找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>2 P+ f  K  ~: d$ O/ s' x* F2 G
<TBODY>0 d# T  @/ H+ j$ V
<TR>& n  C6 g  y: Y* t. Y
<TD><PRE>Method 01 6 F- C# G# v) N4 K7 Z3 J: T
=========
: a$ J3 _) z) y/ d! A
' k5 `  r! N" }: RThis method of detection of SoftICE (as well as the following one) is' S1 \: f' r3 @. z: ?* f- h5 Y' Q2 ?$ }
used by the majority of packers/encryptors found on Internet.) p# Y) a* s  U: ^! i
It seeks the signature of BoundsChecker in SoftICE
7 G* i4 M7 G6 H$ |5 u5 V+ Z+ Q: z; p
    mov     ebp, 04243484Bh        ; 'BCHK'! O- a$ ?' ~% o1 c& k/ s
    mov     ax, 04h
' j2 H* P9 J6 y2 Y% h    int     3       + C# b$ d6 x5 X- r2 S7 N6 t
    cmp     al,4: q& J0 I3 e6 p; p
    jnz     SoftICE_Detected
- L: A; v$ L3 i1 g2 D5 B! D/ I2 ]( ]7 ]: Q8 v% Q- l8 l
___________________________________________________________________________% V) S0 E, c) m7 u  P$ [2 V0 x+ a

" ~# r, s. ]# K% [7 OMethod 020 r/ ?8 f. a  N; y% ~* k
=========
2 v3 y9 a( g! k& h1 O3 ~6 M" y% d) d! t+ R! m' m- L0 c# d
Still a method very much used (perhaps the most frequent one).  It is used
5 ^0 ~/ ~; W% R% a/ dto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
. P# b3 C- U7 l* u% q6 d9 n  vor execute SoftICE commands...+ O' q- c6 V6 }+ R0 f0 q
It is also used to crash SoftICE and to force it to execute any commands
5 o9 |2 C: P4 w5 G(HBOOT...) :-((  - Z3 M- N1 @4 `% ]3 o

% ^2 z" X, k4 ~, N: `: NHere is a quick description:
1 s# u7 ~+ L4 c4 g-AX = 0910h   (Display string in SIce windows)
! z% _. |% v5 ?8 d7 u6 G% E-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)8 ?/ M; Z1 t: |, o9 ]
-AX = 0912h   (Get breakpoint infos)' |5 j0 W  q( A$ Z  Y
-AX = 0913h   (Set Sice breakpoints)
- `9 t/ t5 o& m) l( |& q) ^- c5 w-AX = 0914h   (Remove SIce breakoints)' V; R/ [9 [3 f$ k0 \

4 Y; a( A/ e/ h$ `; s4 @Each time you'll meet this trick, you'll see:7 A; e0 _0 M( ~0 M1 N$ G
-SI = 4647h# n) {& r- m3 K2 p. I
-DI = 4A4Dh0 }; W) N2 f4 q0 f* _" r
Which are the 'magic values' used by SoftIce.& E! U# t+ U( y' j7 x: N% u
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
! Z5 d0 q' a: R# Y9 t$ ?3 h/ S% G+ n, h$ T
Here is one example from the file "Haspinst.exe" which is the dongle HASP
2 x& `& I' e$ v' wEnvelope utility use to protect DOS applications:& R: C- W3 P& t9 X- X( @

& S& G* T+ i4 g* x: |7 k  s& e' b& s: f2 j* m6 E
4C19:0095   MOV    AX,0911  ; execute command.' n2 B& ^4 x4 {& s2 g
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
2 i& f: |. K3 |# F9 q# \4C19:009A   MOV    SI,4647  ; 1st magic value.* ~, E0 a( u+ Z" j5 c; k2 V
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
- W( F: m2 p8 f$ l4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*); x* ?: F5 t$ I
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute1 |0 g9 n0 _4 h, B7 K
4C19:00A4   INC    CX
# M$ S  z6 G: b4 y  A7 ?4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute3 `7 L6 \( |3 e, z) w
4C19:00A8   JB     0095     ; 6 different commands., t6 b' r) D* U# |, h$ i
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
; @1 H& ~5 \; h: s9 p, i  |3 [4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)5 ]+ E3 t. @6 z: O3 {- c: g  \3 W6 Q- `

