找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
2 z4 e0 p, ^1 ]" o2 l4 x<TBODY>+ n% z" S: ]( J. x
<TR>) S/ j! A. G0 w& C+ V: N% q* i( p
<TD><PRE>Method 01
* F: ?/ D. P: ^% ?3 d1 D=========
) O2 c# R6 ^9 v/ U5 ?' F( @; b& x$ o0 A
This method of detection of SoftICE (as well as the following one) is" W  H/ w+ C! |: i" N1 z3 Z
used by the majority of packers/encryptors found on Internet.' M5 ^% ]# E' _
It seeks the signature of BoundsChecker in SoftICE
0 K/ `: F& Q/ x( z9 ?& X! e" Y* ], r
    mov     ebp, 04243484Bh        ; 'BCHK'8 g: R9 K) T2 P; }7 D
    mov     ax, 04h$ l& E: q+ ^8 ^* l2 t" ~* C
    int     3       3 n% u6 z" }1 K2 R
    cmp     al,47 w2 Z3 n. V9 i
    jnz     SoftICE_Detected
8 i( f5 j) q' u! f% ~+ V
, \6 X7 F- G- B% g5 ~1 F___________________________________________________________________________% ]" C$ ?6 N6 E* a3 ]4 Z6 }: g
3 Z* i- {* A& t( g, Q
Method 02
3 e6 p: k- l- @=========
" P) ]5 n9 A& @  v
' K8 R: |5 T. N4 B0 ^; l! DStill a method very much used (perhaps the most frequent one).  It is used9 V% U; |' ~/ L+ ^
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,5 y3 I' ~$ l, W( @9 d, [% m+ C1 N# c
or execute SoftICE commands...% h5 P4 f& B! B; z5 \3 f
It is also used to crash SoftICE and to force it to execute any commands
4 j5 {+ ~1 p# `, v7 G(HBOOT...) :-((  
$ H$ o/ m' _! c# \. j2 ?# S: N$ y% Y6 |4 l9 v" D  R- y
Here is a quick description:
3 X+ Y- Q: ~5 y% _+ \- f0 U-AX = 0910h   (Display string in SIce windows)
# Q: R/ K$ q1 T# G-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
. R( S: A# q' Y/ c-AX = 0912h   (Get breakpoint infos)
! R8 K- l+ x8 _-AX = 0913h   (Set Sice breakpoints)$ `% Z3 L9 M/ z9 `
-AX = 0914h   (Remove SIce breakoints)& }, J: }) w3 E: q# l. x

9 \2 T. b7 D. K2 [Each time you'll meet this trick, you'll see:
+ {! m6 E! v' r/ Y6 I-SI = 4647h
( v/ [2 O9 _# A* Z  l-DI = 4A4Dh* _8 i1 S# j7 K' F8 p; W
Which are the 'magic values' used by SoftIce.+ n' L2 j: h+ z/ B  B+ w# I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
) N* j1 |4 I2 [
# s' E% R4 |& F% @2 oHere is one example from the file "Haspinst.exe" which is the dongle HASP
3 j7 v! w6 B# fEnvelope utility use to protect DOS applications:
, m( R, ?9 o' V( X7 Y
! P* E& e' R" n% E: X( k; j4 v
6 k! d. _: N, j8 f% n# ~" g% ~4C19:0095   MOV    AX,0911  ; execute command.* ^" A" k4 X* T+ l4 s
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).$ E/ q3 r1 s5 H# X# w( s" P
4C19:009A   MOV    SI,4647  ; 1st magic value.# y2 O, P2 M  p
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.+ W+ Z9 W) k' L4 `
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
: t% b" b1 Q. v0 P* o4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute( h6 [6 G: T) [- z9 U* q% d
4C19:00A4   INC    CX0 t/ j' }4 Z: h2 a/ I: g
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
5 [: `" G/ M5 X% _* I$ c5 K0 ~4C19:00A8   JB     0095     ; 6 different commands., I( b3 K3 ~' r6 R/ }
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.  C# i7 |% q0 ^: w; b( y# A
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)3 t# w' R5 i9 E* D- E1 G" Q4 s, j! V

