找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500># |3 W! c# G% Q/ n7 d+ Q( S
<TBODY>* Y6 g2 ?6 E" k- q/ {  N
<TR>5 z; ]% c$ B( j* A
<TD><PRE>Method 01 * j) [7 M* p. S( D- f2 D5 l
=========2 c0 j) t4 x* D0 s# h
% y$ t; X/ ?+ h) w) ~
This method of detection of SoftICE (as well as the following one) is! I9 x+ p3 y) N0 V
used by the majority of packers/encryptors found on Internet.
! X2 w% I, R! T. G8 W7 H# d2 w: `* mIt seeks the signature of BoundsChecker in SoftICE
( O! E# S0 U0 c+ ^0 }
7 m2 I6 p$ z$ m- c( a    mov     ebp, 04243484Bh        ; 'BCHK'
" _3 V0 I! E/ J* w) e, i    mov     ax, 04h2 u* P8 M0 |/ N& ^0 M- E) h, Z
    int     3      
) |) p5 a- E0 Q5 k# P  }+ [    cmp     al,42 |5 _/ y! k. Z8 d: I/ G. ], n
    jnz     SoftICE_Detected
0 O. g1 ~( d/ I" {8 O
& O& X9 x* C7 t# O; @3 Y___________________________________________________________________________
& m; P5 R: }& A+ J: h% e) M% Z7 X6 r6 r
Method 025 q0 {6 H7 h3 R- c
=========7 N( S+ [; u- E- `6 k$ U$ x$ ^9 N# M# g

: t5 {  Q4 O! w1 _" F' _2 b$ dStill a method very much used (perhaps the most frequent one).  It is used: ]% J- Y1 t- l; g- }( p& B; g
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ Z) w0 ]- W  S# c& hor execute SoftICE commands...
5 O( ]0 O/ B7 t; _6 f6 U7 {It is also used to crash SoftICE and to force it to execute any commands
2 R5 m2 a# ~% V# m(HBOOT...) :-((  
5 \) |; k+ D# C( x& Y0 h) Y3 u8 q# `- K
Here is a quick description:
( ^8 i+ X( M. D. ^# I-AX = 0910h   (Display string in SIce windows)* L! K7 j% P5 j# ]! f6 Y
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)/ b: i4 f/ B, M2 P7 R6 I
-AX = 0912h   (Get breakpoint infos)
" I& T: C5 [1 u% x$ L0 S-AX = 0913h   (Set Sice breakpoints)
. U6 G4 H0 J7 X, K-AX = 0914h   (Remove SIce breakoints)
/ ~6 Y/ p: f$ }+ S
2 r  Z3 C, ]8 K2 T' j% }3 m+ dEach time you'll meet this trick, you'll see:
/ G7 C- k4 O8 d4 ^8 i- `-SI = 4647h. i2 N( [+ t3 R4 `
-DI = 4A4Dh6 {7 S6 m! _# N* b4 n% z
Which are the 'magic values' used by SoftIce.% e" I% {' r* L% d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.  V3 J+ V6 \  f1 c6 r+ S. C
1 O/ a5 F# M" \
Here is one example from the file "Haspinst.exe" which is the dongle HASP- [  E0 f* k9 |% d
Envelope utility use to protect DOS applications:
' l. a% I0 e( F; P# Y) A% q$ k% i* Q9 Z% E! {! d
8 T4 W3 y: Y2 _$ d
4C19:0095   MOV    AX,0911  ; execute command.
8 }1 Y4 t: d/ [1 Q. {! V; }: D4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
2 J5 P# E/ p: {; Q5 l& O$ A) g/ u4C19:009A   MOV    SI,4647  ; 1st magic value., {% ?( f2 g$ d
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
3 ?3 z; A& [4 W- Q4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
/ A' y. G+ W- M# Y: E- W7 @4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute( M* Y5 {( k7 s& j8 u' m7 `
4C19:00A4   INC    CX  X: e! Q4 G. s& g, r4 F% d+ Z
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute4 \5 d: Y& |  y# c: U
4C19:00A8   JB     0095     ; 6 different commands.$ F2 ?7 B/ o6 l, y
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.1 ]; R4 T- ]+ I
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
, d# n  |1 x" @6 L7 z
5 b+ Q: I4 Y9 n3 `6 A! L6 gThe program will execute 6 different SIce commands located at ds:dx, which& I+ H, E: B; d- k1 u5 ]5 q; T
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! A4 ?8 l( I  p: I3 J& G' i
( F3 K; W2 X. H' u- \' \
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! F1 `5 W: ]% C, L0 J# u
___________________________________________________________________________
. j  ]; \0 ?9 S$ O
2 P! k2 Q. R) o# {1 |% Q- d0 r" g/ }
Method 03
/ X; Z8 A8 v( H: b( l! [2 p* \" T=========1 w) Y" G; O, J: m% U) @$ r