, {" v, l; S: H; x4 f* d; u: }The program will execute 6 different SIce commands located at ds:dx, which
* I9 n8 ?+ \: f) l# @* oare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
+ O5 @! `# T- |
% n$ J5 k6 A; N* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.* Y/ T( w5 v8 @. O; X
___________________________________________________________________________+ [2 O4 t; ^% z

+ r- p# u8 a9 E- k, G; X1 F& i
4 y0 O8 ?2 b6 J  h/ y; qMethod 033 a. b/ l0 E1 K$ J9 |4 v
=========' c, V& V. K4 w& `/ ?2 G5 D

, w5 E3 X! ^2 FLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
) S2 L) L  K1 _2 S(API Get entry point)+ H# z, m+ \. `5 l) E0 a& `5 C
        
* X+ r  Q3 f9 U! D7 o- k6 f5 b" S" b3 h0 S
    xor     di,di  z; }- Y3 T0 R% N2 c! Q
    mov     es,di, ?( U5 [0 b7 z  Y' j- f
    mov     ax, 1684h      
- ]5 \: p  W; f8 b) `3 x; R  k    mov     bx, 0202h       ; VxD ID of winice
* V2 a8 j" H1 ?3 b    int     2Fh& _- b* x8 x8 t& f+ `4 c
    mov     ax, es          ; ES:DI -&gt; VxD API entry point2 n9 G) q( @$ N. s5 U9 O
    add     ax, di6 {, R( a9 s' g: j0 ]' D
    test    ax,ax5 H5 }; C7 z. K: N6 a4 q& O
    jnz     SoftICE_Detected  G% C# d; t  y/ Y4 A

9 X9 h2 B: \& M. F7 ____________________________________________________________________________
, ^7 K2 M" |; q+ g! v
/ A! B& C  `9 Z/ rMethod 04
. X  `4 s" [, C5 l=========
0 T/ d, v/ P3 Q
" q( K# c/ r( |% q& ?/ dMethod identical to the preceding one except that it seeks the ID of SoftICE
- }5 k# L2 J0 U# @( l' E5 UGFX VxD.( G2 w' z  e$ O; h; m+ l9 h. X2 [

! r+ K" m! }) @& v7 e2 t    xor     di,di- ~1 Y: w: w1 j8 w! W+ O
    mov     es,di
$ N+ z$ v& ~: h2 V  R. Y    mov     ax, 1684h       " ?1 c6 l0 v, n5 C! G& Y
    mov     bx, 7a5Fh       ; VxD ID of SIWVID+ y, O% O0 o+ g7 z/ F1 P
    int     2fh0 n4 M; _4 x3 i6 l+ f
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
! Z  h$ j: H$ x' d    add     ax, di
, `/ v9 |9 I7 Z! k9 d3 ?! f4 r6 Q7 b# s    test    ax,ax, f* @( I' d% `* ]: K$ E
    jnz     SoftICE_Detected
2 F; \6 _+ M3 Z5 C( N1 w4 t# W% Y
__________________________________________________________________________6 S7 ^* y. s& M
. @( n' o  Q' z& G5 M

* q" Q8 A0 @5 F9 y" L' GMethod 05, `/ k3 R: S$ x1 m% ?- g
=========
9 n; o* W4 K7 M* N0 e3 S) K, i
* N/ q0 S9 _: f; p/ T7 N; NMethod seeking the 'magic number' 0F386h returned (in ax) by all system) a# o! b& D( m
debugger. It calls the int 41h, function 4Fh., e7 M1 [: \$ k( P( G( T0 w
There are several alternatives.  
  t8 |: P# t; u3 n( _0 i2 N$ \# a
The following one is the simplest:
7 Y1 I* X/ B2 F% y0 a" W* \
$ k6 R' M8 F: J) R( |- R( ~9 \$ x5 i    mov     ax,4fh$ H% {0 S0 q6 ?& y' i1 ^6 |: _( u+ a
    int     41h: t8 l9 B4 v0 L  N/ `$ A
    cmp     ax, 0F386% p! c# Y) Z, B
    jz      SoftICE_detected
6 K( H& f0 y. Z; Q. g4 ~+ k' R/ B

