About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; es = 0, the IVT segment (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap our own handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. when the
   Win9x SoftICE driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.