. t" w( A0 q3 `9 H* cThe program will execute 6 different SIce commands located at ds:dx, which8 u$ d& W* x: B  B
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.6 o9 [; G" \. _% @6 j7 P8 l
, {, o( S) Z- [5 j
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
2 g  C! Y' |& D7 K___________________________________________________________________________, K8 }* G5 R9 b0 a/ a0 C. F* p
9 S) Z* O3 I; o3 t* P( ?( X% V

  y; i/ g5 s% J; i' NMethod 03
& s/ o! G& M6 T. O=========- O! j' N/ Q; i4 }8 s# ~7 E- ]
- }% e* u, o. ^6 v# y* I* z, ]9 X
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h, s  X2 T) B! S1 M, H  T( u
(API Get entry point)5 A- E- y" V% K7 U( N9 S
        
0 ^# }. V. d$ C8 K
  \; Q* p1 l& c+ i: K* _1 y" A, H    xor     di,di$ d) o  i+ F* I( k
    mov     es,di4 p7 R6 q+ @& O0 g0 `1 a6 e; M
    mov     ax, 1684h      
8 [% c/ ]5 w6 s, Y  p2 T4 t/ v    mov     bx, 0202h       ; VxD ID of winice  t& p1 u7 l! D. O* F" j) N  T# U
    int     2Fh* [0 h' x8 J3 V
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
$ E3 u2 u2 B+ ^0 \" N6 k& L0 s    add     ax, di
6 ]0 G% s7 f7 {1 D1 z. w    test    ax,ax
9 k) m+ E3 e' Q- {9 w    jnz     SoftICE_Detected
& t5 {7 b% i8 G  z1 b/ G* g
4 ~3 r8 K0 t) s/ r___________________________________________________________________________- V( v, P! M7 x$ P. y
: U. w0 {4 z; t3 z: j
Method 04/ M6 y& b) w# D! c8 x/ h
=========
8 W# p3 r  Q# I. h% ^9 ?  G! w3 g5 Z/ O, Z! \5 Z5 F- }( ^) B$ v' f
Method identical to the preceding one except that it seeks the ID of SoftICE* f- m$ `+ j$ f) _  H! a
GFX VxD.8 S  S- @3 ]  \& @1 x4 r: A

3 d9 X& O. I( p4 i7 X0 p    xor     di,di
* s: P# P, Z" Q5 J    mov     es,di
, B* T- m' s6 }: @6 E. O+ g    mov     ax, 1684h      
6 n9 u. j- O" [! u; f    mov     bx, 7a5Fh       ; VxD ID of SIWVID
- E; O: {  t8 S* \3 o% L0 x    int     2fh
4 q8 K% x, N% X6 L" p9 c    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 K0 K* N' r) t3 w# `    add     ax, di) q, f- I* t; k* h6 U
    test    ax,ax: N7 [2 _/ T" \% h
    jnz     SoftICE_Detected
. r" g& z5 Z. F0 g2 [- T* s
8 ^/ X" o6 |9 N0 X" I+ |__________________________________________________________________________0 K0 n7 C2 V. @/ i% F- }
7 b- n: \: ]5 q
: N$ `: v/ ^) O) f3 o0 [
Method 055 K3 v9 |4 b# e* I
=========, T$ x5 u0 X! Z8 `7 c

$ D) R  `9 R+ WMethod seeking the 'magic number' 0F386h returned (in ax) by all system$ r4 N3 O: L2 A3 q2 O" l, d
debugger. It calls the int 41h, function 4Fh.
# r  q; z: i  k! k. Y) FThere are several alternatives.  
, s& o* m# P9 I# O+ y* l
; j; `- O2 h: j5 C! U# E" Z: [The following one is the simplest:8 N4 u# Q0 Y) p: o$ S0 Q: r