) ]7 j) E# ]& Z) O8 p. e$ INext method as well as the following one are 2 examples from Stone's ( p/ G, S1 E, [
"stn-wid.zip" (www.cracking.net):/ _5 P; K) g/ A( P+ X
1 f7 e! A( t: j( d# y
    mov     bx, cs
. D. t1 Y/ Q; k* g    lea     dx, int41handler20 E  B" \6 r* n: b( [
    xchg    dx, es:[41h*4]6 t# b% O7 |' U( ?) v  Z, a6 U
    xchg    bx, es:[41h*4+2]7 _& H8 ~0 ?) b* |. X' g/ d1 t
    mov     ax,4fh
% ~" |; O# i& z  Z3 C* e3 j    int     41h7 G( }* a& H7 N
    xchg    dx, es:[41h*4]; b& J7 a( F" ]/ m' x, W0 b
    xchg    bx, es:[41h*4+2]/ k% g% z3 K# o8 E; B. ^4 l4 [1 _
    cmp     ax, 0f386h5 u* N$ W# M) o% W9 |6 o+ x( _
    jz      SoftICE_detected- i" T% a9 C9 I. ~. h

) E& R& \  b) z" C! J# Vint41handler2 PROC
  Y( M* y, ]2 l3 F# i    iret3 ~3 u0 ^3 B3 v
int41handler2 ENDP$ s2 X8 \: ]- b, v3 {

; C" h0 \; k5 F7 m' b1 u1 L4 X# U& U3 S. C- C: j
_________________________________________________________________________& \2 V0 Q2 F8 ^: }5 t

" E: M7 F2 M8 W+ w. r! p( @# U3 ]. l  h6 I% W! G: \8 F3 q% ^( L
Method 065 b1 f8 j% d$ j4 ^- V/ t- X8 \7 i
=========; J1 V) {" }" a5 `3 T/ {7 Y

! \/ p" I, r( G. o6 \2 S: A- o9 u( l* t3 e$ X
2nd method similar to the preceding one but more difficult to detect:; e9 a  E/ h* x' I

1 h! ?: s$ j( W' Y
! R, C! @1 y9 r$ F9 {int41handler PROC! P  W- z- z+ S# j& _! Z" W
    mov     cl,al9 F/ d3 ^9 m5 Q8 j6 a- |5 N9 U
    iret  t# s  P2 i: l8 n* Y
int41handler ENDP1 B+ D- J8 P! v$ l% N3 }
  T0 \/ Y) ~% ?4 j

- [! n1 M+ g9 H  Y6 A- a% N    xor     ax,ax1 T( ?' j4 D, C! x7 \1 C/ A
    mov     es,ax* {2 N4 I& \2 W* e) m1 {
    mov     bx, cs
0 D/ s$ ~1 K4 n( e5 i' ^0 n8 S    lea     dx, int41handler
1 f! ~4 X) l& z3 p1 ?; b    xchg    dx, es:[41h*4]- m# {0 {: D" R; U6 ]9 f  \
    xchg    bx, es:[41h*4+2]+ B# I: L3 T; j2 G4 E" {1 C
    in      al, 40h1 f; ]! a5 z# g, A
    xor     cx,cx$ K+ U0 {2 `* \" ]/ u& C# M
    int     41h
; k. f+ G, `& A. D7 H* S2 H- E    xchg    dx, es:[41h*4]
# b7 c$ w  c; W7 e6 t    xchg    bx, es:[41h*4+2]8 ?6 A8 }  f& h, v
    cmp     cl,al
9 `3 L# z0 p- S( O! O- C    jnz     SoftICE_detected8 w. \! q8 Y2 N9 q

