找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
5 e" p0 q4 \# K) N* m% t<TBODY>5 _) Q: e! ]. b
<TR>* ]7 m) S6 z& f  O. R
<TD><PRE>Method 01 ( `$ @6 R7 y) {% k) h
=========6 F/ N) E) P2 _

: T0 y9 w  n' [( DThis method of detection of SoftICE (as well as the following one) is+ N% H' W3 R6 m
used by the majority of packers/encryptors found on Internet.$ W9 s3 D/ s$ t/ p6 W( L
It seeks the signature of BoundsChecker in SoftICE. s/ O4 b( A7 k  f: y5 ^- R2 R

/ R& U" R; Q) _, r  s3 j6 V( v    mov     ebp, 04243484Bh        ; 'BCHK'
4 m& L  x2 M, @1 D+ R8 ?9 ]    mov     ax, 04h
4 |5 ~9 @: X9 @) [; i    int     3       1 g' `9 E# c' a3 s: \  m
    cmp     al,4
0 b4 K/ ?- l& i" J3 r    jnz     SoftICE_Detected
, Y! B# @. }/ C
7 K8 K* v9 n- u8 a0 i0 i3 p___________________________________________________________________________$ j( m! C- y3 b& [
) U9 I# b  J% M$ ~8 G; a' R
Method 02
$ g. h- _$ A  y/ d=========
; {. `: ?# D8 {8 @+ q' j
# ]. ]" x5 R" R+ n- O1 {: {Still a method very much used (perhaps the most frequent one).  It is used
& s9 U7 B8 p3 cto get SoftICE 'Back Door commands' which gives infos on Breakpoints,6 I7 L' L2 K/ Z) O( O) q# F
or execute SoftICE commands...
) g, M# L1 R- x2 n3 m* X( @It is also used to crash SoftICE and to force it to execute any commands; S: V6 z- `/ s+ I$ c6 z& U
(HBOOT...) :-((  - I* M8 g! ~; s% l, X. X; c

6 k$ x2 \6 b2 QHere is a quick description:
6 C4 @; @8 ]& m2 q1 _-AX = 0910h   (Display string in SIce windows)
$ s* ~  g" T/ Q$ ?-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx). t1 a& d. q2 g9 K9 ?
-AX = 0912h   (Get breakpoint infos)
3 Y* V  g' P& y! P# q! ?-AX = 0913h   (Set Sice breakpoints)) e/ ]# @/ B3 W5 q
-AX = 0914h   (Remove SIce breakoints)
+ Y) }) ?( K: s
( v8 {7 X, a$ P4 F& ~Each time you'll meet this trick, you'll see:
. e: j! |/ X% C% ~-SI = 4647h
0 ]2 [8 a6 X2 F! n+ C-DI = 4A4Dh
5 Q* F3 p0 n& qWhich are the 'magic values' used by SoftIce.! p, a0 _' C$ j. u8 [; S, j
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
4 c1 v9 v( z) `' z
  H- m" V+ |9 u3 _) THere is one example from the file "Haspinst.exe" which is the dongle HASP
' m0 A' u, @, R5 K2 O8 gEnvelope utility use to protect DOS applications:
0 h0 A% B; T! g8 Q# i( k- W5 W7 `" W9 N( w2 ]
* Y/ D* u/ z* v7 R# o& X0 r
4C19:0095   MOV    AX,0911  ; execute command.6 e6 Z9 W" ?, k
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
0 o; P1 b% Y* w6 s  a4C19:009A   MOV    SI,4647  ; 1st magic value.6 p' b5 x+ `4 |5 `2 }
4C19:009D   MOV    DI,4A4D  ; 2nd magic value., N) ?- X  y4 F  i- p" J+ V1 g
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
! N& ], @& ~) x) w' z. D4 D4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
$ l4 {9 s0 R; e+ D/ f) ]! n4C19:00A4   INC    CX
# b2 ]- [1 `" m5 @4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute1 Z$ G, ?3 x. p; c, V# U# o
4C19:00A8   JB     0095     ; 6 different commands.; o* q8 ?) v3 `0 u# T
4C19:00AA   JMP    0002     ; Bad_Guy jmp back./ C  V4 }8 z$ I2 @; @
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :). ?. }8 t8 A3 C3 H
: I) i4 {$ G( X- W9 z
The program will execute 6 different SIce commands located at ds:dx, which
% k, U7 L' H7 b/ [6 Iare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.) D, c$ C+ x2 f/ ]3 E# K

