About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device can be opened, i.e. the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
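A static triage scanner for the byte patterns these tricks leave in a binary, as an added example that is not part of the original post or of any tool it names: the signatures encode the instruction sequences quoted above (methods 01, 02, 03/04, 05 and 07) plus the MeltICE device names of method 11, and the sample bytes are constructed here, not taken from a real file.

```python
"""Static triage scanner for the anti-SoftICE instruction sequences and device
names described in the post (constructed example, not the post's own code)."""
import re
from typing import List, Tuple

# (name, bytes regex). The lazy gaps ".{0,8}?" tolerate a few bytes of unrelated
# instructions between the key ones, as in the Haspinst.exe listing above.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; [66] mov ax,4 ; int 3
    ("method01_bchk_int3",
     rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00.{0,8}?(?:\xCC|\xCD\x03)"),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order), then int 3
    ("method02_backdoor_magic",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
     rb".{0,8}?(?:\xCC|\xCD\x03)"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("method03_04_int2f_1684",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("method05_int41_4f", rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("method07_int68_43", rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3"),
    # Method 11 (MeltICE): NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE
    ("method11_meltice_devname", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
]
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every hit in data, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: a method 01 fragment, the method 02 magic-value fragment
# from the Haspinst.exe listing, and a MeltICE device string, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh  (offset 4)
    + b"\x66\xB8\x04\x00"       # mov ax, 4
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x75\x10"               # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"           # mov ax, 0911h  (16-bit code, offset 22)
    + b"\x8B\x17"               # mov dx, [bx]
    + b"\xBE\x47\x46"           # mov si, 4647h  (offset 27)
    + b"\xBF\x4D\x4A"           # mov di, 4A4Dh
    + b"\xCC"                   # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"        # '\\.\SICE' as CreateFileA sees it (offset 38)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Offsets are reported as found; a hit only flags a candidate sequence for manual review, since the same bytes can occur in unrelated data.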