About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI == 0:0 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0, the real-mode IVT segment
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al           ; only reached if nobody hooked int 41h before us
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; arbitrary value (timer byte)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; handler not called =&gt; someone else owns int 41h
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).


___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the VxD as a device only succeeds if SoftICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091



There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe



Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
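To turn the opcode and string patterns listed in the post into something an analyst can run over a suspicious sample before debugging it, here is an added example (not code from the original post or from any of the tools it names): a small static scanner that looks for the byte encodings of Methods 01, 02, 03/04, 05, 07, 11 and 13 in a raw binary image. It assumes the 16-bit or 32-bit x86 encodings of the instructions shown above (an optional 66h operand-size prefix between them is tolerated), and the SAMPLE buffer is constructed for the demonstration.

```python
import re

# Each entry: (method label from the post, bytes regex, what it matches).
# Gaps of up to eight bytes (.{0,8}?) allow an odd instruction or a 66h
# operand-size prefix between the key opcodes, so 16-bit and 32-bit forms match.
SIGNATURES = [
    ("Method 01", re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S),
     "mov ebp,'BCHK' ... int 3 (BoundsChecker signature probe)"),
    ("Method 02", re.compile(
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
        rb".{0,8}?\xCC", re.S),
     "si=4647h, di=4A4Dh ... int 3 (back-door command interface)"),
    ("Method 03/04", re.compile(
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S),
     "int 2Fh/1684h with VxD id 0202h (SICE) or 7A5Fh (SIWVID)"),
    ("Method 05", re.compile(
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", re.S),
     "int 41h/4Fh followed by cmp ax,0F386h"),
    ("Method 07", re.compile(
        rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.S),
     "int 68h/43h followed by cmp ax,0F386h"),
    ("Method 11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
     "MeltICE device name handed to CreateFile/_lopen"),
    ("Method 13", re.compile(rb"Software\\NuMega\\SoftICE", re.I),
     "lookup of the SoftICE registry key"),
]


def scan(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, description) for every hit, ordered by offset."""
    hits = []
    for method, pattern, description in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((match.start(), method, description))
    return sorted(hits)


def methods_present(data: bytes) -> list[str]:
    """Distinct method labels found in data, in order of first appearance."""
    seen: list[str] = []
    for _offset, method, _description in scan(data):
        if method not in seen:
            seen.append(method)
    return seen


# Constructed sample (not a real binary): a Method 01 probe, the Haspinst-style
# Method 02 sequence, a MeltICE device name and the registry key, NOP-padded.
SAMPLE = (
    b"\x90" * 4                      # offsets 0-3: padding
    + b"\xBD\x4B\x48\x43\x42"        # offset 4: mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"            # mov ax, 4 (66h prefix: 32-bit code)
    + b"\xCC"                        # int 3
    + b"\x3C\x04\x75\x10"            # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17"        # offset 21: mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46"                # offset 26: mov si, 4647h
    + b"\xBF\x4D\x4A"                # mov di, 4A4Dh
    + b"\xCC"                        # int 3
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"             # offset 36: "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"  # offset 45
)

if __name__ == "__main__":
    for offset, method, description in scan(SAMPLE):
        print(f"{offset:#06x}  {method:<12} {description}")
```

Hits report the offset of the first key opcode, so they can be fed straight to a disassembler to confirm the surrounding code.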