找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>3 @# N8 J! b+ @6 [: c0 |" o
<TBODY>
9 m, E2 H# Y; K* m<TR>
6 z0 K4 Q' U1 N, W<TD><PRE>Method 01 , v) ^6 W) I) ~
=========
0 q' X) g6 C6 G# a4 a- }4 V  |6 {( Y; a2 c$ e
This method of detection of SoftICE (as well as the following one) is3 @: b- K) `# F* S, d4 n# }5 e
used by the majority of packers/encryptors found on Internet.& Z& S# Q( k/ i0 F% C) Z
It seeks the signature of BoundsChecker in SoftICE$ \3 [$ r' P: k- |, l8 i

" `: E; G. y+ |    mov     ebp, 04243484Bh        ; 'BCHK'
+ p$ Q$ c$ j2 U0 x% }0 `: q    mov     ax, 04h# h/ g! n+ f: w; `9 t4 J% [
    int     3      
' M4 ~' ^/ [& l, w$ j    cmp     al,48 M- R* i' c2 I) \
    jnz     SoftICE_Detected
; H' m$ H- e+ c7 X' Q6 k
4 s& D5 R( f; b* q* b; Q; ]& z- P: p___________________________________________________________________________
, M# P* D+ h' Y$ X
( O4 R8 f( P  I: m0 m% `Method 02
+ p+ p. Y9 W% R+ P1 B5 m=========
3 _% _' ]; o2 W- o
' F* G  M, H7 r- iStill a method very much used (perhaps the most frequent one).  It is used/ L' n1 ~+ Z- K4 P0 @- D" J
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' F" w$ F  w* D$ F
or execute SoftICE commands...
; Q+ N5 C: q! C8 o" ~It is also used to crash SoftICE and to force it to execute any commands
5 `# k: W- O4 Y8 G) F. q(HBOOT...) :-((  0 @  t( O" O- c# T& K
  d8 t0 @% j  k/ j* C6 ?) Z; p
Here is a quick description:
& ~! a  c6 i: z3 K( W4 [3 C-AX = 0910h   (Display string in SIce windows)9 H, }: c& n' h. e) t& o& g
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
- a8 T2 ?/ }; E  _-AX = 0912h   (Get breakpoint infos)
1 O1 B3 }: h  X: G5 W/ ?% D0 F% L-AX = 0913h   (Set Sice breakpoints)8 `' V  Q6 L  {% |' M
-AX = 0914h   (Remove SIce breakoints)
/ f2 H4 s" n3 W( K9 b. B
  S" {7 Q% M# b/ p5 R- t* B- k! tEach time you'll meet this trick, you'll see:
' p  F/ a0 e) ~% M. \4 Q% [-SI = 4647h
+ d+ _7 ?$ l$ W! i% ?+ y3 Y7 o-DI = 4A4Dh4 R6 v. s6 `. M0 _/ ~
Which are the 'magic values' used by SoftIce.
) a& G# {: a. G% t& z7 e8 |For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
* j9 U2 o8 R' Q  y  D# e. j# x& `# }% X8 y6 |8 L
Here is one example from the file "Haspinst.exe" which is the dongle HASP
, g$ h: o: @/ B0 d  E3 J7 pEnvelope utility use to protect DOS applications:
+ B5 M' j, j- x* B. A7 k1 e* w
! D% I6 _2 g" `$ x
$ Q2 C3 _4 o- e, P+ n* u; P4C19:0095   MOV    AX,0911  ; execute command.
% e6 Y) }4 N; K; m4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
$ A& m+ i# n2 {2 M: S4C19:009A   MOV    SI,4647  ; 1st magic value.
4 G- y+ {4 c" y% X) f4C19:009D   MOV    DI,4A4D  ; 2nd magic value.4 I( b  O# f% g0 a/ v- B- q
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)' L( K0 H, e& V- F* z; c
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
0 ?9 |8 y1 ~  f' m: s& O' d- B$ \4C19:00A4   INC    CX
  d  A* A' k# [5 E4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
% s" b* R2 B* E% y4C19:00A8   JB     0095     ; 6 different commands.+ a" p! X# r5 V$ T( B
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
) Q& b4 g2 e. k2 V& A4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
" I9 o  y3 |# ~0 h8 j. h+ Y) S8 e& o* Y# I7 \6 D
The program will execute 6 different SIce commands located at ds:dx, which: V0 `- m& u) P% @! |
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
  C0 F% r% L( L6 K6 i2 E6 A
. z: c' J# D7 h0 V3 \" D1 r* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.2 }. e, P- o8 W. L6 R6 @# h9 R5 \
___________________________________________________________________________
, j; [# I) U5 Q; k1 ~+ F" C6 H1 f4 y  K2 H& L

