U$ U; R  E5 Z4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
8 T  l. _$ b6 {+ L" ?1 c/ ~4 |6 A4 @" S5 [' W% M0 n
The program will execute 6 different SIce commands located at ds:dx, which) T. @$ k$ V/ Y1 ^
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT., |7 I# Q0 H9 n2 I; J  e6 V! R! t

6 r* G1 ~7 |0 ~' k* E# E0 M# u* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.; O" B3 U" I$ B$ l2 R
___________________________________________________________________________
9 Z0 L1 N' B: p8 ]2 d
- j/ y/ \& w6 `3 \  H0 P
& X8 B, ]1 |/ c% ~( T8 m+ F* vMethod 03
; L7 U4 l, k- M$ |, G7 ^6 h=========) x: `# X$ J4 ]- t: i0 p
3 M- }1 n  B/ Z* k5 S6 B# K
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
- S3 Q+ X; Y# J! {(API Get entry point)7 b5 ^, n4 q5 q% C
        
4 ^4 F  O6 b9 @: a3 J( [( e
0 D5 |6 b) a- d  z    xor     di,di% Z+ o$ N+ F8 x7 p; S
    mov     es,di: S( U, \- k% Y: ]9 T
    mov     ax, 1684h      
1 E% w7 t5 a" _3 X! S4 h    mov     bx, 0202h       ; VxD ID of winice
5 b& I& q+ b+ [& y6 d    int     2Fh
% A/ g/ e. T) J) d, t    mov     ax, es          ; ES:DI -&gt; VxD API entry point
) v* N# B9 q$ V8 Z: L% p- K    add     ax, di7 F& a' i% A3 _4 @: U6 ]+ J2 {
    test    ax,ax
: j  A7 z) T+ w/ }& s$ P. n" \9 g    jnz     SoftICE_Detected
- \) U$ M7 D; T* P) I( H$ _, G! l' a0 h3 ]+ V( c' v1 Y
___________________________________________________________________________
! r, E8 \* u! W( b' |! \+ ~6 L, O; v: m1 w3 H- p
Method 04
8 B4 `& X3 i4 i- R9 Q1 o- l=========
1 {4 H  O9 X* M% e+ E1 h
+ E; _) }5 {1 b, O  [; uMethod identical to the preceding one except that it seeks the ID of SoftICE5 C- C4 d9 S7 W8 ^8 E6 y! C/ q
GFX VxD.
1 H: u. o# _! V. A5 S) _
  o8 Y. u5 @# ?4 e7 S. l4 D    xor     di,di, R9 x+ z( X8 b4 Q
    mov     es,di) l1 j2 g/ V4 U. R1 u8 a/ q
    mov     ax, 1684h      
) C. m; a: Q4 Z# N    mov     bx, 7a5Fh       ; VxD ID of SIWVID
+ E, W6 _# S2 p+ _! Y' a    int     2fh7 ^5 N, m4 Q6 z4 c4 V) M9 E
    mov     ax, es          ; ES:DI -&gt; VxD API entry point* ~( h( W) j* b$ E, a
    add     ax, di7 b4 }, c# g; `6 r
    test    ax,ax& N/ j0 k2 `, q( s
    jnz     SoftICE_Detected
7 K: D6 t+ e8 L, E3 w8 }! A' A& o( L9 B
__________________________________________________________________________8 L! g" g* O2 }

