About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (IVT segment), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
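As an added example (not part of the original text, nor of any tool it names), here is a small static scanner in Python that looks for the instruction sequences and device names quoted in Methods 01 through 12, so an analyst can flag a binary that uses these tricks before loading it in a debugger. The rule names, the optional 0x66 operand-size prefix handling and the hand-assembled sample buffer are my own assumptions; the constants come from the methods above.

```python
import re

# Byte patterns for the anti-SoftICE tricks in Methods 01 to 12 above.
# Each pattern is the machine code (or device-name string) the trick
# relies on; an optional 0x66 operand-size prefix covers 16-bit code and
# 32-bit code that uses 16-bit registers.  Rule names are my own.
ANTI_SOFTICE_RULES = {
    # Method 01: mov ebp,'BCHK' (0x4243484B stored little-endian)
    "m01_boundschecker_bchk": rb"\xbd\x4b\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh (back-door magic values)
    "m02_backdoor_magic_si_di": rb"(?:\x66)?\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a",
    # Methods 03/04: mov bx,0202h (SICE) or 7A5Fh (SIWVID) ... int 2Fh
    "m03_m04_int2f_vxd_id": rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f",
    # Method 05: mov ax,4Fh ; int 41h
    "m05_int41_fn4f": rb"(?:\x66)?\xb8\x4f\x00\xcd\x41",
    # Methods 05/07/12: cmp ax,0F386h (system-debugger magic number)
    "f386_magic_cmp": rb"(?:\x66)?\x3d\x86\xf3",
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_fn43": rb"\xb4\x43\xcd\x68",
    # Method 08: mov ah,25h ; mov al,01h or 03h ; ... ; int 21h
    "m08_dos_set_vector_int1_int3": rb"\xb4\x25\xb0[\x01\x03].{0,6}?\xcd\x21",
    # Method 11: "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" device name
    "m11_meltice_device_name": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch for VxDCall)
    "m12_vxdcall_int41dispatch": rb"\x68\x2a\x00\x2a\x00",
}

_COMPILED = {name: re.compile(pat, re.DOTALL)
             for name, pat in ANTI_SOFTICE_RULES.items()}


def scan_anti_softice(data):
    """Return a list of (offset, rule_name) hits, sorted by offset."""
    hits = []
    for name, rx in _COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: a few of the instruction sequences quoted above,
# hand-assembled, between a benign prologue and a ret.  Not a real file.
SAMPLE_BINARY = (
    b"\x55\x8b\xec"                          # push ebp ; mov ebp,esp
    b"\xbd\x4b\x48\x43\x42"                  # mov ebp,'BCHK'                (M01)
    b"\x66\xb8\x04\x00\xcc"                  # mov ax,4 ; int 3
    b"\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"      # mov si,4647h ; mov di,4A4Dh ; int 3 (M02)
    b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"      # mov ax,1684h ; mov bx,0202h ; int 2Fh (M03)
    b"\xb8\x4f\x00\xcd\x41"                  # mov ax,4Fh ; int 41h          (M05)
    b"\x3d\x86\xf3"                          # cmp ax,0F386h
    b"\xb4\x43\xcd\x68"                      # mov ah,43h ; int 68h          (M07)
    b"\xb4\x25\xb0\x03\xba\x00\x01\xcd\x21"  # mov ah,25h ; mov al,3 ; mov dx,100h ; int 21h (M08)
    b"\x6a\x4f\x68\x2a\x00\x2a\x00"          # push 4Fh ; push 2A002Ah       (M12)
    b"\\\\.\\SICE\x00"                       # "\\.\SICE",0                  (M11)
    b"\xc3"                                  # ret
)

if __name__ == "__main__":
    for offset, name in scan_anti_softice(SAMPLE_BINARY):
        print(f"{offset:#06x}  {name}")
```

Methods 09, 10, 13 and 14 (ring-0 VMM services, debug registers, registry access) are not byte-pattern tricks and are not covered by these rules.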