' z. E! ]# }/ K' \2 g% `& aMethod 038 }5 I4 M5 q6 q: P4 l5 v( ]
=========# G# g) }, z% E9 O" ^
: r8 E) u" W7 @& }: L+ @2 \
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h" f5 K  f/ C  U- v
(API Get entry point); T! f; ~, P0 h' l0 T  f) @* J
        0 M7 m# M1 u" Y& a& V# J' v

# G) _! L* {# B0 @- r' U    xor     di,di9 H" U" ^6 [8 c8 Q2 K& N* P) N
    mov     es,di
4 B3 j: d1 h: f  K# u) E0 z/ y8 e    mov     ax, 1684h       : x  |( d! _9 j2 W* F9 I( B5 D
    mov     bx, 0202h       ; VxD ID of winice: H% E  B0 }8 s5 X
    int     2Fh! @6 a2 N# p  u" E
    mov     ax, es          ; ES:DI -&gt; VxD API entry point( Q4 w" z! ^' |, k" `3 R
    add     ax, di8 V* H) T: [3 j+ Y  m2 N
    test    ax,ax; }: _; S; p' V
    jnz     SoftICE_Detected
0 [4 t/ K1 |* M) g) X* f% K# L2 h' P$ D8 }4 b/ W* K$ ?
___________________________________________________________________________6 u- ?' o, u1 U9 F2 K
1 S; R1 U8 K) U$ A
Method 04
9 o1 @' w' W+ c) T0 Y=========
5 Y% t% |$ b, y3 A4 m$ D+ d+ A0 j9 O& u1 ]4 H$ D, P/ x
Method identical to the preceding one except that it seeks the ID of SoftICE& h: A/ [& Y$ b& J+ y! ?
GFX VxD.8 o- y- H/ U$ f5 @
' X/ I. t" _: C  r
    xor     di,di# n$ ?* M  V" T7 W  Z1 m
    mov     es,di
' N3 N! }, s" L7 n2 l    mov     ax, 1684h       5 c$ w' E% _' n/ K" G/ {" d% F' t
    mov     bx, 7a5Fh       ; VxD ID of SIWVID  W6 X% x) Q( g. M' r( t
    int     2fh6 r3 ]; b5 U  ^1 |0 H: v3 r& b
    mov     ax, es          ; ES:DI -&gt; VxD API entry point" s/ @% s( R1 ?  B" T
    add     ax, di1 x7 Y& L( C5 P; F- K# D
    test    ax,ax
# P5 J$ z% W3 Q. |- D    jnz     SoftICE_Detected7 b1 i" I: L0 m# t
/ e5 W7 ]+ k( x5 K
__________________________________________________________________________
9 o9 O: @# Q( B* l: L- }& b5 o5 T. b) q2 z

$ l6 X& K3 B& B$ XMethod 05
7 Q. ^; r( P. r& N: s0 b1 o; U=========& z, O' f' J  D; K2 I( M

4 C, w# P8 ]8 a& j5 U: IMethod seeking the 'magic number' 0F386h returned (in ax) by all system
; f3 T! O% A3 o4 j) U! ]debugger. It calls the int 41h, function 4Fh./ e, z6 G7 g1 _' R0 Z
There are several alternatives.  
5 \( d, X! C( B
! g" j) U" R; C) b, p: i5 I& PThe following one is the simplest:7 P9 x' b; K2 ^3 o2 V! {5 J0 F

