找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
$ R' B' m5 t1 C<TBODY>: S* y$ }" Q- W: S0 R
<TR>
, A# A; G8 S* y- h5 f' m: _<TD><PRE>Method 01
  ?# o$ j: G4 i=========
) K$ `2 \' d  `* X: C
. V2 q+ i2 {- j' tThis method of detection of SoftICE (as well as the following one) is
7 w# [+ q6 b9 j& E4 uused by the majority of packers/encryptors found on Internet.
% e* o4 q  i6 [6 BIt seeks the signature of BoundsChecker in SoftICE1 P# |' [, V, O$ ^- i; a4 x9 w, Z

4 A* m8 n- w# C* F    mov     ebp, 04243484Bh        ; 'BCHK'! U4 T  \5 R; T1 s) q' P$ l
    mov     ax, 04h& S* a, [. g2 o! c5 c5 ^' G* K
    int     3      
8 K6 k5 c2 ^' }& \5 E+ h5 g9 x4 \7 @    cmp     al,4
* r$ }$ K4 J  ?  c    jnz     SoftICE_Detected. c* ?0 y6 f0 d: b

; p7 \- Q4 O" ?) d6 L7 k1 ?/ L___________________________________________________________________________
6 U) b/ E# m' q" b3 l6 K' M7 D7 k
Method 02& Z: d3 k0 u1 d# r2 l
=========
: e3 H2 ?7 s. r/ f& I4 Z9 x) M! o) ?2 o; U# |8 v9 }( X% c
Still a method very much used (perhaps the most frequent one).  It is used7 X; r) o. u, q7 I4 D! a% F7 Q) h
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
  C1 p; L9 `9 v5 z# T; v9 }or execute SoftICE commands...4 F. }9 @2 K+ m! t
It is also used to crash SoftICE and to force it to execute any commands
% c( d: {; L1 u, G, [(HBOOT...) :-((  
' \/ _+ ^7 e3 O* S! h) z1 q& a4 U
( J( B" _7 j( h+ ]& C( iHere is a quick description:! f# u# P$ l8 B. `
-AX = 0910h   (Display string in SIce windows)0 S0 H* h) D+ Z6 u
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
5 T: ]( ]; s7 s. ?  m-AX = 0912h   (Get breakpoint infos)9 a. q9 Y' Y" r9 Y
-AX = 0913h   (Set Sice breakpoints)
5 h1 E8 }* M9 Z0 l-AX = 0914h   (Remove SIce breakoints)& t! c% ?6 `. r4 F  Z
& Y: q, z( H' M9 F5 ^! @$ l
Each time you'll meet this trick, you'll see:
8 P5 U8 p! C2 v& A! z- O-SI = 4647h  `0 F& h4 n3 x; M  c. v3 F. q
-DI = 4A4Dh
" f  T- e1 M; F! Z. {' [Which are the 'magic values' used by SoftIce./ [& }3 O# z2 F" k
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- m3 T# Z& `1 `, d* m/ B0 A
( F# @: Z, _0 y/ H; s# @Here is one example from the file "Haspinst.exe" which is the dongle HASP6 g# G3 T. h, H& j: s3 L1 n
Envelope utility use to protect DOS applications:4 N1 b5 M+ a- C, \1 a

