About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7A5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4Fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es -&gt; interrupt vector table (setup the snippet assumes)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...saving the old vector in bx:dx
    mov     ax,4Fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0F386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; no debugger: ax comes back unchanged (4Fh)
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if the int reaches the IVT handler
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer channel 0: an unpredictable byte
    xor     cx,cx
    int     41h                     ; our handler should copy al into cl
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: something swallowed the int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
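
The interrupt-based sequences of Methods 01 to 07 have fixed byte encodings, so a packer can be triaged for them statically instead of being single-stepped. The scanner below is an added example, not part of the original text; the opcode patterns are standard x86 encodings and the sample code image is constructed in the block.

```python
"""Static triage of the interrupt-based anti-SoftICE sequences (Methods 01-07).

Added example, not part of the original text: it scans a raw code image for
the byte encodings of the tricks listed above and reports where each one
sits. Opcodes are the standard x86 encodings (an optional 66h operand-size
prefix covers the same instructions inside 32-bit code); the sample image
is constructed here, one trick after another, as in the listings.
"""
import re

OPT66 = rb"(?:\x66)?"          # optional operand-size override prefix
INT3 = rb"(?:\xCC|\xCD\x03)"   # int 3, short form CCh or long form CDh 03h

# rule name -> regex over raw bytes; small lazy gaps (.{0,N}?) allow the
# filler instructions seen in the listings between the key instructions.
RULES = {
    # Method 01: mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3; cmp al,4
    "01 BoundsChecker 'BCHK' check via int 3":
        OPT66 + rb"\xBD\x4B\x48\x43\x42" + OPT66 + rb"\xB8\x04\x00"
        + rb".{0,8}?" + INT3 + rb".{0,8}?\x3C\x04",
    # Method 02: mov si,4647h; mov di,4A4Dh; int 3 (back door magic values)
    "02 back door, SI=4647h DI=4A4Dh":
        OPT66 + rb"\xBE\x47\x46" + OPT66 + rb"\xBF\x4D\x4A" + rb".{0,8}?" + INT3,
    # Methods 03/04: mov ax,1684h; mov bx,0202h (SICE) or 7A5Fh (SIWVID); int 2Fh
    "03/04 int 2Fh/1684h VxD entry point":
        OPT66 + rb"\xB8\x84\x16" + OPT66 + rb"\xBB(?:\x02\x02|\x5F\x7A)"
        + rb".{0,8}?\xCD\x2F",
    # Method 05: mov ax,4Fh; int 41h; (vector juggling); cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h":
        OPT66 + rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?" + OPT66 + rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h; int 68h; cmp ax,0F386h
    "07 int 68h/43h magic 0F386h":
        rb"\xB4\x43.{0,4}?\xCD\x68.{0,8}?" + OPT66 + rb"\x3D\x86\xF3",
}


def scan(code: bytes) -> list:
    """Sorted (offset, rule name) pairs; the offset is that of the first key instruction."""
    hits = []
    for name, pattern in RULES.items():
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed code image: four NOPs, then each trick assembled as in the listings.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 (16-bit code)
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02 (Haspinst loop body)
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03 (16-bit code)
    + b"\x66\xB8\x4F\x00\xCD\x41\x66\x3D\x86\xF3\x74\x05"          # Method 05 (32-bit code)
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # Method 07
)
CLEAN = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```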
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
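
The two DR7 values quoted above differ only in the LE/GE "exact breakpoint" bits (0x300) on top of the always-set bit 10 (0x400), and a BPM shows up as an enable bit plus an R/W and LEN field for one of DR0-DR3. The decoder below is an added example, not part of the original text; the register values in it are constructed, not captured from SoftICE.

```python
"""Decoding the debug registers Method 10 reads from ring 0.

Added example, not part of the original text: it decodes DR7 into its
architectural fields so the two values quoted above (0x400 vs 0x700) and any
memory breakpoints armed in DR0-DR3 become readable, the way a ring-0 check
or an analyst inspecting the registers would see them. The register values
below are constructed, not captured from SoftICE.
"""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 10b means 8 bytes only in 64-bit mode

DR7_RESERVED_BIT10 = 1 << 10   # always reads as 1: the 0x400 baseline the text mentions
DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable (LE|GE|bit10 = 0x700)
DR7_GD = 1 << 13               # general detect: trap on any access to a debug register


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into control flags and the four per-breakpoint (DR0-DR3) fields."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)          # Li: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)       # Gi: bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11           # R/Wi: which access triggers it
        ln = (dr7 >> (18 + 4 * i)) & 0b11           # LENi: size of the watched range
        slots.append({"enabled": local or glob, "local": local, "global": glob,
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {"reserved_bit10": bool(dr7 & DR7_RESERVED_BIT10),
            "exact": bool(dr7 & (DR7_LE | DR7_GE)),
            "general_detect": bool(dr7 & DR7_GD),
            "slots": slots}


def active_bpms(dr7: int, dr0_3) -> list:
    """(slot, address, kind, length) for every armed hardware breakpoint."""
    d = decode_dr7(dr7)
    return [(i, addr, s["kind"], s["length"])
            for i, (s, addr) in enumerate(zip(d["slots"], dr0_3)) if s["enabled"]]


def classify(dr7: int) -> str:
    """Map DR7 onto the states the text distinguishes."""
    d = decode_dr7(dr7)
    if any(s["enabled"] for s in d["slots"]):
        return "memory breakpoints armed"
    if d["exact"]:
        return "exact-breakpoint bits set (0x700 pattern)"
    return "baseline (0x400 pattern)"


# Constructed register sets: the two values from the text, and one with a
# 1-byte write watch on 0x401000 in slot 0 (G0 set, R/W0 = 01b, LEN0 = 00b).
DR7_CLEAN, DR7_LOADER = 0x400, 0x700
DR7_BPM = 0x700 | 0b10 | (0b01 << 16)          # = 0x10702
DR0_3_BPM = [0x401000, 0, 0, 0]

if __name__ == "__main__":
    for v in (DR7_CLEAN, DR7_LOADER, DR7_BPM):
        print(f"dr7={v:#07x}: {classify(v)}")
    print(active_bpms(DR7_BPM, DR0_3_BPM))
```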

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID on Win9x,
NTICE on WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: SICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (Methods
05 &amp; 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004Fh         ; function 4Fh
   push  002A002Ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0F386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
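
The conditions on the CreateFileA breakpoint (Method 11) and on the _regopenkey breakpoint above both dereference an argument pointer from the stack and compare four bytes at a hard-coded offset into the string. The block below is an added example, not part of the original text: it rebuilds that stack and string layout offline and evaluates both conditions, which also shows that the two offsets 0x13 and 0x37 cover keys #1 and #2 but not #3. Stack and string addresses other than the 00402025/00401071 pair taken from the listing are constructed.

```python
"""SoftICE breakpoint conditions from Methods 11 and 13, evaluated offline.

Added example, not part of the original text: it models the stack and memory
SoftICE sees when the CreateFileA and RegOpenKey breakpoints fire and checks
the quoted BPX conditions against the strings they aim at. As in SoftICE,
reg->n reads the dword at reg+n and *p the dword at p; a four-character
literal is taken to match the bytes in memory order. Stack layout and
addresses (other than 00402025/00401071 from the listing) are constructed.
"""


class Mem:
    """Sparse little-endian memory; unmapped bytes read as 0 (e.g. past a string)."""
    def __init__(self):
        self.b = {}

    def put(self, addr: int, data: bytes) -> None:
        for i, c in enumerate(data):
            self.b[addr + i] = c

    def dword(self, addr: int) -> int:
        return int.from_bytes(bytes(self.b.get(addr + i, 0) for i in range(4)), "little")


def lit(s: str) -> int:
    """'ABCD' literal: equal to *p exactly when the bytes at p spell ABCD."""
    return int.from_bytes(s.encode("ascii"), "little")


def bpx_createfilea(mem: Mem, esp: int) -> bool:
    """BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'"""
    name = mem.dword(esp + 4)          # esp->4: lpFileName, the first argument
    tag = mem.dword(name + 4)          # +4 skips the "\\.\" device prefix
    return tag in (lit("SICE"), lit("SIWV"), lit("NTIC"))


def bpx_regopenkey(mem: Mem, esp: int) -> bool:
    """BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'"""
    subkey = mem.dword(esp + 8)        # esp->8: lpSubKey, the second argument
    return lit("tICE") in (mem.dword(subkey + 0x13), mem.dword(subkey + 0x37))


def fires(condition, string: str, arg_index: int, n_args: int) -> bool:
    """Lay out the callee's entry frame [ret][args...] with `string` as argument arg_index."""
    mem, esp, straddr = Mem(), 0x0012FF00, 0x00402025
    mem.put(straddr, string.encode("ascii") + b"\0")
    mem.put(esp, (0x00401071).to_bytes(4, "little"))            # return address
    for i in range(n_args):
        mem.put(esp + 4 * (i + 1), (straddr if i == arg_index else 0).to_bytes(4, "little"))
    return condition(mem, esp)


# Device names the MeltICE-style checks open, plus an ordinary file for contrast.
CREATEFILE_CASES = {r"\\.\SICE": True, r"\\.\SIWVID": True, r"\\.\NTICE": True,
                    r"C:\WORK\NOTES.TXT": False}
# The three registry paths of Method 13: the two hard-coded offsets cover #1 and #2 only.
REGKEY_CASES = {
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE": True,        # #1: 'tICE' at 0x37
    r"Software\NuMega\SoftICE": True,                                            # #2: 'tICE' at 0x13
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe": False,  # #3: not caught
}


def evaluate_all():
    """({lpFileName: breaks}, {lpSubKey: breaks}) for the constructed cases."""
    return ({s: fires(bpx_createfilea, s, 0, 7) for s in CREATEFILE_CASES},
            {s: fires(bpx_regopenkey, s, 1, 3) for s in REGKEY_CASES})
```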

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set: no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>