找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>+ u! S* ?) }$ b) i0 c9 w4 x
<TBODY>
- S" A, ?$ i+ o' }' b) E<TR>) D8 k: e( R) O3 b5 q/ `
<TD><PRE>Method 01
4 p1 R7 O0 }) o; _4 e; p5 C=========& M0 M3 O* L5 b+ W( [

+ E+ j; O# g4 S; X1 HThis method of detection of SoftICE (as well as the following one) is& h" Z% @9 F) l  R
used by the majority of packers/encryptors found on Internet.
, ^8 l; T0 Q9 _8 rIt seeks the signature of BoundsChecker in SoftICE1 Q, F# c  |, a$ N" |% B: c

) E9 e! d$ Y6 P    mov     ebp, 04243484Bh        ; 'BCHK', l2 a1 s( E1 _: N0 L
    mov     ax, 04h
* I% R( n) `$ ?  ~    int     3       " _. Z2 [2 e' E
    cmp     al,4
  ]3 A/ Q1 J& S    jnz     SoftICE_Detected
( b8 `0 r& I" t, l/ _  B; n1 L! Y4 L- B
___________________________________________________________________________# c$ T( Q$ t, X" e- s! F4 a
  |" n% @! c1 c1 e/ x
Method 02
! J0 x0 w$ [$ K' u: E8 ~=========9 N! }( j, {% I7 M- b

, _" T4 I6 x1 V5 }Still a method very much used (perhaps the most frequent one).  It is used6 [" e6 Z6 I' q; W/ N' {9 _/ m5 n
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
& s. S9 T. L+ n* T( P8 Q3 l* k" ?2 ~or execute SoftICE commands...0 s9 [% l4 t" I& t. H. q& b. p
It is also used to crash SoftICE and to force it to execute any commands8 W% t7 l! P9 s' k, x7 |; a
(HBOOT...) :-((  1 ?  _) b3 B# J2 L0 D+ A

5 d; D* b( a6 ?3 o3 d  V2 QHere is a quick description:
5 j& l1 B, w6 N9 K-AX = 0910h   (Display string in SIce windows)
3 L4 c5 A! M, T$ ]1 D-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
6 T: C( ^8 z0 u+ }-AX = 0912h   (Get breakpoint infos)! U; }' }6 T5 p1 D) j
-AX = 0913h   (Set Sice breakpoints)
( D$ [6 c# I+ W- k-AX = 0914h   (Remove SIce breakoints)
2 }- ]( }5 y9 Z  J6 g8 k( q
# {" i) v' d7 T0 i7 {5 [: }Each time you'll meet this trick, you'll see:8 [9 T  Q. ?0 k2 N) e$ u8 a. q
-SI = 4647h& }5 v6 B2 y5 J' {3 M
-DI = 4A4Dh
6 }0 {  w6 A6 mWhich are the 'magic values' used by SoftIce.. z  y3 x! h( k
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
, m# ]4 q& l; v* V; n* r6 J; d) M8 g0 z* {
Here is one example from the file "Haspinst.exe" which is the dongle HASP$ T& a& c: f4 n' I" l9 M: |2 _
Envelope utility use to protect DOS applications:
9 q: T0 u; g" }/ ]" j) j
8 |5 M7 b: _8 Q) g& z3 Y
6 R* w' ~8 P! L+ G7 o: k3 |4C19:0095   MOV    AX,0911  ; execute command.. X, Y) K$ |0 `  c+ v" }6 y
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
- U6 u, W  x4 Y( h7 v8 _% ~4C19:009A   MOV    SI,4647  ; 1st magic value.( b4 |3 {: c5 x
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
" {- Q+ s% C$ L4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)/ d$ K; u  V# i0 e. ^; Q
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute, r2 f9 m) G9 C8 Y( F
4C19:00A4   INC    CX, i( y+ m. Q- q
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
  o1 P: u: q! X3 [/ w, w9 d$ F1 F4C19:00A8   JB     0095     ; 6 different commands.
7 d( {+ L) r( f, ^* ]7 }# u; _4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
2 j; [, }; t/ d9 q1 [* D, U5 i4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)2 g( E. @4 ^3 n6 W$ _! v  y

