找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
4 @9 c" U" }0 i4 E" U<TBODY>2 u% ~7 N1 S! Q" r9 p+ l; V
<TR>
  e5 K& a$ w7 Q<TD><PRE>Method 01
$ ^; b) P% q7 e, r  {' L# j=========. p8 a) z: V& @, Q; b2 y

  x4 u: J3 p( Z; h' X# e5 rThis method of detection of SoftICE (as well as the following one) is
9 c. y2 l- t( f2 Qused by the majority of packers/encryptors found on Internet.: A% c9 |4 Y1 R6 G1 g* Z9 f
It seeks the signature of BoundsChecker in SoftICE
) c3 n+ c% X5 v5 A
' }. r( m4 ?5 v% K4 V1 R, [, T    mov     ebp, 04243484Bh        ; 'BCHK'
! C$ K$ a: B: `/ }- U    mov     ax, 04h
* R+ B" L2 u/ A7 D5 M: @" m    int     3      
6 M6 e+ Z+ R/ t4 \* q    cmp     al,4. w$ Y2 g/ B* S
    jnz     SoftICE_Detected  G4 _4 u5 q" h0 e/ K1 T

$ d5 V! h# c- C2 a; U___________________________________________________________________________; U% ]- G, n( L% z( \1 f" a6 v
: Q/ R6 c4 x# R, c8 }6 a
Method 02
$ I: M1 E1 f; l) m3 Z) Y=========
& t" G3 W0 r+ ]& [# }4 Y8 ?8 ~# R, Q
9 f9 a9 I) r& l8 v0 m4 O& U# K1 nStill a method very much used (perhaps the most frequent one).  It is used
7 S3 y. \5 q% \- \to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 q* }( o& e/ P0 A* Z' zor execute SoftICE commands...
3 J6 \& w7 t& o& S" r' w# RIt is also used to crash SoftICE and to force it to execute any commands4 b) q3 E& t9 |0 P
(HBOOT...) :-((  
4 O( ]0 `! g: n6 ], l* w# N7 W6 f8 ~  {1 u! ~- F
Here is a quick description:0 B* h( a! p* r; {# ]
-AX = 0910h   (Display string in SIce windows)$ ~5 ~7 d+ @# E
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)- @/ h% m# x1 g1 Y" D* e; A, J/ p
-AX = 0912h   (Get breakpoint infos)' S: T+ o- b% S- v
-AX = 0913h   (Set Sice breakpoints)
( C. v( i' l; B' r0 O6 a-AX = 0914h   (Remove SIce breakoints)8 {8 e' S0 Q4 ^! Z* e

. `: t& ?4 w6 w, V" kEach time you'll meet this trick, you'll see:
; V. x8 b7 P  V, d& Y7 ?' ~-SI = 4647h+ C% U' u  M; H& e. @  D+ G9 I0 b
-DI = 4A4Dh
6 `( ?" a/ [( Y5 K- ?Which are the 'magic values' used by SoftIce.
( f5 M# u$ e( ?' [- o2 DFor more informations, see "Ralf Brown Interrupt list" chapter int 03h./ y5 ^; K" z3 B! J0 R) V
, V6 X, d: t" C# Z2 q
Here is one example from the file "Haspinst.exe" which is the dongle HASP
1 `  ~8 a6 y/ T" r" K5 |Envelope utility use to protect DOS applications:( y. E' I% i3 M5 R4 k
* ?5 d  G% J. ~( Y4 o' N9 p
. T- O% i! p2 q: o
4C19:0095   MOV    AX,0911  ; execute command.
% A. P0 D4 A6 z4 C% G2 I4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
! l: ]/ K4 J4 d# q& P  g8 Y1 ?7 P  [$ }4C19:009A   MOV    SI,4647  ; 1st magic value." O. U0 w, x! o8 s+ b3 T
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.: H' r! ~" h6 X; W1 D& }& i7 d& w+ c
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)4 S; k4 Y8 f( k: w% w8 A8 a
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
0 T6 n( C5 h' C0 A- }4 Z4C19:00A4   INC    CX$ B% u- [5 d5 G4 w6 [
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute- s6 t% U1 F4 J
4C19:00A8   JB     0095     ; 6 different commands.* N- I* ]: i6 l+ ~+ u- @7 a( [9 x
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
6 ~  |. G# p. R. L9 v9 J+ ]( @4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
2 a7 `% L! H! R# G
$ U  ?/ S1 ^" o) `The program will execute 6 different SIce commands located at ds:dx, which- X: ^* ~3 R5 D0 g
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.* ~) B. Y8 N8 T# k( _* D  e, b! h9 B