. T) z; X+ i% _0 @" K) k; V    mov     ax,4fh( l0 ~+ p5 `/ e( w! E3 _- F
    int     41h0 i+ r" a! a- Q7 f8 Z+ x7 n5 c
    cmp     ax, 0F386
  S1 i1 K2 q. x6 b3 I    jz      SoftICE_detected9 m- l9 z3 L0 n! Y+ _
3 _. s/ F6 S/ F; w

; }( `# D, f# D: p; PNext method as well as the following one are 2 examples from Stone's 6 k4 J4 d7 g# m- j1 s6 M! S% o
"stn-wid.zip" (www.cracking.net):
7 v5 \5 Y: K0 {. y# b6 r% h; x0 t
    mov     bx, cs+ u3 i# y3 X0 q; _
    lea     dx, int41handler2
& v. I( P  o. N* C    xchg    dx, es:[41h*4]& W1 ]$ D) g1 D/ o; s, U
    xchg    bx, es:[41h*4+2]4 O, g3 n3 W6 Y' R' `
    mov     ax,4fh
; g$ c  I- f" v& p& Q& |    int     41h
, Q; t/ k' {( n    xchg    dx, es:[41h*4]
" S$ |4 i: A- `$ _    xchg    bx, es:[41h*4+2]+ }3 T. x" m: B: ~5 D
    cmp     ax, 0f386h
. o- @8 ?' c2 q7 G: P- _    jz      SoftICE_detected: u2 i6 {% Q( f# j  F1 ]

1 k/ [" P2 u% _0 a/ q1 h( Hint41handler2 PROC% A  Z5 a1 i# Z& P8 A
    iret
- y  S0 [5 ^% I  [0 Qint41handler2 ENDP
6 g# w' L0 {0 z7 H  e* I" z$ G. {+ ~: t0 A2 g3 h

) ^4 n4 T' \& J! x( L3 b- L_________________________________________________________________________
7 Q, N$ J4 H0 z) d( L3 |+ X0 v% v4 @; K: \8 k% A2 }
, ^+ P; @" p/ y  j2 L% j8 C
Method 06
; }2 l& u  `. q4 R" ]=========3 \4 i$ G1 t0 [0 b8 X

; o+ p+ e7 l  w- d+ t
+ R* C. |4 H0 ^! ~' @2nd method similar to the preceding one but more difficult to detect:
% U2 Q# z% ^2 M) f! Z0 {; F% z9 k) x5 e1 ]! U

) C* A- R& f: P7 L  h: }2 q1 |; f. Nint41handler PROC/ s: y& m9 M  I7 Y7 s
    mov     cl,al0 n- e- g( z% n
    iret4 p/ |. c: k' s$ p& U+ k/ s4 T
int41handler ENDP  `7 l: `. A" {

, m) f* y& k( `1 N, I' M' ?4 I$ I" S
    xor     ax,ax; ^& y/ f) S9 o4 ~
    mov     es,ax5 k3 ~8 k! o0 O3 {3 J
    mov     bx, cs
/ y7 `$ L- m$ c6 g) j8 N0 p    lea     dx, int41handler
; ?" ]) X% A% M" o# i" Y6 F. \    xchg    dx, es:[41h*4]  B' z8 y0 U% @& E
    xchg    bx, es:[41h*4+2]
1 v* `: L6 z0 j2 b2 B- G    in      al, 40h( \5 ^- C; m$ P4 y$ [
    xor     cx,cx
: q+ \8 \) w$ V    int     41h6 s4 F6 ~% s) G& d* M/ a1 C0 p
    xchg    dx, es:[41h*4]
5 q+ x9 i9 x$ ?; s! G' n    xchg    bx, es:[41h*4+2]7 m4 c" G0 U. g: A8 t
    cmp     cl,al9 }8 r) i2 p- X! x; K& W8 v
    jnz     SoftICE_detected# C7 Q6 S8 U2 [5 k5 x  w+ N

: Z' p& J2 ~. z# s" k8 X& ?) u_________________________________________________________________________+ D' [  `8 c; s! N5 ~  b" @, `) J

