找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>+ C3 L* b% H& {2 Q* O9 O
<TBODY>
2 r% t, V( O- q! g* G<TR>
; c% V! f8 t6 n2 ^, t+ H) p<TD><PRE>Method 01 : e# u7 Z1 B; d7 M* o3 u
=========
  q4 X9 @7 H$ ]$ w/ g1 C- t
; b: @( S1 O# NThis method of detection of SoftICE (as well as the following one) is
: h. Y) u' Z" \1 O$ bused by the majority of packers/encryptors found on Internet.
! d% }5 Y4 F$ K  UIt seeks the signature of BoundsChecker in SoftICE- `4 V( g& F) B; l

- ^7 t/ o6 B( [) n7 u& Q4 Y    mov     ebp, 04243484Bh        ; 'BCHK'! G# U, ?! R" g# V8 i$ @3 P
    mov     ax, 04h
' [# W% s) H( N  `5 j' X7 d' k3 A    int     3       : e9 p# L9 P& `. h) Y
    cmp     al,40 b8 B! b$ o% y% |5 P' |
    jnz     SoftICE_Detected
) e9 l) \3 W2 p
8 p5 m. ]" z, h9 L! m1 B___________________________________________________________________________
; F. b2 S/ L6 }7 I/ H& |  C
) W- k  @0 l0 w  bMethod 02
, T" J& k4 M3 p8 `* @/ k3 c=========( w9 e( ^3 k+ t6 m: y5 x: x) ~, s

( S9 A" t; O1 b* i0 B' @Still a method very much used (perhaps the most frequent one).  It is used
; |: W. {: Z$ y3 V1 A. x$ Dto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- x! ?4 E  j2 [/ mor execute SoftICE commands...* E4 \6 U1 h# h: k6 o
It is also used to crash SoftICE and to force it to execute any commands
1 I/ ?7 {6 P/ s/ u(HBOOT...) :-((  
' \) k7 {2 j% {* y+ v! U1 a9 n1 D6 j' H3 F  t
Here is a quick description:2 Q: F- o8 X. S6 i  }, [
-AX = 0910h   (Display string in SIce windows): i6 k/ @, j1 w
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
; h$ l/ [5 Z" W! N, ^9 |% q  J! L7 }-AX = 0912h   (Get breakpoint infos)
) w$ i2 @" t/ G, Q3 ^# N* S3 k-AX = 0913h   (Set Sice breakpoints)- J9 f, F/ w1 \$ b
-AX = 0914h   (Remove SIce breakoints)
; v/ H' T$ G* p8 L. s
" j8 l* v- {1 ~8 Z, N! k) W" MEach time you'll meet this trick, you'll see:; u- z. M+ u, y, A( S! D
-SI = 4647h
7 V$ C; g4 W  S. I0 ^1 M1 m-DI = 4A4Dh
6 [" o  ^8 x1 \, m( m+ ?Which are the 'magic values' used by SoftIce.' o; d" K, ^$ Y
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' [! }& B# W  y8 @) @) W: f0 |1 K3 ?: j
Here is one example from the file "Haspinst.exe" which is the dongle HASP$ h, ^& h' p$ H3 ~; U
Envelope utility use to protect DOS applications:% C- [' s; T, P
* J( a, J& [# u  f# G  q/ l
4 ^' D1 F# [" {  y5 b- B% i
4C19:0095   MOV    AX,0911  ; execute command.% A$ ~( x) l7 K* [% h) `6 s
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
0 }; Y: Z* S; M0 m  _: n" X4C19:009A   MOV    SI,4647  ; 1st magic value.
; [7 P! y5 P' z  S" j0 F4C19:009D   MOV    DI,4A4D  ; 2nd magic value.# i* f; ~+ ^$ n3 a& A
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
7 y9 I" w/ S9 h4 R2 P4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
0 s9 m/ Y' `3 u& R4C19:00A4   INC    CX
* ]* Y9 w% C' c- m9 h, A: \6 I4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute) _' i) b8 V/ k) ^8 Q6 |
4C19:00A8   JB     0095     ; 6 different commands.
8 W( K: e# j' J. ~6 i4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
' g6 O2 D6 S4 d+ W6 a4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :), i; r1 J0 g' Q1 t6 d9 |% q, `
& ~2 I3 Z9 i4 Q. k, A' F
The program will execute 6 different SIce commands located at ds:dx, which' e0 e) V2 u9 e9 X/ _$ m; C  p9 ^& c
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.: }7 P$ M  F  g7 _; Y* A