7 z* n) ^% k: y# ?6 J* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.$ o- ^- e  R4 E" X' E
___________________________________________________________________________# b# |$ r3 V2 m1 c  d% N% W

0 H) G$ _) j7 I* v4 t+ {6 v. Z' o& _
Method 03% d2 K2 r: X% e; N# l. G" y
=========) y. t' D  @9 l
. e( C0 A/ K" h' I- z* G0 h1 {; W
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h3 }0 ]3 _& q; ~# I9 f8 n% `/ e
(API Get entry point)
; u- z' Z* v( q; t! g        
1 m1 v$ t- i& z# I0 Y* P
' e& A" V* I( D' x    xor     di,di
7 J- U+ j$ v1 l& \/ B    mov     es,di- M$ L( N& r5 n% ]% o  j
    mov     ax, 1684h      
* Y" K) C0 y: V6 n0 u# m    mov     bx, 0202h       ; VxD ID of winice+ \) x- C. b  X8 m2 h  L1 s
    int     2Fh
" r1 S9 Q2 v' R: U    mov     ax, es          ; ES:DI -&gt; VxD API entry point( M/ S- M: p; r/ R
    add     ax, di
$ h0 j  `  _0 ^' s; A    test    ax,ax4 ^+ I5 I" I5 b0 h# d3 U9 @
    jnz     SoftICE_Detected9 E/ ^) o4 e( o9 j0 H

* g  s) l6 j: Y% {6 j___________________________________________________________________________* o* V; K7 ^: P, D' b% G
1 b, V& G8 ~3 x% E
Method 043 A# f: d9 O% f7 G# m
=========
4 b/ B6 b6 J& j, r# d8 V: s# a, A7 s$ }6 A1 a) I0 f4 F
Method identical to the preceding one except that it seeks the ID of SoftICE* o1 Y1 E$ J- z6 _: Q' F9 y' G
GFX VxD./ x& O5 ^( N% z, q3 D

) y. @! F7 Z) J  I( I8 ^1 W) Y    xor     di,di0 e9 C8 ~7 J4 O  b
    mov     es,di+ p7 K: E. b1 g! {: r
    mov     ax, 1684h       : }" q- u' ]# e, r
    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 ~" q6 K8 ^% m1 D9 D, r
    int     2fh3 p: W& {4 W% w
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. y2 }  b- M) \    add     ax, di, k5 x  ]# t4 l7 F( x% o
    test    ax,ax
& M- }" ~' {3 k0 u- s    jnz     SoftICE_Detected
7 Z" M5 k# Y1 [. U4 Z% t# D& S! B+ {: b
__________________________________________________________________________/ H" }2 _( o& ]0 P% u, E8 l( x( `/ w* I

) i9 p5 c) @& {# i2 f8 k9 D2 y4 H  W2 v6 }
Method 05/ H' r: d# H8 u$ n
=========
, B% W) A. t; W1 T7 Y' ~  @9 I( U/ F7 b0 s: y& s
Method seeking the 'magic number' 0F386h returned (in ax) by all system
; X; [" `( ^2 ldebugger. It calls the int 41h, function 4Fh.
7 l& S! x/ L9 \There are several alternatives.  2 u3 e( Y, C% o: D3 w3 V0 |4 J# I  Z