! q7 O! I0 g9 E6 h7 x_________________________________________________________________________/ Y" r2 r* Y2 K/ }  r

: H. ?/ n: T7 m% P% `& RMethod 070 Z  o: s% I  ~' O& ?
=========& X8 F" O2 E# L  k' `3 D
: j3 b+ s) {! p7 B
Method of detection of the WinICE handler in the int68h (V86)
" Z4 n& V  f2 E. g0 n
+ t1 Q9 h2 o# r/ x    mov     ah,43h/ \( j) ?0 Z( P, p* \
    int     68h
+ Q& c6 t+ S) G4 c4 Z# T' v    cmp     ax,0F386h; B$ H  f. D6 f4 D
    jz      SoftICE_Detected2 f0 J8 M* p% P9 w" D$ X7 F
* q# f6 h6 F: U4 @' t  V: Z
. f: L1 r. s1 o7 c  @$ z8 j0 y" }( X
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' }& {0 m/ o, V. A# J0 t! ^
   app like this:$ |5 o4 k, L: m6 x$ n  s
6 a) L9 T/ o0 A. d0 u& L6 S% v
   BPX exec_int if ax==68
, Z7 r) Y$ r. X3 l& g/ G4 ^   (function called is located at byte ptr [ebp+1Dh] and client eip is
" z* [* c$ n) C$ @   located at [ebp+48h] for 32Bit apps)7 }" d; b- n6 V1 A5 @2 F
__________________________________________________________________________2 C$ ~; f! J) H- m8 T. z, e

3 [  Y' _8 B1 U; H: a! D2 `9 P2 W( L
Method 08
/ v* z4 r% x: q=========
9 b1 p* F, N! E. ]( F
8 F7 o! d6 Y& YIt is not a method of detection of SoftICE but a possibility to crash the: x/ \  S& X4 e" z6 e9 o# \! M
system by intercepting int 01h and int 03h and redirecting them to another
% m2 K) f" H  E+ T/ }2 Xroutine.
, n* D; G! `% H$ y/ ^7 l3 L% s1 j1 iIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points% P2 s! N; m* l2 O
to the new routine to execute (hangs computer...)
4 F: }5 V* l. {2 ~4 y- d2 x3 L
5 z; I# {% }& w+ m. g  }8 M# r, \8 t    mov     ah, 25h
, |- T- ^% k. I    mov     al, Int_Number (01h or 03h)3 a0 W; M% b* k, C2 ~& b0 S& \6 }
    mov     dx, offset New_Int_Routine
# }% q; H# N: M  [9 q3 h    int     21h
3 ~% {1 w9 H, n& x& ]4 q3 m
6 J  e  t0 L+ t1 ]9 c1 L% ~__________________________________________________________________________
6 }3 L' c/ u& S) ^
4 j( Q% T$ H8 T2 RMethod 09
/ N# t/ A# p9 u& [( Y9 f=========
; C  V+ @* C9 a% x4 W) d& P! D/ U0 i0 l) Y+ x% _2 x7 e) i
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
& \2 x# x3 s, s; p1 y% M% Dperformed in ring0 (VxD or a ring3 app using the VxdCall).
+ c% j9 ^8 f2 g7 i" cThe Get_DDB service is used to determine whether or not a VxD is installed
' \5 J  O. r0 }% _' t$ `for the specified device and returns a Device Description Block (in ecx) for8 p; ]5 H' x( C7 s, q% Z, v
that device if it is installed.
* T2 t# Y4 Y9 s1 }* L& q. _* q  a- d) O& @2 y% _" e
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% ]( n: P& O, r8 n% g# a+ m) f1 \   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 K* A0 g! T2 V' ^$ m# _% ?8 B. W
   VMMCall Get_DDB
4 N: D  q$ u$ o9 ^% S   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
2 T, e  c( V7 b. r: o
- O1 }+ _! R5 c1 {! wNote as well that you can easily detect this method with SoftICE:
$ i  l% L' r6 f   bpx Get_DDB if ax==0202 || ax==7a5fh! c9 n1 j: D' [
# ?( Q: L4 j% {  _1 ]
__________________________________________________________________________" M( z0 w6 A$ g+ r0 B# K+ s; T