8 k7 @: P  a$ Q! U$ l6 w* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
+ }( A; ?5 ~3 x7 G$ m___________________________________________________________________________, i- y- c# J: p
$ |# _% b" _1 v0 X7 O' |

( \5 f$ v, U8 J4 O' lMethod 035 p* @& x7 U$ y% Q3 C1 r
=========: ^; y( b+ f' s. q2 Z
8 d- l6 }9 j  @# W+ q7 C. o2 p% A1 w, N
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 [$ E# s' {3 Z8 [(API Get entry point)
' `4 t$ R' p3 G9 S        
8 I% V" u$ @( Z# U' V0 |
7 i3 o, v3 P$ g" o1 I$ f: W' y    xor     di,di
$ O. L$ h( i% F  `    mov     es,di5 J& V% P& J7 s" t' M
    mov     ax, 1684h      
# n8 d4 _, `$ A! u2 g7 m1 p    mov     bx, 0202h       ; VxD ID of winice
# o/ \1 N5 {/ e    int     2Fh; {2 b8 b. D) \+ T7 x# A& R
    mov     ax, es          ; ES:DI -&gt; VxD API entry point; d4 U3 N  u* D( h5 k* B! a
    add     ax, di
* H! s& @1 u# y0 Z, ^! y: q5 V6 c    test    ax,ax1 K* g0 @3 L$ A/ m! b/ j3 f
    jnz     SoftICE_Detected+ V6 R+ h% T# |% R

) m/ G4 ^2 H' r___________________________________________________________________________
+ y2 E/ G* i% x# k9 u% V5 U6 L
; W% D2 Q9 P' V" oMethod 04
3 r# S' G  B9 X0 T% i. d5 D=========& W5 H3 }9 \6 `3 K) d" N; {

8 ~. C  U- F' s7 j: v$ aMethod identical to the preceding one except that it seeks the ID of SoftICE
# Z3 B& ^) }3 gGFX VxD.
2 v! `& L: x1 _: w9 r9 k% j9 m0 r  l1 C6 G
    xor     di,di' t) Y3 Z. L. ]! D5 s; M
    mov     es,di+ ]3 }1 F4 C% I, o/ i) i
    mov     ax, 1684h       6 x, i- m* a* J: i3 {6 P5 f1 m
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
$ d, J- [: U! M8 _% x2 `    int     2fh
2 f7 }; r9 i* I& E* O2 G& F9 o    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ |! n$ ?7 R  \) T, e: R
    add     ax, di4 @# w2 l3 }; i( K
    test    ax,ax# n) N) l8 d+ K; N
    jnz     SoftICE_Detected
. ?; l; o, T% ?7 ~  }; w$ H8 ~" Y" y: Q% M6 y
__________________________________________________________________________2 Y7 p: T! c4 s! \4 t" q

! F4 ?" ^9 w6 H! E+ U! l  @1 U' \/ n* w
Method 05; P7 T" O4 S, V; Z+ l( Q, ]
=========
, J1 p. V9 O. t# o  {. P/ r( K2 B$ Z+ q6 m
Method seeking the 'magic number' 0F386h returned (in ax) by all system+ R  A5 v% A% a$ o
debugger. It calls the int 41h, function 4Fh.6 E( H  _2 e) P
There are several alternatives.  ; ?" L- [! B1 Q# G0 a8 i  ]' [
4 |9 H' T& x: i! A3 U1 O' S. g- s
The following one is the simplest:
% o" f; G4 M+ J5 d! M/ k
2 D: Y$ q/ _6 u, I* o    mov     ax,4fh; z  j% H0 D; [- y$ z* m7 V3 ?9 B# |
    int     41h& W) d$ O: ^9 ?4 }& J$ n
    cmp     ax, 0F386
2 `3 Z- {2 G) U    jz      SoftICE_detected9 a. }& j" ]/ F/ `. d0 J" m