" ^4 S  ?1 O' Y  c" `# |* E. B9 PThe program will execute 6 different SIce commands located at ds:dx, which7 e/ a5 T* ^  R
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ X. A0 Z9 `1 a7 N' m3 t+ ]$ r
  t8 L1 e' L7 ?" t- t2 U
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! U8 k2 a8 v  V' Y) c8 {
___________________________________________________________________________. e- p7 ]2 |' c2 ]  _; Z
. G0 [% r# _, G6 ?, r, i' d; O
) r5 c) m4 G" Z' k
Method 03! }, m' B% U. k1 f, ]
=========
% ?, \! H/ ]" j: z3 o8 e; ]
8 ?6 O0 ~- L' O: ALess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 T7 v  f( ^8 A0 t1 L' C: Y(API Get entry point)
8 s3 p* s0 b  d        
* C) d4 n* k) m2 m
0 C- _5 e' L& H, P. ?$ ]8 X8 Z    xor     di,di) f2 ~. W' ~  T' ]
    mov     es,di% u' ~8 S. m- E1 K
    mov     ax, 1684h       ; z/ L$ J, o1 M) t0 U
    mov     bx, 0202h       ; VxD ID of winice
- R) f) l# W8 c9 v0 Q    int     2Fh! b3 l" l& w- [. _
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( t9 G% ]7 Z- j8 L+ A! b    add     ax, di& c4 }8 M# m) e- Z( Y( P
    test    ax,ax6 Z  J  Y0 B2 y. I& C) n3 G
    jnz     SoftICE_Detected& S1 w$ s. B& q& Z

2 U& k. p3 b3 d+ A$ H___________________________________________________________________________' |/ w: b8 |" R, S0 ]
8 c, ^% c+ u6 Y
Method 04
  k3 d0 D% Y- \/ }. B5 t; ?; _=========
5 p# _% s; a( ?" O- P* x  a: }. n) ~% }
Method identical to the preceding one except that it seeks the ID of SoftICE' u9 b  _4 V7 }* }
GFX VxD.$ o- K6 d/ G" ?; ~  T

  Z  Z$ S& _8 M; v' z9 x    xor     di,di
) \" z. W# m9 O  Z' z' D- d$ z    mov     es,di5 h# ]9 B! M" p. Y5 ^) c
    mov     ax, 1684h      
" f5 s' C  h( k5 {5 W    mov     bx, 7a5Fh       ; VxD ID of SIWVID
$ A, i: h. T" z' {6 X1 a* @    int     2fh$ _  z! R- x. k& h3 x( O- U( Y
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
$ ~' L: y2 w" K( W6 Q# _    add     ax, di
' m$ G. u% x7 ~0 P    test    ax,ax
: R* y8 ~# p# {* s5 c    jnz     SoftICE_Detected! H: _: g6 `: S/ Z0 G8 ?

1 g( @! Z* v+ I__________________________________________________________________________
/ C+ _, V% V$ `9 n# v. A) B
, @6 _" C/ {0 P) ?0 `) J# Q& e
5 _5 B& N1 w, x' ?* B! p' w7 q9 R$ aMethod 05
, k1 y  F2 W( P) n=========% N! Z9 I- B) f, v8 N- f
, _! ]4 A$ P4 f# D3 ]
Method seeking the 'magic number' 0F386h returned (in ax) by all system) y& O: ]5 u. i5 l( D
debugger. It calls the int 41h, function 4Fh.
4 s1 N" m: P' U' nThere are several alternatives.  
( A6 u3 i: l2 B( b( m
" l9 }  X) Y; Z4 i3 `; Z- l2 ~The following one is the simplest:
) |8 J: w; o6 r/ l. `! l
5 M* B% i4 H, p2 l0 }9 H: `9 n& q    mov     ax,4fh
" N9 h- d1 _1 Z9 m0 D9 D3 L: y. D8 G    int     41h% s- X2 S  r: [1 J' \# y- V) N
    cmp     ax, 0F3862 r- m1 e5 z1 x0 E3 U4 R/ O7 y6 W
    jz      SoftICE_detected
1 `3 P& H9 r' J
. @  k; Q, q, F7 S% L# H
& j" O" P  Y7 o$ U# _: s3 vNext method as well as the following one are 2 examples from Stone's " H% y$ _# W. z! d
"stn-wid.zip" (www.cracking.net):. Z* x8 a: p3 p& \) s