  m9 X3 Q( z$ bLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 i+ B( ~% Y6 A& M1 v- Q) u4 X(API Get entry point)- ?; ?. ]5 f% }6 j  t
        
7 t) v8 f; B2 T* W: s' J* ?0 x" H2 b7 A+ K: q0 k* u; y
    xor     di,di
# F6 G( p' t0 U: w    mov     es,di
- a8 l3 Q2 H: O5 E3 b, j% w1 T    mov     ax, 1684h      
% ?1 `  N; \# u+ B    mov     bx, 0202h       ; VxD ID of winice
% l2 X& k5 I% r: N" i    int     2Fh" [5 K" }0 c" g. H1 Q9 d
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
1 _# L4 `; K8 M8 l# o2 t    add     ax, di
7 G2 ?( G; m4 ^    test    ax,ax9 b- o8 Q/ z) v2 @" j$ y& J8 Q
    jnz     SoftICE_Detected
$ Y3 n9 f; t2 Q  ]  L9 p1 y- r1 l, p) N5 u
___________________________________________________________________________" A/ u% b/ U8 ?4 V

) O* A+ a! m" N5 M4 ZMethod 04* k9 l- z$ w& H8 F
=========- I5 |% j3 P! J$ N( |

$ j. P5 P( L: p0 d' O; b7 b7 F! ?Method identical to the preceding one except that it seeks the ID of SoftICE
1 R! X6 _2 `: ZGFX VxD.2 R, Y7 O+ {& R) g& M
0 a7 t7 C' n/ W3 F" W; K& q7 r
    xor     di,di3 E" c+ d- b' s! ]6 C$ X
    mov     es,di* Z1 p) t8 B" o9 `' Q+ B
    mov     ax, 1684h       2 ^5 b, L* s( Z& j
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
8 Y2 e7 @) J7 H- L$ U+ d    int     2fh; x: z+ l8 N0 |, a
    mov     ax, es          ; ES:DI -&gt; VxD API entry point- F$ `* S' b3 z; t
    add     ax, di
8 y1 y$ P5 m3 Y, B) ]    test    ax,ax9 t+ s8 l- T  ?  Z3 F; J) e
    jnz     SoftICE_Detected: m% E. ^. p3 `/ c
" h2 c) x& H" @
__________________________________________________________________________
4 C! J. z& Z' ?. ~2 \: I! |  e1 T+ G2 e$ d& g0 \' D

/ C& L. l, k1 w8 k& B# s1 {Method 05
& G1 g1 C, g9 D, O2 L=========/ }1 D# T/ o4 y7 S7 j. |( s

4 _" b7 `; |# H* t+ B7 ]0 r4 M5 uMethod seeking the 'magic number' 0F386h returned (in ax) by all system" w+ ?3 `, W9 {6 M# K0 U: R
debugger. It calls the int 41h, function 4Fh.
& ?3 E) O4 b! VThere are several alternatives.  
9 g, h, T* v3 M& ~# A5 v5 `4 m2 `/ F) |: O5 l% k
The following one is the simplest:  Y* `& k! P$ w1 H