% M: W8 `" _' I
; U' k' L$ C2 hNext method as well as the following one are 2 examples from Stone's 1 W8 H# u+ Y  E) C
"stn-wid.zip" (www.cracking.net):
0 U7 p6 e1 j* s% L( V# Z0 t3 o# c6 Y, Z1 [# d7 H4 F
    mov     bx, cs  v5 ^! Z5 c: J4 c! d
    lea     dx, int41handler25 h- I7 P/ I7 H3 Q4 d# {. |% [& _# V$ s
    xchg    dx, es:[41h*4]
6 m3 X1 F* H0 ?4 d    xchg    bx, es:[41h*4+2]
  @( N& I) t; R5 K+ k; ^0 i    mov     ax,4fh5 G+ o- W. j. \+ f" X7 X
    int     41h  r$ F5 m( q/ ^5 ?- a- h% @
    xchg    dx, es:[41h*4]7 t+ a  S; C! Q% {  f
    xchg    bx, es:[41h*4+2]! ?# K9 ]  q0 w: g+ a6 L
    cmp     ax, 0f386h
7 Q+ X& z  w# T9 X5 j    jz      SoftICE_detected6 @# D5 k3 I# a: i% A" T
+ @/ G0 F- i: z; ~0 L! H# [
int41handler2 PROC7 w( F* J& Y8 j$ ?* F; j0 p
    iret
1 B. x# g2 n  k# Y! @! b0 K' x. oint41handler2 ENDP5 Q* B3 z2 E; w' ?# i
5 l0 C1 C( y3 V6 l5 G

- b/ w/ G1 c, \) m7 |. ]_________________________________________________________________________
! E) z) j1 D% I# ~! [( v% s( `6 q, G3 h% i' W
" X( ^1 {4 c: }  k- U
Method 06) A- O- h# e9 |2 \
=========
0 o, U+ D, s) U& j4 o! _' I- A" Y8 q) m8 s- M

6 P0 |6 G0 Y, ~! ~( r2nd method similar to the preceding one but more difficult to detect:
8 ^9 k9 Q. v* X3 u' e% `: O, o9 d" g4 l/ `2 J; |2 p
/ i% I  y' Y# j5 M1 O
int41handler PROC' D  B; x- n" q  Y
    mov     cl,al: E) \4 g  R# r5 b  f6 p+ k4 u
    iret
: g9 A, Z4 Y" R: J2 N0 c' B0 ^' W, `int41handler ENDP2 i$ u3 W# a% N, |3 R' V

