About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
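The listings above (Methods 01 to 07, 11 and 12) are fixed instruction sequences, so the natural defensive counterpart is a signature scan over a raw code image. The C below is an added example written for this page, not code from the original post or from any of the tools it names: it hand-assembles each listing into the opcode bytes a 16-bit or 32-bit build would produce (or, for MeltICE, the `\\.\SICE` / `\\.\SIWVID` / `\\.\NTICE` device names) and reports every match with the method number it corresponds to. The `sample_code` buffer is constructed here from fragments of the post's own listings; the pattern table, `scan_antisoftice` and `find_hit` are this example's own names.

```c
/* Added example: static scanner for the anti-SoftICE byte sequences quoted
 * in the post above. Not part of the original post. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;   /* method number as used in the post */
    const char    *what;     /* what the bytes decode to */
    const uint8_t *bytes;
    size_t         len;
} pattern_t;

/* Hand-assembled from the post's listings. 16-bit and 32-bit encodings of
 * "mov r16, imm16" / "int n" are identical, so these match both models. */
static const uint8_t M01[] = {0xBD,0x4B,0x48,0x43,0x42};                 /* mov ebp,4243484Bh ('BCHK'); 16-bit code prefixes it with 66h */
static const uint8_t M02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A,0xCC};       /* mov si,4647h; mov di,4A4Dh; int 3 (operand order of the HASP listing) */
static const uint8_t M03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F};  /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t M04[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F};  /* mov ax,1684h; mov bx,7A5Fh; int 2Fh */
static const uint8_t M05[] = {0xB8,0x4F,0x00,0xCD,0x41};                 /* mov ax,4Fh; int 41h */
static const uint8_t M07[] = {0xB4,0x43,0xCD,0x68};                      /* mov ah,43h; int 68h */
static const uint8_t M11a[] = {'\\','\\','.','\\','S','I','C','E'};      /* "\\.\SICE" device name */
static const uint8_t M11b[] = {'\\','\\','.','\\','S','I','W','V','I','D'};
static const uint8_t M11c[] = {'\\','\\','.','\\','N','T','I','C','E'};
static const uint8_t M12[] = {0x68,0x2A,0x00,0x2A,0x00};                 /* push 2A002Ah (VWIN32_Int41Dispatch); the push 4Fh before it may be 6A 4F or 68 4F 00 00 00 */

#define PAT(id, desc, arr) { id, desc, arr, sizeof(arr) }
static const pattern_t patterns[] = {
    PAT("01", "mov ebp,'BCHK' / int 3 (BoundsChecker signature)", M01),
    PAT("02", "SoftICE back door: SI=4647h DI=4A4Dh int 3",        M02),
    PAT("03", "int 2Fh/1684h for VxD ID 0202h (SICE)",             M03),
    PAT("04", "int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",           M04),
    PAT("05", "int 41h function 4Fh",                              M05),
    PAT("07", "int 68h function 43h",                              M07),
    PAT("11", "MeltICE device name \\\\.\\SICE",                   M11a),
    PAT("11", "MeltICE device name \\\\.\\SIWVID",                 M11b),
    PAT("11", "MeltICE device name \\\\.\\NTICE",                  M11c),
    PAT("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah)",          M12),
};

typedef struct { const char *method; const char *what; size_t offset; } hit_t;

/* Scan buf for every pattern; stores up to max_hits hits in offset order and
 * returns the total number found (may exceed max_hits). */
size_t scan_antisoftice(const uint8_t *buf, size_t n, hit_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++) {
        for (size_t p = 0; p < sizeof patterns / sizeof patterns[0]; p++) {
            const pattern_t *pt = &patterns[p];
            if (pt->len > n - off) continue;
            if (memcmp(buf + off, pt->bytes, pt->len) != 0) continue;
            if (count < max_hits) {
                hits[count].method = pt->method;
                hits[count].what   = pt->what;
                hits[count].offset = off;
            }
            count++;
        }
    }
    return count;
}

/* Offset of the first hit for a given method, or -1 if that method is absent. */
long find_hit(const hit_t *hits, size_t n, const char *method)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].method, method) == 0) return (long)hits[i].offset;
    return -1;
}

/* Constructed sample: fragments of the post's listings, hand-assembled. */
static const uint8_t sample_code[] = {
    0xB8,0x11,0x09,                 /*  0: mov ax,0911h        (Method 02, Haspinst.exe) */
    0x8B,0x17,                      /*  3: mov dx,[bx]                                  */
    0xBE,0x47,0x46,                 /*  5: mov si,4647h                                 */
    0xBF,0x4D,0x4A,                 /*  8: mov di,4A4Dh                                 */
    0xCC,                           /* 11: int 3                                        */
    0x83,0xC3,0x02,                 /* 12: add bx,2                                     */
    0x41,                           /* 15: inc cx                                       */
    0x90,0x90,                      /* 16: nop filler                                   */
    0xB8,0x4F,0x00,                 /* 18: mov ax,4Fh          (Method 05)              */
    0xCD,0x41,                      /* 21: int 41h                                      */
    0x3D,0x86,0xF3,                 /* 23: cmp ax,0F386h                                */
    '\\','\\','.','\\','S','I','C','E',0x00,  /* 26: "\\.\SICE",0 (Method 11)           */
    0x66,0xBD,0x4B,0x48,0x43,0x42,  /* 35: mov ebp,4243484Bh   (Method 01, 16-bit code) */
    0xB8,0x04,0x00,                 /* 41: mov ax,4                                     */
    0xCC,                           /* 44: int 3                                        */
    0x3C,0x04,                      /* 45: cmp al,4                                     */
};

#define MAX_HITS 32

size_t sample_hit_count(void)
{
    hit_t h[MAX_HITS];
    return scan_antisoftice(sample_code, sizeof sample_code, h, MAX_HITS);
}

long sample_hit_offset(const char *method)
{
    hit_t h[MAX_HITS];
    size_t n = scan_antisoftice(sample_code, sizeof sample_code, h, MAX_HITS);
    return find_hit(h, n > MAX_HITS ? MAX_HITS : n, method);
}

int main(void)
{
    hit_t h[MAX_HITS];
    size_t n = scan_antisoftice(sample_code, sizeof sample_code, h, MAX_HITS);
    for (size_t i = 0; i < n && i < MAX_HITS; i++)
        printf("offset 0x%04zx: method %s  %s\n", h[i].offset, h[i].method, h[i].what);
    return 0;
}
```

Run it on a real image by replacing `sample_code` with the file contents; a hit only says the bytes are present, so the surrounding code still has to be read to confirm it is one of the checks above rather than a coincidence (the five-byte `mov ebp` and `push` immediates are the weakest signatures in the table).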
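Method 10 gives only two raw DR7 values (0x700 with the SoftICE loader, 0x400 otherwise) and says that DR0 to DR3 reveal memory breakpoints. The C below is an added example of mine, not code from the post, that decodes the x86 DR7 layout the method relies on: the per-slot L/G enable bits, the R/W and LEN fields, and the LE/GE bits 8 and 9 that are the difference between 0x700 and the architecturally fixed 0x400 (bit 10 always reads as 1). It also checks whether any armed slot overlaps an address range, which is what a protector looking for a BPM on its own code would compute. The `sample_dr` addresses are constructed values; reading the registers themselves (`mov eax, dr7`) requires ring 0 and is not attempted here.

```c
/* Added example: decoder for the DR7 fields that Method 10 inspects.
 * Not part of the original post. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled;   /* L<n> or G<n> set */
    int global;    /* G<n> set (survives task switches) */
    int rw;        /* R/W<n>: 0 exec, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len;       /* LEN<n> decoded to a byte count */
} dr7_slot_t;

/* LEN encoding: 00b=1, 01b=2, 11b=4; 10b is 8 in long mode, undefined in 32-bit. */
static int len_bytes(int code)
{
    switch (code) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;
    }
}

/* Decode DR7 into its four slots; returns how many slots are armed. */
int decode_dr7(uint32_t dr7, dr7_slot_t out[4])
{
    int armed = 0;
    for (int n = 0; n < 4; n++) {
        int local  = (dr7 >> (2 * n)) & 1;       /* bits 0,2,4,6 */
        int global = (dr7 >> (2 * n + 1)) & 1;   /* bits 1,3,5,7 */
        out[n].enabled = local | global;
        out[n].global  = global;
        out[n].rw  = (dr7 >> (16 + 4 * n)) & 3;  /* bits 16-17, 20-21, 24-25, 28-29 */
        out[n].len = len_bytes((dr7 >> (18 + 4 * n)) & 3);
        armed += out[n].enabled;
    }
    return armed;
}

/* Scalar views of one slot, for callers that do not want the struct. */
int slot_enabled(uint32_t dr7, int n) { dr7_slot_t s[4]; decode_dr7(dr7, s); return s[n].enabled; }
int slot_global (uint32_t dr7, int n) { dr7_slot_t s[4]; decode_dr7(dr7, s); return s[n].global;  }
int slot_rw     (uint32_t dr7, int n) { dr7_slot_t s[4]; decode_dr7(dr7, s); return s[n].rw;      }
int slot_len    (uint32_t dr7, int n) { dr7_slot_t s[4]; decode_dr7(dr7, s); return s[n].len;     }
int armed_count (uint32_t dr7)        { dr7_slot_t s[4]; return decode_dr7(dr7, s); }

/* LE and GE (bits 8-9) set: the 0x700 case the post associates with the
 * SoftICE loader, as opposed to the idle 0x400 (only the reserved bit 10). */
int dr7_le_ge_set(uint32_t dr7) { return (dr7 & 0x300u) == 0x300u; }

/* 1 if any armed slot's watched bytes [DRn, DRn+len) overlap [lo, hi). */
int dr_covers_range(uint32_t dr7, const uint32_t dr_addr[4], uint32_t lo, uint32_t hi)
{
    dr7_slot_t s[4];
    decode_dr7(dr7, s);
    for (int n = 0; n < 4; n++) {
        if (!s[n].enabled) continue;
        uint32_t a = dr_addr[n], b = a + (uint32_t)s[n].len;
        if (a < hi && lo < b) return 1;
    }
    return 0;
}

/* Constructed sample: DR0 watching 4 bytes at 0x401000, DR3 one byte at 0x402010. */
static const uint32_t sample_dr[4] = { 0x00401000u, 0u, 0u, 0x00402010u };
/* G0 | L3 | bit10 | RW0=write | LEN0=4 bytes | RW3=exec | LEN3=1 byte */
static const uint32_t sample_dr7 = 0x000D0442u;

int main(void)
{
    dr7_slot_t s[4];
    int armed = decode_dr7(sample_dr7, s);
    printf("dr7=%08x armed=%d le/ge=%d\n", sample_dr7, armed, dr7_le_ge_set(sample_dr7));
    for (int n = 0; n < 4; n++)
        if (s[n].enabled)
            printf("  DR%d %s addr=%08x rw=%d len=%d\n", n, s[n].global ? "G" : "L",
                   sample_dr[n], s[n].rw, s[n].len);
    printf("BPM on [401000,402000): %d\n", dr_covers_range(sample_dr7, sample_dr, 0x401000u, 0x402000u));
    return 0;
}
```

A protector that zeroes DR7 (the "clearing BPMs" the post mentions) does so through the same layout: clearing bits 0 to 7 disarms every slot without touching the addresses, so a debugger can notice the tampering by re-reading DR7 after the protected code runs.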