. ?/ K: k7 n7 d7 Q    mov     bx, cs7 E. _! s  g: I! C( E
    lea     dx, int41handler2& E0 `  I/ g& d( Z5 A
    xchg    dx, es:[41h*4]
3 G4 P! x- I/ r6 R5 u$ S    xchg    bx, es:[41h*4+2]0 P, Q9 y4 k) ]( y/ u  P
    mov     ax,4fh
9 H' J0 O9 I7 T* x$ p" E' ^! Z    int     41h, K" \5 [4 q- V( X1 j* H* ]
    xchg    dx, es:[41h*4]* L; L1 L6 J9 k3 V8 s/ n
    xchg    bx, es:[41h*4+2]
7 i4 ~. I# d( {; D& f; Z/ q1 ?    cmp     ax, 0f386h
- R) T, Z6 b0 d) E8 i    jz      SoftICE_detected
- [1 B2 A" g. d9 a8 P, m
( U+ I8 _( F8 k" rint41handler2 PROC
0 ^5 E! l# S5 ^+ @3 m    iret! t1 Q) ?- G- V; }
int41handler2 ENDP9 _. D) h/ y6 E

& s" r( h7 T( ~# B- M0 w; ~8 F
( }$ t: z$ @! N5 Y_________________________________________________________________________
# d( o4 M; s2 _* q$ ~0 [" {# ~
2 Z$ X# T' ]: l6 N# x$ T9 F3 q2 |0 t- @% R$ e; i+ s* ~8 ^) {
Method 06
+ x9 Q2 j9 _& \& K$ V=========& h0 G( G5 b$ ^# C$ q, C

; e. p' S5 R( y3 }+ y, w3 Z
& b2 e8 _+ ?; J3 `# U2nd method similar to the preceding one but more difficult to detect:3 d) i7 }0 K/ ?; V

  E/ U3 r: m2 {8 B- W# j& N2 x- D+ @  v% Z4 u& j5 ]& E' t
int41handler PROC
' W% G' B8 y# `1 ]! [& ^    mov     cl,al' |3 g. ]4 `1 i2 r( x3 q$ H
    iret
! c6 G: ~, p, R, oint41handler ENDP
: f2 B0 W9 ~; Q$ u2 i2 E; i: W% ]# `( Y
; c* f# M& H9 V3 b# `. r" N
    xor     ax,ax
" F$ t/ S5 Q2 y    mov     es,ax( Z$ f4 h# C, ~1 `$ O
    mov     bx, cs" i8 G( }- M; D4 M8 T
    lea     dx, int41handler
( x- D+ U) p4 L" t2 S- K1 o7 X* K/ `    xchg    dx, es:[41h*4]
" W* \/ o* m( k* _    xchg    bx, es:[41h*4+2]
- [% f0 x% X" |3 V8 U/ F    in      al, 40h: W0 o. S% Z5 B! O5 U6 d7 a' a; U
    xor     cx,cx6 w+ c, Z5 Z- w* u
    int     41h+ Z, w# A' F# S9 v. G
    xchg    dx, es:[41h*4]
- f9 B$ `. o8 ], g& ^    xchg    bx, es:[41h*4+2]  }; i! G/ K" n! }
    cmp     cl,al- V: g, ?9 B( J" v
    jnz     SoftICE_detected) s  C9 B% {5 P/ c/ v