- T; r" [$ s+ o. M  U+ k- I6 Y8 n: G. o) A
    xor     ax,ax' C1 g9 n4 U: M; o) H
    mov     es,ax- ~* s/ \6 S" D4 M
    mov     bx, cs7 N' a1 ]6 r' n& Q4 Y
    lea     dx, int41handler
/ n' `5 N5 d& ^6 q    xchg    dx, es:[41h*4]
7 x" U; H' s' ]! u' X    xchg    bx, es:[41h*4+2]
) Q( ]) ^1 P0 O. k+ `7 }    in      al, 40h; F8 t+ M; q5 T" Q
    xor     cx,cx
! A0 N  Z- }7 Y9 k+ f2 j    int     41h. B2 @+ n) Q. c8 X- V7 O. O
    xchg    dx, es:[41h*4]8 ^$ I) g! M7 Q0 I
    xchg    bx, es:[41h*4+2]
3 e; t+ _8 l% F& v0 y    cmp     cl,al
0 W! ?0 Z; \6 M) [    jnz     SoftICE_detected# y5 E# h) ?- \# x& y6 ?1 T( I2 I) C
8 W( R* ~; L: G
_________________________________________________________________________
- K, ^2 m& C, A/ T4 V, C1 r, m- o8 W# Y
Method 07# u( E9 S5 M) \3 g, `
=========
$ }+ ?5 c. B5 k$ W
% b2 A$ j1 p" S* o  YMethod of detection of the WinICE handler in the int68h (V86)
9 b9 w; I4 Q) X3 t; i8 [
6 D& ?7 Z$ b/ O" U1 z    mov     ah,43h" S' w0 C+ z2 k$ Y+ k
    int     68h
) C( b% V6 f" |1 X    cmp     ax,0F386h
7 O; r+ o  Z. @. v0 D    jz      SoftICE_Detected
# o1 R3 h2 g7 z
  O# X: h; k' w! i: {$ b' A/ r; r& T: h7 u- ?5 M; y- ~
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: h) I+ f- p/ A/ p1 L0 X6 f8 O( `% K
   app like this:
8 T/ ]6 B% H/ b/ ]8 X+ z+ R
( z, m6 O* A- p2 i2 t2 |, d9 l  h! L   BPX exec_int if ax==684 I1 g9 M* M+ {8 ~( S7 M+ w
   (function called is located at byte ptr [ebp+1Dh] and client eip is% G4 l" L! k1 S' T& b5 V% r
   located at [ebp+48h] for 32Bit apps)- D7 Z3 }2 H" e9 V3 J' I4 u
__________________________________________________________________________
, }* t- O7 n* u; s" V- k" S* h8 C5 b# b, @! c% i5 z+ Y5 ^: X( R
- M; w3 c, E8 z$ O: m# l/ B8 C/ W4 {- |
Method 08  @2 n) o( r4 y. C7 O2 `
=========
7 Z' B# Q) B# [/ V' g( b& ~3 @
& w) ]# O9 E  G) i/ m! S0 [; g" `It is not a method of detection of SoftICE but a possibility to crash the; W5 F4 {. ~% ~" L' u3 m
system by intercepting int 01h and int 03h and redirecting them to another9 A6 j8 N% H' {, b
routine.9 F2 Q* l7 r" z9 s+ b
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points! a( v# h3 [! q8 L. T0 T3 W
to the new routine to execute (hangs computer...)
. P# J8 O3 Z7 Y- j4 r" C+ i# n* ?( P- Y9 N6 Z3 [# [# {' P. m
    mov     ah, 25h  E; d0 q- a) U' n7 h
    mov     al, Int_Number (01h or 03h)
1 F6 V0 }. ~$ S$ @: u6 E! f1 K    mov     dx, offset New_Int_Routine; E1 {- _8 M3 ^' v4 A4 q
    int     21h$ o  Q# I' V& V% j) r  [: D
' g  m8 H5 T* C$ p6 l3 y! h9 a
__________________________________________________________________________
1 U  }: k4 n; k! |
& N& m8 v  {5 Y. @- x) JMethod 09: I. P  h2 ?6 S7 W! M
=========( T' y( m6 D+ b

3 O) A# m& ~0 j, lThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* `0 U( _+ W/ c5 L6 G4 ?
performed in ring0 (VxD or a ring3 app using the VxdCall).0 W7 R: f. D2 P
The Get_DDB service is used to determine whether or not a VxD is installed& i) @% E0 b; c5 i8 j
for the specified device and returns a Device Description Block (in ecx) for; r4 Z& _, d2 y$ x1 {1 o
that device if it is installed.1 `8 d) E# a( U$ j9 ?# q( Q

8 Z7 S" [% U- \) d( {   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
. l7 l- ]' q( z+ w3 n2 L   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
1 n) n5 @" k4 a! X( S1 I9 m# y   VMMCall Get_DDB: V5 [' v, M  q& X* l
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed+ z+ O3 p' [- ?7 e/ T. j: C' P" W