" b: ^6 a& k9 H9 S2 J* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.9 _9 Z: u6 y8 c+ @
___________________________________________________________________________
2 g( X& ?( q, G& j: o* z( J( s( F% v, Z) n6 G9 [0 w: _' Q& c
2 J# b6 @0 m1 }1 N/ I# Y
Method 03# D/ [0 J# {6 D' z! d4 D
=========
0 H2 b' i2 V& K8 G3 e# n2 n+ b
1 R4 N' c) M4 q! V2 wLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h- g7 n, U$ D" q# O2 C
(API Get entry point)0 n0 n3 c* m% R* v8 s( @
        
) r6 X' d8 H, {# i& u4 l- Q5 m  f' L; D: E
    xor     di,di5 ~' M$ d2 k  f
    mov     es,di
; e/ S2 _; ?0 Q. p& e9 p    mov     ax, 1684h       ) ~0 m- r: M: q' I
    mov     bx, 0202h       ; VxD ID of winice
4 f/ v7 P5 q0 H( V: ]4 K. x' A    int     2Fh
" J/ _9 l7 |, F) w7 W    mov     ax, es          ; ES:DI -&gt; VxD API entry point, v7 F& x- F/ \! w8 w
    add     ax, di! F) I0 j: j+ J8 o) V4 R6 U4 p6 E& b
    test    ax,ax( d7 w$ t* J1 I8 b  w  y' a
    jnz     SoftICE_Detected
) J9 {/ _: c* m9 l
6 N0 _& P: q2 h6 x___________________________________________________________________________. f: |2 F! h5 z5 m2 S
( b' A5 y( A& D# l) g3 E
Method 04
, F9 Z9 C* M/ s" N=========
; i" @/ l7 {5 u, c6 n
% [6 [; z& D9 TMethod identical to the preceding one except that it seeks the ID of SoftICE
7 O7 C0 C8 k6 F& gGFX VxD.- _7 \. E; g5 P0 ~( P, N

7 `5 b8 D" {* \    xor     di,di) s/ A9 b2 H# [% y
    mov     es,di6 m9 o& W" U8 r
    mov     ax, 1684h       % }5 e6 G' T+ \5 ^' v3 s
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
( z* t( O; K/ \/ M9 F' G: G8 {( F    int     2fh
* G7 b" g/ W5 j+ h0 r: c3 D8 q    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ H+ v; h& K! R1 q) T( u. O0 N
    add     ax, di
! r* d% X  E- @9 O' Z    test    ax,ax
5 i* c/ @8 L5 v, Q3 s( y. y    jnz     SoftICE_Detected2 x- a3 s0 D% G  K5 n8 E/ ]
0 F+ q" W  d) r: p4 C4 m0 a5 x: Z% x
__________________________________________________________________________: l, h6 s- G! g

9 l5 D7 n2 D; _% P3 k
) O  \, i/ ^2 VMethod 05
/ K) U) |; I% ]: V0 z: ^=========
0 y9 o0 D% F& C1 w% @+ D9 _! ]$ U# j5 ^5 }, _+ f
Method seeking the 'magic number' 0F386h returned (in ax) by all system  J* p' \$ P5 r* G
debugger. It calls the int 41h, function 4Fh.' U/ B5 Y" Z  m# ~( d
There are several alternatives.  2 D5 _+ B+ J$ f# n( N9 L8 p, e
; C6 S  J' E& }" n) P" D5 z
The following one is the simplest:
0 ], k4 \% H8 z2 f7 V& x9 _5 o# o7 m+ a3 x2 o3 D  S  O9 ~
    mov     ax,4fh
% Z9 ]  c- [5 s8 }  I& a( w    int     41h
3 u+ Z" F) ]3 N1 W9 }    cmp     ax, 0F386
$ N, B4 P+ f$ H" H9 S  f5 d    jz      SoftICE_detected, R: o4 r7 }  b9 i$ [