8 g& _7 [+ {7 _: _9 }% ]% x3 j
+ S2 L* k! x; h' K; d1 z9 {  l- _4C19:0095   MOV    AX,0911  ; execute command.
7 F% b2 [/ l& Y$ I& {: |6 u4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).  j& g' W4 Z: ^6 H! U
4C19:009A   MOV    SI,4647  ; 1st magic value.
# s  t0 W+ J5 ^9 S% F' t4 h4C19:009D   MOV    DI,4A4D  ; 2nd magic value.7 e( {, Y! E$ F
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)4 U! C  k0 B$ ]% B2 O
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
8 h5 y) v& i; x5 P# V4C19:00A4   INC    CX
# m1 \- f! |5 h/ z4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute/ J* W+ x% `+ w9 h. l/ ?5 p4 O+ `0 i
4C19:00A8   JB     0095     ; 6 different commands./ }1 C5 ]2 w+ d4 w6 P8 S5 b- R
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.7 t6 I- k+ O) j/ T" w! A
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
1 X8 e8 G, ]" W
4 K' `7 U1 U* [# [0 \6 f  KThe program will execute 6 different SIce commands located at ds:dx, which8 z- H/ A/ |# S
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# j' N. M) T; v! \4 m  ]
. g/ t* L0 [  G0 _* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
: d6 F# y# c4 D! T/ _- ?3 l. s9 j___________________________________________________________________________
0 j* C& w' l% t4 W1 W0 u. L
& c1 H3 |: S! F- l' a' E6 p
. x* O' a; i+ B( R  VMethod 03/ w5 o0 N- U, l# T
=========
6 n3 y; [/ ~$ E% x$ }8 N, a) Z" h; }/ _3 X$ o* U
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
. W0 W; v; d. h& w(API Get entry point)
! q; {0 Y* @, T' L        
0 H. t+ [& F7 ^0 n- ]- e* y  O- T2 I% z! U) V
    xor     di,di. l2 g* y% m6 h( }4 A, O( a
    mov     es,di
4 R: T3 Q  V# C& Z    mov     ax, 1684h       5 e+ L/ q  n4 S& J6 x$ S
    mov     bx, 0202h       ; VxD ID of winice. `; `! ?- D9 X) ~/ C) E
    int     2Fh
0 S4 @) [# v/ p/ q0 _6 F1 _    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ I: @& w; _8 f3 R! ]7 ~, I- q' G. g
    add     ax, di! }, @9 W, o  E3 A% r- L  s
    test    ax,ax4 d. ?  K$ [- c' V4 q) G& s5 |& p1 X
    jnz     SoftICE_Detected: U5 s8 Z- K  j+ B1 |* X! P

  [! l8 |0 w/ I  |6 E___________________________________________________________________________$ o0 T, `' z" w

! b) j2 O" D; q2 S1 x5 EMethod 04
. e; A% g4 L3 S5 M2 @4 e; H=========! N; [  B( D  m- O

* Z1 K5 X* }9 UMethod identical to the preceding one except that it seeks the ID of SoftICE/ E( H" f  \& n* f; N( u- \
GFX VxD.
: }, j) L; @+ g& }# B6 [/ P* w0 \$ q  Z6 W2 r% a& c* y
    xor     di,di
( u$ ]5 D: Q1 P6 V    mov     es,di) U6 v9 X! n. c0 I! p
    mov     ax, 1684h       . W5 B; z0 K. b" o' T
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
& ~5 C1 V9 \0 _    int     2fh
: I9 K% }% V4 x    mov     ax, es          ; ES:DI -&gt; VxD API entry point
" J# y9 X( m. F# |% \3 F    add     ax, di
3 L9 }7 d' s; q    test    ax,ax
3 S. x* F. Q0 b% l. _0 i    jnz     SoftICE_Detected
0 O. ]( n1 x% a: x" j  c  e! ?
" Q$ C' Q# r1 R9 e# i% x& g__________________________________________________________________________7 Y- K9 F6 i* @- f4 P

1 k/ M  [1 S4 o0 |) ]" a' ^' Y3 N4 `
Method 05
$ y4 C6 C& ^+ }4 `/ z=========$ t; C* B1 N+ q  A+ ^- k

6 a" E# E/ ?2 v8 K* g) q: |7 C3 uMethod seeking the 'magic number' 0F386h returned (in ax) by all system6 |0 y' u* g+ Z: v( Z
debugger. It calls the int 41h, function 4Fh.
8 M' I5 z2 W5 q) u& K" ^There are several alternatives.  ' \- ^( \" |6 @! [/ l0 G

: e' B& N% e, T0 L0 ?- TThe following one is the simplest:. v0 r7 o7 b0 t: C9 `, j