* z; v: l, `- ]) @* YNote as well that you can easily detect this method with SoftICE:
# Z3 _* f% B3 E   bpx Get_DDB if ax==0202 || ax==7a5fh
. D! {  b* w  P. t* V9 b7 X% T
6 v; Y6 c% ]. o4 e' |2 F: ]__________________________________________________________________________
* O- A6 n% U6 b; k3 E: T6 d/ z5 o% H0 w! ^; Y
Method 10- T$ ^' W3 x8 S$ S$ F5 m- |
=========$ O! B' n7 m" X; E! d

* m2 L( ?, m% e  ?6 F; _- i=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with7 ~( i& s) y9 o4 s
  SoftICE while the option is enable!!
5 a% ^, \6 w& X2 L/ O
9 l+ E8 K9 ~+ w) ]. W7 F; OThis trick is very efficient:
8 M5 x( r3 o7 |. f# ]by checking the Debug Registers, you can detect if SoftICE is loaded' }/ g( W% P8 l# l
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
; i: ~; Z) S# c" W, Sthere are some memory breakpoints set (dr0 to dr3) simply by reading their
, i  Y( Z8 `$ Avalue (in ring0 only). Values can be manipulated and or changed as well
4 B$ M# f$ Q* U2 i& i(clearing BPMs for instance)* x! T) R. l9 `% U3 {  k
* L3 p; f8 d" f# ^' t5 k
__________________________________________________________________________
- ?: i% X7 d# J1 z
( H) X6 H* Q7 C) OMethod 11/ N5 Q# U& d0 k
=========
* m# h/ C/ L* ?( W
/ i4 t0 z+ T/ @This method is most known as 'MeltICE' because it has been freely distributed
* [6 i5 M! t8 Z" \. X' r) F" I7 tvia www.winfiles.com. However it was first used by NuMega people to allow
" O) D( O8 e7 ?5 u. ySymbol Loader to check if SoftICE was active or not (the code is located  |  r1 L6 z- K3 p: C- P* t
inside nmtrans.dll).
8 [2 A' P/ M: A% E7 q5 o8 J: ^
- e% J$ x$ w+ i& j4 Y' u. p/ iThe way it works is very simple:
% [( _( K8 b' m7 N/ D& D& p6 jIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
" R. R0 j; Q8 I# r' \7 C% ^0 cWinNT) with the CreateFileA API.7 c; \6 x) `+ X  l+ ~, v
/ F- d* i0 Q0 Y' h  W' V
Here is a sample (checking for 'SICE'):, D* V9 {' [; Y! s( {/ `

) G' K5 L0 M* E6 {" N9 l5 V, l( f1 jBOOL IsSoftIce95Loaded()
5 K, Z- ?+ O% a0 _. X, W{
$ }% A: L) k  z  D+ |, Z   HANDLE hFile;  , ?: Y  Z- W7 H9 E; w& g
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,, @# c- }0 t: d9 H3 O% F* [0 r
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
  G# f0 r$ l5 _) d& x3 M                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ U4 E9 x) u" g! j+ W* N   if( hFile != INVALID_HANDLE_VALUE ). f" q6 j8 x  C2 ]) x8 a
   {
' K# P/ G4 c. o8 V5 L      CloseHandle(hFile);. H: i8 d( X; h
      return TRUE;3 C# |7 v* [+ c. P8 P- }
   }
7 ~4 a- M  P+ B1 m: q+ v   return FALSE;
7 z1 x8 ~" i  |- s}2 @- W6 q* y& S. N- B