2 u2 z7 l7 ?) X    mov     ax,4fh
3 T$ f& c5 s: U4 C; H# L' g    int     41h
+ l! l4 s- I- L    cmp     ax, 0F386
7 i5 G7 r( D9 @9 k: `    jz      SoftICE_detected) s5 V( _8 ~+ h9 j% R7 q

" t3 A7 S4 _. M8 }' [3 l$ @
$ j6 a9 W+ j8 A$ k% LNext method as well as the following one are 2 examples from Stone's
0 f% N" Y; p. N) x2 |- b+ V"stn-wid.zip" (www.cracking.net):& K6 ?. M7 q# q) V
" v" I3 l- L( s; c: P6 G  U0 j
    mov     bx, cs
+ o3 g( W. c8 T5 x& a    lea     dx, int41handler2
& T( X4 ?3 w8 n0 [4 ^5 ~    xchg    dx, es:[41h*4]
0 D6 E) A' p. G; H1 M0 V! A! e1 _" k' @    xchg    bx, es:[41h*4+2]5 ]3 m( T! x- ^) x/ n
    mov     ax,4fh& I9 |1 y/ \/ e4 Q
    int     41h
. P' i. y3 e$ X    xchg    dx, es:[41h*4]) ]7 R( ]+ N6 R4 P3 U8 M
    xchg    bx, es:[41h*4+2]7 D- n$ `. A% d" y
    cmp     ax, 0f386h
& W( i( W) e3 j    jz      SoftICE_detected
- p: \5 f! I$ t  o# M- o
9 o6 a! D2 e0 N5 [8 iint41handler2 PROC& D* ]7 K/ u8 p$ ^  ~6 `+ q
    iret& N3 A3 u0 r1 e: `1 e
int41handler2 ENDP7 S8 z1 L. y' h
  Y; t( q, ?+ C4 I1 o) j

" P: B5 D' }3 _& N6 I0 J_________________________________________________________________________
/ ^* ^" e1 b- ?* I* u# f( j/ ?4 J( s6 v& m
3 n7 B, G# G: h
Method 06
! ~; {1 t! x$ b2 e( }=========; h5 I1 X& S. m2 m/ b& m$ O$ W

& c7 r  c% b( c) ?5 e1 h: z- `6 ~) A) O" e; T6 S) I# `
2nd method similar to the preceding one but more difficult to detect:
0 a$ ^, S& ~  m, o
+ u# p5 {6 u3 [' Y; x% q7 R
8 ]8 N, c# @! l! ?4 A6 g) X* tint41handler PROC, C' b& v: x' ?
    mov     cl,al
7 [* b# i% M, d3 ]- g3 j' i    iret6 K" B, \) e1 ]& s+ X! U& z+ J
int41handler ENDP6 u7 C% X1 K/ e& \) a. S4 V

; g7 `8 k: I1 Q2 J  u$ f: E( y8 j. O# Y! D7 z/ @
    xor     ax,ax
. C% f' g# e" y0 X2 Z! p( `0 z    mov     es,ax
+ \$ \+ t0 P3 ^" F5 i    mov     bx, cs
0 ~( [& [! j' F/ }& F    lea     dx, int41handler7 n9 o9 D' b0 d
    xchg    dx, es:[41h*4]
* ^. r; X) i# l/ g9 Y# Y    xchg    bx, es:[41h*4+2]
6 x+ T8 |! y& x# u    in      al, 40h
# ^' J$ w% K2 C3 U2 f" z4 V    xor     cx,cx2 ]( m; Z- f2 {$ l
    int     41h
7 I& L  V  D- R" t0 M, H8 ^    xchg    dx, es:[41h*4]
, {, f, \! ?/ Z; r# l    xchg    bx, es:[41h*4+2]7 v, k! O/ u& M6 O7 I$ K: o( q
    cmp     cl,al( s7 ]( y( K& S' {  G% w
    jnz     SoftICE_detected
( H( \; @! \  I" i) Q: I- J1 Q5 V9 [% a  I% I( F
_________________________________________________________________________( @) n/ R+ W- J

