About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature that SoftICE recognizes:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers the BCHK call
    cmp     al,4                   ; al is still 4 if nobody handled it
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, the hard reboot...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if no such VxD is loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Swapping a dummy handler into the real-mode
vector first defeats a debugger that only hooks int 41h through the IVT;
SoftICE catches the interrupt from its own ring-0 handler and still answers
0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our dummy handler (es = 0, see Method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect (there
is no ax==4f to hang a conditional BPINT 41 on):


int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an arbitrary value (PIT counter)
    xor     cx,cx
    int     41h                     ; if our handler never runs, cl stays 0
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS Set Interrupt Vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

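Added example, not part of the original text: a small C decoder for the DR7
layout that the check above relies on. DR7 can only be read from ring 0
(mov eax,dr7 in a VxD), so the values here are constructed samples; the bit
positions are the documented x86 ones (L/G enable bits 0-7, LE bit 8, GE bit 9,
the always-set reserved bit 10, GD bit 13, and an R/W + LEN nibble per slot
starting at bit 16).

```c
/* Added example (not from the original text): decoding DR7 the way the
 * Method 10 check reads it. DR7 can only be read from ring 0 (mov eax,dr7
 * in a VxD), so the values here are constructed samples; the bit layout is
 * the documented x86 one: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9,
 * reserved bit 10 (reads as 1), GD bit 13, then R/Wn (2 bits) and LENn
 * (2 bits) for each slot n starting at bit 16. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE  (1u << 8)
#define DR7_GE  (1u << 9)
#define DR7_GD  (1u << 13)   /* general detect: any MOV DRx raises #DB */

/* 1 if the local or global enable bit of slot 0..3 is set */
int dr7_slot_enabled(uint32_t dr7, int slot)
{
    return ((dr7 >> (2 * slot)) & 3u) ? 1 : 0;
}

/* 0 = execute, 1 = data write, 2 = I/O read/write, 3 = data read/write */
int dr7_slot_rw(uint32_t dr7, int slot)
{
    return (int)((dr7 >> (16 + 4 * slot)) & 3u);
}

/* breakpoint length in bytes; encoding 10b means 8 bytes (64-bit mode only) */
int dr7_slot_len(uint32_t dr7, int slot)
{
    static const int lens[4] = {1, 2, 8, 4};
    return lens[(dr7 >> (18 + 4 * slot)) & 3u];
}

int dr7_enabled_count(uint32_t dr7)
{
    int n = 0;
    for (int i = 0; i < 4; i++) n += dr7_slot_enabled(dr7, i);
    return n;
}

/* The verdict Method 10 draws: a bare register is 0x400 (reserved bit only);
 * a program started by the SoftICE loader sees LE|GE on top (0x700); and a
 * BPM occupies one of the four slots. */
int softice_suspected(uint32_t dr7)
{
    if (dr7 & (DR7_LE | DR7_GE)) return 1;
    return dr7_enabled_count(dr7) > 0 ? 1 : 0;
}

static const char *rw_name(int rw)
{
    static const char *names[4] = {"X", "W", "IO", "RW"};
    return names[rw & 3];
}

int main(void)
{
    /* constructed: bare, loader-started, loader + BPMD W on slot 0, two slots + GD */
    const uint32_t samples[] = {0x400u, 0x700u, 0x000D0701u, 0x0000200Fu};
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        uint32_t dr7 = samples[k];
        printf("dr7=%08lx suspected=%d", (unsigned long)dr7, softice_suspected(dr7));
        for (int i = 0; i < 4; i++)
            if (dr7_slot_enabled(dr7, i))
                printf(" bp%d:%s/%d", i, rw_name(dr7_slot_rw(dr7, i)), dr7_slot_len(dr7, i));
        printf("%s\n", (dr7 & DR7_GD) ? " [GD set]" : "");
    }
    return 0;
}
```

0x400 is the bare register, 0x700 adds LE|GE as the SoftICE loader leaves it,
and a BPMD on a dword shows up as slot 0 with R/W=W and LEN=4. The 0x700 test
is a Win9x-era heuristic (P6 and later CPUs ignore LE/GE, and NT-family
kernels keep DR7 per thread), but the slot decode is still how you read the
debug registers out of a dumped CONTEXT.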
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the open only succeeds if the SICE VxD answers the DIOC_OPEN message */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

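Added example, not from the original document: a byte-signature scanner that
finds the instruction sequences of Methods 01 to 07 and 12 and the device-name
strings of Method 11 in a flat code image, so you know where to plant the BPX.
The encodings are mine, worked out from the instructions listed above,
assuming 16-bit code for the int 2Fh/int 41h/int 68h/FGJM sequences and
32-bit code for Methods 01 and 12; the sample buffer is constructed inline.

```c
/* Added example (not from the original document): static scan of a code
 * image for the anti-SoftICE byte sequences catalogued above. Encodings
 * assume 16-bit code for the int 2Fh/int 41h/int 68h/FGJM sequences and
 * 32-bit code for Method 01 and Method 12; the sample buffer is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sig { const char *name; const uint8_t *bytes; size_t len; };

/* Method 01: mov ebp,4243484Bh ; mov ax,4 ; int 3 (32-bit and 16-bit forms) */
static const uint8_t BCHK32[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00, 0xCC};
static const uint8_t BCHK16[] = {0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC};
/* Method 02: mov si,4647h ; mov di,4A4Dh  (the 'FGJM' magic set before int 3) */
static const uint8_t FGJM[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A};
/* Methods 03/04: mov ax,1684h ; mov bx,VxD_ID ; int 2Fh */
static const uint8_t INT2F_SICE[]   = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};
static const uint8_t INT2F_SIWVID[] = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};
/* Method 05: mov ax,4Fh ; int 41h        Method 07: mov ah,43h ; int 68h */
static const uint8_t INT41_4F[] = {0xB8,0x4F,0x00, 0xCD,0x41};
static const uint8_t INT68_43[] = {0xB4,0x43, 0xCD,0x68};
/* Method 12: push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch via VxDCall) */
static const uint8_t VXD_INT41[] = {0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00};
/* Method 11: device names handed to CreateFileA / _lopen (no terminating NUL) */
static const uint8_t DEV_SICE[]   = {'\\','\\','.','\\','S','I','C','E'};
static const uint8_t DEV_SIWVID[] = {'\\','\\','.','\\','S','I','W','V','I','D'};
static const uint8_t DEV_NTICE[]  = {'\\','\\','.','\\','N','T','I','C','E'};

#define SIG(n, a) { n, a, sizeof(a) }
static const struct sig SIGS[] = {
    SIG("int3 BCHK (32-bit)", BCHK32),
    SIG("int3 BCHK (16-bit)", BCHK16),
    SIG("int3 FGJM magic", FGJM),
    SIG("int 2Fh/1684h SICE", INT2F_SICE),
    SIG("int 2Fh/1684h SIWVID", INT2F_SIWVID),
    SIG("int 41h/4Fh", INT41_4F),
    SIG("int 68h/43h", INT68_43),
    SIG("VxDCall VWIN32_Int41Dispatch 4Fh", VXD_INT41),
    SIG("device name \\\\.\\SICE", DEV_SICE),
    SIG("device name \\\\.\\SIWVID", DEV_SIWVID),
    SIG("device name \\\\.\\NTICE", DEV_NTICE),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

struct hit { size_t offset; const char *name; };

/* Exact byte match at every offset. Returns the total number of matches and
 * stores the first max_hits of them in ascending offset order. */
size_t scan_buffer(const uint8_t *buf, size_t len, struct hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t s = 0; s < NSIGS; s++) {
            const struct sig *g = &SIGS[s];
            if (g->len <= len - i && memcmp(buf + i, g->bytes, g->len) == 0) {
                if (n < max_hits) { hits[n].offset = i; hits[n].name = g->name; }
                n++;
            }
        }
    return n;
}

/* Constructed sample: NOP filler with four sequences planted at known offsets. */
#define DEMO_MAX 16
static struct hit demo_hits[DEMO_MAX];

size_t demo_run(void)
{
    uint8_t buf[128];
    memset(buf, 0x90, sizeof buf);
    memcpy(buf + 3,  BCHK32,    sizeof BCHK32);
    memcpy(buf + 32, FGJM,      sizeof FGJM);
    memcpy(buf + 48, VXD_INT41, sizeof VXD_INT41);
    memcpy(buf + 80, DEV_SICE,  sizeof DEV_SICE);
    return scan_buffer(buf, sizeof buf, demo_hits, DEMO_MAX);
}
long demo_hit_offset(size_t i) { return (long)demo_hits[i].offset; }
const char *demo_hit_name(size_t i) { return demo_hits[i].name; }

int main(void)
{
    size_t n = demo_run();
    for (size_t i = 0; i < n && i < DEMO_MAX; i++)
        printf("%04lx  %s\n", (unsigned long)demo_hit_offset(i), demo_hit_name(i));
    return 0;
}
```

Run it on an unpacked image: the matching is exact bytes, so a packer layer,
mov eax instead of mov ax, or loading DI before SI all escape it. That is also
why the BPX conditions given in the text, which fire on register and argument
values rather than on opcode bytes, are the more robust way to catch these
tricks at run time.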
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 ( 鲁ICP备19052200号-1 )

Powered by Discuz! X5.0