About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; swap our handler into the int 41h vector
    xchg    bx, es:[41h*4+2]     ; (es must point to segment 0, the IVT)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the timer as an unpredictable value
    xor     cx,cx
    int     41h                 ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; ...unless a debugger took the call instead
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
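
Method 10 quotes dr7 as 0x700 or 0x400 without saying what those bits mean. The C program below is an added example, not part of the original text: it decodes a DR7 value with the documented x86 bit layout (L/G enables in bits 0-7, LE/GE in bits 8-9, the always-set reserved bit 10, R/W and LEN fields from bit 16) and reports whether any DR0..DR3 slot is armed. It reads no real register; the third sample value (0x700 with a 4-byte write watchpoint in DR0) is constructed.

```c
/* Added example, not from the original text: decode the DR7 values quoted in
 * Method 10 (0x700 when loaded via the SoftICE loader, 0x400 otherwise) and
 * report which DR0..DR3 slots are actually armed. The bit layout is the
 * documented x86 DR7 format; nothing here reads a real register. */
#include <stdint.h>
#include <stdio.h>

struct dr7_info {
    int le, ge, gd;     /* local/global exact match (bits 8, 9), general detect (13) */
    int enabled[4];     /* L or G enable bit set for slot DR0..DR3 */
    int rw[4];          /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];         /* watched length in bytes */
};

static const int LEN_BYTES[4] = { 1, 2, 8, 4 };   /* LEN field encodings */

struct dr7_info dr7_decode(uint32_t dr7)
{
    struct dr7_info info;
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i)) & 1;        /* L0..L3 */
        int global = (dr7 >> (2 * i + 1)) & 1;    /* G0..G3 */
        info.enabled[i] = local | global;
        info.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;  /* R/W0..R/W3 */
        info.len[i] = LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3];
    }
    return info;
}

/* Number of armed slots: 0 for both values quoted in Method 10. */
int dr7_active_breakpoints(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    return info.enabled[0] + info.enabled[1] + info.enabled[2] + info.enabled[3];
}

int dr7_slot_rw(uint32_t dr7, int slot)
{ struct dr7_info i = dr7_decode(dr7); return i.rw[slot]; }
int dr7_slot_len(uint32_t dr7, int slot)
{ struct dr7_info i = dr7_decode(dr7); return i.len[slot]; }

/* The "loaded by the SoftICE loader" fingerprint: LE and GE set on top of
 * the always-set reserved bit 10, with no slot armed. */
int dr7_is_exact_match_only(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    return info.le && info.ge && dr7_active_breakpoints(dr7) == 0;
}

int main(void)
{
    /* constructed samples: the two values from Method 10, then 0x700 with a
     * 4-byte write watchpoint (a BPM) armed in DR0 */
    uint32_t samples[] = { 0x400, 0x700, 0x700 | 1u | (1u << 16) | (3u << 18) };
    for (int k = 0; k < 3; k++) {
        struct dr7_info info = dr7_decode(samples[k]);
        printf("DR7=%#x LE=%d GE=%d armed=%d", (unsigned)samples[k],
               info.le, info.ge, dr7_active_breakpoints(samples[k]));
        for (int i = 0; i < 4; i++)
            if (info.enabled[i])
                printf(" DR%d(rw=%d,len=%d)", i, info.rw[i], info.len[i]);
        printf("\n");
    }
    return 0;
}
```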

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win9x driver device name; SIWVID and NTICE are
      checked the same way */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
5 g. f- N* N$ H' p, u</PRE></TD></TR></TBODY></TABLE>