- ?) q* h3 M, W3 t& F
1 S, {. S4 Z3 w7 D* T( ?  t) n+ QMethod 05
  t* z2 Z; c0 [  @=========  ~& Q" V$ c7 }) j% }; \1 c' T
- |8 Y, ]: f/ h
Method seeking the 'magic number' 0F386h returned (in ax) by all system. T8 Q/ i6 {, s; F# ]6 G9 }
debugger. It calls the int 41h, function 4Fh.
3 i9 W8 ]. x3 [/ zThere are several alternatives.  # F2 f* G% V* _' w! S$ U7 m
2 \3 s6 ^+ a% M: d$ [% F
The following one is the simplest:
' J8 T4 n* T. b& n9 |! O) ~% c+ G! d7 E
    mov     ax,4fh
& l6 k0 W/ z' [0 i' ?) ?    int     41h' E& K7 I! i+ `% t. ^6 F: D
    cmp     ax, 0F386
$ r+ G" n9 X2 Q" t  L    jz      SoftICE_detected
! j5 g  U" y$ t% J- O2 i4 k2 x" g; u: g. }+ p
& m1 Z$ g% y! f
Next method as well as the following one are 2 examples from Stone's ! L% e3 M2 g! w' T8 h
"stn-wid.zip" (www.cracking.net):
5 I5 f4 w) B" t: [. B; q3 A; V* z4 c! ], m6 s' x
    mov     bx, cs
: @  i4 N4 P: _7 Y7 c    lea     dx, int41handler2* Z" R! m5 N! [
    xchg    dx, es:[41h*4]
  P" j4 `' T9 Y' f- o: a# j  ?  K    xchg    bx, es:[41h*4+2]  w3 t7 S8 [- P4 u$ r1 a% o
    mov     ax,4fh. E( b. d" }" C5 R( Q% N  s
    int     41h
7 Q: u9 G& P' n( G9 j8 r    xchg    dx, es:[41h*4]- w! L* N, o; }
    xchg    bx, es:[41h*4+2]
: U- P) Z# T- M: y4 `( G6 U' l    cmp     ax, 0f386h3 ~5 ^( V# b8 g6 y2 X; S
    jz      SoftICE_detected
: f3 c- m) e' j3 V% i$ d/ P: j, |
7 f5 r! D8 @* S3 k8 @0 _int41handler2 PROC
/ h  x: |$ {( z/ o1 f    iret, T2 [# o( M8 u. j7 l
int41handler2 ENDP
3 y& _3 u* S6 n! M
; I4 _+ B" q+ E- k' j; D. v0 I! [/ T- E, u) [( n! `6 Y
_________________________________________________________________________$ Z: N+ ?) `3 ^. T4 H1 S6 U
% a; I. ?0 q! a

; t/ {8 j) ~4 f+ f* [; j1 JMethod 060 }& U  \, M$ Q+ ?2 p" E& R; }
=========9 h) E; p* b9 K  X/ g% C) U& V
% m8 W! U: P5 z( S/ y

( h& t4 A* h! e; x: Y) a2nd method similar to the preceding one but more difficult to detect:  D: u/ C* ^" V4 I8 i9 t6 [' l

8 k1 [; y/ }) x3 H$ }( H" E/ w8 {
- w3 w) y. b( w6 Vint41handler PROC* d5 @  s( t" c' X  @/ `
    mov     cl,al. v. W3 i4 T1 g
    iret
/ p& I. M! _$ h! P, Eint41handler ENDP' P0 Q0 [# q, G$ f6 j! y
  c: a! {& M8 [& D

& Z8 V6 [/ h% D  N    xor     ax,ax
. @* k5 R2 O, y* U3 K( _    mov     es,ax
+ Y% r, n& ?, E4 y  \    mov     bx, cs# P8 Y' ?* W2 z* V: L$ c: ~2 u8 b6 C
    lea     dx, int41handler- I9 ?0 M' n$ I( Y; @3 ^
    xchg    dx, es:[41h*4]/ h: \- z2 h' s: H* j
    xchg    bx, es:[41h*4+2]' x! y" k3 j3 v$ C4 z, l5 S- ]
    in      al, 40h, p# v$ J8 {  v) O
    xor     cx,cx
" j; U+ `5 m* K    int     41h3 [" Z/ [! ?! s+ O% c1 M% o9 z
    xchg    dx, es:[41h*4]# o3 i% R8 a# R
    xchg    bx, es:[41h*4+2]3 \' @/ I1 f" f. e
    cmp     cl,al$ c6 W5 s& D2 H- M
    jnz     SoftICE_detected
. ~' \: W# w: x4 k; r& q4 c1 w/ @+ j) L9 K5 L% o
_________________________________________________________________________$ ]8 g7 n5 h: |9 U6 k$ \
' V+ g$ k2 D+ I- \! U6 n
Method 07
) K7 }  h3 [( M, i8 K5 Z=========
$ _% ]) }% P. d( d; A6 O$ R! v, |, F; S6 l
Method of detection of the WinICE handler in the int68h (V86)+ h4 s7 s8 u, l