9 m: R- E, s8 d* b! B_________________________________________________________________________$ x9 i& a, l, Z
2 g; H. B: |/ ?! u: ]
Method 07
. s6 S; f" }4 y" G6 p=========( f0 B1 }! J' v# \# M; e9 T
: L, |2 }  J# t4 s
Method of detection of the WinICE handler in the int68h (V86)
; j- H7 Y( ?3 {% [( l
1 p# L" ~. j1 q3 b- B% T    mov     ah,43h
4 @5 H! L$ N0 M* C* ^* c$ n    int     68h
7 ]- ~/ f2 w2 A$ z2 m    cmp     ax,0F386h
, v1 ^: B9 u; @* H3 u+ o    jz      SoftICE_Detected; a' v9 r: g4 z# \  i

& c2 l9 F6 O3 |, o$ q5 s1 c0 z9 I
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
3 j9 a2 c+ i2 q# Z2 n   app like this:; M: t) E. H) a3 m) g7 a3 e
2 k- v! H$ T2 r0 C, F/ p! L
   BPX exec_int if ax==68
# a  @) ^  q5 Y( c$ m( E6 z   (function called is located at byte ptr [ebp+1Dh] and client eip is" V* @' T8 N& m% y5 a
   located at [ebp+48h] for 32Bit apps)4 L3 L9 x% j) |& g8 e( G+ \/ l
__________________________________________________________________________1 h+ @# K, k4 ~  ^- m2 }

* e5 c5 P: Z# |! @. x8 e+ R; h, ^, M# y7 G2 K1 H; L0 r( U4 i
Method 08
5 T$ Q! g: R/ a0 k6 H=========! g. H1 v; W: R- O
9 X7 N$ g9 R8 J0 |, E
It is not a method of detection of SoftICE but a possibility to crash the
: Z: w) E) F8 T5 E- a8 l1 w8 Dsystem by intercepting int 01h and int 03h and redirecting them to another
( r! Q* I& I' z% qroutine.
1 ^  ^0 R' A* K* \) NIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
( J6 M% d- m. n* w: Dto the new routine to execute (hangs computer...)
' |7 e3 o5 z+ X5 y! o. K) n
0 R6 W3 G3 L+ n4 g1 ^0 z    mov     ah, 25h
1 L2 |: i+ Z! \2 z; }    mov     al, Int_Number (01h or 03h)
/ r- C7 N  z, E, O    mov     dx, offset New_Int_Routine9 T0 d9 P7 Q6 R7 w" F& j; }! y! R
    int     21h
. z# [- x0 E, _# q8 I7 x
: x0 W0 e: R+ x, c/ K2 o__________________________________________________________________________
1 S: s) j& o$ H9 J# u5 Z) a; |/ m0 p) m3 y$ i" g) r' ]5 B
Method 09
, u7 {, T3 e& d$ c( n=========
* J. |& }! J. n  \& B* W4 |8 h& W* H" H$ h  X/ N: K
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only+ P$ b* r( l8 [
performed in ring0 (VxD or a ring3 app using the VxdCall).
" f1 v  K, {; G6 TThe Get_DDB service is used to determine whether or not a VxD is installed
% I3 o) m8 o" d9 sfor the specified device and returns a Device Description Block (in ecx) for" V9 I3 e0 W& f4 _0 z2 A5 I' ]
that device if it is installed.
+ Q  Y( p# S" W7 V
; [' ], [( c" n% \( R& u- t& a   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 ^3 u* L0 |) t* V1 b6 G   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
: s; n' S" f. J9 I/ T, P   VMMCall Get_DDB
  q. Q: s4 D8 u; G% V( n1 H   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
$ m' o5 ?+ @* j7 C% P1 }
/ l" V* H, o9 ]1 K, K' f4 JNote as well that you can easily detect this method with SoftICE:. a; T# U& z/ x' [
   bpx Get_DDB if ax==0202 || ax==7a5fh
# N  l1 T$ B$ s" P( A; C3 T  I7 ?/ f. I2 Q6 t8 s/ i3 D
__________________________________________________________________________
+ o& x- [! I$ T' W+ U% F; w
- I  a5 Q2 H3 {, e9 h! iMethod 10
# ]4 x- V  n' L* C" M! N; U: Z=========
8 R) e0 q, t3 [
+ _: H/ T3 U4 ?1 d=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with  K2 o: i8 R6 c9 {% j
  SoftICE while the option is enable!!5 }# H9 x) U7 j! }& N: x

