About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]     ; assumes es=0 (IVT segment), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
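A static scanner for the instruction sequences catalogued in Methods 01 to 07 and the MeltICE device names of Method 11, added here as an example and not part of the original post. It encodes each trick as the x86 bytes its assembly assembles to, so an analyst can flag a binary carrying these checks before loading it in a debugger; the sample image at the bottom is constructed for the demo.

```python
"""Static scanner for the anti-SoftICE instruction patterns listed above.

Added example (not part of the original post). Each entry encodes one
trick as the x86 byte sequence its assembly assembles to, so an analyst
can flag a DOS/Win9x-era binary that carries these checks before running
it under a debugger. The sample image at the bottom is constructed.
"""
import re
import sys

# Patterns are regular expressions over raw bytes. Immediates are
# little-endian; "(?:\x66)?" tolerates the operand-size prefix that the
# 16-bit forms pick up when they appear inside 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "M01 BoundsChecker 'BCHK' via int 3":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Method 02: mov si,4647h / mov di,4A4Dh (back-door magic values)
    "M02 back-door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)":
        rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41h/4Fh debugger installation check":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Methods 05/06/07/12 all compare against the 0F386h magic number
    "cmp ax,0F386h (system debugger magic number)":
        rb"(?:\x66)?\x3D\x86\xF3",
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h/43h WinICE handler check":
        rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): device names handed to CreateFileA or _lopen
    "M11 MeltICE driver name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}


def scan(data: bytes):
    """Return all hits as (offset, description), sorted by offset."""
    hits = []
    for desc, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), desc))
    return sorted(hits)


# Constructed sample image for the demo: 4 bytes of padding, a Method 05
# check, padding, a Method 03 probe, then the MeltICE device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"                # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"                # cmp ax,0F386h / jz +10h
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x00\x00"
    + b"\\\\.\\SICE\x00"                     # "\\.\SICE",0
)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, desc in scan(image):
        print(f"{offset:08x}  {desc}")
```

Run it with a file path to scan that file; without arguments it scans the constructed sample and reports the Method 05 check at offset 4, the magic-number compare at 9, the Method 03 probe at 17 and the device name at 27.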
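A decoder for the DR7 values that Method 10 reads, added here as an example and not part of the original post. It splits DR7 into its enable bits and condition fields so the two values quoted in the text (0x700 when the program was started through the SoftICE loader, 0x400 otherwise) can be read field by field, and lists which hardware breakpoints a DR0..DR3/DR7 snapshot actually describes; the snapshot values in the test are constructed.

```python
"""Decoder for the DR7 values that Method 10 reads.

Added example (not part of the original post). Field layout follows the
Intel SDM description of the x86 debug registers:
  bits 0-7   L0,G0 .. L3,G3  local/global enable per breakpoint slot
  bit  8/9   LE/GE           exact-match flags
  bit  10    reserved, always reads as 1 (hence the 0x400 baseline)
  bit  13    GD              general detect (trap on any DR access)
  bits 16+   R/Wn,LENn       condition and size per breakpoint slot
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return DR7 as named fields."""
    return {
        "local_enable": [bool((dr7 >> (2 * i)) & 1) for i in range(4)],
        "global_enable": [bool((dr7 >> (2 * i + 1)) & 1) for i in range(4)],
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "conditions": [
            (RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],
             LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3])
            for i in range(4)
        ],
    }


def active_breakpoints(dr0_3, dr7: int):
    """List (slot, address, access, length) for every enabled slot.

    dr0_3 is the list of the four address registers DR0..DR3."""
    f = decode_dr7(dr7)
    return [
        (i, dr0_3[i], f["conditions"][i][0], f["conditions"][i][1])
        for i in range(4)
        if f["local_enable"][i] or f["global_enable"][i]
    ]


def loader_signature(dr7: int) -> str:
    """Classify DR7 the way the Method 10 trick does."""
    if dr7 == 0x700:
        return "started through SoftICE loader (LE and GE set)"
    if dr7 == 0x400:
        return "plain (only reserved bit 10 set)"
    return "hardware breakpoints or other debug flags present"
```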
汶上信息港 ( 鲁ICP备19052200号-1 )