( _" x  c0 u/ RThe following one is the simplest:" K- z/ ^0 E! g1 v' ]+ E/ |, E( G1 }* q
1 d4 y: \1 f2 y+ P
    mov     ax,4fh0 e5 v  \" S6 ~, E2 n
    int     41h
- |9 a+ c3 H, N8 m    cmp     ax, 0F386
2 ^7 y% f  P4 F- ]" c- ?( \7 w    jz      SoftICE_detected
  G; |! C! [0 ]5 P( r$ I- S) F( C
9 g0 k/ }% f/ D1 Y9 U0 ?# \
, E0 r( d; I/ K/ n! D' RNext method as well as the following one are 2 examples from Stone's
- m: `' _# a9 x"stn-wid.zip" (www.cracking.net):+ _7 Y/ |4 c% t

% h' I$ E) Q# G' r: ~) o8 x, h, N    mov     bx, cs
0 A# P$ |( @1 a; P5 U    lea     dx, int41handler2
8 k" j6 b' z7 u. Z3 n$ l. e! i    xchg    dx, es:[41h*4]
+ D' A& V% l* ]! q$ V, z    xchg    bx, es:[41h*4+2]/ @6 \3 r$ p/ e3 a# w
    mov     ax,4fh
2 }/ h7 T, J1 `' R" U* `  V" U& o    int     41h
- [5 z6 ?# W' _, F! G8 ?; {    xchg    dx, es:[41h*4], H" ^* b  U! k; H& j
    xchg    bx, es:[41h*4+2]
! s" l# c1 i! f- ]7 f& X    cmp     ax, 0f386h2 B0 R( y# u; H' N
    jz      SoftICE_detected
7 U" _3 h) h! w' M. q) R/ n! P# r. n9 Q9 V  H
int41handler2 PROC7 i8 M; Z0 k2 D( K0 ^0 Y  }
    iret) k; Q  v% y4 L) _1 H7 r
int41handler2 ENDP
# u7 _9 r& Q# a2 Y: c( A) {8 M+ t: ]* ^+ d

, u7 B( X  w4 \6 U* f$ a  U7 W_________________________________________________________________________
. S) F" k& v% h1 N  w9 p- }7 t% j5 P7 x
+ k# X7 x7 r/ K4 _0 y: ]6 b
Method 06
1 W. G; B, D* e3 i9 _5 f+ ]=========
: m9 x$ h+ P# h% G9 I6 X
3 |4 x6 S, T4 s2 L; ?! U% K6 R2 g6 n: ]/ X/ M- L) S9 o
2nd method similar to the preceding one but more difficult to detect:
4 g! O: M" _/ o: g
) \. l  d' f4 w8 F9 e. g8 F
( m2 S' a0 l  ?8 Y7 {  r- Tint41handler PROC
+ {3 w4 E/ L' B" ]7 I    mov     cl,al* B/ D( p4 y1 d! {
    iret
3 k9 J7 `5 z$ l% ]int41handler ENDP
' }$ l) c1 h) j" G( j# o+ o5 k4 d! O
! z, S$ R, i. L2 M6 t6 `) r' f3 B6 R
    xor     ax,ax
( i* {$ @! _+ C7 t& q) i    mov     es,ax9 s8 R8 r2 |: U+ x
    mov     bx, cs
2 a# `1 o' u1 m. s8 g4 t; O6 G; P    lea     dx, int41handler2 Y7 A& J0 n; U; @" d
    xchg    dx, es:[41h*4]
  S& k; z& y/ L% J- V    xchg    bx, es:[41h*4+2]
2 M* q7 p6 h" i5 T6 A    in      al, 40h6 a$ }# N! ?+ F1 s& F( q  s
    xor     cx,cx
- Y* s5 x6 [8 j0 p! Z    int     41h& A+ z  J- O) d! Y" O# M
    xchg    dx, es:[41h*4]
5 L4 v4 M7 D0 ^8 K# k# N! y    xchg    bx, es:[41h*4+2]
' l( n  @# n& C2 Y$ N- L    cmp     cl,al
8 s/ f, \8 R# s; t1 X/ ]    jnz     SoftICE_detected( }' W9 g3 D0 P+ A6 ~