3 x* R% M' s* i; y' Q! {# jThis trick is very efficient:
- V2 Z% Y, s' t- W, Dby checking the Debug Registers, you can detect if SoftICE is loaded0 [0 V, J  E! W
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if( b8 e" U3 i8 a% {3 U
there are some memory breakpoints set (dr0 to dr3) simply by reading their
, P- ?( z  s; Rvalue (in ring0 only). Values can be manipulated and or changed as well
+ U; x+ L( H9 ]5 a$ ?+ l4 X% z(clearing BPMs for instance): Q+ J9 I  {& H2 w4 j6 Y) w: ?! ^

; [: t- Z* W8 a$ v__________________________________________________________________________
; I+ ^3 n' A/ ?; v7 n" }, ?$ d0 m! o' P, {8 {; K0 g
Method 11. u; j5 B' f7 j2 l; r% P5 U
=========6 p4 [  ?' H, \2 U' F8 Z

& ], a* f* I- c, f5 V+ pThis method is most known as 'MeltICE' because it has been freely distributed# D% E( S2 k% V, k! w! J( d
via www.winfiles.com. However it was first used by NuMega people to allow
1 r5 F" U6 v5 ~" Q6 DSymbol Loader to check if SoftICE was active or not (the code is located$ y( ~% s' L! H2 o  [' R/ Q$ j
inside nmtrans.dll).+ |4 q! y  ~3 l% o5 |/ |) D9 O
8 O1 A6 y: O; _) s- a3 O) O
The way it works is very simple:
+ r- [/ R  E% D7 V  {% g. e3 E. M  c" MIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ N% P( M* w: R% f8 ]4 f3 FWinNT) with the CreateFileA API.
% P* v2 w1 v5 V" P! {$ _$ B1 D+ U1 w+ a: M" d3 C* t
Here is a sample (checking for 'SICE'):) |1 Q, f8 G3 H4 E

8 M' _( x6 N. G2 jBOOL IsSoftIce95Loaded(); N* G3 \# U9 y$ F6 G4 H5 e
{
7 N- h; D7 U- W9 J   HANDLE hFile;  
' v+ x6 X7 b: \. f2 y+ k  J: ?   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
1 O: x8 t, @3 W                      FILE_SHARE_READ | FILE_SHARE_WRITE,
1 F: b" a5 t2 R! f/ U                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
& X7 ^; r% b, W- W   if( hFile != INVALID_HANDLE_VALUE )3 l1 b& W3 D0 T6 v1 P; b& u
   {
: h/ ^+ w3 V# e% ?& _% g2 x      CloseHandle(hFile);  ~7 [5 u% ?4 v; @
      return TRUE;2 U- G4 T: P+ v6 {6 O# h1 V
   }8 x  S, l, K  d, D+ A
   return FALSE;3 x8 }" u( h3 P/ d& F! M! s
}
8 Y3 Z: L- q* D6 ?6 {' s
/ |, O$ W, P. K. J( I& J' M' ]Although this trick calls the CreateFileA function, don't even expect to be
9 Z$ D. H: w- [! q/ ^6 W0 Jable to intercept it by installing a IFS hook: it will not work, no way!& N4 n' j3 M9 J, s- w9 ^* O; a
In fact, after the call to CreateFileA it will get through VWIN32 0x001F( x2 q2 m* F, u" _; M% r* y5 u/ z
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 h" V  }( W6 W. e, T; a" R
and then browse the DDB list until it find the VxD and its DDB_Control_Proc. N3 f3 A6 r4 Z' J  T
field.
9 B* {! E& l% ^9 A3 f" X6 vIn fact, its purpose is not to load/unload VxDs but only to send a 0 E! b- A  H% [, \. _' p
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' L) r, `& Y. y' V/ Q6 y
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
* {9 I8 j% D/ |) t( C' d0 \; sto load/unload a non-dynamically loadable driver such as SoftICE ;-).
" W8 n1 `  ?# f' g5 {8 B3 l2 NIf the VxD is loaded, it will always clear eax and the Carry flag to allow
0 F" P9 \+ C5 q* {* _; xits handle to be opened and then, will be detected.
& j  U+ Z8 h/ O8 f9 w) uYou can check that simply by hooking Winice.exe control proc entry point
9 k+ J4 i' {$ q7 Y* {& Wwhile running MeltICE.
5 i' U; Y; u" M5 E) J' x- Z- D7 e0 o8 }5 h
) H  K) s! W( ]( n2 G! E' p
  00401067:  push      00402025    ; \\.\SICE
/ Z2 _2 G4 \, B; S5 F  0040106C:  call      CreateFileA
& e1 {& }/ w- n+ m# L  00401071:  cmp       eax,-001- Q! d5 z: ^- j. n" i% V3 H
  00401074:  je        004010910 s4 f$ d- K$ C8 }
! F+ l' @, [1 K9 D