) M, R5 T  g5 r2 ?Although this trick calls the CreateFileA function, don't even expect to be0 b5 y& e# b0 {- U1 j# w
able to intercept it by installing a IFS hook: it will not work, no way!
+ K% D& f& c+ g9 q: n, v  @In fact, after the call to CreateFileA it will get through VWIN32 0x001F8 k. k! T. |. e6 f- r% A
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
% i; |* i& ?+ Z" \8 i: jand then browse the DDB list until it find the VxD and its DDB_Control_Proc' A* K6 S' k! L& I: M: a5 X
field.
# e8 p1 @1 b" V# K  aIn fact, its purpose is not to load/unload VxDs but only to send a 8 g4 o0 P  C" |% X' D
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! t; A8 v" x/ D# y6 t
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 o: o5 ?" o0 U, e- mto load/unload a non-dynamically loadable driver such as SoftICE ;-).' M1 o+ Z' |! A0 v' W- |
If the VxD is loaded, it will always clear eax and the Carry flag to allow& J8 F5 _" V2 S/ s
its handle to be opened and then, will be detected.4 I7 G, \/ W' x
You can check that simply by hooking Winice.exe control proc entry point
: f% [  Y* a! O/ gwhile running MeltICE.
  _6 d& ^) \/ M/ f- s; U& U0 O7 N" W
" m2 B1 i* T. c5 W6 ~$ ~7 I
  00401067:  push      00402025    ; \\.\SICE: R2 R$ h2 T# O. O! g
  0040106C:  call      CreateFileA2 i, @. O/ |' g* L
  00401071:  cmp       eax,-001
4 X6 m! }( W. M$ |  00401074:  je        00401091
' A+ d" s6 O: E- L! ^' t: C& y6 o! a6 z, o0 ~2 D3 N; f+ [9 H/ N
% g1 {7 p4 Z& J. L& C# f' }" d" x
There could be hundreds of BPX you could use to detect this trick.
/ L/ A- j: H( l, Z7 j-The most classical one is:
9 O' y& S! r0 |6 l" i% `2 D  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
+ b9 m# x+ \, B+ `8 N    *(esp-&gt;4+4)=='NTIC'
9 P5 F  X+ j& f2 y+ G+ r
2 w/ w  n0 s' ], a, F0 x% H-The most exotic ones (could be very slooooow :-(* [7 _4 I2 V2 K) r! r
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
. h1 R1 {2 w4 g6 O4 i' _     ;will break 3 times :-(
* r: ?. o4 i) l7 D# J! w5 G. X/ n: |3 Z6 T
-or (a bit) faster: 2 J. u- e* d1 z$ d
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')% \9 Z3 `; M- t, F+ n) Q
' _; |- Z- c9 p8 c8 Q6 d
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
; B2 Z+ R/ V, B9 Q) C, k" `     ;will break 3 times :-(0 |' I- W6 P* F1 D9 S

4 d* Z# e: p& T6 Y-Much faster:
$ K. F5 E: f0 Z# ]9 V  v   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
* X' q, o) K# ~1 ~$ C' E0 z
$ o6 ?. w8 Y$ T2 r/ zNote also that some programs (like AZPR3.00) use de old 16-bit _lopen; L1 \8 E& }! x* J5 B: `$ A
function to do the same job:2 s0 s4 G8 v" Z! c: E
: m. @7 P1 z# C4 \# X; e( P
   push    00                        ; OF_READ; a8 X! o  m- s, b* \' u: a
   mov     eax,[00656634]            ; '\\.\SICE',0
$ y$ a: {3 ~3 I4 ?9 f2 g( a0 L   push    eax* F9 D5 p& i& u! G- _
   call    KERNEL32!_lopen& o' n+ ?# |& P7 E
   inc     eax/ A  P6 X  H' k. i/ W. v( R- A
   jnz     00650589                  ; detected7 m' q7 x; W. u. Y
   push    00                        ; OF_READ
4 f+ |+ j) {& B* A% \& M- W   mov     eax,[00656638]            ; '\\.\SICE'
/ T0 c+ t# i0 u   push    eax
- @% \. ]2 K+ A. }! i( ]   call    KERNEL32!_lopen+ X1 P* p( Q* z" U  [9 Z% o
   inc     eax
* [$ ~9 j6 g# O" J0 `   jz      006505ae                  ; not detected
! k3 L: d& B0 y1 o# U
; F2 _" O+ a; Y/ C# ?
9 T. T2 x) T# D6 l9 u; s__________________________________________________________________________" \/ {- n, Y5 V& D2 B% \

