找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>% a7 o) C7 z5 A  l& d* h
<TBODY>5 S; k/ ?- H8 U  J- F5 L
<TR>0 I. n# j8 e% l3 p! v# i( B# R
<TD><PRE>Method 01
$ y5 c  U, o$ Z=========6 i8 {# o. |0 V3 N& ]; C

! F) i4 J1 Q4 f. @  g2 ~$ IThis method of detection of SoftICE (as well as the following one) is
- v9 \' P7 s2 |, M- n9 ?( cused by the majority of packers/encryptors found on Internet.
) A7 O, ?7 \) e7 AIt seeks the signature of BoundsChecker in SoftICE8 ?1 v# ]: B: ?% P

" r8 h6 |' q; h, K' ^    mov     ebp, 04243484Bh        ; 'BCHK'
1 b# `& q5 O6 J, d$ I! b. }  W# u    mov     ax, 04h
! }; ]6 k7 k: z) S& n3 v; h    int     3       8 s. s! n6 F7 G! Y$ p& A1 F
    cmp     al,4  c8 ?0 F% @8 L) M6 c
    jnz     SoftICE_Detected0 [6 H! w9 Z1 U; u0 n1 C7 e. ]

) [5 X4 I6 u7 u9 }___________________________________________________________________________
: p$ m8 b3 n* I- E1 V0 d7 S) n4 l& j" @2 p6 {+ \6 S5 W0 M, T: s# m
Method 028 J2 r7 R/ x; N
=========
/ ~" }) _- d8 {4 B% I" k
) P! u& ?+ A0 d( D1 J+ tStill a method very much used (perhaps the most frequent one).  It is used
3 ^  H+ r* U4 I6 ]7 Z" G$ Pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,' v% [* E& {+ i+ ^0 i
or execute SoftICE commands...
' C- b$ a: u# b5 iIt is also used to crash SoftICE and to force it to execute any commands
8 H% T! t! ?; y2 B/ L" _/ i(HBOOT...) :-((  . p0 h% ]2 H% G8 {" `; G

+ F- ^! r1 {- e, t( ^6 gHere is a quick description:
# A- B% I2 c& }5 H-AX = 0910h   (Display string in SIce windows)$ z4 b! _* J4 A. \, Z
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
; V- H1 }! e  ]. i* G# s8 h5 S+ D-AX = 0912h   (Get breakpoint infos)
/ v9 a0 N$ v( B-AX = 0913h   (Set Sice breakpoints)
6 ?, m1 h$ b: j: u' @" n) S-AX = 0914h   (Remove SIce breakoints)$ O/ ]: Z3 Z/ b2 p

. V( o  b4 ^$ A; BEach time you'll meet this trick, you'll see:  }/ c. e" z) f, M
-SI = 4647h
" M4 i8 Z6 D% B-DI = 4A4Dh* E, v; \8 q3 ]4 X
Which are the 'magic values' used by SoftIce.
4 k2 u- m2 y! RFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.4 p0 t- A6 @* }3 o' D

6 `4 H! k6 e" H5 dHere is one example from the file "Haspinst.exe" which is the dongle HASP
  ?/ Y$ e2 g0 m% M, E; BEnvelope utility use to protect DOS applications:
: R, c2 Y4 Y! i8 d3 P
1 T1 j' p% \" Z0 d4 f
* I+ \* m( `7 i% c4C19:0095   MOV    AX,0911  ; execute command.
8 I& R/ u% a3 p6 q4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
) P0 z! W; b9 F1 \4C19:009A   MOV    SI,4647  ; 1st magic value.
3 @/ ?  m& E* \4C19:009D   MOV    DI,4A4D  ; 2nd magic value.# B: T1 h: U# J+ j# [1 S1 o
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)  j& j' X4 f8 @! K$ N
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
, j% b" r; v9 P; d4C19:00A4   INC    CX, F4 y' A: i+ [& v! z
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
5 l! X7 j$ d; |- l4C19:00A8   JB     0095     ; 6 different commands.
6 z! B! D6 F8 S# H2 j' S4C19:00AA   JMP    0002     ; Bad_Guy jmp back.6 J: y# g4 W5 Z. p& y& i
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :), s, q: `  [8 S