& Y* a2 [2 v/ m" R, ^9 r2 E1 d: T    mov     ah,43h; g( q$ U4 K( v( O- O/ T1 e+ f& ]
    int     68h
- }" Q8 r4 O% ]$ C8 `( h: c7 D. L    cmp     ax,0F386h4 y7 F7 U3 o0 V$ G7 h' P/ N
    jz      SoftICE_Detected
, j3 r# q1 l8 |+ l, |# k
1 a9 m5 \2 B5 r3 [4 b5 W' N
- ?$ U" r/ ?, o* V- ^$ I. s" }. i=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
, A- m& Y: ]7 \/ F   app like this:
# V& r1 W+ e) v6 w2 v: K, p! g# G% ~. i3 {, E( E: w
   BPX exec_int if ax==68( s) o+ a& D) f+ K
   (function called is located at byte ptr [ebp+1Dh] and client eip is: }% R3 I1 M) k2 e8 z. z% c
   located at [ebp+48h] for 32Bit apps)! F! V9 r1 }" O; J2 t$ T$ J
__________________________________________________________________________* H" [9 A# S5 D8 q
, w$ c* H, Q0 A: w- x
0 _/ k' u9 k# _2 y
Method 08
; ?+ t$ `+ {3 |=========) L# ?( Q; f* I: m5 F' i
9 V; ]9 y( w9 d. J# X7 g7 w/ |
It is not a method of detection of SoftICE but a possibility to crash the3 x$ p  c& Q1 G0 Q+ X  [; w. Q
system by intercepting int 01h and int 03h and redirecting them to another- D3 A) R; Y$ T/ \
routine.
5 \, ^0 h) |9 ZIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
2 A/ X! b8 Q7 y! w, G3 [to the new routine to execute (hangs computer...)0 r2 L: F0 \  Y/ t
( b$ ^- ^# E, T: o! _3 I9 e
    mov     ah, 25h" i$ X4 C. F% q2 o9 f6 V
    mov     al, Int_Number (01h or 03h)
% j8 {' B8 J# r1 z- y3 Y/ D7 g/ Y: f4 ]    mov     dx, offset New_Int_Routine
* ?) M: p; U* S* L5 d    int     21h
+ g' X$ w2 s. ]* m! K  `& M1 ^% t: O+ p$ E/ }
__________________________________________________________________________
- C7 J4 o  c& A
( _  N8 |$ {# ZMethod 09# q( {3 B' H; [. Q, @! Q* K
=========
& z+ L1 ?+ V: {; w: C, Z, G
7 @: I9 J0 y# a4 h$ f4 [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
( q" L! C1 }9 G# o/ ?7 {performed in ring0 (VxD or a ring3 app using the VxdCall).
: @1 G( m7 }3 W2 B& o, [; C; B: KThe Get_DDB service is used to determine whether or not a VxD is installed( F" s! g+ I4 \; M  {6 Z
for the specified device and returns a Device Description Block (in ecx) for
! h+ b, x7 o8 j& c4 ~that device if it is installed.4 `/ i1 `$ k" t0 n$ ^( \  N

& w' [. o- _0 G! ]9 l/ k8 n3 T   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
- c6 E# A) f: m) b, U* o; n   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)7 q6 U" _0 C' X
   VMMCall Get_DDB
8 l8 o: n8 M& L$ m& ?( a! h   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
1 b+ N/ z1 W. P7 P
  ~% @( `& P" ]" o5 x: Q9 oNote as well that you can easily detect this method with SoftICE:
, f$ D( T: N8 ?& X. k* g   bpx Get_DDB if ax==0202 || ax==7a5fh5 u$ @3 j8 r! a$ a3 A

