About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface of SoftICE: with 'BCHK' in EBP
and AH=04h, an int 3 serviced by SoftICE does not leave AL equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; ...SoftICE still answers if it is loaded
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; leaves AX untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = unpredictable byte from timer port 40h
    xor     cx,cx
    int     41h                     ; if SoftICE answers instead of our handler, CL stays 0
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device only succeeds when the SoftICE VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
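As an added example, not part of the original post and not code from MeltICE, Stone's archive or any other tool named above, here is a small static triage scanner in Python. It looks through a raw file for the byte patterns that the methods above leave behind (the 'BCHK' signature of method 01, the SI/DI magic values of method 02, the int 2Fh/1684h probe of methods 03/04, the int 41h/4Fh and int 68h/43h calls of methods 05 and 07, the MeltICE device names of method 11, the VxDCall arguments of method 12 and the registry keys of method 13), so an analyst can see which checks a sample carries before stepping into it. The opcode encodings are the standard x86 ones; the sample buffer at the bottom is hand-constructed and comes from no real program.

```python
# Added example (not from the original post): static triage scanner that flags
# byte patterns of the anti-SoftICE tricks described above.  Opcode encodings
# are the standard x86 ones; the SAMPLE buffer below is hand-constructed.
import re

# (label, regex over raw bytes).  re.S lets '.' match any byte, including 0x0A.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42, then int 3 = CC
    ("M01 BoundsChecker int 3 interface",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h = BE 47 46 and mov di,4A4Dh = BF 4D 4A (either order)
    ("M02 int 3 back door magic values",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h = B8 84 16, mov bx,0202h or 7A5Fh, int 2Fh = CD 2F
    ("M03/04 int 2Fh/1684h VxD entry point probe",
     re.compile(rb"\xB8\x84\x16.{0,16}?\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh = B8 4F 00 followed by int 41h = CD 41
    ("M05 int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h = B4 43 followed by int 68h = CD 68
    ("M07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Method 11: MeltICE-style device names (ANSI strings only, not UTF-16)
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh (6A 4F or 68 4F 00 00 00) then push 002A002Ah
    ("M12 VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys naming SoftICE (ANSI strings only)
    ("M13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE", re.I)),
]


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path):
    """Scan a file on disk; returns the same list as scan()."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: hand-assembled Method 01 and Method 05 sequences and a
# MeltICE device name, separated by NOP padding.  Not from any real binary.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh ('BCHK')       offset 8
    + b"\xB8\x04\x00"           # mov ax, 4          (16-bit encoding)
    + b"\xCC"                   # int 3
    + b"\x3C\x04"               # cmp al, 4
    + b"\x75\x00"               # jnz (target left as 0: placeholder)
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"   # mov ax, 4Fh ; int 41h             offset 29
    + b"\x3D\x86\xF3"           # cmp ax, 0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"        # "\\.\SICE", 0                      offset 45
    + b"\x90" * 8
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:08X}  {label}")
```

The patterns are deliberately loose (a few bytes of slack between the instructions) so that register shuffling between the mov and the int does not hide a hit, which also means a hit is a lead to inspect in the disassembler, not proof by itself; the string-based patterns only see ANSI strings, so a UTF-16 `\\.\SICE` would need a second pattern.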