$ p. r( Q& g2 N) Y9 |: [$ @2 gMethod 077 v( m! F, J8 a2 n) [9 R/ ]
=========7 j% e* k7 f, b2 s; J  }3 ?
) w2 Z: K4 i! F4 Q: b8 D
Method of detection of the WinICE handler in the int68h (V86); p2 z6 Q% A% a9 |
! Q3 }% \" U3 D! A) b- w6 O1 H
    mov     ah,43h# p, K$ ]- O! s  Z" `# s" c
    int     68h7 A  a$ f8 ~6 ?+ W9 a
    cmp     ax,0F386h5 t8 ?6 F& J8 v( F! Y
    jz      SoftICE_Detected0 _/ m8 {. F' N8 x

- w  P: B' [0 o5 j! e3 Q; P
8 t# G! X! \2 O8 J, J+ z( w=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: l3 f* F! p; V! L/ T( `8 B
   app like this:
. |' w  S0 j% |, K3 f6 Y+ e, b% D) P: t( H3 n
   BPX exec_int if ax==68
6 R: r" J0 J/ ?* O) Z) q- T   (function called is located at byte ptr [ebp+1Dh] and client eip is
; p3 ^& A$ Z3 \0 {( I8 A   located at [ebp+48h] for 32Bit apps)* S" Z8 d5 z  ?" G) k: N/ \
__________________________________________________________________________
  J7 X! O! m9 d9 l
- O7 A) S' w  K) V/ `3 j% _3 z- u$ _
. ?  H" [' v. {3 f" C6 ^% b4 B. ?0 fMethod 08: t2 b  s( h0 _/ n  m
=========& C# B3 }/ W3 C

9 h5 d  b! p# {5 `  L/ cIt is not a method of detection of SoftICE but a possibility to crash the
9 d' B1 {' j5 O3 p: W; W6 isystem by intercepting int 01h and int 03h and redirecting them to another
! ~  r+ f& r5 S$ mroutine.
% [6 s0 O6 ]2 t/ U$ pIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points8 I. _* O; g% r3 F- N) Z' k
to the new routine to execute (hangs computer...)
* H9 R! M# f, H! G+ ?  q( K! n, V3 E7 N9 k6 y5 S
    mov     ah, 25h
' l. g) ?5 b4 _( @0 |8 |+ \4 K  J    mov     al, Int_Number (01h or 03h)
: u/ |' t! k; z0 Y+ @0 e  ^    mov     dx, offset New_Int_Routine
, ]" T) C3 j6 n- N2 o: g! g- C    int     21h
$ S# C1 u) z- ~" x8 t6 y& v( L$ \( u; [$ R2 `- e4 W3 `
__________________________________________________________________________% p" J9 U" H- A9 w- c
- k9 K4 r: f: O7 [
Method 09' B4 f) Z6 f! Z4 A
=========
: ?! D$ a5 X/ l! ]: }; f% M" ?& V* ~' j0 q6 l! s  |
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
" O, h5 b& k6 b8 Y$ X+ O- Jperformed in ring0 (VxD or a ring3 app using the VxdCall).
0 L+ j) g/ T) c( S0 E5 W# QThe Get_DDB service is used to determine whether or not a VxD is installed2 }4 P$ s$ Y! g' h* G! C
for the specified device and returns a Device Description Block (in ecx) for
, x4 V) y' r8 O  n& K- |that device if it is installed.- Q! x* C. d- o: A