& C6 |. Q3 U& I  \, d5 Y4 X$ TMethod 07
. d. r$ {# J3 {=========
  G( b. I- ]/ z% l$ v8 r+ W; d, m# \2 s0 e( C+ {8 s" i
Method of detection of the WinICE handler in the int68h (V86)8 {5 D3 K- l5 v6 I

' R* e  u/ E0 g7 e    mov     ah,43h. j2 T0 K$ G1 I+ G- L* v. ~  K
    int     68h
+ W8 E8 _5 w" K8 U; |8 a7 J% c! ?6 c    cmp     ax,0F386h
4 h+ y2 i% x9 B# u; p    jz      SoftICE_Detected, H+ B2 F' s8 N2 e% U
+ E) z7 S% G3 ]5 I- y8 g( f/ g
  S, |5 ?# G! X) a
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 O; H9 u& O" V; P   app like this:7 y2 D0 e+ l" m) ]* S2 N* w8 Y
$ ^# P6 [" R- l! r
   BPX exec_int if ax==68( w. v1 s4 {( U8 O( j% Z5 {" @
   (function called is located at byte ptr [ebp+1Dh] and client eip is
# E! n; h0 x0 z9 \& {   located at [ebp+48h] for 32Bit apps)
- @. c5 x5 t5 f1 B$ S, |, |3 L__________________________________________________________________________/ U- T+ j: D, x$ P' ]5 Z

$ x7 @7 x; P3 w; J+ o/ J4 F, B/ i! J1 e
Method 08
8 [2 k- w5 ~, [7 }3 e- E* T4 a5 _=========% e) D' [0 L* g$ _7 t( j. S

3 v* K- ]* W: B- i8 c- \It is not a method of detection of SoftICE but a possibility to crash the) A6 P- U0 _8 f8 d, K4 _2 ]2 V
system by intercepting int 01h and int 03h and redirecting them to another% d" P6 F. v! y
routine.3 p% P: G+ j4 K3 B
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points/ B9 j3 _% A: Z- m) m/ |, @( Z% d
to the new routine to execute (hangs computer...)# \1 [6 O- ?3 u: \7 O

