About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface signature that SoftICE implements
('BCHK' in EBP, AX=04h, then INT 3): when SoftICE is loaded it handles
the INT 3 and AL no longer equals 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on breakpoints,
execute SoftICE commands, and so on.
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-(

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
9 {% U2 \9 G- V: q. l# i6 {: t' X) b1 E( x" o: ]
. T' ~+ U+ o3 G* x3 l
Method 03
9 L) _% X6 @. B# I6 H" ~=========
8 n4 w4 c0 B# v% C
7 l( I9 b* Q, \0 f' LLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h) B: n- }& i$ y$ F+ m0 ], ~3 S
(API Get entry point)
) ], u. W9 I7 r, L        7 U. [& K8 k6 g' i8 y5 g+ u- C
% A6 C6 C4 }& N) c0 V4 t% s1 K
    xor     di,di2 h* k5 ?9 [% |4 ?1 c
    mov     es,di
% P  `! J1 \7 W    mov     ax, 1684h       1 L- d+ L/ s3 s9 m
    mov     bx, 0202h       ; VxD ID of winice
9 d* \5 _' O5 L, v% ^    int     2Fh
+ F+ U5 Q, n, l" g    mov     ax, es          ; ES:DI -&gt; VxD API entry point8 W& U9 J& Z# @; X/ l" V
    add     ax, di
1 j1 Q, j8 z6 X0 g& T; u3 t    test    ax,ax
  X* h  q, P/ Z    jnz     SoftICE_Detected& M/ s6 Z+ w0 B$ b
% c  F, B5 Q0 o7 @  w" L
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

This next one, as well as the one in the following method, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). ES must point to segment 0 (the
interrupt vector table), as set up in Method 06:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a temporary int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
'in al,40h' loads an unpredictable value (the timer) into AL and the temporary
handler copies it into CL, so CL equals AL unless something intercepted int 41h
before the vector in the IVT was reached:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in the temporary int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________
6 i. q' n. {% x2 t  Q0 a
) F; N7 B# t& x5 Y4 i4 ^6 n, KMethod 10
; Q  L9 _! j, w4 l9 r( S=========) z; N7 [/ S1 i* h
$ ?# I' Y5 z+ C6 i" j0 F- ^
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
/ E; A- F8 ]1 y, b7 K  SoftICE while the option is enable!!4 ~0 a  V. I9 s% P% `
/ N$ t& i6 {: v7 h3 o0 E3 T# H/ E4 W
This trick is very efficient:7 n. J4 l. {+ l& [( T: V% t- \
by checking the Debug Registers, you can detect if SoftICE is loaded+ f: D4 n5 e# a
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
0 V& W$ r' {& uthere are some memory breakpoints set (dr0 to dr3) simply by reading their
& c3 L$ Z3 G; r5 a$ m) a2 `value (in ring0 only). Values can be manipulated and or changed as well
2 c6 q- s/ h7 {# _(clearing BPMs for instance)/ O" J; n7 v% l" N' O
; P8 A2 P& k* M
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

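When you meet a packed program rather than clean source, the same tricks show up as fixed byte sequences, and the quickest triage is to scan the unpacked image for them before setting any of the breakpoints above. The scanner below is an added example, not code from the original article or from any of the packers it mentions: it walks a raw buffer and reports the standard x86 encodings of the instructions listed for Methods 01 to 07 and 12 (the 'BCHK' load, the 4647h/4A4Dh magic loads, the VxD IDs before int 2Fh, the 4Fh/int 41h and 43h/int 68h pairs, the 0F386h compare, and the push 4Fh / push 002A002Ah sequence), plus the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of Method 11. A lead pattern is only reported when the INT that consumes it follows within a few bytes, so a stray 'mov bx,0202h' is not a hit. The function names and the SAMPLE buffer (the listings above assembled by hand, plus one decoy) are this example's own.

```c
/* Added example: scan a raw buffer for the anti-SoftICE byte patterns of
 * Methods 01-07, 11 and 12. Not from the original article; the function
 * names and the SAMPLE buffer are this example's own construction. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef unsigned char u8;

/* A lead pattern, optionally confirmed by a follow pattern (the INT that
 * consumes the magic values) found within `window` bytes after the lead. */
typedef struct {
    const char *method;
    const u8 *lead;   size_t lead_len;
    const u8 *follow; size_t follow_len;   /* NULL: no confirmation needed  */
    const u8 *alt;    size_t alt_len;      /* alternative encoding, or NULL */
    size_t window;
} sig_t;

static const u8 int3[] = {0xCC}, int3b[] = {0xCD,0x03};          /* int 3, both encodings */
static const u8 int2f[] = {0xCD,0x2F}, int41[] = {0xCD,0x41}, int68[] = {0xCD,0x68};
static const u8 m01[]  = {0xBD,0x4B,0x48,0x43,0x42};              /* mov ebp,4243484Bh 'BCHK' (66h prefix precedes it in 16-bit code) */
static const u8 m02[]  = {0xBE,0x47,0x46};                        /* mov si,4647h 'FG' */
static const u8 m03[]  = {0xBB,0x02,0x02};                        /* mov bx,0202h  SICE   */
static const u8 m04[]  = {0xBB,0x5F,0x7A};                        /* mov bx,7A5Fh  SIWVID */
static const u8 m05[]  = {0xB8,0x4F,0x00};                        /* mov ax,4Fh */
static const u8 m07[]  = {0xB4,0x43};                             /* mov ah,43h */
static const u8 f386[] = {0x3D,0x86,0xF3};                        /* cmp ax,0F386h (66h prefix in 32-bit code) */
static const u8 m12[]  = {0x6A,0x4F,0x68,0x2A,0x00,0x2A,0x00};    /* push 4Fh ; push 002A002Ah */

static const sig_t SIGS[] = {
    {"Method 01 (BCHK in EBP + INT 3)",            m01,  5, int3,  1, int3b, 2, 16},
    {"Method 02 (SI=4647h/DI=4A4Dh + INT 3)",      m02,  3, int3,  1, int3b, 2, 16},
    {"Method 03 (VxD ID 0202h + INT 2Fh)",         m03,  3, int2f, 2, NULL,  0,  8},
    {"Method 04 (VxD ID 7A5Fh + INT 2Fh)",         m04,  3, int2f, 2, NULL,  0,  8},
    {"Method 05 (AX=4Fh + INT 41h)",               m05,  3, int41, 2, NULL,  0,  8},
    {"Method 07 (AH=43h + INT 68h)",               m07,  2, int68, 2, NULL,  0,  8},
    {"Methods 05/07/12 (cmp ax,0F386h)",           f386, 3, NULL,  0, NULL,  0,  0},
    {"Method 12 (VxDCall VWIN32_Int41Dispatch)",   m12,  7, NULL,  0, NULL,  0,  0},
};
/* device names opened by MeltICE-style checks (Method 11), after "\\.\" */
static const char *const DEVS[] = {"SICE", "SIWVID", "NTICE"};

typedef struct { const char *method; size_t offset; } hit_t;

static int match_at(const u8 *b, size_t n, size_t pos, const u8 *p, size_t len) {
    return len > 0 && pos + len <= n && memcmp(b + pos, p, len) == 0;
}

/* true if the follow (or alt) pattern occurs in [from, from+window) */
static int confirmed(const u8 *b, size_t n, size_t from, const sig_t *s) {
    size_t p, end = from + s->window;
    if (!s->follow) return 1;
    if (end > n) end = n;
    for (p = from; p < end; p++)
        if (match_at(b, n, p, s->follow, s->follow_len) ||
            match_at(b, n, p, s->alt, s->alt_len)) return 1;
    return 0;
}

/* Returns the number of hits; at most `max` are stored in `hits`. */
size_t scan_anti_sice(const u8 *b, size_t n, hit_t *hits, size_t max) {
    size_t count = 0, pos, i;
    for (pos = 0; pos < n; pos++) {
        for (i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++) {
            const sig_t *s = &SIGS[i];
            if (!match_at(b, n, pos, s->lead, s->lead_len) ||
                !confirmed(b, n, pos + s->lead_len, s)) continue;
            if (count < max) { hits[count].method = s->method; hits[count].offset = pos; }
            count++;
        }
        if (match_at(b, n, pos, (const u8 *)"\\\\.\\", 4))
            for (i = 0; i < 3; i++)
                if (match_at(b, n, pos + 4, (const u8 *)DEVS[i], strlen(DEVS[i]))) {
                    if (count < max) { hits[count].method = "Method 11 (\\\\.\\ device name)"; hits[count].offset = pos; }
                    count++;
                }
    }
    return count;
}

/* Constructed sample: the listings of the article assembled to bytes, plus a decoy. */
static const u8 SAMPLE[] = {
    0x90, 0x90,
    /* Method 01: mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz */
    0x66,0xBD,0x4B,0x48,0x43,0x42, 0xB8,0x04,0x00, 0xCC, 0x3C,0x04, 0x75,0x10,
    /* Method 02 (Haspinst): mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3 */
    0xB8,0x11,0x09, 0x8B,0x17, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
    /* Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz */
    0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x05,
    /* Method 12 (32-bit): push 4Fh ; push 002A002Ah ; call [VxDCall] */
    0x6A,0x4F, 0x68,0x2A,0x00,0x2A,0x00, 0xFF,0x15,0,0,0,0,
    /* Method 11: "\\.\SICE",0 */
    '\\','\\','.','\\','S','I','C','E',0,
    /* decoy: mov bx,0202h ; ret  (no INT 2Fh, must not be reported) */
    0xBB,0x02,0x02, 0xC3,
};

static hit_t g_hits[16];
size_t scan_sample(void) { return scan_anti_sice(SAMPLE, sizeof SAMPLE, g_hits, 16); }
size_t sample_hit_offset(size_t i) { return g_hits[i].offset; }
const char *sample_hit_method(size_t i) { return g_hits[i].method; }

int main(void) {
    size_t i, n = scan_sample();
    for (i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", sample_hit_offset(i), sample_hit_method(i));
    return 0;
}
```

On the sample the scanner reports six hits (Methods 01, 02, 05, the 0F386h compare, 12 and 11, in that order) and stays silent on the decoy. For a real target, feed it the dumped image after the packer has unpacked itself; 16-bit code carries a 66h prefix before the 'BCHK' load and a 66h prefix before the 0F386h compare in 32-bit code, which is why both signatures start after the prefix.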
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>