0 P0 {5 a2 m9 C3 ]+ `5 H1 a% H$ YThe program will execute 6 different SIce commands located at ds:dx, which& a" @4 }$ }* D: \! b& S
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.0 O8 r: K% t/ \6 O- o. R) M

" @; n+ |  b7 J6 C- S/ O* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.- k2 T1 `, b1 W
___________________________________________________________________________* v* J  d) n6 D2 _$ r* \  D

# [0 y7 B/ r& n( b" K5 t+ F$ j
, J; g) n7 A! [6 m6 ?Method 03
+ g* }! Y2 h: F% d# p=========
: @  b9 B7 H& ^: O) T
4 |! ~: ]3 O; h8 o* W0 a, D& t& ILess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h" ], y8 X$ e5 ]9 w7 ]; U# x' U/ B
(API Get entry point)$ b0 ?6 a) N: R! ?' U( y
          P3 l7 M7 O7 d
% D' x+ A  t% i( b  H
    xor     di,di7 O; K# s6 ^% Z3 e9 B
    mov     es,di2 N" r! H' d  R* `5 x7 {% H
    mov     ax, 1684h       8 O, z: E0 Y% e1 R- s
    mov     bx, 0202h       ; VxD ID of winice8 G7 l/ A" N# i8 y
    int     2Fh
' k; T6 R2 }' Z# m    mov     ax, es          ; ES:DI -&gt; VxD API entry point: j# Q  P# B) E+ }! ~1 h6 h
    add     ax, di
% q( L  Y' i' X7 f4 R    test    ax,ax9 I, f2 H( ~/ X) Z& |! w2 z  l
    jnz     SoftICE_Detected1 T3 L. @* d! I
; i5 t3 L6 j% M3 S9 \
___________________________________________________________________________
( o. j8 G: }" a  Y
; d8 A9 Z8 [" kMethod 04
/ y  y& `: E9 y6 ?=========
8 W. G5 ]6 C) j, A# y4 Q; U8 v3 a% o5 d0 P' E8 E) a/ N2 J
Method identical to the preceding one except that it seeks the ID of SoftICE/ r6 u) P  H4 I/ f% @
GFX VxD./ g: V, ^7 e; E$ ?  M" Y8 L3 Y: d

4 ?0 n# d# `8 n, |  O" T* ?9 M    xor     di,di
# g# h! T4 g+ Q9 O; M0 D( g- q    mov     es,di2 b0 D7 y$ R( ?. F
    mov     ax, 1684h      
4 U4 X4 L" y- U: Y    mov     bx, 7a5Fh       ; VxD ID of SIWVID) m- @7 L  d9 d  {7 B! p
    int     2fh
) S$ E8 H$ H2 m    mov     ax, es          ; ES:DI -&gt; VxD API entry point) M; F% o/ z3 `
    add     ax, di
5 a8 c# V1 ^+ x* b  Q* k. I    test    ax,ax
4 N+ m( t0 W8 F) a    jnz     SoftICE_Detected3 A3 W6 s6 T8 B" B
. {/ Y- L+ F" C! G: K
__________________________________________________________________________. h+ e8 n9 r! t" J. [0 b* C) t

# p0 [% d! T3 z( S. `, ?6 U9 B. }
Method 05% f+ s! G! R7 s& w; J/ i3 Z
=========- Z* r* G% o* W  q
+ c6 U+ v, V0 f7 Y/ p/ u( S
Method seeking the 'magic number' 0F386h returned (in ax) by all system
1 V0 ^& b. Y) Z, v) F) z4 o- qdebugger. It calls the int 41h, function 4Fh.
$ ?" I  ]# r' S8 bThere are several alternatives.  % Y1 M- j, W( T