9 W! Y- X$ R5 S* k) x& i! v    mov     ah, 25h, J  b2 \5 G1 Y7 i' W& T, S% Q2 _
    mov     al, Int_Number (01h or 03h)  i8 K) ]+ k4 P: @( x
    mov     dx, offset New_Int_Routine
8 }6 ]6 \$ b: @0 \" r7 X    int     21h& j4 I- \+ _& `& Z8 I
6 J: `3 n5 F" k3 ?4 b
__________________________________________________________________________
9 e- h+ v+ ?1 C
2 d) D0 B4 o) F3 O* ]% AMethod 09
& {& O' E: d0 S* }  \# s) g=========
/ H5 N: y% t7 t- p; m( D8 ^
% A- x1 Z) K! |7 Z: t, c/ \( yThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 M4 H7 I" I  Q8 yperformed in ring0 (VxD or a ring3 app using the VxdCall).! I0 i. M( G8 M1 V
The Get_DDB service is used to determine whether or not a VxD is installed
% R7 S$ S* _' P' x. sfor the specified device and returns a Device Description Block (in ecx) for% p1 v( E4 B( I7 A" Q& i
that device if it is installed.6 @! q* D; c+ d/ @
/ f- L8 |% g9 M" \7 H3 A4 f
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID& b- [6 }2 A. [! A2 v7 T9 D3 y" }
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)- @, m5 K( Y2 b' t
   VMMCall Get_DDB
" F- i/ C& I" L8 M0 D( G   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
% M% {4 M9 U0 {1 S1 y
7 ^4 r5 k) F9 `7 {4 aNote as well that you can easily detect this method with SoftICE:
* ?9 r1 v$ w6 x) V3 V+ [   bpx Get_DDB if ax==0202 || ax==7a5fh
. X( \9 \* |7 }& |; L
' ^9 U/ s& V( D7 i+ N, x__________________________________________________________________________
. V7 I) D2 n3 U) ]6 x, C) h( G0 k  e8 d9 k4 |# ^
Method 102 z! B/ s, y1 v# D9 b
=========2 I" g2 s0 e0 m2 v0 R' c; }
# R" a1 G2 ^+ |" B* c) p
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with# N! @% Z; a$ c( s1 L5 L
  SoftICE while the option is enable!!
. m2 ^+ y+ b' [. M
% x2 A+ `: Q9 sThis trick is very efficient:( X6 Y' f7 G4 {
by checking the Debug Registers, you can detect if SoftICE is loaded
. T8 r; H) u7 Y(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
9 D$ Z! l* e6 S* a$ s% W! cthere are some memory breakpoints set (dr0 to dr3) simply by reading their
& N0 `: X5 G, m/ z( ]4 jvalue (in ring0 only). Values can be manipulated and or changed as well# |! t- |+ t1 x6 b
(clearing BPMs for instance)
7 }( \& n6 A2 o/ g7 P& s& R4 m& `8 W+ N2 W
__________________________________________________________________________
$ r5 @7 H1 s5 R* b
  K% l! u, E/ {! w5 W. kMethod 11* Q3 s) ]( I' l) B" r. D( g8 K
=========  I5 k9 b3 A: L- X- I
- e/ C% B1 g( q! K' G% J3 }$ t* Q
This method is most known as 'MeltICE' because it has been freely distributed6 P. }  L/ H* p
via www.winfiles.com. However it was first used by NuMega people to allow3 ?8 T  N8 ]/ G  y3 d, D
Symbol Loader to check if SoftICE was active or not (the code is located
' W# s  Z6 a; ginside nmtrans.dll).
% d4 D6 R2 G9 t/ ?8 j! `' @, @9 T  G1 T" v/ L) w+ F+ b
The way it works is very simple:& S# w! g9 V7 {. s
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ h  o7 b. J, m$ L) t) z' \WinNT) with the CreateFileA API.
- x! ^4 {  o* \
$ y/ n" Y+ h# _Here is a sample (checking for 'SICE'):
" M$ u. L7 r6 I9 \8 b7 |# P
* }6 ~6 M' O0 `3 r% @BOOL IsSoftIce95Loaded()
0 w& K3 S; Z# ]3 E0 b- T0 ^{
2 l% [9 e7 |) l- z# w  G$ q0 W   HANDLE hFile;    |* e% Q% {1 K  v: \
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,0 i* X) V+ r+ r% _9 i3 B% Y3 ~
                      FILE_SHARE_READ | FILE_SHARE_WRITE,  N% n3 O. g6 |: ~9 R9 c' A
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
! |1 N9 j" y0 s, {9 J7 ?   if( hFile != INVALID_HANDLE_VALUE )
+ Y$ y6 @: j7 f   {
& z+ z& b* W9 H! f& e2 K0 j* G      CloseHandle(hFile);1 n" x+ U, y: r6 E& R
      return TRUE;' w/ s  P( x) b( J
   }" e4 U+ Q& w) o0 j1 F
   return FALSE;
' Z: m$ e' v1 x' O+ i8 {}
4 b0 A% v( V* \9 p
- }* X+ {# p6 u3 W9 `# SAlthough this trick calls the CreateFileA function, don't even expect to be
+ I% j% g$ k( eable to intercept it by installing a IFS hook: it will not work, no way!
- ~- ~, A5 d5 {3 }  pIn fact, after the call to CreateFileA it will get through VWIN32 0x001F, z6 }3 I+ }4 r$ F3 G
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
* Y3 k8 k: p9 E; B) F* Zand then browse the DDB list until it find the VxD and its DDB_Control_Proc
0 y9 u1 b. r, j, d/ Qfield.
! l9 |: c6 K$ q; e3 ~3 I4 a5 tIn fact, its purpose is not to load/unload VxDs but only to send a 6 P/ G5 A5 O3 G
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)9 r, \/ E4 r/ g8 w0 g7 v
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
" o; p3 v2 m/ E7 e9 [' @; p" }to load/unload a non-dynamically loadable driver such as SoftICE ;-).. w) Y$ i1 ]5 U  e! S# X% n
If the VxD is loaded, it will always clear eax and the Carry flag to allow. C1 [# }( R4 G  d4 U
its handle to be opened and then, will be detected., a! z% e; R$ Q
You can check that simply by hooking Winice.exe control proc entry point  C, }- a& d' k% `2 Y
while running MeltICE.; ?6 I- X8 l% q, t
, ]6 e6 s6 m, ]: H8 g
5 _# H0 F; S4 [2 P8 _
  00401067:  push      00402025    ; \\.\SICE. h1 D/ m$ R- P1 k- M$ U
  0040106C:  call      CreateFileA+ }5 T) K8 S7 i$ a! _; @9 T
  00401071:  cmp       eax,-001
. e' H5 H+ G( S0 X  00401074:  je        00401091
* b' l2 s$ M% k
/ z* ^% c+ n4 }
! a7 I% L. m- g( Q1 C/ Q) YThere could be hundreds of BPX you could use to detect this trick.; T* o. q4 K! R& T
-The most classical one is:; N/ d. P) l! d
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||0 ]- \" f) d! N, {8 f: ~& p+ N4 @
    *(esp-&gt;4+4)=='NTIC'" \& ?/ J! `3 A) W. r4 U! f# g
7 L- G6 T0 Q& z( H# y
-The most exotic ones (could be very slooooow :-(( Z9 @! U* l; Y) p5 v* j
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
0 g8 S9 p1 Z: [4 [( B# R     ;will break 3 times :-(
9 T9 r0 J" l- I3 ~1 f0 G7 d
4 ^1 L6 R" _/ H5 u-or (a bit) faster:
5 [0 b6 A- g8 b- [; S4 j6 n% X9 w0 \   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. p. S; S" U# G6 d  J" n" M* ?! o0 d' X7 G
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
$ L" D7 Q9 f3 }4 v) ~     ;will break 3 times :-(9 d' T$ W: A+ c: O" o! H3 z. g, U