% J  ~; d& Z) n7 a5 W$ B   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
" D4 D1 m, i  X9 x   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
+ J" K; s6 j. d. g* Y   VMMCall Get_DDB
+ `3 r. ]1 a% R5 K( u2 x5 ^   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
. F" G4 z5 M7 L5 L$ j# W" S
) R! M, ]7 j. {% fNote as well that you can easily detect this method with SoftICE:
* i* o' N' X! F" d   bpx Get_DDB if ax==0202 || ax==7a5fh
& Z1 ]+ d7 C. G. L) E! M' B
7 R+ ]4 h: n( @* i__________________________________________________________________________
7 L4 D' O* |* I" X
& c1 C' s( i" y0 |6 A* mMethod 10( J4 M5 `# i- C$ [' k
=========- t9 v; H7 ?( @/ l$ O: [7 L6 g" Y/ S4 g
9 I, Z  B4 P4 ?  y
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with0 k' q9 I+ o# p: I2 m; J
  SoftICE while the option is enable!!
: b% k$ u6 b; d' Z2 s/ ^) D
3 q! C3 M# a% _3 u: T$ l6 H. VThis trick is very efficient:
0 c/ j' x! Z- V, O" ^by checking the Debug Registers, you can detect if SoftICE is loaded5 h" B8 @  S1 y- {
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
/ A4 z4 f: D& E9 T1 Nthere are some memory breakpoints set (dr0 to dr3) simply by reading their8 T8 o9 P5 I$ c; Q' ?0 U
value (in ring0 only). Values can be manipulated and or changed as well
: L5 s' y7 P  q* R9 k5 H(clearing BPMs for instance)" c  k; G  j* p

, q( |( p) c, m" ]__________________________________________________________________________
9 U+ a" J9 d9 w
+ @3 {4 O/ z% K% I0 pMethod 11/ E* s  {7 O" N2 L
=========
# w  V* U7 l# W: z4 F9 I1 e4 {* d! p
. i$ _# \5 I3 G2 tThis method is most known as 'MeltICE' because it has been freely distributed
- L% {, j. _$ `$ S& ^# c! R* ivia www.winfiles.com. However it was first used by NuMega people to allow8 M; Z  o) Y% w6 z. |
Symbol Loader to check if SoftICE was active or not (the code is located! y0 e5 s% x6 h# L& D$ H& i) a
inside nmtrans.dll).
! O6 v; e0 s% ?  P9 r; ?5 j  e
' w  U' u) ?7 _The way it works is very simple:/ X: U# G& V9 \* A! Q! w" b
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
5 t" ]3 j" O1 w; f) oWinNT) with the CreateFileA API.2 x% E# z# u1 O* f, P0 L

8 n' q9 W: M2 {2 A# o. T9 c6 I) uHere is a sample (checking for 'SICE'):' u& V" h' Q4 B  C

; a/ E1 b" g8 z4 a6 s3 Y9 FBOOL IsSoftIce95Loaded()
# g& D* a- M' X, G{
) N5 E6 g4 u% Y" n0 a( B   HANDLE hFile;  / q* Q( T/ O6 `, \9 Z6 \  z0 x
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
" k/ i3 M& F; `7 w7 Q4 J- R                      FILE_SHARE_READ | FILE_SHARE_WRITE,
8 L9 y3 O) L: S; r  w" d# R4 W                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);+ x: k  N# ]5 {& A
   if( hFile != INVALID_HANDLE_VALUE )! e4 v% o3 |) X, J# V
   {& l; z" ^; u+ P. Z, T3 A1 @" \
      CloseHandle(hFile);
; _4 g: S7 Q( n* k. l      return TRUE;
2 A) v, ~. U! }3 w  h   }
0 P; w% m0 |/ w3 T5 x   return FALSE;
$ E6 D% t4 i' e, U0 B}
% W5 R; ~" \9 Z( p& W- S1 [# a& A! n, a7 a" W
Although this trick calls the CreateFileA function, don't even expect to be
6 ~' n# [8 P( S9 g% Lable to intercept it by installing a IFS hook: it will not work, no way!
5 K' h6 w3 Q* @. ?$ j3 g$ {In fact, after the call to CreateFileA it will get through VWIN32 0x001F
% {4 \5 S+ P1 E; `7 c' pservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
% I2 n" o$ W* N* @8 {0 O( f, cand then browse the DDB list until it find the VxD and its DDB_Control_Proc+ W& B  Z* k( p/ `, V$ V
field.
& n" t% D' z- J1 X) n1 R* |In fact, its purpose is not to load/unload VxDs but only to send a 3 Y( F' q7 v& r4 Q% m0 p8 Z3 R
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
0 s0 a5 c+ H% z( [1 a8 ?  u0 ~  zto the VxD Control_Dispatch proc (how the hell a shareware soft could try9 K) s( Y6 u9 [, Y. x
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
, X% D/ o0 L' N* l: g! gIf the VxD is loaded, it will always clear eax and the Carry flag to allow
2 {( R+ F, B+ x% g( Zits handle to be opened and then, will be detected.
: `3 q$ z% o, I/ `2 R! jYou can check that simply by hooking Winice.exe control proc entry point! J, ^$ q' ~% W7 [* R
while running MeltICE.; l' U" m. v* |" z+ m0 n

