About anti-SoftICE tricks
Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to the IVT (es = 0, as set up in Method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name \\.\SICE only resolves if the SoftICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
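As an added example, not part of the original post: a small Python scanner that looks for the byte and string signatures of the tricks above (Methods 01, 02, 03/04, 05, 07, 11 and 13) in a binary, the kind of triage check an analyst runs on a protected executable before loading it. The x86 byte encodings and the sample buffer are assumptions of this example, not taken from the text.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    method: str


# Signatures for the anti-SoftICE tricks described above. The x86 byte
# encodings are an assumption of this example (not from the original text):
# they are written for 32-bit code and allow an optional 66h operand-size
# prefix so the same pattern also matches the 16-bit DOS form.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3   (BoundsChecker signature)
    ("01 BCHK/int 3", rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh   (int 3 back-door magic values)
    ("02 int 3 back door", rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2F/1684", rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    ("05 int 41/4F", rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68/43", rb"\xB4\x43\xCD\x68"),
    # Method 11: MeltICE device names handed to CreateFileA/_lopen
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: SoftICE installation key in the registry
    ("13 SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]


def scan(data: bytes) -> List[Hit]:
    """Return every signature match in data, ordered by file offset."""
    hits = [
        Hit(m.start(), name)
        for name, pattern in SIGNATURES
        for m in re.finditer(pattern, data)
    ]
    return sorted(hits)


# Constructed sample buffer (not a real file): NOP filler around a 16-bit
# Haspinst-style sequence (mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3),
# the 32-bit BoundsChecker check, a MeltICE device name and an int 41h check.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02, 16-bit
    + b"\x90" * 3
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # Method 01, 32-bit
    + b"\x90" * 2
    + b"\\\\.\\SICE\x00"                                   # Method 11 string
    + b"\x66\xB8\x4F\x00\xCD\x41"                          # Method 05, 32-bit
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset 0x{hit.offset:04X}: Method {hit.method}")
```

Pattern matching on raw bytes has no notion of instruction boundaries, so a hit is a lead for manual inspection in the disassembler, not proof that the code is reachable.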