About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________! L6 j: j& b$ B3 o5 A


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________! A4 I! t$ S9 J+ S8 S( W' l

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the VxD's device name only succeeds when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

; ^- _% K% a/ F6 Y) B  m__________________________________________________________________________3 T& ~) @# u1 T) w

+ o, K/ _9 }; i
4 b/ I7 q- V. g. d$ WMethod 14
/ h: Z1 H( h9 {& |=========
) F. Z0 N2 n" Y9 [# m$ y0 N, W# l5 w- q( g
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose4 a! R* H/ ]4 `( q4 e& b/ X
is to determines whether a debugger is running on your system (ring0 only).
0 ]' J0 d; p1 ]: w
! n# L8 B8 q& Q# n4 v$ S- e2 Y# Y   VMMCall Test_Debug_Installed
5 e; h- b' E( u9 M" c9 Y   je      not_installed* x/ W9 i# ]$ T, D4 F. `: f, J

% @8 O7 Y! C- ~( pThis service just checks a flag.
) p. g1 i/ ~3 z3 d* r4 M1 T</PRE></TD></TR></TBODY></TABLE>