+ R8 @4 L( K. {  c6 _There could be hundreds of BPX you could use to detect this trick.
" z1 `; D. L9 }) }8 e2 R. H-The most classical one is:
1 L- R! |0 A9 K/ h' L' R. L: n  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
  D; r# G! E8 t6 ]6 P9 v4 D    *(esp-&gt;4+4)=='NTIC'* d. l' @9 D( O1 g7 F6 U

, i. _% M% {# E" V/ _-The most exotic ones (could be very slooooow :-() `/ t% a2 H9 B: n
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
6 @% c9 a( C# O4 p2 W* d; r     ;will break 3 times :-(: b% H9 u& N; B; h4 a

- v' C$ x6 \  ~, \; ~-or (a bit) faster:
$ G8 x( K$ G4 |' L( d& X   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' B2 L( [( W8 \) b! R
+ S4 L& ~& h% ~2 s" t1 i1 t. Y
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ! ]' n5 G- W0 p& ]/ v
     ;will break 3 times :-(
. L: l( v; V3 i3 e0 F
; K) r1 \( ?) j" Z# E1 K-Much faster:
9 l, W) r: l: n! M; \   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
" T7 r7 W4 q0 M9 B% O
& U) y3 F( e$ Q; TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
, f" N" x, \; d" `- J% |function to do the same job:
/ ?1 O3 X$ \8 F
0 [2 H8 l2 w" [3 k* Z+ T% A   push    00                        ; OF_READ
: n% b, A! O5 m$ u$ p, G   mov     eax,[00656634]            ; '\\.\SICE',0
6 ]0 k7 q# k' ?8 Y  T( Y& u   push    eax
, d. b  W7 \4 d) Z   call    KERNEL32!_lopen( P" z6 g: H" d
   inc     eax# {0 ~6 j' W/ W
   jnz     00650589                  ; detected& Q6 |+ M# Y# J+ I4 \8 e+ e
   push    00                        ; OF_READ. Y; ?- V+ L0 K# A- w* \
   mov     eax,[00656638]            ; '\\.\SICE'
6 e  }, w  _0 f( T8 o/ u0 `   push    eax/ k; l* S& F) I4 D9 a
   call    KERNEL32!_lopen% ~/ S" n7 S3 ]6 ^
   inc     eax; G& M) R! A- [8 W- K3 \2 e- C
   jz      006505ae                  ; not detected
6 n" b! p3 l  n  j2 l, }7 v# |2 p, m
4 O* l, Y1 i% x3 ?
) e) }0 l) s0 x- v8 I__________________________________________________________________________/ G" k' }0 ^% U( J3 k  p0 }$ u; V

; P' k* M# ^( C! Y* C# uMethod 121 r- B% ]+ w6 b& V, f1 @7 Y
=========+ |  i0 B9 B: q5 }