% \  A; L: b  y; V/ a$ g2 mThe following one is the simplest:
4 f( J6 K* f& r
+ o3 R; O6 p3 E; O" Z6 d    mov     ax,4fh
9 Q4 ?0 g* q* _/ r    int     41h
9 _( P3 O( c' a4 f- L; Y    cmp     ax, 0F386: l, j& U9 a  h; u
    jz      SoftICE_detected
- I( x2 ?( ~% j! |9 O. N( c, K
! K$ g1 J: b) }0 m' Z$ N* a& S2 e# C/ s" p- U7 z1 h
Next method as well as the following one are 2 examples from Stone's
6 c; f* G% ~; V0 E"stn-wid.zip" (www.cracking.net):$ @3 T! U$ D' t) [/ d

5 ^4 c7 {" I6 @    mov     bx, cs' b3 R8 j# k: g  P$ F. L
    lea     dx, int41handler2
: [6 `: X. v1 j    xchg    dx, es:[41h*4]7 T# Q0 W! O  n$ E2 [- e* C- @- |' _
    xchg    bx, es:[41h*4+2]
7 x! a( n" `. D+ j- Y$ A    mov     ax,4fh
. R+ R5 u" x2 t% a1 o( {, ~, P    int     41h
4 ?# K1 j  V; }, R$ h2 D: p    xchg    dx, es:[41h*4]1 V7 ^/ A: K& y- u3 s7 N
    xchg    bx, es:[41h*4+2]
6 p& Y0 d$ a/ X) X4 a3 j    cmp     ax, 0f386h& K) y' G: c% e7 A# [7 o0 v
    jz      SoftICE_detected+ r2 m2 A, w: T2 b

. H9 e2 c: i  c" ?/ C* U9 R4 Jint41handler2 PROC9 C$ a$ ?+ j( I. J
    iret( n( A1 p# g: L0 T5 \& z
int41handler2 ENDP
% ]3 s0 l! o$ a: S. z1 c5 W7 A( g0 p5 B0 q' U- v

# {$ Q/ J! p2 k* k_________________________________________________________________________: ?$ F" n$ l# i2 b/ \0 ^( |* G4 q( u
9 B# U* |* g3 z( V# B& ?# q+ i# W
+ F8 G/ z7 F: |& y6 x$ d0 W* v- a
Method 06
4 s: c6 W) L  c5 c=========3 F9 F" Q. y& j6 b1 l

7 x/ V2 l) R& W$ k# q& C" N" y, u% I8 T
2nd method similar to the preceding one but more difficult to detect:( g1 Q; t1 w- I/ }

/ H* }) u- B+ P% P& l# b) S. \" b% L9 d$ F. G3 n
int41handler PROC
# P  J% E6 j- ?$ J' c1 X8 J1 C& Q    mov     cl,al' _; s# j' s: z+ ^( ?' v- @
    iret
) P5 u9 z. @; f$ H& Gint41handler ENDP
) G: C3 t) ^7 n. W% a
. ?3 _' l4 V) R0 q: X/ a( Y; O+ X
7 T  M9 c, a6 g$ u+ Y3 Z2 ]    xor     ax,ax
$ j/ W; ?6 j4 G* g+ Y1 d. a    mov     es,ax
3 H  x8 Q& @; i9 J  p    mov     bx, cs3 u% [. u0 n  n; o) s
    lea     dx, int41handler
" h1 R% z4 u. Y/ u) `1 j    xchg    dx, es:[41h*4]/ L; i. ~, R/ B( b
    xchg    bx, es:[41h*4+2]
$ E# H1 S5 F9 r4 s$ Q1 Q, V    in      al, 40h
' C; b" O# l/ J+ [0 U0 u    xor     cx,cx! `/ d  ]- i. P) M% m1 J
    int     41h
. i4 \2 a8 s' n7 {    xchg    dx, es:[41h*4]
% o' Y! c6 ]2 b- L) w/ ]9 M, z) d6 Z    xchg    bx, es:[41h*4+2]
/ V) C% T, m- C. ~/ d    cmp     cl,al7 t& t3 a3 _4 P0 l8 M
    jnz     SoftICE_detected- g3 _& s3 w5 o3 O' Y* L
2 n( j' ^' U7 e
_________________________________________________________________________
0 s+ {* ~/ _" j0 S0 _
' H' F2 w: R& O, P' @5 x; U5 u  dMethod 07
8 Y. Z( e" C+ Y  s=========
# y4 f4 c5 k, H& i8 M3 X  M  v% Z9 |- ?+ D8 u( a) J
Method of detection of the WinICE handler in the int68h (V86)
7 K& ]0 v/ `3 v' I, E( `% h% |% @6 f$ [
    mov     ah,43h4 Z* a0 D7 o+ s2 \9 ~+ _
    int     68h
3 u9 N1 f0 i* o, r    cmp     ax,0F386h
4 t. b4 Q, e2 R; e4 c4 p3 E    jz      SoftICE_Detected
- t8 g& m- G3 b5 w; F
3 M6 l) \0 }) T7 t4 c
" p, L9 |3 _# G" G=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 T) d2 h! _# i# M) T
   app like this:
9 Z+ K8 N5 f7 @" v$ w
( f0 h9 p5 z. |7 N   BPX exec_int if ax==68
' i- ?. h2 g& ^: @1 w! z- p   (function called is located at byte ptr [ebp+1Dh] and client eip is
& }: i2 ?. \- F$ K" D   located at [ebp+48h] for 32Bit apps)/ s& p' o# V' [
__________________________________________________________________________
0 }& w3 O$ Y7 D& p9 K: P5 J. ^" v8 H5 W" E$ ]. j