  G' }" r) ?; ?& g& W, f5 S: b3 e$ t1 j. J# D. c, _! l- h
  00401067:  push      00402025    ; \\.\SICE. [* c* A" S5 }
  0040106C:  call      CreateFileA
( u5 w# h8 O' u) K! x  00401071:  cmp       eax,-001
( t. D- e$ R* P& j4 j5 ~  L  00401074:  je        00401091$ \2 \" K' l8 Q0 T
1 x& a6 Z! ~% B' B4 w9 ~6 O5 Y$ b
$ J7 j, P: D4 K* V4 m; s
There could be hundreds of BPX you could use to detect this trick., M- V! g* L5 Q% Z; t
-The most classical one is:# {4 Q3 {# C) i0 Z, Z' _
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
9 U; e* F! D3 ~; s( W    *(esp-&gt;4+4)=='NTIC'
- G& e9 G% j, ^) J6 R, @4 f& x. B' H" s% b# X
-The most exotic ones (could be very slooooow :-(+ }6 G2 ?% F0 y; A) L0 J, d
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
7 k0 P% d& }. C( t  v. f: c+ U     ;will break 3 times :-(
3 M( V0 }4 I8 D) v
1 |7 u: z1 y2 U! O-or (a bit) faster:
" N0 {3 d, q. e8 a. V- u  d   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  Q3 g1 |2 x" @" k8 U& E
3 H# [* ?6 n) T, M$ Z, N   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
  p. n- m3 d" T1 D6 `1 K     ;will break 3 times :-(
3 N- z' ~; ]+ `; M$ E" z. f* C2 F$ e  ]# L
-Much faster:
  ]5 l2 V! e. e; X" l   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'3 x" C1 O8 d8 e0 w

  `' n, L/ Z- d+ \/ Z6 g! jNote also that some programs (like AZPR3.00) use de old 16-bit _lopen* T6 U) E' B/ p  f1 d9 b$ `
function to do the same job:; ]  g# x0 L" |& B

/ Z1 [; u+ M9 s* g; H   push    00                        ; OF_READ3 f; Z0 C1 C. m7 |) P* \
   mov     eax,[00656634]            ; '\\.\SICE',0
  A" B2 C1 p7 k   push    eax7 s. X- i# y+ m8 _4 N9 {" U; ?
   call    KERNEL32!_lopen6 o# L6 M+ f  ~1 ?# [
   inc     eax
3 t. P7 T8 x' D3 i$ `   jnz     00650589                  ; detected
  D8 z* N% {9 d8 }+ O3 z% O   push    00                        ; OF_READ
% j1 B7 f. i2 V  T0 j7 d* e7 g. D   mov     eax,[00656638]            ; '\\.\SICE'/ v0 m' Z# k, G
   push    eax+ D+ O: |7 T  b; a0 M  _
   call    KERNEL32!_lopen8 m* g" E' F& z" H' N0 \5 U
   inc     eax8 t( @/ d0 ]1 U* ^$ |- D# q
   jz      006505ae                  ; not detected$ a  b5 [) ^8 l. p& _3 ], K) F