  o2 t2 [" D. _/ c
6 d- I$ Z! T+ o* `' ANext method as well as the following one are 2 examples from Stone's
- r, h- Q( R9 X# N, x8 ]2 e2 e"stn-wid.zip" (www.cracking.net):- d1 r4 s( H' m3 F5 x; Y% P( x: F
: ?+ D- M* F1 s4 h4 v( t
    mov     bx, cs" S. F- n$ Y7 a. p7 \; Y# v0 P
    lea     dx, int41handler20 g8 \0 w4 f7 q3 G
    xchg    dx, es:[41h*4]3 ?- f0 X/ r/ h* h+ N
    xchg    bx, es:[41h*4+2]! B9 V; q8 L% Y4 o' u' S
    mov     ax,4fh
+ c* c& y: U  R+ A# P7 I) B# e    int     41h. S# K- t; ^/ w- l
    xchg    dx, es:[41h*4]- W6 v$ C) r/ _' U! y: \3 I
    xchg    bx, es:[41h*4+2]' y* L* K; c# i: O# O
    cmp     ax, 0f386h
" B6 E$ \# W- w' K    jz      SoftICE_detected
8 T& D' m/ u; e3 d1 Z7 k' h# s3 ^8 n8 l- u  N# a7 d
int41handler2 PROC
; m1 i6 g6 l/ O  L1 h3 a    iret- B+ Z+ ]1 K1 S
int41handler2 ENDP) r& L. M$ D6 ~0 w. \+ K

" Y- {, ^9 `8 o/ Q4 B/ D) }! u# g. Z& X
_________________________________________________________________________
# c# T- l+ Q4 e# g
6 _  H7 A" R$ I$ |+ X+ @* |8 W1 h/ l$ L' T! M$ D! U$ C8 n
Method 06! i/ C4 X* ~% O: c5 l! x" a
=========
% P+ Y7 J: M# t7 j4 F6 G
( ^0 R2 s8 c- M( g/ \
2 p, ~1 v+ h/ l$ P+ C, L  K2nd method similar to the preceding one but more difficult to detect:
6 p# P) |# M7 A) M0 i& i4 f
; B" ~% }& T* H& g; p9 y* e* Y/ y. H  l7 d/ f; M
int41handler PROC
) _7 t% H" l$ N5 S: P6 |    mov     cl,al
6 j6 Q- ^9 Y1 L, t6 @( p! }    iret1 K9 l; ~$ y, i* Y, s2 S6 l
int41handler ENDP
. F/ T. r; ~6 n: }
2 }$ u4 M& i! G( d7 X$ l: c
6 q! ^9 f* s5 N    xor     ax,ax* ?; a1 c# {) k' d
    mov     es,ax% W3 `! ]: G3 |) l( }
    mov     bx, cs
' y4 M7 T* V6 M8 _2 g7 v% `1 b    lea     dx, int41handler$ ?+ m5 B! z' G# X* [. ~9 y
    xchg    dx, es:[41h*4]0 }4 s7 E$ ^; z! g& w9 k- {
    xchg    bx, es:[41h*4+2]8 ?/ u# b* Q1 y
    in      al, 40h
5 b% n+ `& R  M8 T    xor     cx,cx
; l6 S3 |! `  V! o  y  X    int     41h4 k, ?( a  M& `$ `. k9 ^
    xchg    dx, es:[41h*4]
$ C4 J  V9 Z. h5 L* l) \4 e    xchg    bx, es:[41h*4+2]
* g' v7 P; n" {& T( r    cmp     cl,al, u' f8 d/ H! A. S7 z+ E
    jnz     SoftICE_detected
, A; J5 o4 R2 ~3 }. J  e" G+ ]' n
_________________________________________________________________________
  t2 [. n. y1 L( S. Z* i# T, G: o2 {4 v7 L; h) @
Method 07( i; I4 u. R) g+ _2 J* i5 |
=========
. l6 h. j5 m5 V
/ ~( C! W" R+ F" q. R6 mMethod of detection of the WinICE handler in the int68h (V86). k- a  T* \/ {- `& W4 ~