# v+ I( j8 O# J9 uMethod 08. s, m2 \, ?  w1 `' R7 a0 D
=========' n1 B& J4 _' u! ?0 W7 r; m* L

8 E% Y& y6 B* ^/ l7 PIt is not a method of detection of SoftICE but a possibility to crash the
8 {8 N: N1 _; T: |" D% Jsystem by intercepting int 01h and int 03h and redirecting them to another
  n8 r6 N0 a: h- l# G8 c( [& {routine., k3 |1 R5 L3 {+ b
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points  N1 K+ q3 W) H
to the new routine to execute (hangs computer...)! g8 u4 m8 T9 V. {( b
8 l5 ^+ H; p. V8 k
    mov     ah, 25h9 G3 A# b4 @* o( i; i9 o. }
    mov     al, Int_Number (01h or 03h)
4 [) R$ I( w0 y1 B% v+ D3 c    mov     dx, offset New_Int_Routine3 I+ K  i! d0 O. B. s3 f
    int     21h
, ~) s: j2 l7 p; R* A
$ r! a+ O  w0 j__________________________________________________________________________
0 g) R) k. M" [$ q% X9 s- r( Z" [% `
Method 09
" }; q' ]2 j9 A7 x# d=========
. E3 w* t& U5 z& N
, j: f8 Z2 F; e7 ?# `+ `This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
" t, P% e( E+ ?8 Bperformed in ring0 (VxD or a ring3 app using the VxdCall).4 o2 ^9 ^1 r; V/ r$ O
The Get_DDB service is used to determine whether or not a VxD is installed/ v- q) X, [- o6 `
for the specified device and returns a Device Description Block (in ecx) for
" j2 i8 s) o) f& g5 r: Hthat device if it is installed.
# _) Z3 R6 S) T; f, j
  k3 ?5 }* P  |   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  t  t: B: N/ r+ o   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)  p7 B0 G7 d$ j: Y
   VMMCall Get_DDB
% w" y  F' T: s* A) O1 U7 ]   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed( Q9 m8 T5 u+ [, A% b. L* h# m# A3 i
- D1 \. L# ?3 x
Note as well that you can easily detect this method with SoftICE:/ I7 J, L; Q6 ?! ?: W- d. }8 }; |- K0 h
   bpx Get_DDB if ax==0202 || ax==7a5fh
5 i0 {" J; D5 D! ^3 n. O( V+ m0 O0 _& R
__________________________________________________________________________* r6 U6 t  M8 x- D$ q0 G
( ?% a7 ~5 Y9 U& \5 C3 ?
Method 10
, E; c- ~. K% {& y9 x4 b, ~2 t, v1 c=========$ G: M" ~7 q1 x4 l# o. n