3 u: j  O) r- u5 R; e    mov     ax,4fh: A" E- g& C# J# L0 `% r
    int     41h, k0 r$ P6 r3 }9 ^2 g
    cmp     ax, 0F3869 Q" H) X' t% W# F5 S6 M1 t5 c, y
    jz      SoftICE_detected; J8 N. T, g/ c( X% S' R

! B! }4 W5 e' z* m- v( V% N
0 h) l3 }' a1 K5 |5 @9 ?1 u# _Next method as well as the following one are 2 examples from Stone's
; k$ X9 s& j3 U* z7 i"stn-wid.zip" (www.cracking.net):( z, S; n& _! t" `& r: `

& ]6 W; j: m1 p7 F    mov     bx, cs7 i2 \( I; S4 B
    lea     dx, int41handler2# v  E$ ?9 |. u5 \" z6 [7 \
    xchg    dx, es:[41h*4]- K& s' {+ ~( `, p- b$ O, P6 v& Y0 n
    xchg    bx, es:[41h*4+2]2 z+ h/ \5 m: B! t2 G; i
    mov     ax,4fh
( b! K% S1 J- U7 r' B/ s2 y    int     41h$ A- V6 M. j$ O
    xchg    dx, es:[41h*4]
. q# N8 y. w  V1 O    xchg    bx, es:[41h*4+2]0 |& }( I* k% v5 m% i, P- n. s
    cmp     ax, 0f386h
/ r) A7 b) D% l+ N. }9 F! w    jz      SoftICE_detected
) u4 A, e! V* A7 ~0 {7 u; _; S/ r( t! J; q
int41handler2 PROC0 r6 N- }! u. @1 V  ^
    iret
, W; U9 D5 C: z- nint41handler2 ENDP. L( F* _( W( s- h5 \

% [. G8 x. x, s& E1 N3 U6 ?* X  M- o; k
_________________________________________________________________________8 ^; y3 A; j0 s! i
) ]  s+ C; p! l3 d

- K8 y+ v# R. S, j. tMethod 06* W! V5 Q' O- D+ R/ G* ?# [. a
=========
( [# t3 j+ R7 v& H& \  s6 m- Q) K( u$ n" Z$ L
( k! h9 F; }: h  {# D
2nd method similar to the preceding one but more difficult to detect:8 |0 x5 K* T9 ?: E$ @* M

: `, J# v% y( e0 w. F8 u. C, ]8 b; c! \7 t4 ]5 ^9 t
int41handler PROC! T/ W2 y, \2 s1 h7 R
    mov     cl,al6 }) Q: o$ ^% f
    iret  c& Y9 k4 {4 i& R0 \) W# a
int41handler ENDP, u! h4 j6 u2 k! a2 F, n% h7 E- E' [1 \

9 d; N" J4 t' s* z+ A9 c+ B
% m  }! I4 k1 \3 w; d) K    xor     ax,ax
% j' B+ C- M" u- @: g    mov     es,ax* W8 C& Y3 o, S8 A9 i! E
    mov     bx, cs1 Y. L) ]8 L* F* P" z( G9 E
    lea     dx, int41handler, c5 ?) f4 s, x. U- w. J
    xchg    dx, es:[41h*4]
/ j# P% X+ y* m3 A3 b$ j- y. P    xchg    bx, es:[41h*4+2]
5 T  l4 A" ~. g. j, ]% ~% f' Y    in      al, 40h
/ {3 F  j  S8 f) ^% V& L    xor     cx,cx
' L2 ?0 s% O& K" \    int     41h% o9 l( T, y  \2 T$ f4 R
    xchg    dx, es:[41h*4]  q" |# f, a( d& y
    xchg    bx, es:[41h*4+2]  o/ E8 P- Z! q2 Z7 [
    cmp     cl,al7 D# Q2 t3 O" s8 G( f
    jnz     SoftICE_detected/ r( g& W! R; F. W
: L5 l) S: d+ z: U8 a
_________________________________________________________________________+ o7 S: E) B4 J# v6 X! H
; \" f. l5 z, I5 x8 X$ B
Method 07
4 c" C" y7 Q& v' t9 Q" S. G, H=========
, |/ I4 _7 |2 [1 e, h+ Y$ n7 W% c- S, {$ O+ ~# q. B" H
Method of detection of the WinICE handler in the int68h (V86)
& @; ~% Y  c% r1 y( w
. m# g. o4 F. R( g  X. X    mov     ah,43h
; n6 v" B$ s  x$ b, s1 n    int     68h- x! c+ E- U3 q3 F- m3 \: p
    cmp     ax,0F386h
4 L0 k/ o0 N7 c7 S: w$ B    jz      SoftICE_Detected4 v4 _; U4 g' P4 N$ D