& h- u  E" X9 e1 a$ z1 o    mov     ah,43h
3 b( `* Y: f' }8 M6 t    int     68h
2 U3 j+ l; q  f/ v+ T1 ?8 w    cmp     ax,0F386h7 s2 O% d, T0 r3 [7 v
    jz      SoftICE_Detected
* ~# M6 ]/ r3 a: N8 s
2 e4 I- y) G8 D* A+ i! a
3 M* L, g3 C" m% G- l0 u7 h=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit" }0 j0 G. Q9 r0 o3 U# ^9 ]
   app like this:
" S# P! u& y  k6 a8 f# q" T" Q! Q. J1 ?0 j4 b
   BPX exec_int if ax==68: Q' s: S# |# ]9 G0 S% W+ u' \
   (function called is located at byte ptr [ebp+1Dh] and client eip is
1 l& k  x: V5 c: P" P   located at [ebp+48h] for 32Bit apps)
  J# T# t; g( v( Y4 `6 t__________________________________________________________________________
! `' R/ s$ [6 u! f+ z, o/ ^1 i
4 Q2 P/ _* J8 c9 z3 j: J
0 x( X& X" v' S5 B. t3 kMethod 08
$ n9 j4 _; E2 Y2 r=========
$ W. `  h" U; D
# k& A. N! g: X2 WIt is not a method of detection of SoftICE but a possibility to crash the8 ?' O' i  I. r  w2 Z6 Y0 H* }" Z, b
system by intercepting int 01h and int 03h and redirecting them to another  v4 f3 @% ~( h
routine.
0 `8 K4 Y" v% w0 g* {* r9 cIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
- r, Y  G% F% u: `to the new routine to execute (hangs computer...)
* {3 N: [! @/ O
$ F: M6 q3 Q# k8 w0 I    mov     ah, 25h
, Z* j  m; X+ f# D! j    mov     al, Int_Number (01h or 03h)$ v$ `( H% D1 a
    mov     dx, offset New_Int_Routine
& b$ D' [+ ]& B* {+ H& t3 [    int     21h
$ \7 d0 H8 j- u/ q: G# U5 E
0 `$ ]/ o6 b5 n2 ^. R9 M9 o__________________________________________________________________________$ }$ \2 Z3 c9 p( F7 x3 Q2 l- V

6 O9 b5 v" ~; g- m6 r, VMethod 09- ^5 f4 n) ?; W2 w
=========
+ @: c  e9 N( G1 D
0 A" D1 P6 d) D, ?8 a7 hThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 s, w# Q6 d" A" }! A/ S8 B/ M& operformed in ring0 (VxD or a ring3 app using the VxdCall).9 `# T+ i/ \  V. o% K+ P; D1 M
The Get_DDB service is used to determine whether or not a VxD is installed
- J) |9 A2 T1 d/ lfor the specified device and returns a Device Description Block (in ecx) for
3 O, _- w/ T2 C7 Z7 f2 t4 ]that device if it is installed.8 O; e2 |, l4 m2 U

- c4 c* q* }+ @   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID! f1 `! m5 p, c% j! v$ S5 h
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
5 x4 C0 ]0 L3 A   VMMCall Get_DDB/ X  m" Q; w9 D
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed) ]0 q# `) o) g. L) |2 @4 a, d

) k  o  S) R* J$ A, A# n/ S* j  sNote as well that you can easily detect this method with SoftICE:
+ g. m* x+ m+ S# n   bpx Get_DDB if ax==0202 || ax==7a5fh
; r" C5 M2 s9 W* \, @! F. ?. {4 {9 m( K* a, I7 |7 n
__________________________________________________________________________
/ C6 G2 M, C: f8 o5 m' v" O
8 E+ u" v4 v( J# _: eMethod 10
' H+ _% m) D4 w$ ^=========: g' ~' \; a. _. \) F) u( W2 J