5 k7 W4 C7 \' Z8 b; I) |9 s( b  X; ~8 f' h* f
__________________________________________________________________________
# M1 D; Z% ?& e9 R- @, o: v" O" s) O( z/ \
Method 12
- S/ C1 M* \- r" v4 D1 `=========
& Y. s, [  g$ A! S1 t$ D
; F, K: l" a0 U' x7 bThis trick is similar to int41h/4fh Debugger installation check (code 05% Y+ t3 E  c. D" T/ w
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
! {* T6 B3 ]# y% e1 ?as it uses the VxDCall backdoor. This detection was found in Bleem Demo.& G9 J/ M" S  @0 ^5 s; R  n* I
: v' u5 U+ ^8 F1 L
   push  0000004fh         ; function 4fh
) N$ S- k9 t, ]9 Q4 ?" g! H6 @   push  002a002ah         ; high word specifies which VxD (VWIN32)
" }' b( W' N, P7 ]6 n8 Q2 i                           ; low word specifies which service- c  z5 b, j7 u4 z/ @
                             (VWIN32_Int41Dispatch)
& x! e! u- s/ k8 C) y8 _5 ]% t   call  Kernel32!ORD_001  ; VxdCall
6 G* S. B: A  m* l+ p7 \2 y, L/ W8 q   cmp   ax, 0f386h        ; magic number returned by system debuggers
: y) d3 i0 A+ F   jz    SoftICE_detected
, D2 q' U# D  M" T( l* T( ^
' y# b) U- u" VHere again, several ways to detect it:
# d/ M2 _1 e. J. w5 k4 B2 U+ F' m- W0 t  G! h- L% ~4 Q( Y& }  s
    BPINT 41 if ax==4f9 g2 q. K  s; y& X; u6 T, \, M: ?
; O+ z( D- k; H9 n+ z5 p6 v
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one3 k; ^. {+ Y- l0 z/ h

% G& r9 `4 k! s2 m    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
+ q1 G$ _5 \  h3 o+ q
! M. r. N1 y4 s/ I; X/ z    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!4 B; e% t! ?4 ^5 ^- k! a
0 p' N  r& }1 b/ c
__________________________________________________________________________* p1 O) W0 q* Y; ]5 b7 S0 h9 h

2 U$ z/ i4 ~0 N: R" v  k- vMethod 13) Y6 C" w' f4 B1 s9 v
=========; }! d  P* I2 K- f

: t% U9 h* H7 W2 A) yNot a real method of detection, but a good way to know if SoftICE is0 A1 L6 A( B4 p0 p8 g& p- K) p- q
installed on a computer and to locate its installation directory.2 J3 J0 |$ L, C0 s
It is used by few softs which access the following registry keys (usually #2) :1 ]- A) S% m/ f) K8 R

- Z) j2 r- u- g2 P) Z" o# G; x$ t# Z-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 f- Q# n& u! n\Uninstall\SoftICE
0 F% j3 a) Z+ |-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
, s  ?; U; z% f2 |7 d-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! k1 C8 b) E# H+ q5 T
\App Paths\Loader32.Exe
, `/ \4 D* p. n& I. s( c1 L5 F9 M1 R' X+ I

4 d) c% N0 E" X" O6 h. O! T0 BNote that some nasty apps could then erase all files from SoftICE directory
  ]& L. ^# p2 c& ^* z9 M( B(I faced that once :-(
, Y, t" D* _. _- L% D4 x# V# S7 s8 B
1 \/ M5 b2 Z  \8 oUseful breakpoint to detect it:
: W, B# I: s6 q2 |0 w3 k1 b# _
, c( \/ B, Y8 r' [     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
3 E* X: u+ }% p# T- ]: B# m9 f
9 Y+ I- T5 B# |! [( f" S__________________________________________________________________________7 d1 K' m/ N3 p$ V1 C1 K# O

/ a. s$ p' }# n* X! `2 M- l3 `; O) R9 O9 c: G
Method 14
9 F# J+ X* z+ K# R' s* d=========9 u7 Q5 C7 A. v* \; z+ t* K- e: M

6 b. L% D( H9 @! EA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose+ e2 I% a! ]( n" d7 A
is to determines whether a debugger is running on your system (ring0 only).
, M8 ?) Z6 A  _: a% G6 g
; \+ I" s& O; H1 n6 H5 c   VMMCall Test_Debug_Installed
! u! |2 p/ y3 _& \3 [   je      not_installed0 E4 I% A' |5 V
, Y  V$ E/ P: p# u& S
This service just checks a flag.% C, A# U& X/ e0 |! j: d
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 00:17

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表