About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; swap our own handler into the IVT (es = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; our handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; any arbitrary value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; cl != al: our handler did not run
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                   ; DOS: set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
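The two DR7 values quoted above differ only in bits 8 and 9 (LE and GE); bit
10 is the reserved bit that always reads as 1, which is why an idle DR7 is
0x400 and not 0. As an added example (Python, not part of the original text),
here is a decoder that splits a DR7 value into its architectural fields, so a
value read from ring0, a crash dump or a hypervisor can be interpreted instead
of compared against magic numbers. The bit layout is the one documented in
the Intel SDM; the description strings are my own wording.

```python
from dataclasses import dataclass
from typing import Dict, List

# R/W and LEN field encodings from the Intel SDM (vol. 3, "Debug Registers").
RW_KIND = {0: "execute", 1: "write", 2: "I/O read/write", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b = 8 bytes is only defined in 64-bit mode


@dataclass
class HwBreakpoint:
    slot: int        # which of DR0..DR3 holds the address
    local: bool      # Lx bit: enabled for the current task
    glob: bool       # Gx bit: enabled for all tasks
    kind: str        # decoded R/Wx field
    length: int      # decoded LENx field, in bytes


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split a DR7 value into its architectural fields."""
    bps: List[HwBreakpoint] = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        if local or glob:
            bps.append(HwBreakpoint(i, local, glob, RW_KIND[rw], LEN_BYTES[ln]))
    return {
        "breakpoints": bps,
        "LE": bool((dr7 >> 8) & 1),      # local exact (legacy, no effect on P6 and later)
        "GE": bool((dr7 >> 9) & 1),      # global exact
        "bit10": bool((dr7 >> 10) & 1),  # reserved, reads as 1 on every CPU
        "GD": bool((dr7 >> 13) & 1),     # general detect: any mov to/from DRx traps
    }


def describe_dr7(dr7: int) -> str:
    """Summarise a DR7 value the way the ring-0 check in method 10 reads it."""
    f = decode_dr7(dr7)
    parts = []
    if f["breakpoints"]:
        parts.append("%d hardware breakpoint(s) armed: " % len(f["breakpoints"])
                     + ", ".join(f"DR{b.slot} {b.kind} len {b.length}" for b in f["breakpoints"]))
    else:
        parts.append("no hardware breakpoints armed")
    if f["LE"] or f["GE"]:
        parts.append("LE/GE set (the 0x700 state the text attributes to the SoftICE loader)")
    if f["GD"]:
        parts.append("GD set: reading DRx from ring0 would itself trap to the debugger")
    return "; ".join(parts)


if __name__ == "__main__":
    # 0x400: idle; 0x700: LE+GE; 0xF0401: DR0 armed as a local 4-byte read/write BPM.
    for value in (0x400, 0x700, 0x400 | 0x1 | (3 << 16) | (3 << 18), 0x400 | (1 << 13)):
        print(f"DR7={value:#x}: {describe_dr7(value)}")
```

The GD flag is the architectural answer to this trick: with bit 13 set, the
very `mov eax, dr7` that method 10 relies on raises a debug exception before
the value reaches the program, which is why the decoder reports it separately.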

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
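The conditional breakpoints given for methods 11 and 13 both read a pointer
argument off the stack and compare four bytes at a fixed offset into the
string it points to: `esp->4` is lpFileName at CreateFileA entry and `+4`
skips the `\\.\` device prefix, while `esp->8` is lpSubKey at RegOpenKeyA
entry and 0x13/0x37 are where "tICE" sits inside key #2 and key #1. As an
added example (Python, not part of the original text), here is a small model
of that stack frame that evaluates the two conditions exactly as written, so
the offsets can be checked without a live debugger. The memory model, the
addresses and the way the 4-character literal is compared (in memory order)
are my assumptions; the Win32 constants are the real ones.

```python
from typing import Dict, List


class FlatMemory:
    """Constructed byte-addressed little-endian memory, just enough to model a call frame."""

    def __init__(self) -> None:
        self.cells: Dict[int, int] = {}

    def write(self, addr: int, data: bytes) -> None:
        for i, b in enumerate(data):
            self.cells[addr + i] = b

    def read(self, addr: int, n: int) -> bytes:
        return bytes(self.cells.get(addr + i, 0) for i in range(n))

    def dword(self, addr: int) -> int:
        return int.from_bytes(self.read(addr, 4), "little")

    def push(self, esp: int, value: int) -> int:
        esp -= 4
        self.write(esp, value.to_bytes(4, "little"))
        return esp


def build_stdcall_frame(mem: FlatMemory, esp: int, args: List[int], ret: int) -> int:
    """Stack as the callee sees it at entry: args pushed right to left, then the return address."""
    for a in reversed(args):
        esp = mem.push(esp, a)
    return mem.push(esp, ret)


def softice_cond(mem: FlatMemory, esp: int, arg_off: int, skip: int, literal: bytes) -> bool:
    """Evaluate *(esp->arg_off+skip)=='literal'.

    esp->N is SoftICE's notation for the dword stored at esp+N; the 4-char
    literal is compared against the 4 bytes at that pointer plus 'skip', in
    memory order (this is how I model SoftICE's multi-character constants)."""
    ptr = mem.dword(esp + arg_off)
    return mem.read(ptr + skip, 4) == literal


STACK_TOP = 0x0012FF80    # constructed stack pointer before the call
STR_BASE = 0x00402000     # constructed address of the string argument
RET_ADDR = 0x00401071     # constructed return address
HKEY_LOCAL_MACHINE = 0x80000002


def createfile_hit(filename: str) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'"""
    mem = FlatMemory()
    mem.write(STR_BASE, filename.encode("ascii") + b"\0")
    # CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    #             dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
    esp = build_stdcall_frame(mem, STACK_TOP,
                              [STR_BASE, 0xC0000000, 3, 0, 3, 0x80, 0], RET_ADDR)
    # esp->4 is lpFileName; +4 skips the "\\.\" device prefix to the driver name.
    return any(softice_cond(mem, esp, 4, 4, lit) for lit in (b"SICE", b"SIWV", b"NTIC"))


def regopenkey_hit(subkey: str) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    mem = FlatMemory()
    mem.write(STR_BASE, subkey.encode("ascii") + b"\0")
    # RegOpenKeyA(hKey, lpSubKey, phkResult): esp->8 is lpSubKey.
    esp = build_stdcall_frame(mem, STACK_TOP, [HKEY_LOCAL_MACHINE, STR_BASE, 0x0012FFC0], RET_ADDR)
    # 0x13 is where "tICE" sits in "Software\NuMega\SoftICE" (key #2),
    # 0x37 where it sits in "...\CurrentVersion\Uninstall\SoftICE" (key #1).
    return softice_cond(mem, esp, 8, 0x13, b"tICE") or softice_cond(mem, esp, 8, 0x37, b"tICE")


if __name__ == "__main__":
    for name in (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE", r"C:\boot.ini"):
        print(f"CreateFileA({name!r}) -> {'break' if createfile_hit(name) else 'pass'}")
    for key in (r"Software\NuMega\SoftICE",
                r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
                r"Software\Microsoft\Windows\CurrentVersion\Run"):
        print(f"RegOpenKeyA({key!r}) -> {'break' if regopenkey_hit(key) else 'pass'}")
```

Running the script shows the three driver names and the two SoftICE keys
breaking while an ordinary file path or registry path passes. The same
arithmetic explains why the breakpoint for key #3 (App Paths\Loader32.Exe)
is missing from the text: that path contains no "tICE" at all.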

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>