About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes ES = 0 (IVT segment), as in method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
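Seen from the analyst's side, every method above leaves a recognisable trace in the binary: the 'BCHK' constant, the SI/DI magic values, the int 2Fh/41h/68h sequences with their function numbers, the 0F386h compare, the MeltICE device names, the VxDCall service word and the NuMega registry key. The scanner below is an added example for triaging a sample for these traces; it is not code from the post or from any tool it mentions, and the opcode byte patterns and the sample buffer are constructed here for illustration.

```python
# Added example: a triage scanner for the anti-SoftICE signatures described
# in this post. Not the post's own code; the opcode byte patterns and the
# sample buffer below are constructed for illustration.
import re

# (method number in the post, description, byte regex). Encodings are the
# 16-bit forms shown in the post; in 32-bit code some carry a 66h prefix,
# which these patterns tolerate because they only anchor on the opcode bytes.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' BoundsChecker probe",      rb"\xBD\x4B\x48\x43\x42"),
    ("02", "SI=4647h / DI=4A4Dh SoftICE back door",   rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("03", "int 2Fh/1684h, SICE VxD ID 0202h",        rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("04", "int 2Fh/1684h, SIWVID VxD ID 7A5Fh",      rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("05", "int 41h function 4Fh",                     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("07", "int 68h function 43h (V86 handler)",       rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("05/07/12", "compare with magic value 0F386h",    rb"\x3D\x86\xF3"),
    ("11", "MeltICE device name (\\\\.\\SICE, SIWVID, NTICE)",
                                                       rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah)", rb"\x68\x2A\x00\x2A\x00"),
    ("13", "NuMega SoftICE registry key",              rb"Software\\NuMega\\SoftICE"),
]


def scan(blob: bytes):
    """Return (offset, method, description) for every signature hit, by offset.

    Three-byte hits such as the 0F386h compare are weak on their own and
    should only be trusted next to an int 41h / int 68h / VxDCall hit."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob: bytes):
    """Distinct method numbers whose signature appears in the blob."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: the Haspinst.exe back-door loop from method 02, the
# plain int 41h check from method 05 and the MeltICE device string, with
# NOP/zero padding between them so that no two hits overlap.
SAMPLE = (
    b"\xB8\x11\x09"          # mov ax,0911h      (execute SIce command)
    b"\x8B\x17"              # mov dx,[bx]
    b"\xBE\x47\x46"          # mov si,4647h      (1st magic value)
    b"\xBF\x4D\x4A"          # mov di,4A4Dh      (2nd magic value)
    b"\xCC"                  # int 3
    + b"\x90" * 16 +
    b"\xB8\x4F\x00"          # mov ax,4Fh
    b"\xCD\x41"              # int 41h
    b"\x3D\x86\xF3"          # cmp ax,0F386h
    b"\x74\x10"              # jz SoftICE_detected
    + b"\x00" * 8 +
    b"\\\\.\\SICE\x00"       # '\\.\SICE',0 as passed to CreateFileA
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:#06x}  method {method:<9} {desc}")
    print("methods found:", methods_found(SAMPLE))   # ['02', '05', '05/07/12', '11']
```

Run it over a raw code section or a flat DOS image; a PE loader or string extractor is out of scope here, and hits on the three-byte compare should be corroborated by a neighbouring interrupt or VxDCall hit before they are reported.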