) Q0 A( ]$ p1 p1 b=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
. q4 a5 b* K0 z( U* e  SoftICE while the option is enable!!; {) F$ T; {; p. L/ w4 V; ?
# J5 i+ U3 s! x/ `, K8 x
This trick is very efficient:- z7 f  O+ [# D
by checking the Debug Registers, you can detect if SoftICE is loaded
$ a& m/ r5 h+ V% t2 U, i! F( W(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
* S2 I& o4 [. N6 jthere are some memory breakpoints set (dr0 to dr3) simply by reading their8 L- v# s; Y( j! `: C
value (in ring0 only). Values can be manipulated and or changed as well  [2 U0 Y& y# k4 U4 b
(clearing BPMs for instance)
; }  o8 q* e7 s( J" x  i8 V; v( p5 S: V- T# R7 M: o
__________________________________________________________________________
, ^: o6 m5 m2 I" |# `/ _
/ G, O8 n: \. N: f- wMethod 11" }) N  P* O3 }/ R5 z5 L
=========% H* w& C* g/ D5 G5 C# Z) F- {
$ Y* t3 m; g+ B7 y: Y: H1 `: J- q
This method is most known as 'MeltICE' because it has been freely distributed1 v4 J8 H" P! t
via www.winfiles.com. However it was first used by NuMega people to allow0 ~# R2 W2 t/ R( F9 M
Symbol Loader to check if SoftICE was active or not (the code is located
! F6 J% `) a5 s% s& p  t1 I7 Cinside nmtrans.dll).
1 s( e5 C% U7 N
1 x! t, o% ^2 J3 w, E( L# z3 E& \& EThe way it works is very simple:0 R+ W3 E# Y+ a: L3 n- X. V
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. T7 _1 n9 P0 M$ N0 h0 p8 J
WinNT) with the CreateFileA API.
4 p$ {, |' ~! Q# l
- u$ @/ X& G' W, m: R- X, u- bHere is a sample (checking for 'SICE'):: h, ?. v8 q( j8 B- q+ _

