About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is no longer 4 if SoftICE handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command string is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 if the VxD is not there
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler
    xchg    bx, es:[41h*4+2]        ; (the old vector is saved in bx:dx)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; only a debugger sitting on int 41h answers
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; runs only if nobody intercepts int 41h
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a hard to predict value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler copied al into cl...
    jnz     SoftICE_detected        ; ...unless the debugger swallowed the int

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


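As an added example (my code, not part of the original post): the condition of the classic CreateFileA breakpoint of this method, *(esp->4+4)=='SICE' || ... , written out in C as a rule an API monitor could apply to the lpFileName argument of CreateFileA or _lopen, and run over a constructed batch of logged paths. The function and sample names are mine; the three driver names are the ones given in this method, and the prefix check and case-insensitive compare go beyond what the breakpoint expression does.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which SoftICE driver an lpFileName argument is probing (SICE_NONE = none). */
enum sice_driver { SICE_NONE = 0, SICE_SICE, SICE_SIWVID, SICE_NTICE };

/* The four-byte tags the Method 11 breakpoint compares at esp->4+4. */
static const struct { const char tag[5]; enum sice_driver id; } sice_tags[] = {
    { "SICE", SICE_SICE },    /* \\.\SICE   (Win9x) */
    { "SIWV", SICE_SIWVID },  /* \\.\SIWVID (Win9x) */
    { "NTIC", SICE_NTICE },   /* \\.\NTICE  (WinNT) */
};

/* Classify one path. Like the breakpoint, skip the 4-byte "\\.\" device prefix
 * (the "+4") and compare the next 4 bytes against the tags. Two additions over
 * the breakpoint expression: the prefix itself is verified, and the compare is
 * case-insensitive because the device namespace is ("\\.\sice" works too). */
enum sice_driver classify_softice_open(const char *path)
{
    size_t i, k;
    if (path == NULL || strlen(path) < 8 || strncmp(path, "\\\\.\\", 4) != 0)
        return SICE_NONE;               /* too short, or not a device path */
    for (i = 0; i < sizeof sice_tags / sizeof sice_tags[0]; i++) {
        for (k = 0; k < 4; k++)
            if (toupper((unsigned char)path[4 + k]) != sice_tags[i].tag[k])
                break;
        if (k == 4)
            return sice_tags[i].id;
    }
    return SICE_NONE;
}

/* Apply the rule to a batch of logged lpFileName arguments; returns the number
 * that probed a SoftICE driver. */
int count_softice_probes(const char *const *paths, size_t count)
{
    int total = 0;
    size_t i;
    for (i = 0; i < count; i++)
        if (classify_softice_open(paths[i]) != SICE_NONE)
            total++;
    return total;
}

/* Constructed sample (made up for this example, not captured data): three
 * SoftICE probes, one in lower case, among ordinary opens. */
int sample_probe_total(void)
{
    static const char *const sample[] = {
        "C:\\game\\data.bin", "\\\\.\\SICE", "\\\\.\\SIWVID",
        "\\\\.\\PhysicalDrive0", "\\\\.\\ntice", "C:\\SICE\\readme.txt",
    };
    return count_softice_probes(sample, sizeof sample / sizeof sample[0]);
}

int main(void)
{
    static const char *const names[] = { "none", "SICE", "SIWVID", "NTICE" };
    printf("\\\\.\\ntice -> %s\n", names[classify_softice_open("\\\\.\\ntice")]);
    printf("probes in sample: %d\n", sample_probe_total());
    return 0;
}
```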
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(0x13 and 0x37 are the offsets of 'tICE' inside the subkey strings of #2 and
#1 respectively.)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>