About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
These are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; only reached if nobody intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; some arbitrary value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; cl != al: our handler was never called
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
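The instruction sequences quoted for methods 01, 02, 03/04, 05, 07, 11, 12 and 13 have fixed byte encodings, so an analyst can flag a sample that carries these tricks before loading it in a debugger. The scanner below is an added example, not code from the original post: it assumes the standard x86 encodings of the instructions as written (16-bit forms with an optional 66h operand-size prefix when built in a 32-bit segment), the labels are our own, and the sample blob is constructed by hand.

```python
"""Static triage for the anti-SoftICE tricks catalogued above (added example)."""
from __future__ import annotations
import re

# Optional operand-size prefix: the 16-bit forms carry 66h when assembled in a 32-bit segment.
P = rb"(?:\x66)?"

# Assumed standard x86 encodings of the quoted instruction sequences; labels are our own.
SIGNATURES = {
    # Method 01: mov ebp,04243484Bh -> BD 4B 48 43 42 ('BCHK' stored little-endian)
    "M01 BoundsChecker 'BCHK'":     P + rb"\xBD\x4B\x48\x43\x42",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (a few bytes of slack allowed between them)
    "M02 int 3 back door magic":    P + rb"\xBE\x47\x46.{0,8}?" + P + rb"\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID":  P + rb"\xB8\x84\x16" + P + rb"\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h (room for Stone's xchg pairs in between)
    "M05 int 41h/4Fh magic 0F386h": P + rb"\xB8\x4F\x00\xCD\x41.{0,16}?" + P + rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "M07 int 68h/43h magic 0F386h": rb"\xB4\x43\xCD\x68.{0,8}?" + P + rb"\x3D\x86\xF3",
    # Method 11: driver names handed to CreateFileA / _lopen
    "M11 MeltICE device name":      re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "M12 VxDCall Int41Dispatch":    rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: registry paths (case-insensitive, as registry names are)
    "M13 SoftICE registry key":     rb"(?i:(?:NuMega|Uninstall)\\SoftICE|Loader32\.Exe)",
}
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES.items()]


def scan_anti_softice(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, label) for every signature hit in data, sorted by offset."""
    hits = [(m.start(), label) for label, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits)


# Constructed sample: hand-assembled copies of the quoted sequences, padded with NOPs (90h).
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # M01 in a 32-bit segment
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # M02 as in Haspinst.exe (16-bit)
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                   # M03: SICE VxD ID
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # M05 simplest form
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                     # M11 device name string
    + b"\x90" * 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # M12 VxDCall arguments
)

if __name__ == "__main__":
    for offset, label in scan_anti_softice(SAMPLE):
        print(f"0x{offset:04X}  {label}")
```

Byte-level signatures like these are easy to defeat with register renaming or instruction reordering, so treat a hit as a triage lead and a miss as no information.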