* `2 l1 I2 R3 _! O4 w4 A-Much faster:5 H' i; B; M! w/ O2 W+ C1 Z
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
$ r4 n3 t& W0 k5 W; m# D* T/ i3 @; [. C- g# T# Z* `5 H: q
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
4 p, z. c; T! s0 T# rfunction to do the same job:
  l. Q6 W, o7 ^( d. t! e
! s. J6 b& q% R* Q4 B& L   push    00                        ; OF_READ
" B; {& p, y& d  ~8 Z   mov     eax,[00656634]            ; '\\.\SICE',0$ E9 V) a- x9 p
   push    eax* V- k* r* {, ]0 S- n
   call    KERNEL32!_lopen! H8 m  a+ i) O% g3 {) A
   inc     eax  ]/ `. i# Y  N3 C
   jnz     00650589                  ; detected& V) |- F9 L* u. S/ U
   push    00                        ; OF_READ! h, r' R% c% C* v- F
   mov     eax,[00656638]            ; '\\.\SICE'
( I( Y' C4 K0 E. k   push    eax, t# Y* n6 o& d
   call    KERNEL32!_lopen8 Z; a$ n" ^6 c+ j  i. e) d
   inc     eax
) w& z) g5 N/ ~" |* M* Z$ _# @% e   jz      006505ae                  ; not detected
! Z' V, a* R% w( H# C  s. S- D) C* C" j" B' f$ b1 H' Q
0 E3 n- t9 y/ |* t
__________________________________________________________________________
" n% F7 ~) D) Q% s" Q9 S; u- P+ v0 V& j  {4 S7 F
Method 129 u$ z) C. N4 c; U+ y4 k
=========$ Q- |/ j$ {; |6 C& @: v( M

