About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es = 0 (the real-mode IVT) is assumed here
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -&gt; real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a changing byte (PIT channel 0 counter)
    xor     cx,cx                   ; cl stays 0 unless our handler runs
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; handler bypassed -&gt; int 41h is hooked
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
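The interrupt-based checks of Methods 01 to 07 all assemble to short, fixed opcode sequences, which is what an analyst triaging a packed sample looks for. The Python scanner below is an added example, not part of the original post: it encodes those sequences as byte regexes (the optional 66h operand-size prefix covers the 16-bit register forms when they are assembled inside 32-bit code), scans a buffer and reports the offset and the method number. The sample buffer is constructed for the demonstration; the NOP padding and the two-byte conditional jumps after each sequence are not from the post.

```python
"""Static scanner for the opcode sequences behind Methods 01-07 (added example)."""
import re
import sys

# (name, method number in the post, byte regex).  \x66? is the operand-size
# prefix that appears when 16-bit register forms are assembled in 32-bit code.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3 / cmp al,4
    ("BoundsChecker 'BCHK' int 3 handshake", 1,
     re.compile(rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC\x3C\x04", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (the two SoftICE magic values);
    # a few bytes of other setup are tolerated between the two moves
    ("SoftICE back door magic values SI=4647h DI=4A4Dh", 2,
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("int 2Fh/1684h VxD entry-point probe (SICE or SIWVID)", 3,
     re.compile(rb"\x66?\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h
    ("int 41h/4Fh debugger-installed check", 5,
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41\x66?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("int 68h/43h V86 handler check", 7,
     re.compile(rb"\xB4\x43\xCD\x68\x66?\x3D\x86\xF3", re.DOTALL)),
]


def scan(data: bytes) -> list[tuple[int, int, str]]:
    """Return (offset, method, name) for every signature hit, sorted by offset."""
    hits = []
    for name, method, pattern in SIGNATURES:
        for m in pattern.finditer(data):
            hits.append((m.start(), method, name))
    return sorted(hits)


# Constructed sample: three of the sequences separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01, 32-bit code
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05, 16-bit code
    + b"\x90" * 3
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                              # Method 02 magic values
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, name in scan(blob):
        print(f"{offset:#010x}  method {method:02d}  {name}")
```

Run it with a file path to scan that file, or without arguments to scan the built-in sample. A hit is an indicator, not proof: the 'BCHK' handshake also appears in builds that were legitimately instrumented with BoundsChecker, and a packer that builds these instructions at run time or uses different registers will not match the straight-line encodings above.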
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
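A raw dr7 value is only useful once it is decoded, whether it comes from a ring0 read as above or from a crash context in a memory dump. The function below is an added example, not from the original post: it splits DR7 into its architecturally documented fields (per-slot local/global enable bits, the R/W and LEN fields, and the LE/GE/GD flags) and then applies the rule the post states for 0x700 versus 0x400. The two values differ only in the LE and GE bits; bit 10 always reads as 1, which is why a "clean" DR7 is 0x400 rather than 0. The `debugger_hint` helper and the sample values are constructed for the demonstration.

```python
"""Decode the x86 DR7 debug-control register (added example)."""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into per-slot enables (L0..G3), R/W and LEN fields and the global flags."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1           # Ln: bit 2i
        glob = (dr7 >> (2 * i + 1)) & 1        # Gn: bit 2i+1
        rw = (dr7 >> (16 + 4 * i)) & 0b11      # R/Wn: bits 16+4i .. 17+4i
        ln = (dr7 >> (18 + 4 * i)) & 0b11      # LENn: bits 18+4i .. 19+4i
        slots.append({
            "slot": i,
            "enabled": bool(local or glob),
            "local": bool(local),
            "global": bool(glob),
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),                # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),                # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),   # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),               # general detect: traps MOV to/from DRx
        "slots": slots,
        "active": [s["slot"] for s in slots if s["enabled"]],
    }


def debugger_hint(dr7: int) -> str:
    """Apply the post's rule: 0x700 (LE and GE set) = loaded via the SoftICE loader, 0x400 = not."""
    f = decode_dr7(dr7)
    if f["active"]:
        return "hardware breakpoints armed in dr%s" % ",dr".join(map(str, f["active"]))
    if f["LE"] and f["GE"]:
        return "LE+GE set: loaded under the SoftICE loader (0x700 pattern)"
    return "no debugger indication (0x400 pattern)"


if __name__ == "__main__":
    # Constructed sample values: clean, SoftICE-loader pattern, and one global
    # 4-byte write breakpoint armed in slot 0.
    for value in (0x400, 0x700, 0x000D0402):
        print(f"dr7={value:#010x}: {debugger_hint(value)}")
```

The decoder reads only the DR7 bit layout, so it can also be pointed at the debug-register section of a CONTEXT record or a crash dump; the 0x700/0x400 interpretation is specific to the SoftICE loader behaviour the post describes.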

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
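Both MeltICE (Method 11) and the registry check (Method 13) leave their targets as plain strings in the binary, so a static pass over the file flags them before anything is run. The scanner below is an added example, not part of the original post or of any tool it names: it looks for the three device names and the three registry paths in ASCII and in UTF-16LE (the form a CreateFileW/RegOpenKeyExW caller embeds), in the original and lower-case spellings since the device names are opened case-insensitively. The sample buffer is constructed for the demonstration.

```python
"""Find the SoftICE device names and registry paths of Methods 11 and 13 in a binary (added example)."""
import sys

ARTEFACTS = {
    "SICE device (Win9x)": r"\\.\SICE",
    "SIWVID device (Win9x)": r"\\.\SIWVID",
    "NTICE device (WinNT)": r"\\.\NTICE",
    "registry key #1 (Uninstall)": r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    "registry key #2 (NuMega)": r"Software\NuMega\SoftICE",
    "registry key #3 (Loader32 App Path)": r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}


def _needles(text: str):
    """Yield (encoding, bytes) for the spellings and encodings a caller may embed."""
    for spelling in sorted({text, text.upper(), text.lower()}):
        yield "ascii", spelling.encode("ascii")
        yield "utf-16le", spelling.encode("utf-16-le")


def find_artefacts(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, encoding, label) for each occurrence, sorted by offset."""
    hits = []
    for label, text in ARTEFACTS.items():
        for encoding, needle in _needles(text):
            pos = data.find(needle)
            while pos != -1:
                hits.append((pos, encoding, label))
                pos = data.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: a MeltICE-style ASCII device name, a wide registry path
# and a lower-case NTICE name, separated by zero-byte padding.
SAMPLE = (
    b"MZ" + b"\x00" * 6
    + b"\\\\.\\SICE\x00"
    + b"\x00" * 4
    + "Software\\NuMega\\SoftICE".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + b"\\\\.\\ntice\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, encoding, label in find_artefacts(blob):
        print(f"{offset:#010x}  {encoding:8}  {label}")
```

As with any string indicator, a hit shows interest in SoftICE rather than intent: the post itself notes that NuMega's Symbol Loader uses the same device-open check from nmtrans.dll, so the result is a triage lead, not a verdict. A packed sample will only show these strings after unpacking.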

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>