. t7 E8 W) `6 `- h5 ^, |    mov     ax,4fh5 ~8 J/ [& Y- y+ B
    int     41h% r: |; ]# s; n, A" [0 a
    cmp     ax, 0F386
4 H5 b' _( r& B    jz      SoftICE_detected
8 Z  ]- h& i* Z! k2 q  _! o2 W
# B; ~2 B, R0 _; D* |
& ]: |/ \2 I  VNext method as well as the following one are 2 examples from Stone's ( G- f( C) a( J
"stn-wid.zip" (www.cracking.net):
' e( ?' c: }+ [0 n# `
  p) ~. Y0 C# V; r6 K+ b9 a    mov     bx, cs9 i3 N- k' {$ l
    lea     dx, int41handler2
* }: ~* c3 @0 \0 k5 g9 P* O1 K4 T    xchg    dx, es:[41h*4]
+ I* U, z8 v9 x9 n    xchg    bx, es:[41h*4+2]
7 t# T& E* u. I    mov     ax,4fh
7 i% x  a% C: r" y, H: k! V    int     41h+ Z& i9 j6 B* W
    xchg    dx, es:[41h*4]
) V9 t  j4 a. S2 ^. g; k    xchg    bx, es:[41h*4+2]+ `4 R! o, L5 ~; }5 @; V0 `
    cmp     ax, 0f386h
3 a6 E0 R. {8 F- c* R    jz      SoftICE_detected8 T- K! S% C* C3 s% p4 K* y( R# G. V
5 B2 @( Y0 j6 v: {
int41handler2 PROC
0 e# \8 C4 c3 x- L/ z# T4 ?' m    iret; J' F+ }4 w. W7 }3 k9 e$ o5 o
int41handler2 ENDP: t; e: _* V7 Z/ U1 P! c
0 T# v3 W( X' j8 X  o

' [( n$ o3 ~& w_________________________________________________________________________
* H. c  H, W( [! p; m! @) ~7 O$ }: i6 j! G0 y, {- i4 p8 P

- H2 Z  {" E3 s( ]( m+ a) ?Method 06
6 r1 }; c$ |/ Q5 ^+ F% l=========
' _% I2 l7 l  c! V0 g: w
5 r6 _) z4 m, q% ~" J
' P2 b. A; s* a: I/ {2nd method similar to the preceding one but more difficult to detect:
  n  _: w& W/ b0 `( h' W& t4 A4 q9 I. {2 y+ \' j! @
+ u) @' F' u$ P& F; v* o
int41handler PROC
! w0 M7 l3 z' @  U    mov     cl,al, R( H! O8 y1 x& n4 X# b8 K( B
    iret
; \$ }5 e) T2 _9 |) Wint41handler ENDP
" b$ y0 M) i* N" m: X, N2 q. _6 t
" Y3 z* g+ R. F7 a- U' V
( G3 q, P9 X1 l) C/ S) _& [    xor     ax,ax
3 y5 m! j1 n* b    mov     es,ax
3 `/ N$ X0 r: l! P+ o$ X: e    mov     bx, cs% Y; P6 R. P6 l/ J8 f: A# l
    lea     dx, int41handler
1 ~" l8 b4 Z  c3 k0 x    xchg    dx, es:[41h*4]
7 k0 U  Y$ X4 E( ?6 w0 r    xchg    bx, es:[41h*4+2]
4 v; w3 h' U% ?- P& t5 X" z. Q6 X4 E    in      al, 40h( q6 _2 N& @8 {) d
    xor     cx,cx4 ]4 a/ V  N; D* v- _& d
    int     41h
& o8 M/ K0 y" u+ U9 }  ]    xchg    dx, es:[41h*4]" Q, y3 C# U, J# K7 q" G3 p/ k8 p
    xchg    bx, es:[41h*4+2]
$ i1 O1 a9 A# j+ O    cmp     cl,al
9 J% K6 J# b  N# r& o    jnz     SoftICE_detected
% H7 h7 I/ P7 G* O% ~- n1 t2 L# P' }* S
_________________________________________________________________________
) l; b/ {; z) Z; [
* k8 B8 s2 k- W6 x7 e6 _Method 075 p5 j9 T. z; W7 d9 }
=========4 z2 z6 |: f8 _* z8 N, h! ]: m

