About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: when SoftICE
is loaded, its int 3 handler recognizes the 'BCHK' magic in EBP and
modifies AL, so AL still being 4 after the int 3 means nobody answered.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker magic)
    mov     ax, 04h
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al,4                   ; AL unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It uses
the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (SEH) if the
  debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(API "Get Device API Entry Point"): if the VxD is loaded, ES:DI receives
its API entry point; otherwise ES:DI stays at the 0:0 we put there.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by system
debuggers. It calls int 41h, function 4Fh ("debugger installation check").
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one as well as the one in Method 06 are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is first
pointed at a dummy handler: a debugger that still answers 0F386h must have
intercepted the interrupt before the IVT vector was reached.

    xor     ax,ax
    mov     es,ax            ; ES = 0: the IVT segment (the original listing
                             ; omitted this; es:[41h*4] needs it)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]   ; install dummy handler, keep old offset in dx
    xchg    bx, es:[41h*4+2] ; ... and old segment in bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]   ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A 2nd method similar to the preceding one but more difficult to detect:
the int 41h vector is pointed at a handler that copies AL into CL. A
random-ish value (the PIT counter read from port 40h) is put in AL and CX
is cleared before the call; if our handler really ran, CL equals AL
afterwards. If SoftICE has intercepted int 41h, the handler never runs and
CL stays 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax            ; ES = 0: the IVT segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h          ; random-ish value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: int 01h
and int 03h are intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

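The debug-register check above is only as good as your reading of DR7. The decoder below is an added example, not part of the original text: it takes a DR7 value (read from ring0, or simply copied from a debugger's register window) and reports the 0x700 "loader" signature and which of the four hardware breakpoint slots are armed, with their type and length, using the bit layout from the Intel manual (bits 0-7 are L0,G0..L3,G3; bit 8 LE, bit 9 GE; bit 10 is a reserved always-one bit, which is why an idle DR7 reads 0x400 and the loader case 0x700; bits 16-31 hold R/W and LEN for each slot). The function names `decode_dr7`, `dr7_arm`, `dr7_slot_len` and `dr7_slot_kind` and the sample values in main are this example's own.

```c
/* Added example: decode DR7 the way a ring0 anti-debug check would.
 * Nothing here touches real debug registers; sample values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE        (1u << 8)
#define DR7_GE        (1u << 9)
#define DR7_RESERVED  (1u << 10)   /* reads as 1: the plain 0x400 */

struct dr_slot {
    bool enabled;          /* Li or Gi bit set for this slot */
    const char *kind;      /* exec / write / io / rw */
    unsigned len;          /* 1, 2, 4 (8 only meaningful in 64-bit mode) */
};

struct dr7_view {
    bool loader_signature; /* LE and GE set: the 0x700 pattern the text mentions */
    unsigned active;       /* number of armed hardware breakpoints */
    struct dr_slot slot[4];
};

static const char *rw_name(unsigned rw)
{
    static const char *const names[4] = { "exec", "write", "io", "rw" };
    return names[rw & 3];
}

static unsigned len_bytes(unsigned len)
{
    static const unsigned sizes[4] = { 1, 2, 8, 4 }; /* 00=1, 01=2, 10=8, 11=4 */
    return sizes[len & 3];
}

struct dr7_view decode_dr7(uint32_t dr7)
{
    struct dr7_view v = { 0 };
    v.loader_signature = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    for (unsigned i = 0; i < 4; i++) {
        unsigned enable = (dr7 >> (2 * i)) & 3;        /* Li | Gi */
        unsigned rw     = (dr7 >> (16 + 4 * i)) & 3;   /* R/Wi */
        unsigned len    = (dr7 >> (18 + 4 * i)) & 3;   /* LENi */
        v.slot[i].enabled = enable != 0;
        v.slot[i].kind = rw_name(rw);
        v.slot[i].len = len_bytes(len);
        if (v.slot[i].enabled)
            v.active++;
    }
    return v;
}

/* Convenience accessors for one slot of a decoded DR7. */
unsigned dr7_slot_len(uint32_t dr7, unsigned i)
{
    struct dr7_view v = decode_dr7(dr7);
    return v.slot[i & 3].len;
}

const char *dr7_slot_kind(uint32_t dr7, unsigned i)
{
    struct dr7_view v = decode_dr7(dr7);
    return v.slot[i & 3].kind;
}

/* Build the DR7 bits a debugger sets to arm slot i as a local breakpoint
 * of the given R/W code and LEN code; used here to construct sample values. */
uint32_t dr7_arm(uint32_t dr7, unsigned i, unsigned rw, unsigned len_code)
{
    i &= 3;
    dr7 |= 1u << (2 * i);                              /* Li */
    dr7 &= ~(0xfu << (16 + 4 * i));
    dr7 |= (uint32_t)((rw & 3) | ((len_code & 3) << 2)) << (16 + 4 * i);
    return dr7;
}

int main(void)
{
    /* constructed samples: idle DR7, the 0x700 loader signature, and a
     * 4-byte read/write BPM armed in slot 0 on top of the plain 0x400 */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm(0x400, 0, 3, 3) };
    for (size_t s = 0; s < 3; s++) {
        struct dr7_view v = decode_dr7(samples[s]);
        printf("dr7=%#x loader=%d active=%u", samples[s], v.loader_signature, v.active);
        for (unsigned i = 0; i < 4; i++)
            if (v.slot[i].enabled)
                printf(" slot%u=%s/%u", i, v.slot[i].kind, v.slot[i].len);
        printf("\n");
    }
    return 0;
}
```

A BPM set with SoftICE shows up as an armed slot here, which is exactly what the warning at the top of this method is about: the protected program can read those bits and clear them (or refuse to run) as soon as you set one.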
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver answers an open request, i.e. SoftICE for
   Win9x is loaded.  Use "\\\\.\\SIWVID" or "\\\\.\\NTICE" for the other two. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is there */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>

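Most of the tricks above leave recognizable byte sequences in the binary, and a quick scan for them before single-stepping tells you which of the methods to expect. The scanner below is an added example, not from the original text or from any of the programs it mentions: it matches the machine-code encodings of the listings on this page (assembled for 16-bit code unless noted in the comment) plus the MeltICE device names against a buffer. The function names `scan_anti_sice` and `first_hit`, the signature labels and the sample buffer in main are this example's own, and the sample is constructed rather than taken from a real program.

```c
/* Added example: byte-pattern scanner for the anti-SoftICE sequences listed
 * on this page.  Plain byte matching only: code that is packed, encrypted or
 * built from split instructions will not show up here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct sig { const char *name; const uint8_t *bytes; size_t len; };

static const uint8_t s_bchk[]    = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };             /* mov ebp,'BCHK' (66h prefix in 16-bit code) */
static const uint8_t s_fgjm[]    = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC }; /* mov si,4647h ; mov di,4A4Dh ; int 3 */
static const uint8_t s_sice[]    = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t s_siwvid[]  = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const uint8_t s_int41[]   = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };             /* mov ax,4Fh ; int 41h */
static const uint8_t s_int68[]   = { 0xB4, 0x43, 0xCD, 0x68 };                   /* mov ah,43h ; int 68h */
static const uint8_t s_vxdcall[] = { 0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 4Fh ; push 2A002Ah (32-bit code) */
static const uint8_t s_dsice[]   = "\\\\.\\SICE";     /* MeltICE / _lopen device names */
static const uint8_t s_dsiwvid[] = "\\\\.\\SIWVID";
static const uint8_t s_dntice[]  = "\\\\.\\NTICE";

#define SIG(n, b)    { n, b, sizeof(b) }
#define SIGSTR(n, b) { n, b, sizeof(b) - 1 }   /* drop the terminating NUL */

static const struct sig sigs[] = {
    SIG("BoundsChecker 'BCHK' int 3 (method 01)", s_bchk),
    SIG("back door magic FG/JM + int 3 (method 02)", s_fgjm),
    SIG("int 2F/1684 SICE VxD (method 03)", s_sice),
    SIG("int 2F/1684 SIWVID VxD (method 04)", s_siwvid),
    SIG("int 41/4F debugger check (method 05)", s_int41),
    SIG("int 68/43 WinICE check (method 07)", s_int68),
    SIG("VxDCall VWIN32_Int41Dispatch (method 12)", s_vxdcall),
    SIGSTR("\\\\.\\SICE device name (method 11)", s_dsice),
    SIGSTR("\\\\.\\SIWVID device name (method 11)", s_dsiwvid),
    SIGSTR("\\\\.\\NTICE device name (method 11)", s_dntice),
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* Scan buf; store the signature index of each hit in hits (up to max_hits;
 * hits may be NULL when max_hits is 0) and return the total number of hits,
 * lowest offset first. */
size_t scan_anti_sice(const uint8_t *buf, size_t n, size_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t off = 0; off < n; off++)
        for (size_t s = 0; s < NSIGS; s++)
            if (sigs[s].len <= n - off && memcmp(buf + off, sigs[s].bytes, sigs[s].len) == 0) {
                if (count < max_hits) hits[count] = s;
                count++;
            }
    return count;
}

/* Index into sigs[] of the first match, or -1 if the buffer is clean. */
int first_hit(const uint8_t *buf, size_t n)
{
    size_t idx;
    return scan_anti_sice(buf, n, &idx, 1) ? (int)idx : -1;
}

int main(void)
{
    /* constructed sample: the method 05 check, a NOP, a MeltICE device
     * string, a NOP, then the HASP-style back-door sequence of method 02 */
    uint8_t sample[32];
    size_t p = 0, hits[16];
    memcpy(sample + p, s_int41, sizeof s_int41); p += sizeof s_int41;
    sample[p++] = 0x90;
    memcpy(sample + p, s_dsice, 8);              p += 8;
    sample[p++] = 0x90;
    memcpy(sample + p, s_fgjm, sizeof s_fgjm);   p += sizeof s_fgjm;

    size_t n = scan_anti_sice(sample, p, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("hit %zu: %s\n", i, sigs[hits[i]].name);
    return 0;
}
```

The register-immediate encodings assume the operand size the original listings were written for; in a 32-bit section the 16-bit moves gain a 66h prefix and `cmp ax,0F386h` becomes `66 3D 86 F3`, so add those variants if you scan PE files. Methods 08, 09, 10, 13 and 14 have no fixed byte signature worth matching (VMM calls and registry strings vary with the build), which is why they are absent from the table.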