; h7 j: `2 q. fMethod 123 D5 G) x+ _3 u# E4 ~
=========+ O4 |( c/ m) J" E

* m; v/ [" ~5 F/ a2 vThis trick is similar to int41h/4fh Debugger installation check (code 05! L0 p# S$ q/ l2 w
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
4 N* V4 ?, g. f% zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
% c! O5 N7 G! H( w( l% }
+ l9 h' q) _0 }5 o6 k   push  0000004fh         ; function 4fh/ z6 K+ G  |$ x
   push  002a002ah         ; high word specifies which VxD (VWIN32)
8 Y0 r+ R) K. ~5 V2 o. k9 m                           ; low word specifies which service5 g- \& D% I; D% b& \1 V
                             (VWIN32_Int41Dispatch)
  X0 q0 O: }6 r) T; s% U   call  Kernel32!ORD_001  ; VxdCall8 F  @, E% N# @: ^
   cmp   ax, 0f386h        ; magic number returned by system debuggers
" A  ?- t, `+ J" }% F   jz    SoftICE_detected
, V. C9 G6 `3 U. Y+ P4 x6 T5 q. K( W
Here again, several ways to detect it:
4 w# ]- I0 t! D5 F7 P7 y3 L
; e# I6 I. F  {4 I  C% N, p, {    BPINT 41 if ax==4f
6 a" z% ^: i# X* i0 s& ~! g
5 Y1 Z: A* E% y3 E- Z* G    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
8 D, p; i1 ]9 N1 k$ e. A
: S3 N4 V7 T- `    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
. D& S. H  F$ F" F( i2 H  m& }, B1 G) b3 ^( M! F8 U
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
+ @/ `$ z* w# @0 O% o. F+ u  u; k! e* Y$ p
__________________________________________________________________________: i" k3 j4 p' o! K+ A5 L9 Y; |

+ a" u& d+ z, vMethod 13
9 Q7 R" {% V% J$ [' F=========+ e+ s; A( {- {- ^4 s. Z

, W2 C5 q' C& u8 u# s  ~Not a real method of detection, but a good way to know if SoftICE is
- E+ e; f" k1 binstalled on a computer and to locate its installation directory.
1 }6 d, J' q! f- o6 jIt is used by few softs which access the following registry keys (usually #2) :+ X) I% o4 |+ Y( b2 w

, m5 z* v' U! C1 C-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion9 D/ B; q8 P) o
\Uninstall\SoftICE
0 E* ~$ L0 j5 M2 W; r-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
0 ^: B4 ]4 f, o/ g" c- w-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion/ E2 S" J: x( x/ Z  h! |" Z* u
\App Paths\Loader32.Exe
; O( l- r0 ~6 y, L4 a/ ?2 o
9 F  w9 l& |5 h& v
8 {- B1 z- ?8 J. C. N7 pNote that some nasty apps could then erase all files from SoftICE directory/ v; i2 X. v) |2 U+ L" Y
(I faced that once :-(3 d  ?8 R0 T/ I+ Y; B& f, K

8 h( o7 T5 V# m" N( kUseful breakpoint to detect it:
9 Z5 R+ q2 D" _0 e2 n- h- N; ]& C$ @
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
. O; X  ~3 {* ~/ S0 v0 z
/ P% z! c6 N) J+ i__________________________________________________________________________# ~/ ~7 X, M8 F& N, I
/ M9 d" c& h5 V$ Z9 M

4 i( P( q4 k; \, OMethod 14 + a! [/ Q5 S: W: R3 _
=========
" W1 [9 S- \$ Z8 c8 h
  k! j3 a7 P2 a, [" TA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ U  G4 w% s7 `. R3 ]is to determines whether a debugger is running on your system (ring0 only).
5 c& r$ `& b5 y0 b2 s! p6 B% w" t; g) l/ Z. _
   VMMCall Test_Debug_Installed. \# V. l2 }. r; G3 h
   je      not_installed
! f, s: Q: `  C9 d0 x4 ^: j6 G5 B9 c( E1 d4 M/ a; t
This service just checks a flag.: A+ Y  e4 o! |- w
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 14:43

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表