2 n2 S6 @( Z2 L* Y4 S: v2 xMethod of detection of the WinICE handler in the int68h (V86)# t, e7 }/ n! W# o
, |: D, D3 s/ O
    mov     ah,43h
: }& O1 a' a* g8 t& X" g# i$ @; C    int     68h: ^1 ]3 J) m- O/ M
    cmp     ax,0F386h
" u! Z& y; X2 L- P& P" B- W    jz      SoftICE_Detected9 a8 T5 p) {8 F0 K6 h/ J3 l

( I+ O) X7 s' l( X7 `
) O# X7 c( k6 d' a& j=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit( q5 Y) D9 p8 x2 O1 e
   app like this:
! J% ^) ]0 \* M* |+ W! k4 k( ?( W# N# `7 M; K
   BPX exec_int if ax==68) s% \  [5 B9 f8 w- p# c; g! {
   (function called is located at byte ptr [ebp+1Dh] and client eip is; |: g$ E6 o# T3 P1 y: g
   located at [ebp+48h] for 32Bit apps)1 y; x' x9 u0 H2 `. K! [
__________________________________________________________________________
4 V) q: w' G3 G! x; E, B" G: w- F
( |& ^3 K$ ]0 U0 ?1 {# Y2 W
Method 085 k$ g1 t' Z6 n: R/ H+ C- P
=========
! u8 M7 @7 J/ H$ r$ P7 E! ~- c- n+ G- T* t0 }
It is not a method of detection of SoftICE but a possibility to crash the' R+ O) Y+ v9 e) I5 @+ |8 N
system by intercepting int 01h and int 03h and redirecting them to another
8 X1 F7 j9 e$ zroutine.
! T6 ]' B5 W! n9 Q2 i: c1 M7 HIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
# A" Z7 @, g* q5 A) j* zto the new routine to execute (hangs computer...)- A6 C: t8 Z8 e" {8 u

8 _2 U+ p; [1 E. o3 ?    mov     ah, 25h- }8 G! v4 G. F, Q+ ~
    mov     al, Int_Number (01h or 03h)% }! ~" R0 |7 L& l
    mov     dx, offset New_Int_Routine" J1 r. [3 J% @
    int     21h# |1 O, b& r6 M, g) A3 Z
4 S- n$ o+ U8 a% o& k. X: }
__________________________________________________________________________
, k* e  B  q- n# F. f, _2 E& b5 ^# p) g* I* [2 ?! Y6 A. y
Method 09, T0 t4 u5 J9 E
=========6 N* A! e  n% d+ h2 }
- @6 I2 Z2 a( @: h( ~- L1 e
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only( B5 t0 B6 ~, z
performed in ring0 (VxD or a ring3 app using the VxdCall)./ F/ C! V( S6 |
The Get_DDB service is used to determine whether or not a VxD is installed
" ?4 s" N$ h) B- Lfor the specified device and returns a Device Description Block (in ecx) for
* y0 y. ~9 ?9 O! |, E! D4 jthat device if it is installed.  H$ U1 a8 k$ |' I

! C3 O4 v' T  o# z& `4 E9 I   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
; B  Q: \+ u$ k* G4 [! M1 n   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 a2 F: Y7 p9 D& [* ?& I3 }3 G   VMMCall Get_DDB. m/ r4 I  X: ^1 B
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed  r9 J& z; G( R- v8 P! [
2 z" W5 I5 v5 f6 H, l1 f
Note as well that you can easily detect this method with SoftICE:2 P- i9 l* t, X6 \& X$ `
   bpx Get_DDB if ax==0202 || ax==7a5fh
: u5 g# k/ @% }+ N
: X: P7 r! K; n! K__________________________________________________________________________
1 [( ?- Q% c& o7 L# G" i; b6 ]4 D' l
Method 10
3 Q( T- q( G5 X5 s* K; b=========
3 o: s0 S( j' A$ J
- \7 M  L4 y# k9 |/ X' ?2 s=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
! P$ x3 `0 |# l. D% m4 m' R  SoftICE while the option is enable!!
6 U1 ]" c  ?- k0 I% _; j% U2 y) ~, h4 J2 K
This trick is very efficient:- W! j) \& G/ c3 t8 _
by checking the Debug Registers, you can detect if SoftICE is loaded
( _- ~6 d7 x! y( V3 |  D! V(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 Y) A  o4 }& Athere are some memory breakpoints set (dr0 to dr3) simply by reading their
- [/ \3 M  q9 y% O7 uvalue (in ring0 only). Values can be manipulated and or changed as well
: M  W, }/ Q2 p5 n8 m4 O+ J(clearing BPMs for instance)/ ~5 u3 ]! h* M: R
" H# a! `% ]- f* I4 |; i
__________________________________________________________________________# C5 m0 s7 m! N3 L4 O: Z

