About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
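As an added triage aid (not part of the original post), here is a small Python scanner that looks for the byte footprints of the methods above in a raw binary image, so an analyst can flag a sample that carries these anti-SoftICE checks before stepping through it. The opcode encodings, the 64-byte proximity window and the sample blob are my own assumptions and constructions, not something the page supplies.

```python
"""Static triage scanner for the anti-SoftICE tricks catalogued above.

Each signature is the byte footprint of one method as the text quotes it: the
immediates of the assembly listings or the device/registry strings. It fires
when all fragments occur within WINDOW bytes of the first one (a 66h prefix
in 32-bit code precedes the opcode, so it does not disturb the match).
"""

WINDOW = 64  # max distance (bytes) from the first fragment to the others

SIGNATURES: list[tuple[str, list[bytes]]] = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     [b"\xBD\x4B\x48\x43\x42"]),                        # mov ebp,4243484Bh
    ("Method 02: SoftICE back door SI=4647h/DI=4A4Dh",
     [b"\xBE\x47\x46", b"\xBF\x4D\x4A"]),               # mov si / mov di
    ("Method 03: int 2Fh/1684h, VxD ID 0202h (SICE)",
     [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"]),  # mov ax/mov bx/int 2Fh
    ("Method 04: int 2Fh/1684h, VxD ID 7A5Fh (SIWVID)",
     [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"]),
    ("Method 05: int 41h function 4Fh",
     [b"\xB8\x4F\x00\xCD\x41"]),                        # mov ax,4Fh / int 41h
    ("Method 07: int 68h function 43h",
     [b"\xB4\x43\xCD\x68"]),                            # mov ah,43h / int 68h
    ("Method 11: MeltICE opens \\\\.\\SICE", [b"\\\\.\\SICE"]),
    ("Method 11: MeltICE opens \\\\.\\SIWVID", [b"\\\\.\\SIWVID"]),
    ("Method 11: MeltICE opens \\\\.\\NTICE", [b"\\\\.\\NTICE"]),
    ("Method 12: VxDCall VWIN32_Int41Dispatch function 4Fh",
     [b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"]),    # push 4Fh / push 2A002Ah
    ("Method 13: NuMega\\SoftICE registry key",
     [b"Software\\NuMega\\SoftICE"]),
]


def scan(image: bytes) -> dict[str, list[int]]:
    """Map each signature label to the offsets at which it fires."""
    hits: dict[str, list[int]] = {}
    for label, frags in SIGNATURES:
        first, rest = frags[0], frags[1:]
        pos = image.find(first)
        while pos != -1:
            region = image[pos:pos + WINDOW]
            if all(f in region for f in rest):
                hits.setdefault(label, []).append(pos)
            pos = image.find(first, pos + 1)
    return hits


# Constructed sample (not a real binary): NOP padding, the Method 02 sequence
# from the Haspinst listing (mov ax,0911h / mov dx,[bx] / mov si,4647h /
# mov di,4A4Dh / int 3), a MeltICE device name, then Method 12's two pushes.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"
)

if __name__ == "__main__":
    for label, offsets in sorted(scan(SAMPLE).items()):
        print(f"{label}: {', '.join(hex(o) for o in offsets)}")
```

Run it over a file with `scan(open(path, "rb").read())`; a hit only says the footprint is present, so confirm it in the disassembly before drawing conclusions.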