) ]( g; o; {) E5 R
: F0 N0 M8 r9 F" _/ f, ~* S, a=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 C( C7 r! @1 j$ R8 i
   app like this:
; ^: q6 @& P# i; u: x/ K8 ]: J- Z/ A% Q1 l% }  q9 `; g/ x! B- _
   BPX exec_int if ax==68* ?% R1 s/ l: t4 ~% K
   (function called is located at byte ptr [ebp+1Dh] and client eip is. x6 E3 E! a6 T7 C; [) z& x2 Q
   located at [ebp+48h] for 32Bit apps): k+ F  u" P: V% w, f) K
__________________________________________________________________________5 O7 o3 S0 D* M: N- y8 G
! e  U5 U6 X- O$ C, q
7 j! i9 J2 C, z7 x1 v4 q- a
Method 08
, M, U$ X, ]" |9 {; N' O- z=========" p5 I7 s% V/ L2 e- w& a$ y
) b% @6 q% ^7 r  |8 b7 C  b
It is not a method of detection of SoftICE but a possibility to crash the
7 i/ O* j9 m5 N$ Q, l& w1 qsystem by intercepting int 01h and int 03h and redirecting them to another
' k8 e9 P  T, Y$ Q7 ~; sroutine.5 e% c! T5 H3 k) `1 u+ X
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points- E& z0 K( H$ w0 t8 x
to the new routine to execute (hangs computer...)0 i. o" T% {: [- f! w  j! ^; }4 Z9 Z( |
5 I; P4 {. L& i& G  r$ F8 \
    mov     ah, 25h/ Q+ A' [7 ?  Z7 n+ R# w6 |
    mov     al, Int_Number (01h or 03h), e$ g, [+ B7 s' l5 @% ]: ]
    mov     dx, offset New_Int_Routine* j) ^: F9 M; f: ]
    int     21h3 S' x& f5 u7 ~1 y
0 ?. v+ U$ w; A& _4 L
__________________________________________________________________________5 g; i# E) f  z: X1 f" g

/ T, U' ~5 R( X- f& D9 pMethod 09" G& }! o7 T2 O$ w% \
=========5 I% m7 A# w" h& m, j+ L+ s
& X) [2 O: g( {, J
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 M5 j- W/ Y9 r7 G' {2 tperformed in ring0 (VxD or a ring3 app using the VxdCall).
! }! L* n$ r$ }! [The Get_DDB service is used to determine whether or not a VxD is installed
4 o& c: \( H1 m3 B% B1 @! F3 Wfor the specified device and returns a Device Description Block (in ecx) for) D+ U6 K" Y3 T2 L* H
that device if it is installed.- o/ @/ C7 n$ p
6 T/ i3 u1 n  v6 ^8 p" I: p, |2 l
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID7 w* [: ~0 Y. w# {8 i4 ?
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
+ X/ O( k/ H# I; F- v1 B   VMMCall Get_DDB
- U# P# T7 D: S8 u/ Z   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed+ n8 A2 |) e$ Z5 e% J
2 c+ A1 p4 Z4 |) w  r+ ?
Note as well that you can easily detect this method with SoftICE:
% @; c) r$ Q0 m& I" _. s- B   bpx Get_DDB if ax==0202 || ax==7a5fh
, Z8 d; Y! y, v" R. t! @# X: v9 f# z: b. K# c; {
__________________________________________________________________________
* H; `, |6 q  B
2 h% e  d  J+ N  ^& Q5 H- P: r' G4 [Method 10
/ v" x: S3 D0 S; }! r=========0 U( _0 j% k; w& R0 A6 d