# J3 N  l: h5 G' s_________________________________________________________________________# r/ t! s' ~- b& M9 v; u
3 B) l5 x' A) v3 ]( i! ^
Method 07$ }% U2 i/ k2 H2 d; R
=========
$ o+ x5 I0 W/ T9 T9 H- ^! v* H; r2 H  E/ \# f6 @1 R. \
Method of detection of the WinICE handler in the int68h (V86)
' N$ u( n6 o8 L0 o( t' G  A  a+ d( J5 Z. i/ N" S7 Y0 l. A4 f
    mov     ah,43h
) S0 w" G  E# N    int     68h
6 k# ]6 K3 n4 e% k' ?% R9 N    cmp     ax,0F386h
$ [5 C, @1 b" Z- z4 h) s% l    jz      SoftICE_Detected
* [* i7 `; s) _: r+ Y. ~
: P$ J6 g) X, P  S8 h9 v! i7 W
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit$ p1 N6 B. F% n, ^6 J
   app like this:& s- A/ C  K7 y! T4 M
% V# I8 b& s. {$ c. n' [
   BPX exec_int if ax==68* f* X$ o0 J9 x1 x( w, j
   (function called is located at byte ptr [ebp+1Dh] and client eip is
8 j# y) U! L/ |   located at [ebp+48h] for 32Bit apps)" Z2 f: q* P7 q- \( T1 A: [, n
__________________________________________________________________________  ^9 A* w5 i  h$ v( _$ W7 D! ~