8 t/ \& H/ V  K7 O1 ^Method 10
  j, b  }) d% u=========
6 h) y6 U, u7 c# a( g
7 U; }  x3 Q6 f, P% q, r& b$ X+ T=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
2 _- v' s/ q2 ]( ^9 t0 u  SoftICE while the option is enable!!
% ~! i; T/ a4 G. K+ q/ q$ o7 [/ _9 h' N
This trick is very efficient:' j5 C  Y2 w4 [
by checking the Debug Registers, you can detect if SoftICE is loaded
8 j. H6 c" o# v7 r8 v% T5 V(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 \+ N5 T5 z: ]- f* U" I6 Cthere are some memory breakpoints set (dr0 to dr3) simply by reading their; J' M/ i' d! J
value (in ring0 only). Values can be manipulated and or changed as well
1 a. D9 {. b, j+ y  K(clearing BPMs for instance)' s: W; N4 A8 B& J, q
! T0 F! {) w: M
__________________________________________________________________________
( s! X' k6 v! ]; S6 }" i' f8 c6 s/ c
Method 11
6 [' D; z/ D& L: l=========& M0 A( C' I1 b! r

2 K) T& t& t" c5 l, Y# A2 r" lThis method is most known as 'MeltICE' because it has been freely distributed
+ x4 s8 T* T, E; Cvia www.winfiles.com. However it was first used by NuMega people to allow
$ P5 S! d( ]. q9 v& w8 X9 BSymbol Loader to check if SoftICE was active or not (the code is located
: R: W! _: h1 e+ l3 v( A- linside nmtrans.dll).+ S4 u0 g- u( `$ Y5 r

