About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker probe
    cmp     al,4                   ; if SoftICE handled the int 3, AL is no longer 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
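The back-door calling convention above can be checked mechanically. The decoder below is an added example written for this page (it is not code from the original article nor from Haspinst.exe): given the register state an analyst captured at an INT 3, for instance from an emulator hook or a trace, it reports whether the call matches the SoftICE back door and, for AX=0911h, extracts the command string so that HBOOT can be flagged before it is ever executed. The walk over a pointer table mirrors the Haspinst loop (BX advancing by 2 each round). The segment layout, the CR/NUL terminator handling and the "dangerous" command set are this example's own assumptions.

```python
# Added example (not from the original article): decode SoftICE int 3
# back-door calls from a captured register state, e.g. from an emulator
# hook placed on INT 3 while analysing a packed DOS binary.

MAGIC_SI = 0x4647          # magic values in SI/DI, as listed in Method 02
MAGIC_DI = 0x4A4D

# AX function numbers listed in Method 02
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# Commands worth flagging before they run. HBOOT (reboot) is the one the
# article singles out; the set itself is an assumption of this example.
DANGEROUS_COMMANDS = {"HBOOT"}


def read_command(memory: bytes, offset: int, limit: int = 64) -> str:
    """Read the command string at DS:DX. The terminator is assumed to be
    NUL or CR; `limit` stops runaway reads on garbage memory."""
    end = offset
    while end < len(memory) and end - offset < limit and memory[end] not in (0x00, 0x0D):
        end += 1
    return memory[offset:end].decode("ascii", errors="replace")


def decode_int3_backdoor(ax: int, si: int, di: int, memory: bytes = b"", dx: int = 0):
    """Return None for an ordinary INT 3, else a description of the call."""
    if si != MAGIC_SI or di != MAGIC_DI:
        return None                     # plain breakpoint, not the back door
    name = BACKDOOR_FUNCTIONS.get(ax, "unknown back-door function")
    command = read_command(memory, dx) if ax == 0x0911 else None
    dangerous = bool(command) and command.split()[0].upper() in DANGEROUS_COMMANDS
    return {"function": ax, "name": name, "command": command, "dangerous": dangerous}


def walk_command_table(memory: bytes, table_offset: int, count: int = 6):
    """Mimic the Haspinst.exe loop: BX walks a table of `count` 16-bit near
    pointers (ADD BX,2 each round) and each pointer becomes DS:DX."""
    calls = []
    for i in range(count):
        entry = table_offset + 2 * i
        dx = int.from_bytes(memory[entry:entry + 2], "little")
        calls.append(decode_int3_backdoor(0x0911, MAGIC_SI, MAGIC_DI, memory, dx))
    return calls


def build_sample_segment() -> bytes:
    """Constructed DS image (not dumped from a real file): a six-entry pointer
    table at offset 0 followed by the six commands the article lists."""
    commands = ["LDT", "IDT", "GDT", "TSS", "RS", "HBOOT"]
    table, strings = bytearray(), bytearray()
    base = 2 * len(commands)            # strings start right after the table
    for cmd in commands:
        table += (base + len(strings)).to_bytes(2, "little")
        strings += cmd.encode("ascii") + b"\r"
    return bytes(table + strings)


if __name__ == "__main__":
    for call in walk_command_table(build_sample_segment(), 0):
        flag = "  !! DANGEROUS" if call["dangerous"] else ""
        print(f"AX={call['function']:04X} {call['name']}: {call['command']!r}{flag}")
```

Run stand-alone it lists the six Haspinst commands and marks the last one; hooked into a tracer, `decode_int3_backdoor` is called with the live AX/SI/DI/DX and a copy of the DS segment.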
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 when no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (IVT segment), as set up in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX alone, so 0F386h means a debugger answered
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keeping the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h                     ; if our handler ran, CL == AL afterwards
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; a debugger that took int 41h itself leaves CL = 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

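The DR7 values quoted above are bit fields. The decoder below is an added example for this page (not the article's own code): it splits a DR7 value into the per-slot enable, condition and length fields defined in the Intel manuals, so that 0x400 (only the always-set reserved bit 10) and 0x700 (bit 10 plus the LE/GE flags) can be told apart from a register that actually has a BPM armed. Reading DR7 itself requires ring 0; this only interprets a value that has already been read, and the wording returned by `classify_dr7` is this example's own.

```python
# Added example (not from the original article): interpret an x86 DR7 value.
# Bit layout per the Intel SDM, Vol. 3, "Debug Control Register (DR7)":
#   bits 0-7   L0,G0 .. L3,G3   per-slot local/global enable
#   bits 8-9   LE, GE           exact-breakpoint flags (0x700 = these plus bit 10)
#   bit 10     reserved, reads as 1 (hence the 0x400 baseline)
#   bit 13     GD               general detect (traps MOV to/from DRx)
#   bits 16+   R/Wn, LENn       4 bits per slot: condition and length

RW_CONDITIONS = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}    # 0b10 = 8 bytes is 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Break DR7 into its slot descriptors and global flags."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        length = (dr7 >> (18 + 4 * n)) & 0b11
        enabled = local or glob
        slots.append({
            "slot": n,
            "enabled": enabled,
            "scope": "global" if glob else ("local" if local else None),
            "condition": RW_CONDITIONS[rw] if enabled else None,
            "length": LEN_BYTES[length] if enabled else None,
        })
    return {
        "slots": slots,
        "active": [s["slot"] for s in slots if s["enabled"]],
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def classify_dr7(dr7: int) -> str:
    """Apply the article's rule of thumb to a decoded value."""
    info = decode_dr7(dr7)
    if info["active"]:
        names = ", ".join(f"DR{n}" for n in info["active"])
        return f"hardware breakpoints armed: {names}"
    if info["gd"]:
        return "general detect set: debug-register access will trap"
    if info["le"] and info["ge"]:
        return "no breakpoints; LE/GE set (consistent with the SoftICE loader)"
    return "no breakpoints enabled"


if __name__ == "__main__":
    # 0x400 and 0x700 are the two values the article quotes; the third is a
    # constructed DR7 with a 4-byte write breakpoint armed locally in DR0.
    for value in (0x400, 0x700, 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(f"DR7={value:#010x}: {classify_dr7(value)}")
```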
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"     /* Win32 API: CreateFile, CloseHandle */

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

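Most of the tricks in this article leave fixed byte sequences or strings in the binary, which makes them easy to triage statically before anything is run. The scanner below is an added example for this page (not the article's code and not any real tool): it searches raw file bytes for the instruction forms shown in Methods 01, 02, 03, 04, 05 and 07, the `cmp ax,0F386h` magic compare shared by Methods 05, 07 and 12, the MeltICE device names of Method 11 and the registry paths of Method 13, and reports which checks a DOS/Win9x-era sample carries and at what offset. The byte encodings are hand-assembled for exactly the instruction forms the article shows (16-bit code, with an optional 66h operand-size prefix); equivalent encodings a packer might choose instead are not covered, and the sample image is constructed for the demonstration.

```python
# Added example (not from the original article): static triage for the
# anti-SoftICE idioms documented above. Run it over the raw bytes of a file.
import re

# (method, description, regex over raw bytes). Encodings are hand-assembled
# 16-bit x86 for the exact instruction forms the article shows; the optional
# 66h prefix covers the same instructions inside a 32-bit code segment.
SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,4243484Bh ('BCHK')",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42")),
    ("02", "int 3 back door: mov si,4647h ; mov di,4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A")),
    ("03", "int 2Fh/1684h for the SICE VxD: mov bx,0202h ; int 2Fh",
     re.compile(rb"(?:\x66)?\xBB\x02\x02\xCD\x2F")),
    ("04", "int 2Fh/1684h for the SIWVID VxD: mov bx,7A5Fh ; int 2Fh",
     re.compile(rb"(?:\x66)?\xBB\x5F\x7A\xCD\x2F")),
    ("05", "debugger check: mov ax,4Fh ; int 41h",
     re.compile(rb"(?:\x66)?\xB8\x4F\x00\xCD\x41")),
    ("05/07/12", "magic compare: cmp ax,0F386h",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    ("07", "V86 handler check: mov ah,43h ; int 68h",
     re.compile(rb"\xB4\x43\xCD\x68")),
    ("11", "MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\b")),
    ("13", "SoftICE registry path",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(data: bytes):
    """Return (method, offset, description) hits sorted by offset."""
    hits = [(method, m.start(), desc)
            for method, desc, pattern in SIGNATURES
            for m in pattern.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def build_sample() -> bytes:
    """Constructed image (not a real binary) carrying four of the idioms."""
    return (
        b"\x90" * 4                                     # 0x00: padding
        + b"\x66\xBD\x4B\x48\x43\x42"                   # 0x04: mov ebp,4243484Bh
        + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"           # 0x0A: mov ax,4 / int 3 / cmp al,4 / jnz
        + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"   # 0x12: mov ax,0911h / mov si / mov di / int 3
        + b"\x00" * 8                                   # 0x1C: padding
        + b"\\\\.\\SICE\x00"                            # 0x24: MeltICE device name
        + b"Software\\NuMega\\SoftICE\x00"              # 0x2D: registry path
    )


if __name__ == "__main__":
    import sys
    # With a path argument the real file is scanned; without one, the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for method, offset, desc in scan(data):
        print(f"{offset:#08x}  method {method:9} {desc}")
```

A hit is a lead, not a verdict: the same bytes can occur by coincidence in data, and the device-name strings also appear in legitimate NuMega tooling, so each offset should be confirmed in a disassembler.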
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed             ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>