; L1 M" {) j5 I, f8 B% uMethod 110 G, q+ c) ^  e
=========
. u* K# Q( Z0 s* n2 `1 E
# K  r- b8 z/ v- D2 i, WThis method is most known as 'MeltICE' because it has been freely distributed
# B+ |( V% e1 G& gvia www.winfiles.com. However it was first used by NuMega people to allow0 G2 ^2 z5 s2 A8 c' P( F
Symbol Loader to check if SoftICE was active or not (the code is located* U! `. E) ^9 v! I- W% J
inside nmtrans.dll).
" {1 K+ X. q+ w, R- [3 b- e0 B# J$ R; O& O0 G2 j
The way it works is very simple:
& ?0 A" |9 U) |# {  G' V! ~It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
( ~5 n* c7 p9 U% X- g- HWinNT) with the CreateFileA API.
/ g. c% J0 F9 @" m  V- ^
" x' U2 X* x4 g+ Y. \' m0 THere is a sample (checking for 'SICE'):6 k& x5 @7 `! H7 B7 {  s
/ Y- x9 z/ [" O8 ]0 V" V
BOOL IsSoftIce95Loaded()' r( C/ {2 ~. R9 i! R6 e/ S8 F1 y
{0 \" q* G7 k4 P' b: q, `9 g
   HANDLE hFile;  
2 ^. H. l$ t* z1 ~6 ^+ z0 K   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
; H: Z0 n& C2 v3 j/ X                      FILE_SHARE_READ | FILE_SHARE_WRITE,5 x) b8 z, {6 J2 u1 V
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);+ Z' z$ N8 N6 R0 C# e
   if( hFile != INVALID_HANDLE_VALUE )' e2 t  T1 N  l, C
   {. V, p) \0 |, g: c
      CloseHandle(hFile);( R. i7 |6 G& g( R7 B) ^
      return TRUE;
2 v' L& F* q( m. Q& S' ?) m   }3 K; i, L/ M: S/ w# g
   return FALSE;
  E! W6 l5 o, t+ _) E8 D- a}
* z: T. l/ D# O# I8 y6 s8 w9 p+ S: L+ D7 e
Although this trick calls the CreateFileA function, don't even expect to be
; W6 U- \6 m: Hable to intercept it by installing a IFS hook: it will not work, no way!5 I  b3 {2 R/ u& e5 s' d
In fact, after the call to CreateFileA it will get through VWIN32 0x001F: y! S2 g7 I% H% p, ~2 F, Y' G3 s
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
$ }7 j5 v, ]! q& nand then browse the DDB list until it find the VxD and its DDB_Control_Proc7 X# J& W7 q: U$ [4 [( A
field.% n/ {: E. R0 A
In fact, its purpose is not to load/unload VxDs but only to send a 9 U3 n5 [, q9 v
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE): \# s9 m( q4 X( n2 O1 \0 W1 c2 `: j" Q& ]
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 {4 }" X1 n. ]& T# p* rto load/unload a non-dynamically loadable driver such as SoftICE ;-).# I6 o( f& m, ]0 Z, X* ~5 `5 d' X
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 G" Q* E6 o7 F8 R, P$ ?7 N
its handle to be opened and then, will be detected.! u  q9 y6 s$ G
You can check that simply by hooking Winice.exe control proc entry point; o& o0 x! x3 x  V3 r' I# Z( L
while running MeltICE.' \6 Q( J- ?9 b/ P( C; `" ?# U