/ Z- K% }8 P% f$ _5 z8 d
0 [- y6 I0 }' R1 w7 cMethod 087 R6 {2 m/ k0 y: N( T+ [
=========
% T: r0 e8 a. F& U' X/ J" H# l1 ?: I$ Y
It is not a method of detection of SoftICE but a possibility to crash the
* v' ]/ T- b- z" Rsystem by intercepting int 01h and int 03h and redirecting them to another
1 |, a& z) d+ c" Q! i( @+ hroutine.8 F" l/ w4 B; z! O2 g; G. g4 H
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points5 A7 }7 Z# Y$ {# W) l; C
to the new routine to execute (hangs computer...): i8 ~3 ^0 I! ]& |: ?
6 Z; j9 L# F* |3 X
    mov     ah, 25h
; _' R5 g* d3 e$ ?) a2 F    mov     al, Int_Number (01h or 03h)- b" h7 Y  ^: y  Y$ m* [
    mov     dx, offset New_Int_Routine
4 C- N, L+ z% f+ |- t1 ~    int     21h
0 k# ~9 E3 L" u& b; [8 {' S4 U, u7 u" N2 i
__________________________________________________________________________0 p2 I$ D! ^* M6 B, @
8 s6 z3 f6 o- J; q4 c
Method 09) l* z0 U8 \& n$ y" }- u
=========
. a  S  Z. f4 @3 A" r
0 F, ?$ f% `9 g' ~5 d& DThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only' d; b3 G3 _4 K3 h+ L1 @
performed in ring0 (VxD or a ring3 app using the VxdCall).( b( Y5 w' _; Z7 O
The Get_DDB service is used to determine whether or not a VxD is installed! P7 u: }2 z4 j1 D
for the specified device and returns a Device Description Block (in ecx) for- Q0 _- R- ?' @2 h5 w& J
that device if it is installed.
. E$ |0 g$ G& A' n/ f5 i
. C; r! a: q2 `5 z   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 P/ I0 c" t+ Z) P* H* G7 t   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% q/ X: _( N; U   VMMCall Get_DDB
3 A' a* `1 L9 W2 l( X- Z# W8 w$ d/ x" W   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
  ]6 p5 A, B- g
" }9 O( {' H8 w7 ^( y* @; gNote as well that you can easily detect this method with SoftICE:" L* ?* c8 H) f& H
   bpx Get_DDB if ax==0202 || ax==7a5fh
2 D- Y. W: x1 P8 J( N- K
: c( T5 X/ F" n: r5 k__________________________________________________________________________( i. S7 o$ t; w( f/ s3 D
. I* P& ]  i$ c4 k% U* Y9 u5 \' g; |8 L* d
Method 10* n! ^7 _: M: |/ R# `
=========
" ~2 X  k+ I" _! S" Z
: t3 ~' t' |, U& ?+ c# s# a) t=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' q4 E4 }" v- O: Z6 h  SoftICE while the option is enable!!
+ T+ p# {, U; g5 E2 [( ?% x/ k0 J  V+ u5 P: Q
This trick is very efficient:5 ^& K5 X8 i  \- {! C
by checking the Debug Registers, you can detect if SoftICE is loaded) m6 {: J% H. U8 O
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if9 U! L3 m$ o% c+ {
there are some memory breakpoints set (dr0 to dr3) simply by reading their, d3 u0 N' A9 l0 ^
value (in ring0 only). Values can be manipulated and or changed as well
- [0 p, `7 ]0 j(clearing BPMs for instance)- x4 F& A' I6 W: s# i, |) P/ Z- q, ]
5 o5 e  D, \0 t: I
__________________________________________________________________________* A4 C7 k2 Y* u% y; K
$ i4 o/ h9 Y+ h2 k6 e1 k
Method 115 L+ X; ^  W! }3 \$ K0 v
=========6 n1 x0 m' k  s: x
8 l) z) I& ]( \3 C+ }' G
This method is most known as 'MeltICE' because it has been freely distributed
% d- C( w0 J# ?% D6 avia www.winfiles.com. However it was first used by NuMega people to allow: r1 m" t6 k1 n+ ]
Symbol Loader to check if SoftICE was active or not (the code is located
5 e/ }1 M( {$ Pinside nmtrans.dll).
3 T! J  T" E4 H, D6 R! D( Z( l; |' L$ ~; N. m2 p: D
The way it works is very simple:
1 ^' l; ]- i/ V+ c9 `6 u+ l7 LIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for% X( L1 ^+ [) u+ M- X
WinNT) with the CreateFileA API.
1 @: W3 f# Z. U+ i0 y2 O
! [& R4 o3 C% Y! N; w) J, U* uHere is a sample (checking for 'SICE'):" Y- i& p9 |2 n. a4 q
2 i: ]; R) a2 t# I
BOOL IsSoftIce95Loaded()
/ o* q8 A( |: |{9 J" R6 t" R9 [% m" F
   HANDLE hFile;  
7 k8 ^+ I5 \" _2 Q  K   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; S3 e) z$ M0 ~- d
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
) o" v! Y5 N: O                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 L6 q8 R) q: }; G( q) H   if( hFile != INVALID_HANDLE_VALUE )7 Q5 O. M6 M5 H6 c3 m+ O
   {
- }# w+ V8 U1 h! [" ~" E  S. E      CloseHandle(hFile);0 s5 O; [6 B/ T- w- k/ F+ Q
      return TRUE;
- c4 ~& X7 ~5 F9 s6 @2 i3 T; y   }
4 J4 x3 c7 P/ g   return FALSE;
: N7 F: @( F/ {7 x3 b4 L% b}3 |/ y2 h6 ?# d$ ^, G# n
" b1 x2 o4 i" _; A; T* ]4 l
Although this trick calls the CreateFileA function, don't even expect to be. g& g- p  d0 {% W- Y
able to intercept it by installing a IFS hook: it will not work, no way!4 d/ z5 J2 h) E5 J& t. S
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
. [6 i* ]0 D: t0 k) e4 N- Aservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 _( a" k' D6 Mand then browse the DDB list until it find the VxD and its DDB_Control_Proc) x0 p3 _: J5 f
field.! @0 S; Y$ `$ Z- `
In fact, its purpose is not to load/unload VxDs but only to send a
3 J$ ?9 X* V& z5 ?4 x2 o0 GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
) v7 f3 ~* Q- [1 `to the VxD Control_Dispatch proc (how the hell a shareware soft could try
) S; |. ]+ C6 A5 S) D4 J/ F8 Hto load/unload a non-dynamically loadable driver such as SoftICE ;-).; V7 G8 c$ h/ h+ }( V* u6 J6 W7 B
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 \9 F# d) O4 w* A- Y$ ~its handle to be opened and then, will be detected.
8 {* ~  q6 K, F$ pYou can check that simply by hooking Winice.exe control proc entry point
& `1 z6 E  o7 v! Twhile running MeltICE.
3 v; m$ ?2 r3 Y; c% j8 N( }) l4 j* f# f! O7 }" N

