About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point) call.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; (ES is assumed to already hold segment 0, the interrupt vector table,
    ;  as it is set up explicitly in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

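A bit-level view of the two DR7 values quoted above, as an added example that is not part of the original text: a Python decoder for DR7 that names the fields behind 0x400 (only the always-set reserved bit 10) and 0x700 (bit 10 plus LE and GE, bits 8 and 9), and lists which of DR0..DR3 are armed, with the access type and length of each slot. The bit layout follows the Intel SDM description of DR7; the field names and the wording of the findings are this example's own. It runs on register values captured elsewhere (a kernel debugger, a dump), since, as the text says, the registers themselves can only be read at ring 0.

```python
from __future__ import annotations

# DR7 layout (Intel SDM, "Debug Registers"): bits 0-7 are the L/G enable pairs
# for DR0..DR3, bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1), bit 13 GD,
# and from bit 16 a 4-bit (R/W, LEN) field per breakpoint slot.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b (8 bytes) exists only in long mode


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its named fields and list the armed breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                          "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "slots": slots,
    }


def debugger_indicators(dr7: int, dr0_3: tuple[int, int, int, int]) -> list[str]:
    """The page's DR-based check as a list of human-readable findings.
    An empty list means DR7 is the bare 0x400 with no armed slot."""
    fields = decode_dr7(dr7)
    findings = []
    if fields["LE"] or fields["GE"]:
        findings.append("LE/GE set: DR7 looks like 0x700, the value seen when the "
                        "program was started from the SoftICE loader")
    if fields["GD"]:
        findings.append("GD set: any MOV to/from a debug register traps to a debugger")
    for s in fields["slots"]:
        scope = "global" if s["global"] else "local"
        findings.append(f"DR{s['slot']} armed ({scope}, {s['type']}, "
                        f"{s['length']} byte(s)) at {dr0_3[s['slot']]:#010x}: "
                        f"a BPM-style breakpoint")
    return findings


if __name__ == "__main__":
    # constructed values: the two DR7 states named on the page, plus one
    # with a 4-byte write BPM armed in slot 0 (dr7 = 0x400 | L0 | RW0=01 | LEN0=11)
    for dr7 in (0x400, 0x700, 0x400 | 0x1 | (0x1 << 16) | (0x3 << 18)):
        print(f"dr7={dr7:#x}: {debugger_indicators(dr7, (0x401000, 0, 0, 0)) or 'clean'}")
```

Reading DR7 from the debuggee's side is exactly what Method 10 does; from the analyst's side the same decoding tells you whether a captured DR7 is the loader's 0x700, the idle 0x400, or carries BPMs that the protected program could read and clear.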
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if SoftICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
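The tricks above leave recognisable byte patterns in a binary, so an analyst triaging a sample can spot them statically before ever running it. The following is an added example, not part of the original post and not from any of the programs it names: a small Python scanner that searches a binary image for Methods 01, 02, 03/04, 05/06, 07, 11, 12 and 13 using the hand-assembled instruction encodings (16-bit operands as on the page, with an optional 66h prefix for 32-bit code sections), the `\\.\SICE`-style device names and the registry key strings. The labels, the 8-byte gap tolerance between instructions and the sample image are this example's own assumptions; the sample is constructed inside the block.

```python
from __future__ import annotations

import re
from collections import Counter

# The "\\.\" prefix of the device names MeltICE opens with CreateFileA (Method 11).
_DEVICE_PREFIX = re.escape(b"\\\\.\\")

# (label, pattern) pairs. Instruction bytes are plain x86 with 16-bit operands as
# on the page; an optional 66h prefix covers the same instruction in 32-bit code.
ANTI_SOFTICE_SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') that precedes the int 3
    ("method01_bchk_signature",
     re.compile(rb"\xBD\x4B\x48\x43\x42", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values (each load is a hit)
    ("method02_backdoor_magic_reg",
     re.compile(rb"(?:\x66)?(?:\xBE\x47\x46|\xBF\x4D\x4A)", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (up to 8 bytes between)
    ("method03_04_int2f_get_entry_point",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("method05_06_int41_4f",
     re.compile(rb"\xB8\x4F\x00\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("method07_int68_43",
     re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL)),
    # Methods 05/06/07/12 all compare the result against 0F386h: cmp ax,0F386h
    ("magic_0f386_compare",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3", re.DOTALL)),
    # Method 11 (MeltICE): "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" as a C string
    ("method11_meltice_device_name",
     re.compile(_DEVICE_PREFIX + rb"(?:SICE|SIWVID|NTICE)\x00", re.IGNORECASE)),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("method12_vxdcall_int41dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.DOTALL)),
    # Method 13: the registry key fragments listed on the page
    ("method13_softice_registry_key",
     re.compile(rb"|".join(re.escape(k) for k in (
         b"Software\\NuMega\\SoftICE",
         b"Uninstall\\SoftICE",
         b"App Paths\\Loader32.Exe")), re.IGNORECASE)),
]


def scan_for_anti_softice(data: bytes) -> list[tuple[str, int]]:
    """Return every (label, offset) hit in data, sorted by offset then label."""
    hits = [(label, m.start())
            for label, pattern in ANTI_SOFTICE_SIGNATURES
            for m in pattern.finditer(data)]
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def summarize(data: bytes) -> dict[str, int]:
    """Hit count per label; labels that never match are left out."""
    return dict(Counter(label for label, _ in scan_for_anti_softice(data)))


def build_constructed_sample() -> bytes:
    """A constructed test image (not a real executable): NOP padding around
    hand-assembled fragments of the tricks described on the page."""
    return b"".join([
        b"\x90" * 16,
        # Method 01 (32-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4
        b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
        b"\x90" * 8,
        # Method 02 (Haspinst): mov ax,0911h ; mov si,4647h ; mov di,4A4Dh ; int 3
        b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC",
        b"\x90" * 8,
        # Method 04: mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
        b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",
        b"\x90" * 8,
        # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",
        b"\x90" * 8,
        # Method 07: mov ah,43h ; int 68h
        b"\xB4\x43\xCD\x68",
        b"\x90" * 8,
        # Method 12: push 4Fh ; push 002A002Ah (the call that follows is omitted)
        b"\x6A\x4F\x68\x2A\x00\x2A\x00",
        b"\x90" * 8,
        # Methods 11 and 13: strings as they would sit in a data section
        b"\\\\.\\SICE\x00\\\\.\\SIWVID\x00",
        b"Software\\NuMega\\SoftICE\x00",
        b"\x90" * 16,
    ])


if __name__ == "__main__":
    image = build_constructed_sample()
    for label, offset in scan_for_anti_softice(image):
        print(f"{offset:08x}  {label}")
```

The short patterns (a 3-byte register load, a `cmp ax,0F386h`) will occasionally match ordinary code or data, so treat each hit as a place to confirm in a disassembler rather than as proof; the multi-instruction and string signatures are far more specific, and a file that triggers several distinct labels almost certainly carries one of the checks above.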