) u4 S1 `4 g, C  q/ F6 _BOOL IsSoftIce95Loaded()9 T$ [/ K  a' P# m; u
{/ O. r9 j; ^) k
   HANDLE hFile;  
4 a& @4 R6 u% B" H- y/ c   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
. V& G4 U' j! c  T) u                      FILE_SHARE_READ | FILE_SHARE_WRITE,
) u, f% ]$ y! N! t; \9 {                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 T1 z  ~& J2 p/ ?/ L9 O
   if( hFile != INVALID_HANDLE_VALUE ). B; e7 [0 ?2 F2 V9 I
   {8 ]. j: [+ A$ m6 Y  v! w2 P4 D
      CloseHandle(hFile);
! v/ A+ `% Q9 p5 U      return TRUE;
/ o3 D0 V( G$ N! R4 s. M   }! K. L: ?. W  k& d  A# J; y
   return FALSE;' h+ e/ K' ^$ _+ l7 r: T5 O
}
4 e( a6 |0 F) v3 t# I! o
: h9 z( I9 W0 h4 C6 ^/ W4 SAlthough this trick calls the CreateFileA function, don't even expect to be
; q8 k0 [) k) X1 J( {6 k' b2 s$ kable to intercept it by installing a IFS hook: it will not work, no way!5 |7 `- V% z. I
In fact, after the call to CreateFileA it will get through VWIN32 0x001F' Z( l. A" O2 \/ d
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
8 @1 t" K0 z2 Tand then browse the DDB list until it find the VxD and its DDB_Control_Proc
4 t, d  n+ P6 [; W$ qfield.
" [" V8 q$ H# F$ u6 E- K$ a/ Y; zIn fact, its purpose is not to load/unload VxDs but only to send a
8 p$ R$ |4 @$ w/ d0 x" H: c, r7 OW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
3 O5 M  o, k. ^% D7 a/ mto the VxD Control_Dispatch proc (how the hell a shareware soft could try
  \' Q; q$ w# U0 V1 d) t" [to load/unload a non-dynamically loadable driver such as SoftICE ;-).
8 K6 L0 P* a# t" oIf the VxD is loaded, it will always clear eax and the Carry flag to allow
. `& c. a$ R0 g+ U; r- G9 @7 wits handle to be opened and then, will be detected.) ^9 |# Q( y- d
You can check that simply by hooking Winice.exe control proc entry point
9 V  q% L/ }8 A" ~) ~$ D8 s) Gwhile running MeltICE.
! M8 b( k/ R% D. `6 h+ U1 [
) j% o, \0 O: m7 x: @9 x# I
9 j9 u* X8 I3 f8 @+ [  @  00401067:  push      00402025    ; \\.\SICE
* T: G8 [/ T: n0 L" F4 W  0040106C:  call      CreateFileA
& Y& n0 ~1 _( C0 `  00401071:  cmp       eax,-0016 B, p6 F0 S% O% j5 f9 `* |
  00401074:  je        00401091
8 c" k9 v8 a" b! B- i) g, @% o4 D9 x& D
5 r( M+ v; A1 |' c' U
There could be hundreds of BPX you could use to detect this trick.
8 j7 M9 I8 i" E6 @+ W  `# k3 ~-The most classical one is:
( r' A2 i2 e! B8 L  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||6 f& E- J% `. b6 @! Z
    *(esp-&gt;4+4)=='NTIC'
9 `! N3 n4 X. M6 M
1 B0 V1 G" X+ [1 c-The most exotic ones (could be very slooooow :-(
  C$ }* _% L( Z& e   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  + m6 k. D3 g& E, V* Z+ ~$ i
     ;will break 3 times :-(
$ M1 [/ B% p$ G& d! d1 d  d; o, _/ t% T9 ^
-or (a bit) faster: - i  Z9 C6 }& ~/ H4 [+ z
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): K; o! F+ P5 F1 n+ W2 v
; n( P* Y" f2 }+ {. C* S7 B/ W0 E7 v
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
# }$ e: O, ~. g  @     ;will break 3 times :-(
4 g: l' e* r: I( P1 ]. X0 |) h. n" l3 c- z
-Much faster:
7 L) T' B( @1 c& g   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
+ [4 f3 z! g# u5 X3 v7 n" S& Y- v; R  D# c% o- U6 r
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ O0 o8 G: V! Afunction to do the same job:
9 B# g8 `- X7 a$ K: O0 B
( P6 G1 w7 z6 ^, @2 F* i   push    00                        ; OF_READ
( U0 X2 o) R$ W3 E   mov     eax,[00656634]            ; '\\.\SICE',0
+ u; u3 y* W9 V+ ^   push    eax# B; S7 e4 c! |' m
   call    KERNEL32!_lopen
  h0 p8 C7 k: x) {% P, _   inc     eax
# |% O: C  k" q4 K   jnz     00650589                  ; detected, L% f7 }) d& \% Q, m# D
   push    00                        ; OF_READ
2 p' ?" N/ _* |9 @1 D- v* w   mov     eax,[00656638]            ; '\\.\SICE'- R2 i! V! \  Z
   push    eax$ b1 Y/ B8 W, C; c1 c) I
   call    KERNEL32!_lopen- M8 d# q" [7 R$ l7 b
   inc     eax
4 C! n' u) J8 P1 |1 m! h/ c5 {   jz      006505ae                  ; not detected
$ Y( ], I! n) o7 b" X1 ^6 e7 {5 Z, B, l/ s" ^+ O

5 p" J. r1 R( Q& L7 o! Q__________________________________________________________________________3 I. I# c- K  j" }; P

