About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get at the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less-used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 (the IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a timer byte: an unpredictable AL
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless SoftICE handled the call itself
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
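Method 10's dr7 values decoded bit by bit, as an added example that is not part of the original text (the function names are chosen here): bit 10 of DR7 is reserved and always reads as 1, which is the 0x400 baseline; bits 8 and 9 (LE/GE) make up 0x700; and the L0-L3/G0-G3 enable bits together with the R/W and LEN fields show which of dr0 to dr3 carry a memory breakpoint.

```python
# Added example: decode the DR7 bit layout behind Method 10.
# Bit 10 is reserved and always reads as 1 (hence the 0x400 baseline);
# bits 8/9 are LE/GE (both set in the 0x700 value seen with the SoftICE loader);
# bits 0-7 are the L0,G0 .. L3,G3 enable pairs for dr0-dr3; bits 16-31 hold
# the R/W and LEN fields of each slot.
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # io needs CR4.DE
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # 0b10 means 8 bytes in 64-bit mode only

def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its flags and the enabled breakpoint slots."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                          "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),   # general detect: traps MOV to/from DRx
        "breakpoints": slots,
    }

def softice_indicators(dr7: int) -> list:
    """Return the Method 10 indicators present in a DR7 value."""
    d = decode_dr7(dr7)
    found = []
    if d["le"] and d["ge"]:
        found.append("LE/GE set (dr7 looks like 0x700: loaded via SoftICE loader)")
    for bp in d["breakpoints"]:
        found.append("BPM slot dr%d enabled: %s, %d byte(s)"
                     % (bp["slot"], bp["type"], bp["length"]))
    return found

if __name__ == "__main__":
    # Constructed values: plain 0x400, the loader's 0x700, and 0x700 with a
    # 4-byte read/write BPM armed in slot 0 (L0=1, R/W0=11b, LEN0=11b).
    for value in (0x400, 0x700, 0x700 | 1 | (3 << 16) | (3 << 18)):
        print(hex(value), softice_indicators(value) or ["nothing found"])
```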

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include "windows.h"     /* Win32 API declarations */

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SoftICE Win9x driver by its device name */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;       /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
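A static scanner for the byte patterns of the tricks in Methods 01 through 07 and 11 through 13 above, as an added example that is not part of the original text: each signature is the instruction sequence the method lists, hand-assembled (16-bit encodings for the DOS tricks, 32-bit for the Win32 ones, with an optional 66h prefix so the other mode matches too). The 24-byte gap between the halves of a trick, the signature names and the sample bytes are constructed here.

```python
import re

# Added example: scan a byte blob for the anti-SoftICE tricks of this page.
# OPT66 tolerates an operand-size prefix; GAP bounds the distance between the
# two halves of a trick (24 bytes is an assumption, not a value from the text).
OPT66 = rb"\x66?"
GAP = rb".{0,24}?"

SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BoundsChecker BCHK": OPT66 + rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC",
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door magic values)
    "02 back door magic": OPT66 + rb"\xBE\x47\x46" + GAP + OPT66 + rb"\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "03/04 int 2Fh/1684h": OPT66 + rb"\xB8\x84\x16" + GAP + OPT66 + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ... int 41h
    "05/06 int 41h/4Fh": OPT66 + rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41",
    # Method 07: mov ah,43h ... int 68h
    "07 int 68h/43h": rb"\xB4\x43" + GAP + rb"\xCD\x68",
    # Methods 05/06/07/12: cmp ax,0F386h (magic number of system debuggers)
    "F386h magic compare": OPT66 + rb"\x3D\x86\xF3",
    # Method 11: driver names handed to CreateFileA / _lopen (ASCII only)
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 002A002Ah (VWIN32 / VWIN32_Int41Dispatch) before VxDCall
    "12 VxDCall 002A002Ah": rb"\x68\x2A\x00\x2A\x00",
    # Method 13: registry paths that reveal a SoftICE installation
    "13 registry key": rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
}

def scan(blob: bytes) -> dict:
    """Return {signature name: [offsets]} for every trick found in blob."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, blob, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits

# Constructed sample: the page's snippets hand-assembled, separated by NOPs.
NOPS = b"\x90" * 4
SAMPLE = NOPS.join([
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",   # Method 01
    b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",           # Method 02
    b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F",           # Method 03
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",                   # Method 05
    b"\xB4\x43\xCD\x68",                                           # Method 07
    b"\\\\.\\SICE\x00",                                            # Method 11
    b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3",  # Method 12
    b"Software\\NuMega\\SoftICE\x00",                              # Method 13
])
CLEAN = b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\xC9\xC3"   # an ordinary prologue/epilogue

if __name__ == "__main__":
    for name, offsets in sorted(scan(SAMPLE).items()):
        print("%-24s at %s" % (name, ", ".join(hex(o) for o in offsets)))
    print("clean sample:", scan(CLEAN) or "nothing found")
```

Real binaries can split a trick across far more than 24 bytes or build the immediates at run time, so a miss from this scanner is not proof of absence.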

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 (Wenshang Information Port), 鲁ICP备19052200号-1