& T9 v, I4 z. B5 ^, U  G=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with2 d2 F4 L6 q2 Y6 l
  SoftICE while the option is enable!!
' B: P- i6 {2 Q9 M1 a! j* ]& h# Y7 v2 Z* p, `4 x' K; k/ B
This trick is very efficient:
5 A) D+ c' T  C- r9 `by checking the Debug Registers, you can detect if SoftICE is loaded( s: R' C: u$ g: k. [1 m
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if$ y8 u/ k) x2 }$ U6 {9 k
there are some memory breakpoints set (dr0 to dr3) simply by reading their
+ F5 v: E1 @2 X' F2 A9 q9 f- w; Pvalue (in ring0 only). Values can be manipulated and or changed as well" q0 @* r' t9 U3 r: g7 r
(clearing BPMs for instance)
6 r) G/ C% R: i, i5 D2 y7 r6 w9 p1 W' |" b1 b- L$ F" R
__________________________________________________________________________  ?: A* U1 B; E; m! P" S8 M

" {5 w1 ]. Z$ i- KMethod 11  L1 v" U- q0 r/ E& p/ R+ D
=========
. |) s1 W8 o2 W; I6 P7 m. d" v/ @; t0 ~- u8 e) W
This method is most known as 'MeltICE' because it has been freely distributed
$ H) ^3 h; \2 V& h- e# x5 K7 U- yvia www.winfiles.com. However it was first used by NuMega people to allow
( A% d9 Z  d$ K" ]7 U8 ]Symbol Loader to check if SoftICE was active or not (the code is located& u5 d; {4 ^" k1 G7 Q7 o
inside nmtrans.dll).: X3 @: c4 x# k
  o% m/ Q7 K  s9 ~% t6 }! J/ ~
The way it works is very simple:5 K. M+ j  ]5 J0 x. X
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 S! w0 N9 S( }3 C, L9 k% S- TWinNT) with the CreateFileA API." I/ a3 a: x8 y  L, l& [

+ K) `. J' K' _( T) V7 F4 qHere is a sample (checking for 'SICE'):( y6 a' j* H; s
6 A# N' r5 q" ]( a3 t
BOOL IsSoftIce95Loaded()
3 a# q# {; g8 [* Z: J{% ?2 E+ M4 k* g. @% C
   HANDLE hFile;  
/ S+ n/ a( [0 S+ x4 Z   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
( [* W) r2 G) a' G* b                      FILE_SHARE_READ | FILE_SHARE_WRITE,
: o5 G: }* ~6 D) a                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);  U* a- n& w5 L0 l( R
   if( hFile != INVALID_HANDLE_VALUE )9 T( N: a2 Q# v& x8 q
   {4 _& l# Z0 x$ y9 a5 W. b
      CloseHandle(hFile);
' H+ a) T6 B: J) E; h* v1 _0 |      return TRUE;# t( A2 p' g- \% Y( T9 q) H! k
   }0 E* L3 q" H: u
   return FALSE;$ u" F7 w6 g' _3 N
}
) ^6 l* L3 |4 Y& L9 Z1 m# I! Q$ K# Z4 k2 X6 r( _
Although this trick calls the CreateFileA function, don't even expect to be: e$ k) g6 H3 F( y% }
able to intercept it by installing a IFS hook: it will not work, no way!1 h. L+ c: j! _. F; w6 U
In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ H, Y& H0 y% c0 t0 E% R% F$ H6 G3 v
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- g' c& V" }8 E: U
and then browse the DDB list until it find the VxD and its DDB_Control_Proc6 q) G" ?, q; s. y
field.
1 b# Z! u5 O2 c# _6 e- ZIn fact, its purpose is not to load/unload VxDs but only to send a
  B6 M' x2 H) T+ U, b9 _& MW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
$ v0 h( L/ j# g3 Oto the VxD Control_Dispatch proc (how the hell a shareware soft could try" Y) N8 f" C( Y
to load/unload a non-dynamically loadable driver such as SoftICE ;-).! a/ z9 `5 C8 R6 \+ G/ \+ o3 ^
If the VxD is loaded, it will always clear eax and the Carry flag to allow5 W6 @3 H) ?- P1 P% i' k
its handle to be opened and then, will be detected.
. l: S. {6 y& ?9 u0 h3 o$ kYou can check that simply by hooking Winice.exe control proc entry point
3 h5 T2 b5 H9 ]  ?* Lwhile running MeltICE.
" g) I* U* Q1 s5 B- k
/ g7 G) O  K/ F5 \/ y! }' _
5 Q0 l$ d. I( o) \; b  00401067:  push      00402025    ; \\.\SICE
+ [- Y: M  T6 Z! B  [6 f, h1 G  0040106C:  call      CreateFileA5 ^/ b) i( ^9 t8 l# P
  00401071:  cmp       eax,-001
- ?# J( b3 N% X: \2 R  00401074:  je        00401091+ Y$ C2 v' Q8 u/ L. J9 }

