About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE answers to:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE changes AL when it sees 'BCHK' in EBP
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a very much used method (perhaps the most frequent one).  It uses the
SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute an SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The interrupt vector table entry for
int 41h is temporarily replaced by a dummy handler that just returns, so
AX can only come back as 0F386h if a debugger has hooked the interrupt
somewhere other than the real-mode vector table:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the dummy handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect. No
function number is passed: the dummy handler copies AL into CL, so CL equals
AL only if the interrupt really reached the dummy handler rather than a
debugger sitting on int 41h (a false negative is possible when the timer
byte read from port 40h happens to be 0):


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected



=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the device name can only be opened if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
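Most of the tricks above leave fixed byte sequences in the protected binary, so they can be found without running anything. The following scanner is an added example, not part of the original text and not anyone's tool: it searches a binary image for the x86 encodings of the instructions quoted in methods 01, 02, 03/04, 05, 07 and 12, and for the device names and registry keys of methods 11 and 13. The encodings are standard x86 (16-bit operand size for the DOS snippets), the sample blob is constructed here from the HASP and int 2Fh/1684h sequences quoted above, and the signature names are my own.

```python
import re

# Byte signatures for the checks quoted in the text above. Each is the x86
# encoding of the instructions the text shows; the register setup around
# them (xor di,di / mov es,di, ...) is left out so reordered variants still hit.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3. In 16-bit code the mov
    # carries a 66h prefix, so matching from the BDh opcode covers both modes.
    "01 BoundsChecker 'BCHK' / int 3":
        re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh (back door magic values) ... int 3
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        re.compile(rb"\xbe\x47\x46\xbf\x4d\x4a.{0,8}?\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h (SICE) or 7A5Fh (SIWVID) / int 2Fh
    "03/04 int 2Fh/1684h VxD entry point":
        re.compile(rb"\xb8\x84\x16\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Method 05: mov ax,4Fh / int 41h (result compared with 0F386h)
    "05 int 41h/4Fh debugger installation check":
        re.compile(rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h / int 68h
    "07 int 68h/43h V86 check":
        re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 12: push 4Fh / push 002A002Ah ahead of the VxDCall
    "12 VxDCall VWIN32_Int41Dispatch":
        re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Method 11: device names MeltICE opens with CreateFileA or _lopen
    "11 MeltICE driver name":
        re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry keys that reveal the SoftICE install directory
    "13 SoftICE registry key":
        re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                   re.IGNORECASE),
}


def scan(blob: bytes) -> list[tuple[str, int]]:
    """Return (description, offset) for every signature hit, sorted by offset."""
    hits = [(name, m.start()) for name, pat in SIGNATURES.items()
            for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample, not a real binary: the HASP Envelope loop from Method 02,
# the int 2Fh/1684h check from Method 03, a MeltICE device name and a registry
# key, padded with NOPs.
SAMPLE = bytes.fromhex("".join([
    "90909090",    # nop filler
    "B81109",      # mov ax,0911h          (Method 02)
    "8B17",        # mov dx,[bx]
    "BE4746",      # mov si,4647h
    "BF4D4A",      # mov di,4A4Dh
    "CC",          # int 3
    "83C302",      # add bx,2
    "909090",
    "31FF8EC7",    # xor di,di / mov es,di (Method 03)
    "B88416",      # mov ax,1684h
    "BB0202",      # mov bx,0202h
    "CD2F",        # int 2Fh
    "9090",
])) + b"\\\\.\\SICE\x00" + b"Software\\NuMega\\SoftICE\x00"


if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:08x}  {name}")
```

Run it over a raw DOS executable or a PE section dump; a hit only says the sequence is present, so confirm in a disassembler that it is reachable code and not data. Variants that load the magic values with different instructions or split them across the loop, as packers do, need their own patterns.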