) B& s' z  k( B  i5 oThe way it works is very simple:) _5 x8 W5 f( A2 k( t/ d
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for8 `6 P. s3 U3 J$ e
WinNT) with the CreateFileA API.& ?" z/ E3 w  e. g
/ _" F! z: w! X9 X7 U
Here is a sample (checking for 'SICE'):
3 H/ F* [, I! k$ }6 w; c) W# S# E/ I. F  c3 d4 L
BOOL IsSoftIce95Loaded()$ m& |8 b$ y9 w+ F7 s' s7 y  m
{
3 v0 z. {' P  d   HANDLE hFile;  " P5 t( c  Q( b2 N: K9 |  t
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,5 p& [! H1 k' D0 r) o6 A: T
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
6 {2 P( ]6 _: c+ t$ V7 @: n+ s& E8 [2 [                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);! i  m' w+ K) D. P' c/ b9 t
   if( hFile != INVALID_HANDLE_VALUE )4 a' B& h+ p/ _1 \7 O4 x. T
   {5 a8 V" P2 K2 k8 [' o" R! I" ~/ t
      CloseHandle(hFile);6 B* _3 M' j% v2 J; p+ R; _
      return TRUE;
$ W% D2 O' O3 d   }% V6 S5 J$ |, b3 H% a; t
   return FALSE;
5 b. t' W# h: A8 I( x3 }}
( O. R' X+ C, f2 N6 l% h; m, ]+ H4 n% I8 ], Y
Although this trick calls the CreateFileA function, don't even expect to be% ~! w  u" N9 [2 v1 k  D
able to intercept it by installing a IFS hook: it will not work, no way!& }+ D8 s+ l2 \9 Z! H% l9 ^7 ~/ S' }# N+ K
In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 q% e" P5 \! u
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) \& a3 O9 U* w3 n# P1 S- [and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 T9 X( i5 \% Tfield.5 N7 D. v3 B: B
In fact, its purpose is not to load/unload VxDs but only to send a
% |8 ]: F) w! {W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
3 A6 A: `" Y9 e- l$ Q1 C4 _to the VxD Control_Dispatch proc (how the hell a shareware soft could try* j* ?/ j! V. d8 @
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
$ }8 a: U5 }  uIf the VxD is loaded, it will always clear eax and the Carry flag to allow8 R  A; P  d' `7 M7 {
its handle to be opened and then, will be detected.! u5 g, A  Z0 s. O
You can check that simply by hooking Winice.exe control proc entry point# j5 J9 o+ z" p: f, q) ~$ \
while running MeltICE.
1 _5 e! l/ \, E, @! V7 {
# n# o& V1 |+ }% r1 @/ K$ A8 d: T7 F
  00401067:  push      00402025    ; \\.\SICE
  u2 R) s3 `+ m8 l) i0 b  0040106C:  call      CreateFileA
5 q* S3 U. X6 Z  00401071:  cmp       eax,-001% Z: Z- G# r  n: V
  00401074:  je        00401091
: g* T$ |/ ~' [1 a
  k8 c4 s( K% s! T
* e$ ]8 X# o5 l$ oThere could be hundreds of BPX you could use to detect this trick.
2 J6 ~: y) q; |3 U5 y-The most classical one is:
* }2 v9 _  w# ^! p" ?) D  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||0 v; h0 x; i9 F; w9 @) u
    *(esp-&gt;4+4)=='NTIC'
3 N  X3 v, i, L& |# D" f8 z
; B5 ^0 ^! M+ ^/ l5 Z9 c-The most exotic ones (could be very slooooow :-(- v- u( b7 Q9 P  ~9 |) @; O$ K. E& E8 J5 I
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
( {7 I% T2 A- ^6 L, X/ S; @2 d0 h     ;will break 3 times :-(/ `' W# I7 Q- T7 O
3 Q* _! J  [6 L7 d
-or (a bit) faster:
9 ^, g  V/ C3 I+ |' n   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
) K! j4 H; r7 O+ O8 p5 E- p: g: u6 e6 t
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  % B4 g+ M8 `( L
     ;will break 3 times :-() t% F$ d  y$ ?# x

, h* T; B5 W! d- m( f-Much faster:
( F) s$ B4 d& }   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'# y1 w6 J, H9 e  ]
$ H: T6 S5 m/ a% \5 h& y
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen: r; ?& F% G* u( N6 K
function to do the same job:) z9 g" ^  }! u8 Y7 A

3 O$ X6 ^& {, E  P1 @: V6 {1 T   push    00                        ; OF_READ3 u7 B% `" N/ e
   mov     eax,[00656634]            ; '\\.\SICE',0
) u# u7 B; P( b* @% _4 c   push    eax
+ S1 h! [# |) @% v   call    KERNEL32!_lopen5 K' v  m3 K2 s: t/ Y
   inc     eax6 B/ U( e+ g: K: o  O  u: |
   jnz     00650589                  ; detected3 q7 Z2 S" }# h3 t! N$ S
   push    00                        ; OF_READ/ Y" Y$ v4 ?2 @6 z' _7 R' J* w
   mov     eax,[00656638]            ; '\\.\SICE'1 @; n3 w+ i1 a# D- O
   push    eax
7 H- c+ T1 N) ?' i   call    KERNEL32!_lopen
- q$ d- f7 {7 f' j1 }   inc     eax
9 q, B$ o: \. @6 E. H' R, o+ A' r   jz      006505ae                  ; not detected
" H2 T6 w$ R% p6 g0 D! D% h, f( z" C; F. d0 X% H% |