4 [' n8 L. s- F" r2 r) R) C  ~# d* P& S( y
  00401067:  push      00402025    ; \\.\SICE9 ]2 N/ l3 m8 G7 U
  0040106C:  call      CreateFileA5 n. P* p. O8 C# U4 \
  00401071:  cmp       eax,-001
+ D4 I* i* m  z! {$ H! c  00401074:  je        00401091
. o& J$ }$ ^& W, k
( r: a9 e8 o) @7 x+ O
/ o' L- }9 }' w: j5 xThere could be hundreds of BPX you could use to detect this trick.
& ^) K8 v5 ~0 x' P: L* ?-The most classical one is:7 \3 |2 ?2 @" Q8 s
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
1 V; K2 M* g# r$ h) Z2 f! }+ ?- n    *(esp-&gt;4+4)=='NTIC'
( G( D) v/ P" Q; Y; b% I3 b- n5 J4 ^! s
-The most exotic ones (could be very slooooow :-(3 ]4 z- j  B$ L0 p4 Q( k
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  + |, Q9 K) C# g" Y, J. ~( {
     ;will break 3 times :-(8 d1 E8 L# M! K
9 W2 y$ L6 g- b8 P- s9 D. G
-or (a bit) faster:
) R  @  [( a6 M2 p! ?, ~   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% g7 k; j' I. i+ W6 s
0 L7 R5 u1 k* I+ W4 d4 @6 W: q' g
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ( o' ^4 {- l. X' N8 H. D( k1 K3 n3 b, u
     ;will break 3 times :-(
9 U4 T, G& C( g5 W+ X' ^9 R3 r7 j1 Q* _1 P" z9 a7 T
-Much faster:6 o' j3 }/ F( {/ W/ A
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'  Y) v7 T& K4 {( ]2 ^' C

4 R9 H6 Q# M1 c. A" u+ ^& I( UNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
) @8 O& o* Q2 P, |7 m! [. @function to do the same job:0 ^7 l# h5 a- E6 `
$ r* }' D, S; A7 H$ s" s
   push    00                        ; OF_READ0 k+ j: D# t- l1 [% n$ @; G9 b
   mov     eax,[00656634]            ; '\\.\SICE',0+ d( n- p7 y  K) L
   push    eax
& c* T0 p- _, [   call    KERNEL32!_lopen
# k0 I5 V8 z8 [* E/ ~/ s   inc     eax8 @. b; D2 u* n: t5 N: Z% V
   jnz     00650589                  ; detected& K( Y/ ?8 r1 l4 n! M: g
   push    00                        ; OF_READ
# Y- b, Y* U, D. K% q  r   mov     eax,[00656638]            ; '\\.\SICE'  t' m- h% `8 V" f4 k. C& j3 a
   push    eax
: b7 _4 s3 N9 r! |' {3 a   call    KERNEL32!_lopen
3 `) W+ N. k0 m( t7 E' p   inc     eax
; K7 W/ ~" R0 ]" d" s! V0 Z4 Y   jz      006505ae                  ; not detected* _6 l$ g  K$ }* `4 y6 Q- C
$ `1 h3 `; h/ J; T