: b; D6 y* `; qThis trick is similar to int41h/4fh Debugger installation check (code 05. N7 U. y: T# o% Q) X  z
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
% W! {/ Z  l; ias it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 z  o9 ?0 H6 a. @1 k6 D
; \7 {+ R0 u8 H; `/ B: a
   push  0000004fh         ; function 4fh4 k. L; d( e# |' X% m+ B
   push  002a002ah         ; high word specifies which VxD (VWIN32)' p: o& K& E8 n" h$ E" L3 {
                           ; low word specifies which service' \$ @) D+ {( }( x; r
                             (VWIN32_Int41Dispatch)1 }; \( Y1 _( H2 G: \
   call  Kernel32!ORD_001  ; VxdCall
, g& x% s( y8 v   cmp   ax, 0f386h        ; magic number returned by system debuggers
& A- [$ s( k) s( S   jz    SoftICE_detected
, f7 s7 m) h0 ]! g1 Y$ v9 p4 h0 D
Here again, several ways to detect it:4 [3 H! i$ X7 R9 a" C; r( B

' n% G7 `7 q% q- b" l    BPINT 41 if ax==4f- U$ S2 R. L3 w# |4 b9 Z
. Z  J) o1 ]. P) A% f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one$ b: a3 `4 R3 Z; |8 @( J

* R9 X2 j. u0 t8 A/ Q0 F0 }    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A( s; _3 h- I* d1 P# Q3 N8 M
8 t! s5 I& Q5 s8 @" s3 O. _
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!) ^% g; @( Z8 l5 p0 o+ P2 R

; P! o8 b1 G! Y5 G__________________________________________________________________________1 p2 e3 t8 k; u" W& @& O

& T$ q6 X) }+ l% R& TMethod 13% g2 B; Q) ?6 k! U
=========
  P/ u8 Z, h* ?- J- d, N/ t$ p# m# [- a% M2 J4 r
Not a real method of detection, but a good way to know if SoftICE is
' c# f6 E! ]) g! r5 i7 ninstalled on a computer and to locate its installation directory.
: J& n( W9 C- W+ _7 YIt is used by few softs which access the following registry keys (usually #2) :6 o$ D$ y5 P, F% F

3 L) \! h& i( {: O-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 W( R9 c( a, ]: h4 K6 z
\Uninstall\SoftICE7 q% s- Q. }6 u3 ^( g8 @
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE4 |! l9 S: {7 t( K. a* z* h
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 ^0 h4 U* I' p" K) p\App Paths\Loader32.Exe# G4 Q( V4 t! R; ~# U
$ R7 N; U. ^% x9 |+ m

, Q2 Z/ [$ `, `1 vNote that some nasty apps could then erase all files from SoftICE directory' v8 \& y4 J/ s: ?
(I faced that once :-(
- Z4 g# b9 Y& ]1 _/ K* f
( N& J/ q9 W& F3 C4 d+ ]: j6 KUseful breakpoint to detect it:
- w) ^, G' ]6 f' C7 h$ \7 f! W/ b. M1 }4 X& \+ Q8 `3 s
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'8 o$ W! f$ W# F! `# [

) `. i/ {( Y3 r$ B__________________________________________________________________________- b$ |8 A% y7 b5 S5 h; [$ R) J8 ~
$ {( \$ E3 c* k( v8 c2 ?' o2 g/ t
2 g  h4 E5 u  F+ k8 Y3 A
Method 14 . M* x" d! k# B$ N; {& q' g; P0 X
=========: x% z4 L3 e+ S5 @4 p$ c! x% i
* e! D: R, D( i4 ?
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) s5 k# [' j1 x! Kis to determines whether a debugger is running on your system (ring0 only).
+ d4 m4 K$ v5 v  ]
& t2 |2 n% a; F   VMMCall Test_Debug_Installed- O! O0 g8 m2 K
   je      not_installed
% Y0 l6 A7 v4 M8 V. U2 l- K# @8 ^! L
This service just checks a flag.% h$ u# c$ `7 f5 i9 ]* i* h& a1 i
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 10:41

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表