3 h4 p2 J' e& x1 E$ K! M0 y, r  00401067:  push      00402025    ; \\.\SICE) a: ^" e6 [& W5 v( ?
  0040106C:  call      CreateFileA( T5 j7 e2 D7 h! m5 Z, J
  00401071:  cmp       eax,-001
) J* v2 r# L' X$ H3 C) X0 ?0 n  00401074:  je        004010912 B1 R! A1 `5 @  D2 \

0 X. Z1 O( K; O4 ~( Q" I# g
& X* r$ B# \* _  x1 Q9 i/ O) H2 q1 |There could be hundreds of BPX you could use to detect this trick.
9 `5 ^4 ?# ~! O-The most classical one is:9 v: v# k: G0 n; @; S" ^
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
5 G3 r2 W. u( [    *(esp-&gt;4+4)=='NTIC'
+ E5 w' B* W/ K. S0 n# Y, Z
0 a3 w3 _$ a; i+ B  w6 p  _3 Z5 }-The most exotic ones (could be very slooooow :-(
4 H5 P% r  J! K3 f   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  , A6 d, S! S+ i, S5 K3 ]
     ;will break 3 times :-(; K  J7 o9 ]0 k9 E8 X9 l
- x  |1 W# E% N, d& d
-or (a bit) faster: 5 y8 p% {3 F4 s
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
0 }. {; j3 g) r3 R! q* r7 o" W- g$ f2 m# C& r
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  & V4 N2 {1 _! i
     ;will break 3 times :-($ V3 g& U( Y1 u; H, _  A1 e" L5 ?

+ o- j4 R6 g% y/ u-Much faster:
& }# [7 X: C, U6 @! I" H) |  a   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
/ n9 g8 V. T! n9 }
+ D4 W" O- L1 b+ x6 kNote also that some programs (like AZPR3.00) use de old 16-bit _lopen" }" J8 P" j0 F- j2 g
function to do the same job:8 `7 I$ n) n; D% ~' [3 @
& z( K3 h  [3 V, T( w! y
   push    00                        ; OF_READ
. i4 G# T& ?1 V* m& H   mov     eax,[00656634]            ; '\\.\SICE',0
7 J& h7 J5 j  F* k" ]9 o   push    eax
# ~7 A# M6 H! n7 h" ], K9 j   call    KERNEL32!_lopen! Q' b  F) e( \6 D. B) Z
   inc     eax
% N6 N  y% j  |& n) {   jnz     00650589                  ; detected
9 r: n8 U- J3 N0 }; o   push    00                        ; OF_READ1 D9 Z7 b8 R; v7 g' X+ k( B
   mov     eax,[00656638]            ; '\\.\SICE': I# p$ N& c' L# d3 L7 v4 {
   push    eax
$ B4 y/ K8 u$ O   call    KERNEL32!_lopen2 d( t5 W" N, ]6 F, i( O
   inc     eax
0 _+ G! p1 ]5 n7 e; l& c   jz      006505ae                  ; not detected: p! X; W9 T: U  E5 r8 g* f
( B) J. j" d% f- t. M
( `' x( v7 c; q* E
__________________________________________________________________________
/ N* r2 ]% F. z$ S0 ?& a# @4 p0 j. N+ t6 L2 y
Method 12
4 V$ m4 T; s; u. F  q=========4 }$ C$ j+ s; o3 T1 a2 H

! B# m# f: c% h! y9 C7 dThis trick is similar to int41h/4fh Debugger installation check (code 059 ]5 }7 h# Y. G6 L& y
&amp; 06) but very limited because it's only available for Win95/98 (not NT)( G0 D( [: d7 w7 b) E0 ^
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.8 A# f! T$ E: _  k2 k; a: @