0 L' l6 I% c% C/ C# D5 E__________________________________________________________________________4 c6 }) Q2 w. F
% }1 A% x) W. V% k, r
Method 10( C. K* e: s8 ^+ R3 n1 c$ k
=========
% N+ H# N: p) q0 ^; n8 G* g& l6 Z9 I% k0 R' f4 x7 _
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' z5 k2 \8 i; s$ V6 ]  SoftICE while the option is enable!!
' `4 v- z4 Y) J8 [5 O) R' q6 {$ m. D  o* h, b& q- C
This trick is very efficient:, [2 T& h3 a. r) p( o
by checking the Debug Registers, you can detect if SoftICE is loaded
; f" i; f0 E6 Z9 W- A% _- K(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
7 t2 x2 b  x" {. athere are some memory breakpoints set (dr0 to dr3) simply by reading their
4 t% F7 k) m  B) W; gvalue (in ring0 only). Values can be manipulated and or changed as well' I  }! L. F& t+ d  _4 ]0 w) z& g
(clearing BPMs for instance)
" P* \& g% B' {) p) Q' ~- T; P
, R& S7 g& t6 @" J# ]__________________________________________________________________________0 V( m1 Y/ S4 x3 n" \0 @
5 _6 |3 @( M6 f7 X5 t+ a
Method 11+ c# S1 B! _5 s1 Q, O( n1 m
=========
! c7 t9 D' y! O3 L+ {2 y. D+ b( r' `& m, d4 _6 _
This method is most known as 'MeltICE' because it has been freely distributed
) `; r5 H* k. N( \via www.winfiles.com. However it was first used by NuMega people to allow
7 }2 g* q1 T0 ?# r' VSymbol Loader to check if SoftICE was active or not (the code is located: d+ w6 v# F+ i
inside nmtrans.dll).
5 v3 F% G. v; |/ O, |. V
. i* \' F4 h3 EThe way it works is very simple:% M0 l! U/ q# Z0 b2 o5 [5 ]
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
/ {% x$ |. w: lWinNT) with the CreateFileA API.
" [7 m; U) d: X4 j% Y: N3 T) S* U; H9 o' q
Here is a sample (checking for 'SICE'):
- E7 k- }9 v2 y
6 q  z8 q; T- r5 j0 cBOOL IsSoftIce95Loaded()
1 S; E( ^1 b. t  G5 t! w{
6 o+ [% d8 [6 f1 h* i" l2 y   HANDLE hFile;  8 T& z' W0 B4 z" `+ ?. X
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,' K. Z- g4 K4 R6 u+ a& v9 }% O
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
2 N0 r3 ]5 H4 Z6 g( P+ @8 S                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
& D" x5 w) @/ w) R   if( hFile != INVALID_HANDLE_VALUE )
; N7 p1 _) ?2 r' d   {% `  Y4 f  v5 M3 B7 X- S
      CloseHandle(hFile);; b# a! J# Q# E9 p/ k* f# d6 ^
      return TRUE;
2 S0 Z% O  Z  y; e5 i   }% L. `1 Z# g0 L4 k1 b: Z3 j
   return FALSE;# L- \% a' ]& V# `; ?! X* ~( G
}
+ E2 w# ^% l! [0 N
4 n& e# ?1 N( ^7 U) x2 xAlthough this trick calls the CreateFileA function, don't even expect to be5 `# [" }; e% |' a+ j2 z
able to intercept it by installing a IFS hook: it will not work, no way!8 ]( G6 U! F, _2 B) b+ Q- w! c6 z
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
, B9 i+ Q2 r4 Y, O7 Uservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
9 ]! M+ @" |* ~  G) Kand then browse the DDB list until it find the VxD and its DDB_Control_Proc) Z# ?- x( n( Z' v8 X
field.  K6 ]% N* i& O; x
In fact, its purpose is not to load/unload VxDs but only to send a 3 ~! H/ p3 Y; E! ~9 v! P- q
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
. Z" ]8 A! `9 K0 @; Ito the VxD Control_Dispatch proc (how the hell a shareware soft could try
% |1 V/ V7 I- Vto load/unload a non-dynamically loadable driver such as SoftICE ;-).
6 ^* D$ r5 M/ Z* F" p* O1 ZIf the VxD is loaded, it will always clear eax and the Carry flag to allow
: I8 {$ w2 G# L6 `6 N; iits handle to be opened and then, will be detected.# {# |2 Y5 T0 l8 D) i
You can check that simply by hooking Winice.exe control proc entry point
/ C7 Z& q  E6 \6 [; i& x; k0 G3 V! dwhile running MeltICE.
+ a2 X  N+ O. m- Y0 c4 f
- u7 @6 Z8 p- S4 V" j9 Y
& c, r% k5 q! L6 E' |4 `  00401067:  push      00402025    ; \\.\SICE/ q1 S3 |9 v3 u; y% Q& i
  0040106C:  call      CreateFileA
; K, v7 H$ p0 V  z: e9 `  00401071:  cmp       eax,-0016 V4 l; u  j9 P) P  s* `
  00401074:  je        00401091
" N/ K7 r8 R- R) G! m- e* K
8 h' ~9 i& W* z8 Y: u1 E& V* t# ~* F9 ]5 @! C6 B
There could be hundreds of BPX you could use to detect this trick.
1 A! a; q# W% {% i* s-The most classical one is:( ~) u/ I  S$ g6 b, |% K4 q3 ^
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
, p) K6 `/ i# {6 U. u    *(esp-&gt;4+4)=='NTIC'
9 q' R# ~* i0 r8 W, Q/ N3 p& f( c1 Y6 a5 \# B
-The most exotic ones (could be very slooooow :-(
; A. C$ }* y" H- |% Y! p7 P1 u  V( j: ^   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  . c4 I/ G+ W8 T' Q
     ;will break 3 times :-() m3 T6 n" n5 x
* P/ d/ a. R: d0 W" i+ D
-or (a bit) faster: 3 `. A9 y9 B% A: f! I
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')7 X# y, Q8 [0 E7 r6 w9 w