% X. p# W- Q! TMethod 12* U" a; f, `9 e7 I$ h9 N" e
=========7 L+ Q8 z7 z7 O$ J! r( G. ?
. Y# E: r: }) R- c+ i$ _: Q* n. x
This trick is similar to int41h/4fh Debugger installation check (code 05
9 N; f) L! D0 D&amp; 06) but very limited because it's only available for Win95/98 (not NT)
2 m3 j4 t1 O  u' u3 ~" @as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
8 D& v: A5 F# @# R: q% n9 o
5 r/ M& |+ k+ @" Q- [0 F   push  0000004fh         ; function 4fh
+ n% \  G2 L  c   push  002a002ah         ; high word specifies which VxD (VWIN32)
' T7 e$ \3 ]* K/ j" |                           ; low word specifies which service
5 I  @3 [& Z' x                             (VWIN32_Int41Dispatch)
/ w' |8 _" `% V1 s9 g* ]) Y   call  Kernel32!ORD_001  ; VxdCall$ e& p& X9 `: Q+ B9 \
   cmp   ax, 0f386h        ; magic number returned by system debuggers
# L! n: Z% i  Z   jz    SoftICE_detected! ]) g8 C$ r. Z4 g

/ H* F. \; |7 N- Q! K! VHere again, several ways to detect it:
; K- }0 I9 r! }! _, ^: h5 l( y) N5 q: W* f
    BPINT 41 if ax==4f6 h7 g8 J5 o1 L; T! [
& j" x4 i+ G1 f; u& q
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one! ^+ B! `, `5 z6 B/ u
- b* Q# S7 Q4 G& N$ o3 v3 ]
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A+ I8 L. F0 h: B

) T6 b) |: R; m2 w& i2 b    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
% E& t1 c4 ^' S7 b. G
( t$ T1 H) F0 U+ i% x0 B__________________________________________________________________________6 ?+ q4 c4 E: F3 T' E$ \
) X( [- ^3 l* m$ B4 G  W
Method 13
3 E7 s0 d/ c- K3 z% i$ e2 J=========
* r4 R% P4 ]1 E5 h- x6 O5 x% i4 Y
Not a real method of detection, but a good way to know if SoftICE is
5 |: q  y# X8 A+ q. A* t- I* O- {installed on a computer and to locate its installation directory.
+ N! T' ~/ U% l% v' I2 w/ bIt is used by few softs which access the following registry keys (usually #2) :
8 u& I! {8 z  r5 ?1 D4 {, M' {. h/ {
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 ?$ {* [( ~2 _2 J  U\Uninstall\SoftICE
, }+ h# `% s! h7 B, S7 s' E-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
& m$ m9 \; ?3 @4 n$ o+ q! c3 G-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, V( q; r! E" l) K# W# q  H\App Paths\Loader32.Exe
7 \7 p9 O% C8 u3 Y' y  A2 a2 I; @7 T
/ i8 b: D& n( T8 }2 n* d
Note that some nasty apps could then erase all files from SoftICE directory
9 ^9 N+ m7 w- D8 [(I faced that once :-(
9 E7 c, O# R' {+ U4 S' r9 F" F; c* ~2 Q# R' p+ b- K
Useful breakpoint to detect it:% E$ D8 F4 s' w* a0 n
' z9 P7 U5 v$ h5 k1 v3 P2 h& x
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
1 u# T' V8 E3 z( j  g- p; J) ?6 d9 E. c; p+ g8 w: k
__________________________________________________________________________
" q3 O2 w4 A* Q! H
8 X+ s# x" m, p
. _$ S0 x2 u3 N- }Method 14 : c0 O4 d- z  E+ U1 F5 e  G% A
=========3 j/ x4 A/ U+ P, D3 l
9 N# o( c' U- v1 `  T5 c9 x$ v0 c
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose3 d; g% o/ m8 b8 S
is to determines whether a debugger is running on your system (ring0 only).- A& q8 ^  y" g) J$ D# C

9 g& C5 `7 {% f4 U3 X& @   VMMCall Test_Debug_Installed
7 L# R7 H* e) p8 v   je      not_installed4 ^: a4 }3 [' \

2 G6 Q% y  j  B! u; rThis service just checks a flag.% ^2 p" \) Q: q9 T3 j
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 21:39

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表