About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; SoftICE's int 3 handler changes al
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (IVT segment), as set up explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (and save the old vector in dx:bx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect,
because neither 4Fh nor 0F386h appears in the code:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer value: an unpredictable al
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless SoftICE intercepted the int
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 &amp; 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only):

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
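As an added example that is not part of the original post, the Python scanner below looks for the byte-level fingerprints of the checks from methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above in a raw binary, which is how an analyst can triage a sample for these anti-SoftICE tricks before loading it in a debugger. The opcode encodings assume the checks are compiled as in the post's 16-bit/32-bit listings, and the sample blob is constructed for the demonstration.

```python
import re

# Byte-level fingerprints of the anti-SoftICE checks described in the post.
# Encodings are standard 16-bit/32-bit x86 (assumption: the checks appear as
# in the listings); ".{0,N}" tolerates a few unrelated bytes between the parts
# of one check, so the patterns survive minor reordering by a compiler.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (66h prefix in 16-bit code)
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    # Method 02: mov si,4647h and mov di,4A4Dh back-door magic values (any order)
    ("02", "int 3 back door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,6}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}\xBE\x47\x46"),
    # Method 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04", "int 2Fh/1684h lookup of VxD ID 0202h or 7A5Fh",
     rb"\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    ("05", "int 41h/4Fh magic 0F386h check",
     rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h ... cmp ax,0F386h
    ("07", "int 68h/43h V86 handler check",
     rb"\xB4\x43.{0,6}\xCD\x68.{0,6}\x3D\x86\xF3"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12", "VxDCall 002A002Ah service with function 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: registry paths that reveal the SoftICE install directory
    ("13", "SoftICE registry key lookup",
     rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def scan_anti_softice(data: bytes):
    """Return a sorted list of (offset, method) for every fingerprint hit."""
    hits = []
    for method, _desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method))
    return sorted(hits)


def describe(method: str) -> str:
    """Human-readable description of a method tag returned by scan_anti_softice."""
    return next(d for t, d, _ in SIGNATURES if t == method)


# Constructed sample (not a real binary): the Method 01 and Method 02
# sequences from the post re-encoded as 16-bit x86, plus a MeltICE string.
SAMPLE = bytes.fromhex(
    "66BD4B484342"  # mov ebp,4243484Bh        (Method 01)
    "B80400"        # mov ax,04h
    "CC"            # int 3
    "3C04"          # cmp al,4
    "7500"          # jnz SoftICE_Detected (placeholder displacement)
    "B81109"        # mov ax,0911h             (Method 02)
    "8B17"          # mov dx,[bx]
    "BE4746"        # mov si,4647h
    "BF4D4A"        # mov di,4A4Dh
    "CC"            # int 3
) + b"\\\\.\\SICE\x00"  # Method 11 device name as stored in a data section

if __name__ == "__main__":
    for off, method in scan_anti_softice(SAMPLE):
        print(f"offset {off:#06x}: method {method} - {describe(method)}")
```

Run it against a real file with `scan_anti_softice(open(path, "rb").read())`; a hit only says the fingerprint is present, so confirm it in the disassembly before treating it as the check itself.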