9 h( y# C: p6 R. H$ s   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
* [/ x- q' p+ d% g# M, Y7 ?" t% B     ;will break 3 times :-(
( d& K' w% E  o  c0 y
8 G9 n4 t4 y/ w/ i-Much faster:4 |+ y$ \4 W) M. }" V
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'$ \# e  Y; {' @

, C1 s" a" E9 Z0 y. G7 {; zNote also that some programs (like AZPR3.00) use de old 16-bit _lopen, p; L& E$ m, h, k
function to do the same job:
6 a; U4 s" ?9 Q9 ~, M# w0 [% p. V* [# a: M- t3 `) j5 ?; T
   push    00                        ; OF_READ
/ ^; ?9 p; p  d! k   mov     eax,[00656634]            ; '\\.\SICE',0
% \! q$ \/ w- X0 X& x   push    eax
5 [  N. G" C2 f( r( M   call    KERNEL32!_lopen" b& y. `: ?3 F" }
   inc     eax
& L: p2 J! a4 V; u/ @   jnz     00650589                  ; detected) I7 b6 d' p! a; _2 E
   push    00                        ; OF_READ4 F! Z$ \5 o. B! T3 @
   mov     eax,[00656638]            ; '\\.\SICE'8 \( X. \" ^) B: w& i, e3 y1 Y
   push    eax
5 d! c* V9 [# P1 L, R7 A9 p   call    KERNEL32!_lopen
7 j7 r3 ?  N' X. O   inc     eax8 }* G9 x3 J$ N% M) ~7 g! o
   jz      006505ae                  ; not detected
! b2 M, x9 P" U) N2 d% n& Q, K& m3 T
$ A* t( {; j* `) C7 w$ w
2 w, i+ K. V; u9 H__________________________________________________________________________' E% w0 Q+ l# u6 b
' k$ O) H! z6 ^
Method 12
8 @. ^6 Q5 s) L8 X=========  z2 w3 Q# }+ x5 Z5 b
; n- F/ o1 M( k) l, U3 Y7 m. C% l
This trick is similar to int41h/4fh Debugger installation check (code 05
) e% n8 K4 A7 {" X6 o&amp; 06) but very limited because it's only available for Win95/98 (not NT)
: Y4 Q8 C7 T5 b& b- U+ |% sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
/ N; [" V- g+ M+ D. k) {& }! N# j! r. m4 v9 ~
   push  0000004fh         ; function 4fh7 U' H0 U/ l- W# B- J' U8 K
   push  002a002ah         ; high word specifies which VxD (VWIN32)
2 ]5 `$ b# o8 R- C" E; p* [; X/ G                           ; low word specifies which service
" u: j3 T* h  L9 n9 S3 @9 ?                             (VWIN32_Int41Dispatch)
" c+ M, h( i* V7 w. l! j4 e; x   call  Kernel32!ORD_001  ; VxdCall
" Y& @9 N& i9 }/ p   cmp   ax, 0f386h        ; magic number returned by system debuggers
- T1 u$ a- r7 Z   jz    SoftICE_detected1 N% P! m$ \, Z  \' Y3 w" z