7 r1 d' p+ q+ U__________________________________________________________________________+ b! e1 V( ~5 P# K/ S
* C+ U0 j3 N6 ]5 @
Method 12& w9 j& Y$ e9 i% `4 u4 y6 _: w
=========
4 H; y& k1 M+ y0 {7 b1 R
2 }0 D& ~" e) D8 z3 YThis trick is similar to int41h/4fh Debugger installation check (code 05
% [* S& z7 H* o0 O) Z! {6 x&amp; 06) but very limited because it's only available for Win95/98 (not NT)6 C0 |/ R; R; ]5 v0 d
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.) p( _+ b% t- ^1 @- j1 Y
; a# P) ?! D* z5 K0 S6 c  d
   push  0000004fh         ; function 4fh
, }2 f% G- Q; e  O! b  _   push  002a002ah         ; high word specifies which VxD (VWIN32)4 h* e) H, r  D8 U( E$ S
                           ; low word specifies which service
( r9 T4 y  c: x$ B0 z5 ]6 w* b' E                             (VWIN32_Int41Dispatch)
3 ~1 g& M8 f; V. F   call  Kernel32!ORD_001  ; VxdCall
* l8 s" z8 V1 [# T: v$ ]   cmp   ax, 0f386h        ; magic number returned by system debuggers
, n! v9 r; ]: M  y# e   jz    SoftICE_detected. A5 R% r# [1 H: _) |2 [. ]

( S. \8 E' B! r; |8 W1 ^Here again, several ways to detect it:
$ Y4 i; A+ A8 M$ f6 v. g
. _2 E6 R% N& Z, G0 O$ U    BPINT 41 if ax==4f
8 F/ S, I" n% g8 j, c3 I. E( ?# K0 |& n) b5 G
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one$ h$ O% \& g$ Q! }/ c

( Q: i' Y8 o9 n- A8 z  Q9 h    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
: Z5 h1 F& B4 @: l" ~
& ]5 v6 _: p: q. N8 a    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
# D1 q8 K: I& k) n9 V9 I
+ N9 \% w' q6 f1 H__________________________________________________________________________
0 H( f2 \7 D$ r+ u
. k) T4 r9 Z  J. oMethod 134 g, c. T/ c3 [- v0 }5 B
=========
; e* e% H* F. e. M% u
% h, M9 t( h4 u! `Not a real method of detection, but a good way to know if SoftICE is8 |$ ?+ g* e& _/ n
installed on a computer and to locate its installation directory.% `& Z- P' x8 `: \
It is used by few softs which access the following registry keys (usually #2) :
, a1 M, i6 T! R; |9 k/ ~( H2 G% g
: T! S! y, A! i" f-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* C  O$ o5 L9 X+ I7 h' E5 ^4 G1 M9 d\Uninstall\SoftICE
8 \8 o, r% E7 ]( N. {-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE& R1 `) N5 h( ?! A/ l- Q% E# q
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
4 `1 a  v' X( \3 w, C  w\App Paths\Loader32.Exe
- o3 M0 j8 W  C# C2 W9 f
9 S- d5 ~0 J" I) I
* n5 v! X9 P. G; n3 T3 [* p3 @Note that some nasty apps could then erase all files from SoftICE directory9 \" N0 ]0 y9 d  H7 j
(I faced that once :-(
( K' ^! T7 [) S6 E( D9 `4 P7 z' x& i! v- Q$ b: ]  l1 u) c
Useful breakpoint to detect it:
/ o! F" t# E. S; w- ]( ?- d6 u% G/ N8 \$ i% C7 t, y
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'! `2 H7 d6 _# P) z

  s3 d. ?$ {- y5 m' {__________________________________________________________________________
: h0 Q  j* c( E! l
! R  A' G& V5 b5 ?3 z: b5 E% j! n( _, s0 F. Y
Method 14 " `% D" S4 C- N
=========, _. X# J: P$ K: K: ?; m/ P& M
+ A) |# \0 G5 B" [
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 V# A3 U& K, u- n# I
is to determines whether a debugger is running on your system (ring0 only).
$ K6 b- U1 e+ O& y" @
% _4 X# @3 H; I* _' K   VMMCall Test_Debug_Installed- ]' |/ M& ]! K
   je      not_installed" }' |. J! V8 T! ?

' g. i. R+ G- Q7 z. oThis service just checks a flag.
4 [* ^! p) m0 v" j, j) }</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-20 05:51

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表