( T- _, P* _) I2 @' z+ _8 A; D=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
% H, o+ H& H- q) B  SoftICE while the option is enable!!5 l9 a: m- r$ t

. W+ l9 S. z# L. QThis trick is very efficient:
8 [: k/ n& P% k# `by checking the Debug Registers, you can detect if SoftICE is loaded
, N9 E" z2 `) N% }- E0 P(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 s) }6 `2 |3 M& b( [
there are some memory breakpoints set (dr0 to dr3) simply by reading their$ y0 D1 t1 I' Y3 I; E- V6 o
value (in ring0 only). Values can be manipulated and or changed as well9 D* k% i# q& a. W1 w6 Z" t$ S* |
(clearing BPMs for instance)9 V% o. I5 Y& |* z; O5 k) V

6 @- O, h/ }# ^; P1 L__________________________________________________________________________
7 `5 e, Z( l. N. @
3 d# m. L% ], |% J$ q$ WMethod 11
: B. |# ~* `  @+ [2 J2 u=========+ D( D' q$ @8 V, O1 ?2 M
+ O" [  @% W7 N; Q
This method is most known as 'MeltICE' because it has been freely distributed
5 h7 B' @/ k, {; n* Ovia www.winfiles.com. However it was first used by NuMega people to allow
5 w; \& ~3 G# O8 Y* l8 BSymbol Loader to check if SoftICE was active or not (the code is located
  D" d  y1 v' n8 w) iinside nmtrans.dll).
. Z4 t4 _; u' ]
( E8 D& x0 O% _' {2 r) `The way it works is very simple:
+ \8 k7 A" G& k  G+ M& B/ t5 nIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
1 @+ G9 ]. [3 ?. ^- X7 DWinNT) with the CreateFileA API.$ k* H0 o* H* H+ m/ p  s) _# t
6 y" M: Z. r1 Z7 p
Here is a sample (checking for 'SICE'):
) @2 H- \3 r3 N* ~5 A- i/ k) |8 ]# E
BOOL IsSoftIce95Loaded()- g, s! E- t# h
{
/ B- {4 g3 z7 Y, n& ~' j   HANDLE hFile;  
, g+ y, c, H9 N( ]6 s% {4 F9 O   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,- c- G+ b  ?$ i% _
                      FILE_SHARE_READ | FILE_SHARE_WRITE,2 [$ A" Q) R/ T$ n  S( g  L
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 O5 [7 ]5 Z! z" C4 G
   if( hFile != INVALID_HANDLE_VALUE )0 E& o! y7 i  S0 t) @+ c% k
   {1 _' E0 r( v, X, A/ V* K4 z
      CloseHandle(hFile);
5 e. N8 U/ s3 N% e% Z$ a      return TRUE;1 ~6 f: \; L' V
   }* t4 `. z8 C; b" I5 ~7 C' d
   return FALSE;
) o( Z5 z, H. w( Y! V}
7 X  q8 n9 R4 k7 E! D. p3 K4 G) P. d6 y8 }& g0 @
Although this trick calls the CreateFileA function, don't even expect to be% Z2 w8 \4 `4 r: Q& }0 Y
able to intercept it by installing a IFS hook: it will not work, no way!, M$ j% H# v+ Z, Y  L
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
& Y/ s& c) v4 r) gservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
# Z8 v9 r; J- `# B3 kand then browse the DDB list until it find the VxD and its DDB_Control_Proc
& O# u* J1 R1 K7 [! |field.$ H- B  k" f+ V: w* M1 d- v3 k7 A
In fact, its purpose is not to load/unload VxDs but only to send a
, J  q& T0 b9 W% P" _- fW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)) f4 p; W2 t6 G5 u
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ f& M# D! n1 `! O7 W  E( g" [to load/unload a non-dynamically loadable driver such as SoftICE ;-).' o! v" `( n+ ?; L2 E8 N
If the VxD is loaded, it will always clear eax and the Carry flag to allow
+ ^+ z" B9 E1 y2 U+ v  vits handle to be opened and then, will be detected.0 z* d+ r7 v; N, P' G& A$ ^
You can check that simply by hooking Winice.exe control proc entry point
, F6 `* O- W5 T; \8 q; F3 gwhile running MeltICE.
" F0 Q# L6 F* z( }- v$ e; d# w% X  d, S( i" I6 H* D/ y