$ H# w3 g. i* t6 c& b8 S9 a   push  0000004fh         ; function 4fh7 x& t; x7 Y$ p" ~
   push  002a002ah         ; high word specifies which VxD (VWIN32)3 E4 |* x5 m3 L. E+ b7 a
                           ; low word specifies which service
1 x3 Z- k" R- L0 \                             (VWIN32_Int41Dispatch)
: B$ x9 t! c# f; M/ d   call  Kernel32!ORD_001  ; VxdCall
% |7 V3 h9 D. G, M( p) h! G' x0 f  c   cmp   ax, 0f386h        ; magic number returned by system debuggers
/ y; |, E; T& m) Z5 Y   jz    SoftICE_detected
$ H6 c( k' j7 k% n4 ]
0 K: W7 c' I4 `0 q% ~% nHere again, several ways to detect it:, d' e; }% d) j% w9 d

6 ]7 T, D/ M- z; f! e    BPINT 41 if ax==4f2 ~5 c$ L' L1 i+ V1 R
% V  k/ u3 Z. t& ^6 ~
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
% }9 D. [/ o  E# m& h  l$ @! l' b* a  l# G( \' U5 P  s# j8 I5 k# ^+ I
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
- f3 X# t: ^! f/ i
. S2 R3 r+ W8 B! E7 g3 n. Q4 h    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
, o* f9 H4 J! F  G- i- _: h& y4 v, T7 t, E
__________________________________________________________________________* D1 E# H/ ]) B; X1 o

/ O! R1 b9 {+ H0 E* @Method 137 J3 X1 M1 b5 y
=========) U4 j# w- g$ M; t& G# {/ i" Y2 V4 y
) d1 v5 h! l1 L, P, p
Not a real method of detection, but a good way to know if SoftICE is
+ w! c2 T9 o! y* Y3 c+ a; ?installed on a computer and to locate its installation directory.3 I1 A8 ^2 z: Y  X% f3 g% q
It is used by few softs which access the following registry keys (usually #2) :1 G( m1 ~: d& O3 P

. q: s9 W7 n. v5 G-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 B5 S0 X' U3 L2 R9 A: r  X- ]# D
\Uninstall\SoftICE
+ k, P/ J  s1 Q1 Q  W( y$ ^-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE1 Y# T4 W" ^1 J3 s4 x9 f1 R1 v  B
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& m) U) X& f! W; t
\App Paths\Loader32.Exe
+ X( z$ K( j1 C  h3 \# h5 y0 m: [# L5 W, z" G

) [; F7 R$ q- Y" B! T. r+ x5 h6 iNote that some nasty apps could then erase all files from SoftICE directory& V7 m7 k* b# w9 c/ f2 c. c
(I faced that once :-(8 r+ j7 M2 H% l& ?$ Z! f2 v  X

: |. D6 P0 h; C* M4 MUseful breakpoint to detect it:
0 ]5 J, t' [7 u$ L% e
* X2 ]4 l* u. g% l* Y( Q0 V% z2 @3 G     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'" j  s; y. U6 Z/ ~5 O( h9 a# w& N
. t7 c. g1 H& N6 V! E8 c" f
__________________________________________________________________________9 ?: C& E; A, @1 r. U9 w0 c# a/ w

) j( `  V- V5 K& v- y& M
9 r2 F; B  k3 B# U9 j0 t% }  yMethod 14 % M* x; Y% O# T, }( y" z  h8 i
=========
* d6 h9 R- J. K" U! e5 f3 I1 {% `! ^7 }! K% s
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
# T7 x9 S$ M9 c2 w  f5 sis to determines whether a debugger is running on your system (ring0 only).6 p* H7 S2 t! @# V& r( `
  O8 \% l4 M9 f- W# x0 Y- q
   VMMCall Test_Debug_Installed) Y3 N- L3 t" _* n4 d( I
   je      not_installed" g2 D8 z; l6 v7 ]: g
; |1 Z  N- P) g
This service just checks a flag.6 v. [* x2 y: D! }- t. _
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-7 19:08

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表