About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP set to
'BCHK' and AX to 4, SoftICE answers the int 3 and returns with AL cleared,
so AL is no longer 4. Without SoftICE the int 3 is an ordinary breakpoint
exception, which a Win32 program must catch with its own exception handler
(see the note at the end of Method 02).

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE clears AL
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; DS:DX points to the command string)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; DS:DX points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jumps back.
4C19:00AD   MOV    BX,SP    ; Good_Guy goes ahead :)

The program will execute 6 different SoftICE commands located at DS:DX, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot of the machine).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its device ID via
int 2Fh/AX=1684h (Get Device API Entry Point). If the VxD is loaded,
ES:DI receives its API entry point; otherwise ES:DI comes back as
0000:0000 (the code zeroes both first, so an unanswered call also reads
as 0).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


___________________________________________________________________________


Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger that implements the int 41h debugging interface. It calls
int 41h, function 4Fh (the debugger installation check).
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). Both first point the int 41h vector in
the interrupt vector table at a dummy handler, so that without a debugger
the call is harmless and AX is left unchanged; the premise is that SoftICE
intercepts the interrupt before the vector in the table is used, so its
answer still arrives. (The ES=0 setup is added here; the snippet as
distributed writes to ES:[41h*4] without setting ES.)

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, keep the old vector (BX:DX)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________



Method 06
=========

A second method similar to the preceding one but more difficult to detect:
it calls int 41h without function 4Fh and never compares against 0F386h.
The dummy handler copies AL into CL; if SoftICE intercepts the interrupt,
the handler never runs and CL keeps the zero it was given.
(Caveat: AL is read from the timer port, so about one run in 256 gets AL=0,
and the comparison then passes even with SoftICE loaded.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install dummy handler, keep the old vector (BX:DX)
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector) with
DS:DX pointing to the new routine to execute; since a debugger depends on
those two interrupts for single-stepping and breakpoints, this hangs the
computer...

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints (BPM) are set in DR0 to DR3, simply
by reading their values (ring0 only: a MOV from a debug register faults in
ring3). The values can be manipulated or changed as well (clearing BPMs,
for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega to let the
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument; +4 skips the
 "\\.\" prefix, so the next 4 bytes are the driver name):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the INC EAX test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT), as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the subkey string; 0x13 and 0x37
are the offsets of 'tICE' in "Software\NuMega\SoftICE" and in
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE"):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; zero flag set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>