, b  i7 V3 o8 i+ v  00401067:  push      00402025    ; \\.\SICE
8 i; B: f- U8 e' |- d8 j  0040106C:  call      CreateFileA
2 J( h/ M5 F; Z7 b' N# p  00401071:  cmp       eax,-001
1 U2 g) ]4 m3 A! y3 J  00401074:  je        00401091; }% K( \3 K( R% [+ F

  q3 a* X" M6 z" b2 @
& r! j  H! [' k% c8 K; x3 DThere could be hundreds of BPX you could use to detect this trick.% d: Q: q1 v' T/ l0 D5 p
-The most classical one is:  O# f& t; o3 \+ {+ r5 D. R# E
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||" N+ I% w' o9 _9 C: }* M8 }
    *(esp-&gt;4+4)=='NTIC'
/ [3 E2 |0 I  T9 d/ r5 q: t  K
8 I$ }; r& l* b% W3 U-The most exotic ones (could be very slooooow :-(" D$ v1 \" D6 ~/ q
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  / P2 L' ?" v, W+ y( Z4 D8 o
     ;will break 3 times :-(  I  J/ q# l- Y. M9 T9 y5 m  I
: j4 t5 m4 f& J$ W$ j
-or (a bit) faster:
! i) ]0 c: X/ c5 t% p0 r8 k   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 _: o. e/ a" B9 E3 K( @" d; `8 J6 q$ |9 _3 A; z
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  - z9 r& r4 ]- d5 X: [& ~0 k
     ;will break 3 times :-(0 i' C2 z/ y6 R' B3 k( j! v
9 R6 K# [  f5 d8 [
-Much faster:% B# g8 L+ P% N" K0 {
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'$ Z8 o* ~, P6 M0 _" R4 j
6 w$ y0 B6 }& X0 c: v. y) \* j7 T
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
' `+ u! V' C; x/ G& Hfunction to do the same job:2 E5 H; S, w. Q6 T% J) X

+ B  ?6 O" I2 n+ K; Q   push    00                        ; OF_READ- W! l/ G' T, a6 B* b% D/ {
   mov     eax,[00656634]            ; '\\.\SICE',03 j/ `; r6 k0 _9 P) ]- o* J
   push    eax
# Y# [0 k9 _3 m& N: b0 a0 Y- j   call    KERNEL32!_lopen6 v$ I9 G4 v: _% D8 n, Y' a1 y. f
   inc     eax7 N, r1 y8 ~, i& R1 \
   jnz     00650589                  ; detected% ^# m' w  Y+ Z$ L: X4 h( G" v2 I6 C
   push    00                        ; OF_READ6 u% {: p1 [' |* M& t) r& B: A
   mov     eax,[00656638]            ; '\\.\SICE'- v( J/ ^4 v# ?1 n
   push    eax
7 V8 l, J/ g: M6 O5 x   call    KERNEL32!_lopen
2 A1 y6 o  I3 i) L6 R7 o; b   inc     eax, e: m" X: s9 b7 d0 _# c4 b/ A
   jz      006505ae                  ; not detected* J% N/ I) R# L2 u
, v$ a% F4 U8 J+ ?+ l* j5 @& U