- Y2 B# C6 A1 E/ d; C' l
5 d) i. U& c7 b, {, xThere could be hundreds of BPX you could use to detect this trick.  N  u  {6 G+ X; A  i; K) }
-The most classical one is:+ G$ T! \0 T' c/ K6 j
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||: p1 `# G. O% f# `
    *(esp-&gt;4+4)=='NTIC'% t- @$ M! C9 k
2 c6 W- A* E9 G
-The most exotic ones (could be very slooooow :-(
; y# k( w% b3 _7 o$ r; R# b   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  % I; ^1 ^* n1 T
     ;will break 3 times :-(
! {$ j3 C. u; c( m
0 N& f/ ~1 F2 I" ^* I, c: L+ Q-or (a bit) faster:
+ F" [  w4 ?7 \) s0 @+ h   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')+ M  s" X2 C9 p; @2 g# D6 ~; L" m

& I: l4 b8 B$ k% G   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
& U% H+ D; z& D     ;will break 3 times :-(3 _; o1 J9 w; l2 l  c! Y3 ~

  {7 M6 `& h( _0 r6 q* k-Much faster:$ {7 w& A8 Z4 i* l9 e9 E- U5 w
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
% ]$ ]  U% v' ^4 U2 {' C" N, W. `" K4 J3 Z. e2 z0 A
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen/ r! K! a- L/ L+ f
function to do the same job:6 Q$ b1 V$ ^! j% [! Q

1 _& S/ Y3 ?) S$ z! X   push    00                        ; OF_READ/ ]8 n% j" Z, V7 D- E, b4 p" a
   mov     eax,[00656634]            ; '\\.\SICE',0! _* q6 E6 o  @$ ^5 x* l
   push    eax
2 I: t2 v7 Z& [& ?) F   call    KERNEL32!_lopen
2 @* v1 Y) Z- R' k. m   inc     eax
- R; W  U# m' `4 H+ Q   jnz     00650589                  ; detected
% Z4 z! s; E4 x% V% }& @6 z4 g# O, j/ b   push    00                        ; OF_READ
  b1 B8 r: W" _4 K6 p9 ]1 O- E; a8 O   mov     eax,[00656638]            ; '\\.\SICE'/ I/ |: S6 B- Y1 c  s* g
   push    eax$ E4 X6 ~& t2 b7 T
   call    KERNEL32!_lopen/ \0 w( \5 \: W9 \' R/ }0 K
   inc     eax, ~1 u9 X6 `6 a  V$ f9 m
   jz      006505ae                  ; not detected# ]5 [4 o% Z  l5 e: Z
& f/ r# L3 q4 X1 X0 A

