About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

" V+ \/ b' A4 x4 D0 R0 g* h8 |6 QThis method of detection of SoftICE (as well as the following one) is
. C% q$ h- c. ~# Lused by the majority of packers/encryptors found on Internet.9 }) X. }! Z' Q% t* k" n& T- I. R
It seeks the signature of BoundsChecker in SoftICE
; C6 C! d8 o+ q; `2 z5 d! k% f: u2 C: |  C7 w/ a7 l1 X8 q
    mov     ebp, 04243484Bh        ; 'BCHK'
; s& O8 w( h6 v0 R$ m    mov     ax, 04h
: y& s- V4 w( L" n    int     3       $ s% G+ Y1 a& ]
    cmp     al,4) F! f0 p9 @+ v- n
    jnz     SoftICE_Detected; r# T, G9 D; I0 c9 t! c
) b& E+ m9 o! _2 n( Q
___________________________________________________________________________
7 C6 A( o- C/ [
Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 when the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table), as set up explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; with only our iret handler in place AX would still be 4Fh
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; record the AL value the handler actually receives
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a varying value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler saw the call untouched
    jnz     SoftICE_detected

_________________________________________________________________________

" h7 b$ @) ]& L: qMethod 07- o8 |! }7 p" H
=========+ q9 y, h- c# _5 a6 e7 p( k
6 _  q- J9 e( |5 ]' z6 A) V9 C* [
Method of detection of the WinICE handler in the int68h (V86); y( k/ E* y4 W0 g

: N7 Z* Y5 l4 h! k6 ?    mov     ah,43h2 b8 }  z/ o9 @9 G5 A
    int     68h1 ]! J# ^6 `$ [1 V
    cmp     ax,0F386h5 R) r" u  s2 t  ]* j, o- x: l
    jz      SoftICE_Detected5 ~2 e: p# c) u3 k& @
2 A' D4 S3 p9 |* j4 R

, x. a! \1 `/ ?=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( J0 ^% J  n( O0 e0 g8 x! W* n   app like this:' N7 C' e  g# ?- f+ U3 k: W

2 R" \! n& H0 r" h( r: U- y. [+ n   BPX exec_int if ax==68
" b2 t- X: s) }   (function called is located at byte ptr [ebp+1Dh] and client eip is
1 s( e# [! Q& y) ?/ ]* |   located at [ebp+48h] for 32Bit apps)3 r* v% v0 Z4 e: _
__________________________________________________________________________; A+ m% |6 _* @) Y3 m

( {7 t/ A. Z: c% m/ F5 n0 y5 L5 c( I! y8 O
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

" y. K- t: w+ U: [! e" E! ]! k' iMethod 11$ T0 F1 _: {0 K
=========! L, U( s! ~6 N1 R$ b# ~

' w2 r( w8 i0 c" mThis method is most known as 'MeltICE' because it has been freely distributed
- X7 x- E3 R: _1 R, a! U/ Ivia www.winfiles.com. However it was first used by NuMega people to allow
6 R7 Q- F8 I9 c& i9 U- sSymbol Loader to check if SoftICE was active or not (the code is located
) a3 {% ~9 r8 ^; \$ d2 Finside nmtrans.dll)., X/ q; @, F* X- m" s& J4 J' ]

% y" P0 g7 S7 C( v1 R  ZThe way it works is very simple:
" e' u' u  c; O. q# B4 SIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! F, O1 U( c! B# ?WinNT) with the CreateFileA API.
% z/ V$ C6 P' [# R
7 ~" ], Z5 M+ `8 f) ?* v; }* [Here is a sample (checking for 'SICE'):4 Z4 N0 x" d2 D

+ n4 q% k$ m% R# ~BOOL IsSoftIce95Loaded()
. a7 x; d/ t- v/ u& I{# i5 W( C3 H3 N: T0 X
   HANDLE hFile;  
: Q/ A' e. J$ E( D% }9 I0 F! Z   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
( c) |$ D" t, R7 K) p: W$ P                      FILE_SHARE_READ | FILE_SHARE_WRITE,
* r1 F5 D  S0 U+ I* u# a                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
3 J- w4 G' a% w5 e2 }   if( hFile != INVALID_HANDLE_VALUE )% Z6 A( |( _7 n/ {
   {
5 l8 L& q; ~" w      CloseHandle(hFile);
+ l$ N0 Y8 L' k+ `0 }" n      return TRUE;
6 T! k& M4 h$ ^8 X( ]; G5 Q   }9 t0 p6 a- P% `2 O
   return FALSE;
0 R* x5 ~& C. w% n}
5 p) {8 H# V& a
; f, J1 u7 [% G& I, I: d* xAlthough this trick calls the CreateFileA function, don't even expect to be8 E% `; |6 d0 F' u% G# h
able to intercept it by installing a IFS hook: it will not work, no way!
- E" f" U# h( z3 z3 qIn fact, after the call to CreateFileA it will get through VWIN32 0x001F" w- I8 j& B" m
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) e7 }1 Q) j, I9 B. X$ j# Land then browse the DDB list until it find the VxD and its DDB_Control_Proc( k/ @1 x% H7 S
field.
: m5 s4 R! @0 D$ I* {In fact, its purpose is not to load/unload VxDs but only to send a $ v# ~/ H7 N- X: D
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
2 H& [- l; k3 n! qto the VxD Control_Dispatch proc (how the hell a shareware soft could try) p9 ?8 u4 T: w
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
! t5 ]( s' w3 R/ N/ G( |! M6 ?If the VxD is loaded, it will always clear eax and the Carry flag to allow
: r2 \4 }1 u  B6 ^its handle to be opened and then, will be detected.
6 p% P  e1 j7 O+ [. CYou can check that simply by hooking Winice.exe control proc entry point; @3 i4 H  E2 v. A1 c" |. `
while running MeltICE.
: t3 _9 t1 m+ m9 x. l4 h
% v) _' {4 V3 S* w$ B- T8 Z+ y2 C, i9 }* q3 v
  00401067:  push      00402025    ; \\.\SICE
4 f7 U- T5 E2 P* ~- B  0040106C:  call      CreateFileA, C" b( o; s* n; ?2 o
  00401071:  cmp       eax,-001; z2 L5 f# I- U0 J$ t6 U
  00401074:  je        00401091
( l# |5 F( N. k0 P+ h) N) G4 l: |% {# ~( \

, T/ L$ P3 t9 h: z, cThere could be hundreds of BPX you could use to detect this trick.$ t( i- A/ U) Y
-The most classical one is:" U% I  d, c" m7 [$ F9 B
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||, v7 M0 g' Q+ s) b
    *(esp-&gt;4+4)=='NTIC'3 Y+ y; g# m* @2 Y& O" F0 ]/ G

9 K3 E* S- \# }9 Y* j-The most exotic ones (could be very slooooow :-(5 y- P8 a5 y! ^; ^( B' T
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ( \9 s$ c$ ]: _5 n
     ;will break 3 times :-(8 l' z9 r, q7 ~
. f% m7 z2 N3 S& ^2 B
-or (a bit) faster: 8 F* n% c1 `# C. M/ X
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')( ^: h! {3 r6 z/ e- O- n
4 l  a# `6 B* C& p- ]4 E
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  1 H/ }9 {+ e& A" ^2 N: u6 Q
     ;will break 3 times :-(
3 [  @9 u6 Q7 D' ^) A- ^5 T2 g8 W' @& l: p
-Much faster:* d1 ^$ p: m# [
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'/ j0 o# f- O1 E  V9 |* O
4 p& ^9 Y7 D% Z, K
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen3 U/ N) p( @+ M, W5 o
function to do the same job:% P; }/ d9 O4 K% M$ V# s) o
. E& B+ |; g' b4 `5 ~+ I
   push    00                        ; OF_READ
% a1 ^! I" _+ g; _; O6 i; N8 p   mov     eax,[00656634]            ; '\\.\SICE',0: |+ d3 T* ^4 z5 r
   push    eax4 x  _7 t! Z- t; U9 J+ {
   call    KERNEL32!_lopen, }5 q1 e$ l; m; n
   inc     eax
- z6 W' N8 K& Z7 y9 Y) S+ W: J7 m   jnz     00650589                  ; detected3 G0 v+ T  c; _) J0 k/ ]
   push    00                        ; OF_READ
& ~, D2 S) x! x1 J" F6 u8 w   mov     eax,[00656638]            ; '\\.\SICE'! L6 T& `; q; h* Z# h6 J
   push    eax. o( O" [2 d5 Y. b- h
   call    KERNEL32!_lopen: k% S; Y' G" b, h4 F# t8 `
   inc     eax
" c, X- b, U# f1 ~   jz      006505ae                  ; not detected
9 a- ~1 b! k) b" _# V5 J8 n1 g6 M% ?2 b! r5 G
+ O" d1 |+ T1 g; w  e/ l4 o7 r, {
__________________________________________________________________________
8 n2 o$ P* T6 t, i  ~2 w* r: U2 T5 C* B
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

" D) T; e) x9 A  SMethod 14 $ a4 h  ?& s; d0 w" `
=========6 D! `; m) d8 r$ I0 }
: C: L- @( @$ F7 w) Q3 M, n
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose4 B7 F1 e. _" F" T+ V
is to determines whether a debugger is running on your system (ring0 only).1 Q( q. D4 a$ l3 S8 F) f; `

' K7 L8 E1 C% s+ F* f, T) K; a  t   VMMCall Test_Debug_Installed
4 _  G2 A2 `% y) U& Z7 h   je      not_installed
- K6 s* S% p/ \$ l. K/ w# i
; l( k( {$ b8 d7 f, {: RThis service just checks a flag.
. j5 s5 c* b, u% g% Y; ?3 _" P</PRE></TD></TR></TBODY></TABLE>
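As an added example (not part of the original post, nor NuMega or SoftICE code), here is a small static scanner that looks for the byte patterns the methods above assemble to, so an analyst can see which of these checks a sample contains before running it; it is the file-side counterpart of the BPX lines in the text. The byte encodings are my own hand-assembly of the page's listings and the sample buffer is constructed, not taken from any real binary.

```python
import re

# Byte patterns that the checks described above assemble to. Encodings are
# hand-assembled from the listings (16-bit DOS forms for methods 01-07, with
# an optional 66h operand-size prefix where a 32-bit build would add one).
SIGNATURES = {
    "bchk_int3":      (rb"\xBD\x4B\x48\x43\x42",
                       "Method 01: mov ebp,'BCHK' ahead of int 3"),
    "backdoor_magic": (rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46",
                       "Method 02: mov si,4647h / mov di,4A4Dh back door call"),
    "int2f_1684":     (rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
                       "Method 03/04: int 2Fh/1684h with the SICE or SIWVID VxD ID"),
    "int41_4f":       (rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
                       "Method 05: mov ax,4Fh / int 41h"),
    "int68_43":       (rb"\xB4\x43\xCD\x68",
                       "Method 07: mov ah,43h / int 68h"),
    "magic_f386":     (rb"(?:\x66)?\x3D\x86\xF3",
                       "cmp ax,0F386h (methods 05, 07 and 12)"),
    "driver_name":    (rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
                       "Method 11: CreateFile/_lopen on a SoftICE device name"),
    "vxdcall_int41":  (rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
                       "Method 12: push 4Fh / push 002A002Ah before VxDCall"),
    "registry_key":   (rb"Software\\NuMega\\SoftICE",
                       "Method 13: registry lookup of the install directory"),
}


def scan(data: bytes):
    """Return (offset, signature name) pairs for every hit, sorted by offset."""
    hits = []
    for name, (pattern, _) in SIGNATURES.items():
        for m in re.finditer(pattern, data):
            hits.append((m.start(), name))
    return sorted(hits)


def describe(hits):
    """One human-readable line per hit, naming the method it points at."""
    return ["%08x  %-15s %s" % (off, name, SIGNATURES[name][1]) for off, name in hits]


# Constructed sample image (not a real binary): the Haspinst.exe loop body
# from method 02, the simplest int 41h check from method 05 with its
# cmp ax,0F386h, and a MeltICE-style device name, padded with nops/zeros.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,911h ... int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"            # mov ax,4Fh; int 41h; cmp; jz
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                     # "\\.\SICE"
)

if __name__ == "__main__":
    for line in describe(scan(SAMPLE)):
        print(line)
```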