* ?1 V  s' b$ `9 U- m__________________________________________________________________________
6 A/ {4 V2 `& s2 F% [4 ~6 {
8 t( z' _$ Y( X" [Method 12+ j5 h$ y- n: n# O
=========+ Y% K, \4 p/ |( E! C4 @1 \
$ @9 s3 `1 k* w& ^* Q, c9 K" T
This trick is similar to int41h/4fh Debugger installation check (code 05' q+ y8 X3 j+ L' w& M6 y
&amp; 06) but very limited because it's only available for Win95/98 (not NT)5 y  r5 n$ f) n& c" L7 q( K0 e5 r) }
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
: Z2 o+ ]* w2 x! l2 N7 g) U( g1 ?
# Q8 B5 i2 t) t& a( x% m8 v   push  0000004fh         ; function 4fh7 p' L5 G3 T( t5 @8 m; e; |
   push  002a002ah         ; high word specifies which VxD (VWIN32)
' y) r* K* P* E2 ]                           ; low word specifies which service
$ w1 n; V8 t' ~5 L3 [                             (VWIN32_Int41Dispatch)
# I7 P; w# R7 U$ F   call  Kernel32!ORD_001  ; VxdCall2 g3 n& z* c5 _+ E
   cmp   ax, 0f386h        ; magic number returned by system debuggers8 D: ^% m+ o4 C, @
   jz    SoftICE_detected( [0 C/ b, A2 c2 b7 r
! c0 z+ p) ^* W- h# z/ n8 J1 U* L
Here again, several ways to detect it:8 g" l  V2 l- t  C6 W+ _

1 O: l9 `$ H9 a; A! z7 {! s    BPINT 41 if ax==4f) e* x3 [" Q6 r3 [3 d

. L7 N& [9 D% z3 c    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one8 i) `) I5 V0 f, B! Q* y, B! U) M
5 r$ u$ W8 Y& W) Z# h; r5 y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
1 c- B- U+ s* d- Y) Y' e: |' v. E5 G* O4 ^
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
" \! v, |" \  `) g8 O% G/ \7 b  R) }9 y- i- J5 `1 I4 R0 w
__________________________________________________________________________
6 C" H% q, j6 p( U: R. c% a6 `$ W0 w
1 z9 Z! @/ E) `Method 13) s6 o+ J) S2 B1 B5 ?
=========
* ~8 B$ k' Z# W
* J$ ]! s% s  B9 T1 hNot a real method of detection, but a good way to know if SoftICE is
8 U' `) f# ^; H$ M* N9 winstalled on a computer and to locate its installation directory.( G) U# W" p4 w4 X2 l) l  M$ A
It is used by few softs which access the following registry keys (usually #2) :; K& F3 E# Z0 A% C0 r2 D

* X, [! R4 h. u& Z: x3 S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion+ t' O  g7 V5 }. V" D2 {
\Uninstall\SoftICE
& d, l0 g1 N! o- W; c: F9 O-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE8 }6 ?; m  y' O" d1 Q; L9 k( R
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  p7 g( f& F+ U" @$ W( j$ F1 X, r
\App Paths\Loader32.Exe
  ^9 P4 z8 E- e- m1 C3 A( w0 r8 {( i7 X' w! r( O
# e8 L2 T% l: Q0 b
Note that some nasty apps could then erase all files from SoftICE directory
7 k5 ?' @8 w$ [5 o(I faced that once :-(! R/ E% V& G2 ]: H. w) {3 q( @
6 T3 w2 u3 L) p1 u7 d0 L
Useful breakpoint to detect it:
# R, G' ]3 a$ {" e% _$ @4 i: u
1 c& r  R% A$ b. g, w: k     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'$ q8 I% A# R! {

; i* L7 R) F1 C__________________________________________________________________________
9 |- A% ?2 m- y/ u$ B- e0 }4 N$ ^" S2 z3 t

0 H* m/ c0 A2 i! g5 V7 AMethod 14 ! O7 f8 t9 L$ u4 {, G
=========
8 s- K. c  h3 k1 \) P7 \% F- Q; }/ c; v; v, K2 ]3 N" D4 p% q
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 l; x% }! j' R4 g5 }/ G8 ^is to determines whether a debugger is running on your system (ring0 only).
* v. [$ o5 J7 w. I" U, c$ ]4 i5 x# r9 u
   VMMCall Test_Debug_Installed
0 F, Z+ E( Y+ r: f2 q   je      not_installed' ]* k6 l; x$ U/ ]+ {) F
/ Q: d% p- a1 Y& j
This service just checks a flag.
1 N4 B( m6 [3 F0 k* @# T1 L! M</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 18:40

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表