About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number        ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
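As an added example (not code from the article or from any tool it names), here is a Python triage scanner that looks for the byte encodings of the constants and strings the methods above rely on ('BCHK', the 4647h/4A4Dh magic values, the 0F386h magic number, the VxD IDs, the \\.\SICE device names, the NuMega registry path) in a constructed sample buffer, so an analyst can tell which tricks a sample embeds before stepping into it. The values are the article's; the x86 encodings and the sample bytes are mine.

```python
"""Static triage for the anti-SoftICE tricks catalogued above (added example, not
part of the original article).  Each signature is the x86 encoding of the code
or string a method relies on, so an analyst can flag which tricks a sample embeds
before stepping into it (B8+r = mov r,imm ; CD xx = int xx ; 3D = cmp ax,imm16)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str   # method number(s) from the article
    note: str


# (method, what the bytes mean, byte pattern).  Patterns anchor on the opcode
# byte, so 32-bit code carrying a 0x66 operand-size prefix still matches.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker check)", rb"\xBD\x4B\x48\x43\x42"),
    ("02", "mov si,4647h ; mov di,4A4Dh (back-door magic values)",
     rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),     # optional prefix between the movs
    ("03", "mov bx,0202h ; int 2Fh (VxD ID of SICE)", rb"\xBB\x02\x02\xCD\x2F"),
    ("04", "mov bx,7A5Fh ; int 2Fh (VxD ID of SIWVID)", rb"\xBB\x5F\x7A\xCD\x2F"),
    ("05", "mov ax,4Fh ; int 41h (debugger installation check)", rb"\xB8\x4F\x00\xCD\x41"),
    ("05/07/12", "cmp ax,0F386h (system debugger magic number)", rb"\x3D\x86\xF3"),
    ("07", "mov ah,43h ; int 68h (V86 WinICE handler)", rb"\xB4\x43\xCD\x68"),
    ("11", r"device name \\.\SICE, \\.\SIWVID or \\.\NTICE (MeltICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch)", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", r"registry path Software\NuMega\SoftICE", rb"NuMega\\SoftICE"),
]
COMPILED = [(m, n, re.compile(p)) for m, n, p in SIGNATURES]


def scan(blob: bytes) -> list:
    """Return every signature occurrence in blob, ordered by offset."""
    hits = [Hit(m.start(), method, note)
            for method, note, pat in COMPILED
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: h.offset)


def methods_found(blob: bytes) -> set:
    """Article method numbers whose signature appears anywhere in blob."""
    return {h.method for h in scan(blob)}


# Constructed sample (not a real binary): nop filler around the Method 01,
# Method 02 and Method 05 sequences from the article plus a MeltICE device name.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"               # Method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"               # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                        # Method 11
    + b"\x90" * 8
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"0x{hit.offset:06X}  method {hit.method:<8} {hit.note}")
```

The three-byte `cmp ax,0F386h` pattern can occur by chance in unrelated code, so treat a lone 05/07/12 hit as a lead to confirm at the listed offset, not as proof.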