About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

0 d0 ?  ?6 @/ V" S2 d" R___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (IVT segment), as set up in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a temporary int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector is kept in dx:bx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; leaves ax untouched when no debugger answers
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our own handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a value that changes at every call
    xor     cx,cx
    int     41h                     ; if a debugger intercepts int 41h, cl is never set
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds when the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

: ]: y7 U$ @( z/ @2 o( [, ~) f. v
5 Q( A8 q+ V# o/ J% {3 G+ M9 zMethod 14
7 @% o& @' y* m! D=========4 K9 e% c0 X2 H+ R
6 K& s9 ^$ P6 H' _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ {& v% o2 R0 s3 `
is to determines whether a debugger is running on your system (ring0 only).2 A* Q2 e4 C( p! W- w
: a! e& @8 ^+ ?& a
   VMMCall Test_Debug_Installed, m0 r* x" _; ]- h) W6 @. U0 g
   je      not_installed
- i+ S7 N5 q9 j) o) i& p  E3 H, d% r9 j# Y& a: t' t6 s2 ?
This service just checks a flag.0 Z5 K( @: U; D; W' q2 r
</PRE></TD></TR></TBODY></TABLE>
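As an added example (not part of the original post), here is a small static scanner that flags the byte patterns of the tricks catalogued above in a raw binary, the triage an analyst does before stepping through a packed sample. The instruction encodings and the constructed SAMPLE are assumptions made here, not taken from the post, so confirm any hit with a disassembler.

```python
import re
import sys

# Static signatures for the anti-SoftICE tricks catalogued in the post, as
# hand-assembled x86 byte patterns (assumptions made for this example).
# '.{0,N}?' tolerates a few unrelated bytes between the pieces of one trick.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (32-bit code)
    ("01 BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh   (backdoor magic values)
    ("02 SoftICE backdoor magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD ID 0202h/7A5Fh",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Methods 05/06: mov ax,4Fh / int 41h   (16-bit, or 32-bit with 66h prefix)
    ("05/06 int 41h function 4Fh", re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Method 11 (MeltICE): the driver names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah   (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> list:
    """Return [(offset, label), ...] for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def methods_found(blob: bytes) -> set:
    """Set of labels present in the blob, for a quick triage verdict."""
    return {label for _, label in scan(blob)}


# Constructed sample (not from any real file): NOPs, then Methods 01, 03, 05,
# 11 and 12 back to back, each followed by the compare/branch bytes the
# listings in the post show.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x03\xC7\x85\xC0"  # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # Method 05
    + b"\\\\.\\SICE\x00"                                             # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                               # Method 12
)

if __name__ == "__main__":
    # Scan a file given on the command line, or the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"0x{offset:08X}  Method {label}")
```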