' H, ?! a. ?9 T9 f6 _Here again, several ways to detect it:
' g+ ?0 Z; i3 x2 V7 y
" U3 P3 P9 T$ q4 N8 \0 p& C7 |# w    BPINT 41 if ax==4f' m+ ?- m1 w/ m: U' A6 L& V5 e* [; W

  ?9 D$ h& q; t4 ]; t& C3 D2 V    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one. a# L& O( m3 B9 n+ w* _

+ [3 _+ L& j4 a: U: k    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A  \# m- S1 J' k- U: T0 B

5 |, C$ o* B( l8 y    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!+ v- |" C: T& V/ f9 [

$ h, ~3 N/ B8 x% \% ?- d! B* V__________________________________________________________________________# ~& m" @  L( [2 ^! {- T
6 |; E3 F9 w) O( H0 l
Method 137 t1 L( k$ s0 U! W
=========: p& q, C0 p) b- I: s
. E5 p3 B6 Y! j: q7 Y
Not a real method of detection, but a good way to know if SoftICE is
3 M* M6 r0 w2 D( kinstalled on a computer and to locate its installation directory.. g9 E3 |, p$ _& y9 v6 P, |
It is used by few softs which access the following registry keys (usually #2) :
. @; @- n! Y, L2 C; ~4 z% V0 Z2 ~6 A0 X/ i* n1 v8 i
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ I! H, Y/ G; D$ E/ v
\Uninstall\SoftICE8 P" H. o5 {+ K
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE- P. j9 ?9 J9 V3 O. ~
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" C" Q. W9 g" V* a7 E) i
\App Paths\Loader32.Exe
" y% [7 I# e5 Q' b' D* R2 P' D

, ?( y$ z% `9 L8 yNote that some nasty apps could then erase all files from SoftICE directory: J0 {% f" Y  G1 D
(I faced that once :-(
6 O+ v7 y% a/ R0 d. x! K* |7 t7 ^3 F; [, V: p
Useful breakpoint to detect it:
+ ~* d- v  q. a3 G6 \' V6 c
* r& e) g! L* y     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
. t  A! s8 @* q: }' e5 X0 P
' W2 t, q! |  T: s__________________________________________________________________________. I' c- p# A# r/ b
% l* L) S+ C9 `& h' \% y

. z2 ?3 s  w9 X6 m7 l' Q8 t: A' `Method 14
" G- A1 a9 N* g" Y# X=========
/ f# N: h7 L* D. M& A' r/ n" N2 c2 q) L2 E3 U+ b& u; l* [. y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 [, i- n% G0 m: p8 K3 A, |is to determines whether a debugger is running on your system (ring0 only).% s  A2 }- u$ U

: r5 A* \0 w+ B' b   VMMCall Test_Debug_Installed: ~& o! D- i( K5 [6 q* _; @! h6 N
   je      not_installed- [6 K3 v8 }0 b' u6 ~; C
0 o2 }4 |( N9 q: ~! T7 o# G
This service just checks a flag.
- M7 V* Z; O# U' ~; A7 O  O</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-16 12:58

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表