About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker-style request handled by SoftICE
    cmp     al,4                   ; AL stays 4 if nobody answered the INT 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
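As an added example (not part of the original text), here is a small Python triage scanner that looks for the two INT 3 patterns of methods 01 and 02 in raw 16-bit code and recovers the back door function number from the preceding mov ax. The sample bytes are hand-assembled from the fragments above; the opcode encodings are the standard 16-bit x86 ones and are an assumption of this example, not something the text states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# SoftICE int 3 back door functions (AX values) as listed in the text above.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at DS:DX",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
@dataclass
class Hit:
    int3_offset: int        # offset of the INT 3 that performs the check
    trick: str              # "softice backdoor" (method 02) or "boundschecker BCHK" (method 01)
    ax: Optional[int]       # AX loaded before the INT 3, if it could be recovered
    meaning: str

def _last_mov_ax(code: bytes, lo: int, hi: int) -> Optional[int]:
    """Immediate of the last 'mov ax, imm16' (B8 iw) inside code[lo:hi], or None."""
    value = None
    for m in re.finditer(rb"\xb8(..)", code[lo:hi], re.S):
        value = int.from_bytes(m.group(1), "little")
    return value

def scan_int3_tricks(code: bytes, window: int = 16) -> List[Hit]:
    """Heuristic scan of 16-bit x86 code for the two INT 3 based checks.

    Method 02: mov si,4647h (BE 47 46) and mov di,4A4Dh (BF 4D 4A) within
               `window` bytes of each other, followed by INT 3 (CC).
    Method 01: mov ebp,4243484Bh 'BCHK' (BD 4B 48 43 42) followed by INT 3.
    Raw opcode matching (no disassembler) can misfire on data bytes.
    """
    hits = []
    for m in re.finditer(rb"\xbe\x47\x46", code):                 # mov si, 4647h
        lo, hi = max(0, m.start() - window), min(len(code), m.end() + window)
        if b"\xbf\x4d\x4a" not in code[lo:hi]:                     # needs mov di, 4A4Dh too
            continue
        int3 = code.find(b"\xcc", m.end(), hi)
        if int3 < 0:
            continue
        ax = _last_mov_ax(code, lo, int3)
        hits.append(Hit(int3, "softice backdoor", ax,
                        BACKDOOR_FUNCS.get(ax, "unknown back door function")))
    for m in re.finditer(rb"\xbd\x4b\x48\x43\x42", code):          # mov ebp, 'BCHK'
        int3 = code.find(b"\xcc", m.end(), min(len(code), m.end() + window))
        if int3 < 0:
            continue
        hits.append(Hit(int3, "boundschecker BCHK", _last_mov_ax(code, m.end(), int3),
                        "BoundsChecker signature request (AL stays 4 without SoftICE)"))
    return sorted(hits, key=lambda h: h.int3_offset)

# Constructed sample: hand-assembled bytes of the Method 01 fragment and of the
# Haspinst.exe loop shown above (4C19:0095..00AD), separated by NOP padding.
METHOD01_BYTES = bytes.fromhex("66BD4B484342" "B80400" "CC" "3C04" "7500")
HASPINST_BYTES = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC"
                               "83C302" "41" "83F906" "72EB" "E955FF" "8BDC")
SAMPLE = METHOD01_BYTES + b"\x90" * 8 + HASPINST_BYTES

if __name__ == "__main__":
    for h in scan_int3_tricks(SAMPLE):
        ax = f"{h.ax:#06x}" if h.ax is not None else "?"
        print(f"+{h.int3_offset:04x}  {h.trick:18s}  AX={ax}  {h.meaning}")
```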
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; int 2Fh: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; int 2Fh: get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to be 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...saving the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX untouched
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy AL so the caller can tell we ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
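Added example, not from the original text: a decoder for the DR7 bit layout, so the 0x400 and 0x700 values quoted above can be read field by field and the enabled DR0-DR3 entries listed. The register layout is the documented Intel one; the constructed DR7 values and the breakpoint address are assumptions of this example.

```python
from typing import Dict, List

# DR7 layout: bits 0-7 = L0,G0 .. L3,G3 (enable bits), bit 8 = LE, bit 9 = GE,
# bit 10 always reads as 1, bit 13 = GD, bits 16-31 = R/Wn (2 bits) and LENn
# (2 bits) for n = 0..3.  So 0x400 is "nothing set" and 0x700 is LE+GE set.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}   # 0b10 = 8 bytes on x86-64 only

def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> Dict:
    """Break a DR7 value (plus optional DR0-DR3 addresses) into readable fields."""
    bps: List[Dict] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        bps.append({"reg": f"dr{n}", "addr": dr0_3[n],
                    "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "local_exact": bool(dr7 & (1 << 8)),        # LE
        "global_exact": bool(dr7 & (1 << 9)),       # GE
        "general_detect": bool(dr7 & (1 << 13)),    # GD: trap on any access to DRx
        "breakpoints": bps,
    }

def softice_loader_signature(dr7: int) -> bool:
    """The text's observation: LE and GE (0x700) are set when the program was started
    from the SoftICE loader; only the fixed bit 10 (0x400) is set otherwise."""
    return (dr7 & 0x300) == 0x300

def active_memory_breakpoints(dr7: int, dr0_3) -> List[int]:
    """Addresses in DR0-DR3 that DR7 actually enables (what a set BPM leaves behind)."""
    return [bp["addr"] for bp in decode_dr7(dr7, dr0_3)["breakpoints"]]

# Constructed values: the two "no breakpoints" cases from the text and one with a
# global 4-byte write breakpoint on DR0 at a made-up address.
NO_DEBUGGER_DR7 = 0x400
SOFTICE_LOADER_DR7 = 0x700
WRITE_BPM_DR7 = 0x000D0702          # G0=1, R/W0=01 (write), LEN0=11 (4 bytes), LE, GE
BPM_ADDRESSES = (0x401000, 0, 0, 0)

if __name__ == "__main__":
    for name, value in [("no debugger", NO_DEBUGGER_DR7), ("SoftICE loader", SOFTICE_LOADER_DR7),
                        ("write BPM", WRITE_BPM_DR7)]:
        print(f"{name:15s} dr7={value:#010x} -> {decode_dr7(value, BPM_ADDRESSES)}")
```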

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:

  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(

   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:

   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:

   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
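Added example (not from the original text) serving methods 11 and 13: a static scan of a file image for the device names and registry keys listed above, plus Python equivalents of the two SoftICE breakpoint conditions so one can check which inputs they actually catch. The sample file image is constructed; the offsets 0x13 and 0x37 are taken from the breakpoint above and checked against the key strings.

```python
import re
from typing import List, Tuple

# Device names opened by MeltICE-style checks (method 11) and the registry keys
# probed by method 13 (sub-key part, without the HKEY_LOCAL_MACHINE root).
SOFTICE_DEVICES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]
SOFTICE_REG_KEYS = [
    rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    rb"Software\NuMega\SoftICE",
    rb"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]

def scan_for_softice_strings(data: bytes) -> List[Tuple[int, str, bytes]]:
    """Static triage: offsets of every SoftICE device name / registry key in a file image."""
    found = []
    for s in SOFTICE_DEVICES:
        found += [(m.start(), "method 11 (device name)", m.group(0))
                  for m in re.finditer(re.escape(s), data, re.I)]
    for s in SOFTICE_REG_KEYS:
        found += [(m.start(), "method 13 (registry key)", m.group(0))
                  for m in re.finditer(re.escape(s), data, re.I)]
    return sorted(found)

def bpx_createfile_condition(lp_file_name: bytes) -> bool:
    r"""Same test as  BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'.
    esp->4 is the first argument (pointer to the name); +4 skips the '\\.\' prefix and
    the next four bytes are compared, so '\\.\SIWVID' and '\\.\NTICE' match as well."""
    return lp_file_name[4:8] in (b"SICE", b"SIWV", b"NTIC")

def bpx_regopenkey_condition(sub_key: bytes) -> bool:
    r"""Same test as  BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'.
    esp->8 is the second argument (the sub-key string); 0x13 and 0x37 are where the
    'tICE' of 'SoftICE' sits in key #2 and key #1 respectively, so key #3 is not caught."""
    return sub_key[0x13:0x17] == b"tICE" or sub_key[0x37:0x3B] == b"tICE"

# Constructed file image: zero padding, the SICE device name, some junk, then key #2.
SAMPLE_IMAGE = (b"\x00" * 16 + b"\\\\.\\SICE\x00" + b"junk"
                + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for offset, method, text in scan_for_softice_strings(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {method:26s} {text.decode()}")
```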

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>