; W9 j; m/ `# L" ~" P6 JThis trick is similar to int41h/4fh Debugger installation check (code 05
' V$ A$ ~) _- W5 ]6 e&amp; 06) but very limited because it's only available for Win95/98 (not NT)
7 H" t6 W' e* ?7 [- y0 F; e9 vas it uses the VxDCall backdoor. This detection was found in Bleem Demo.5 q$ J% B: r2 r) K' i+ v1 {
! B2 x: b$ Y/ h# a8 F
   push  0000004fh         ; function 4fh
0 d: d( S0 F# U8 b5 C5 z   push  002a002ah         ; high word specifies which VxD (VWIN32)
6 W4 ^6 i5 ]- v; l                           ; low word specifies which service/ G' N; }2 }& p; S* i7 u
                             (VWIN32_Int41Dispatch)
7 F2 p9 h" {: M) Y6 y$ c2 N   call  Kernel32!ORD_001  ; VxdCall
0 O7 K/ g, A1 `3 l7 Y   cmp   ax, 0f386h        ; magic number returned by system debuggers
% E; v9 a& f/ M  \   jz    SoftICE_detected
& b% f8 |: c9 H- `# @4 P" g+ b/ \9 f6 t8 i* t; h. H/ j1 H
Here again, several ways to detect it:
0 n( h3 u. J& h% k5 Z1 \; W
# q9 k# g6 w7 F; U    BPINT 41 if ax==4f
2 R. q8 _* U/ G* `7 \( F& d# [- n5 G
, W, v1 ^7 ^: x( A" q5 K    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
( r' g" Z) _+ q% h+ k3 l) n* ^4 [- h" f% |
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A0 G$ p1 M1 r. k  F& C7 V4 l  f
7 b) {$ U4 T$ y' o. u
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!8 s& r" i) C: o! m8 h

5 C8 Y( B6 `8 T% ~- ^__________________________________________________________________________
+ y+ y: F+ l; C3 V) ?4 N
% p4 L1 h" z. b0 \4 C6 j4 VMethod 131 s# Z$ `9 E4 V1 ]
=========* U8 y$ U9 [0 s+ K" G
( Y9 }5 s! a) b+ L( z
Not a real method of detection, but a good way to know if SoftICE is
4 G& d( P5 X: k4 w) x: w/ Ninstalled on a computer and to locate its installation directory.- w  a* C' B# e0 H1 Z5 {
It is used by few softs which access the following registry keys (usually #2) :- h5 R: I( i. ?( T8 b
+ A$ A6 Q' F" A: F9 _' F
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' d/ k- T+ z; |/ Q, e/ z3 n\Uninstall\SoftICE
3 n9 \+ l' q. w7 N-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 q- [! @! Q+ S& o6 t* [4 r2 H0 f- J-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
. ?% O+ N# v6 y8 f, S# H\App Paths\Loader32.Exe
: ^( {' u/ W6 k  \3 x& X" i/ R
+ ^5 B' b: h3 q& s2 v. T
: t( Q; a/ f6 E* eNote that some nasty apps could then erase all files from SoftICE directory
5 ?/ _1 L  }$ P, J& R# s# q$ w, q(I faced that once :-(
. Q4 D- k# C% f$ o5 _! F7 M! b6 c3 U0 q/ d
Useful breakpoint to detect it:
2 F' }9 k1 m5 }' t+ U; K: a. n0 m
6 U3 H  k' }' {* I/ V4 ~) g     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
! f* W/ y8 e/ V! k8 o/ }
$ |9 U% E' F' d- ^, U__________________________________________________________________________
* P% A# X, {/ N+ s8 z6 G* X6 `, o0 d6 `% W% P
: d5 R% z' \( D* F0 n- S* Z. u
Method 14
$ b, o# _0 u' b0 O! {=========
! c8 G, _! H/ O/ u8 D
8 a' I9 H/ f" S& ^  }A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
$ A( B5 E2 M7 P6 uis to determines whether a debugger is running on your system (ring0 only).
, n- _. B2 W" K- x0 H+ ?! F# h% b5 B2 y0 {+ u/ ^" B
   VMMCall Test_Debug_Installed/ S+ b6 n& ^# s9 ]* G, {
   je      not_installed
) W6 H- m0 A- t$ X  K4 r
# G  E* b  e& d, V! b- nThis service just checks a flag.* O$ V. i  H" T  ?3 l  H; A5 h
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 13:03

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表