- I1 z! C3 ]! m9 O+ k' }# \; P" U__________________________________________________________________________! }3 _* Q+ h0 R
3 D. a7 ~" X/ I& J% o* ?/ X7 I
Method 12
8 E( A3 Z) N, B' \' e: V; b6 b/ S=========" K0 _2 Q9 G: x$ _0 C3 _6 f
- _4 E( \0 u. C5 P
This trick is similar to int41h/4fh Debugger installation check (code 053 u# U$ @% Y4 W6 s+ v) q
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
, f+ e7 r* E! [5 vas it uses the VxDCall backdoor. This detection was found in Bleem Demo.% O( C4 _7 @$ `) i7 v5 Q
8 @( S2 l" T6 ]: ~: o! ^( e6 {
   push  0000004fh         ; function 4fh  E# E7 z" T) j. x
   push  002a002ah         ; high word specifies which VxD (VWIN32)
% l+ M) K' n  ^6 F# o  Q% W8 w" b                           ; low word specifies which service
, G9 A  g. s, _6 G! s                             (VWIN32_Int41Dispatch)9 P9 ]; r# {! c: |6 ]
   call  Kernel32!ORD_001  ; VxdCall1 T' y  h6 P3 W5 A8 x" x' T
   cmp   ax, 0f386h        ; magic number returned by system debuggers
  @3 P/ s- I9 c6 _- e   jz    SoftICE_detected
  c3 J4 {+ U2 M7 {" j" ~* |- `. l1 q% @' O# o
Here again, several ways to detect it:  N# P1 g3 t# D2 d) n

4 {% j* N, F6 K% E# }3 e. T: v' c    BPINT 41 if ax==4f4 j. Y: c" w4 Z* B0 C* g% S+ G- V
) x! T' j5 V# P# g/ P. w, K; c
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one6 D! M$ k8 B6 y, ^- G: i

( W" e9 S. I1 U: q    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
# s6 I2 K! L' f4 d! k6 T; Y# \0 X7 b7 l- j- q7 @
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
$ j- J$ Q: H, w( [$ n1 r' D$ F4 R- M
__________________________________________________________________________: C6 E2 I: S$ S4 m6 f# u8 s0 {: V

( v/ J9 R# E) t, l1 ZMethod 13! }' X* N+ X( U5 G
=========& d! \2 \) E" u  Z# D( }
# X3 H! ]  V* R  |0 G, f2 L9 w
Not a real method of detection, but a good way to know if SoftICE is- F# `* \2 p" ?2 v5 L/ D/ ?0 o+ X
installed on a computer and to locate its installation directory.
7 `$ D4 T+ F% H8 c( wIt is used by few softs which access the following registry keys (usually #2) :
* w- ]) G- n, k9 Y1 u4 Z+ w/ Z# |' f+ }- Q8 o2 e* ~" P
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' H8 |0 I3 j+ O5 G/ k! [\Uninstall\SoftICE
9 V4 l3 ]! h( S% }. ]4 e! g# W-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 ?' C' u/ S: C  n, }4 k" e
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion1 ]4 ^; ]8 }) c: U$ O- M! Y" H
\App Paths\Loader32.Exe
  M) V0 a* W2 u$ n) X* i4 u0 H0 U$ H
" z6 f& w( d# R  {0 ^5 H" h' o
6 ?3 M0 s- z' g( }8 [Note that some nasty apps could then erase all files from SoftICE directory
1 G5 ^+ |  T8 n$ [) W(I faced that once :-(
5 f; r8 B& G0 L( D4 H/ R4 p; {: \4 ]9 C' b* N
Useful breakpoint to detect it:
% C! E0 i( ]6 n# d2 W; H4 t$ Q: C
6 W1 Z8 \2 i8 ~6 b9 V     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
2 b1 L  u" }& [: h; N' l! {5 K7 \
1 O- J- S+ j" c1 O__________________________________________________________________________
3 c) w6 K% n  D0 V/ Z7 x2 Y5 P* w: A( {) ?' W
1 O+ l# S, Q# {8 |
Method 14 4 J+ a- n: `& a0 o
=========
  k* v, L8 ~- i$ [/ b7 y, h
, y& K1 j) c7 e) Z+ x2 u4 L" ^A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 W! r- ?- {& [& @+ i8 Lis to determines whether a debugger is running on your system (ring0 only).8 n% ?8 c& m2 g* n% E8 \
, q6 S5 F6 x  `( K$ a
   VMMCall Test_Debug_Installed
- u- A+ |) Z" m9 c   je      not_installed+ k0 n" n! W) S9 W+ R# }- Q+ D

/ M9 O8 ]. ~7 _This service just checks a flag.+ ?: o' j6 ?# e6 a* v# A3 T4 v
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 04:35

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表