$ `2 W. O" v/ S__________________________________________________________________________
, Z& {6 k7 J- |2 B' B* S3 \) W* l) ^% H% n& _
Method 12
5 c* I) z. ?' E# `0 K=========
& m5 Y/ `7 {! P, b& R7 W' E. g5 @3 u" c& E( ]1 L$ c
This trick is similar to int41h/4fh Debugger installation check (code 05, v9 r+ {9 K# S& p3 c
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
5 H( O+ C+ V: U& R  w0 h/ qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
) V$ M3 d0 T" z1 A: i8 D7 v* Q' _! v7 z6 r! c
   push  0000004fh         ; function 4fh
0 H* K3 Z6 i% w) R/ l   push  002a002ah         ; high word specifies which VxD (VWIN32)
" b( W6 M) r, d& H. s3 |                           ; low word specifies which service4 G, y1 j7 r! C% M8 E, c8 g1 {. \+ e  _
                             (VWIN32_Int41Dispatch)
3 x" U. G8 ]3 H) o* K  r7 \3 t   call  Kernel32!ORD_001  ; VxdCall
  P  T. V# }" w: q4 h( g) T$ o: j/ ?5 K   cmp   ax, 0f386h        ; magic number returned by system debuggers2 Q* G& O2 S5 i" ?% B+ ?
   jz    SoftICE_detected$ L* z# S" G) c5 L3 G
' @- A7 v; E0 Z, q  J/ W' V' g
Here again, several ways to detect it:& u! k+ L/ ?& }
* j& Z' R. I9 [) N
    BPINT 41 if ax==4f
4 X& O) e. ^3 @; M) T
" i+ d; U2 y0 v1 }3 e    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
9 z5 |7 @# b" M' w: B2 j
/ S6 W* {- l* ~# Y- L    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
9 U' ]2 H1 P$ M% V2 ~9 p! W+ G7 h+ s9 ?& Y5 a+ h* K4 M7 v
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
' O* N% s4 Q! z1 z# N
  X2 \8 \+ @  C) Q. V- [__________________________________________________________________________) G0 c4 Z  }! j4 v+ n3 K
' z: F; u* |4 b5 _- \
Method 13. h; g9 J( E: M# P- O3 I
=========
$ B7 M6 x; d0 h- M+ h5 U
& P8 }* Z( h, Z! l$ T1 a4 tNot a real method of detection, but a good way to know if SoftICE is& @6 k+ X) J) f4 Y8 F, P! b$ Q
installed on a computer and to locate its installation directory.
3 N7 @0 B4 F8 ^It is used by few softs which access the following registry keys (usually #2) :
( L2 x' @8 F; Z/ t+ g. @
1 L3 \5 e! z1 g3 O5 j) j+ I* x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 P6 I- u  [7 A\Uninstall\SoftICE
1 X7 q- ]0 W6 H; N4 Q& i2 G-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
6 l+ W# h! }- `$ t3 ~-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 |2 n+ e2 \% c) E7 L
\App Paths\Loader32.Exe
# d" v' U, A$ Y3 v
( e. X: f, S* U& Q4 w  F! X9 z
7 G' C# r5 P1 q3 A: GNote that some nasty apps could then erase all files from SoftICE directory6 M' C1 U4 Q, F  y+ j1 ]5 Q& s/ _  G
(I faced that once :-(
( c& P( k  i3 `+ t- F
5 F2 b5 F: _% Y' KUseful breakpoint to detect it:, F" P% g* V. N1 _

; P1 Q# g! _1 o. P2 S) v     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
7 `3 r) X. o. u7 l5 w% h( ^- t( p. e9 z2 j+ I* i" R
__________________________________________________________________________
# |1 V/ M! H' w2 u
  Y$ _  x) R- o$ U) U
1 \2 {( {4 q9 ?% T8 BMethod 14
* }* S; W0 T/ {6 W=========
0 M' |% @* ~: C6 ?  \6 Y
; M: n) F9 U3 E( ]' O7 D& P, EA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: m% C. k; i% j# {+ g
is to determines whether a debugger is running on your system (ring0 only).% E* ^. D8 Y  i3 M) C
4 g* I% |0 m- G; C
   VMMCall Test_Debug_Installed6 m1 L) L' I6 m0 I  v
   je      not_installed
8 @0 @% ~/ j1 {8 K5 x/ o
. G; m$ ~' s# L- m% YThis service just checks a flag.$ }# K' D! `4 c, L. T
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 00:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表