找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
5 I. x" l; F# {" h<TBODY>) N( ?9 k' T3 v0 T4 Z* F
<TR>( F( y8 ^, E2 [. |1 C
<TD><PRE>Method 01 6 i8 ?' A7 ~# X. o' A6 D4 |8 H" b
=========
0 Z: W9 \  |% I* O7 a/ d( m6 h
- S# Y5 F6 x) A5 I; O4 cThis method of detection of SoftICE (as well as the following one) is$ S1 x' X3 M7 Y. B$ @
used by the majority of packers/encryptors found on Internet.2 P& o8 W$ n% q) p/ q# b
It seeks the signature of BoundsChecker in SoftICE: ?- ]6 j7 D4 \3 w/ ]

( T# _2 Z/ A9 f9 f: }    mov     ebp, 04243484Bh        ; 'BCHK'
7 w+ m/ H8 T! P    mov     ax, 04h
5 f6 V( X- x) D8 W- Q( i: n, s) h: P    int     3      
: ?0 h# f1 S% d8 H/ W' _7 b    cmp     al,4
1 \% C( _- O; Q. A7 O/ T/ x    jnz     SoftICE_Detected
8 n3 `; l$ G( w" B& e0 x; s6 A. u2 B9 a; D; E' T
___________________________________________________________________________1 a! @$ E! P( p' U  c
! j5 t- h2 v  h# C
Method 023 V7 r% R" I9 d! }
=========
" A% q8 w/ D" V# s3 \; T8 ^2 L9 M5 B. N! ^% S
Still a method very much used (perhaps the most frequent one).  It is used2 Y3 w  E! f. J/ e" J1 ]
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,; g: I" a% m; v& c" x/ q
or execute SoftICE commands...; h; g+ G4 o$ {' h; k- r
It is also used to crash SoftICE and to force it to execute any commands$ b. w' X* K1 x) x- N8 s- z5 N* k
(HBOOT...) :-((  ; N" R5 K9 G" {( h' V3 X
( {" f/ p0 I( R2 K1 F  o
Here is a quick description:
$ P/ }) E( n" U# p-AX = 0910h   (Display string in SIce windows)' S; Q( z  |; Y: d! R+ W/ n
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
# T8 g6 R& Y& S1 J3 _' m( h. u1 M4 g-AX = 0912h   (Get breakpoint infos)
) u2 Q: g8 b/ q! c" _- n% ~-AX = 0913h   (Set Sice breakpoints)! e. ^# H( C* Y
-AX = 0914h   (Remove SIce breakoints)
( @$ p" C# R3 K- y; ^- u1 j
0 K, t3 m( s! Q7 k$ \6 cEach time you'll meet this trick, you'll see:( A1 m: d/ G# Q: |4 m& G
-SI = 4647h
3 N- m% |( g/ m! P0 V4 I; n2 v-DI = 4A4Dh) w# [* S6 e* c8 a$ C% E
Which are the 'magic values' used by SoftIce.9 P9 V" m& M0 E8 F& m  c2 U
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.- u3 x# L+ ^/ h  k) U) h* [" x& t1 g
( e7 |/ `/ x. \7 h: I9 `! {
Here is one example from the file "Haspinst.exe" which is the dongle HASP
. j  ]$ ]$ n# [' s8 j0 vEnvelope utility use to protect DOS applications:
4 y5 A/ G: A7 X- H, l9 ~' R: V8 \! G0 o- S
8 {3 z% ~. ?* c, t$ G# C
4C19:0095   MOV    AX,0911  ; execute command.
8 |) y& d+ W" d+ h( b* p4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
; u0 o: D3 a$ K4C19:009A   MOV    SI,4647  ; 1st magic value.
) [) `1 z4 Y" h5 O, Z4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
1 V$ R" I8 u1 |. `4 X4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
/ K3 \( j" c! U3 L% e4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute# H) }  H! n2 p
4C19:00A4   INC    CX6 X3 C; f4 a; S' R8 _
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
% ~6 l* ]& |6 m2 \) P7 {9 T4 h4C19:00A8   JB     0095     ; 6 different commands.
2 G# C. i5 c# `( R4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
) C, X9 Y9 o: d  y4 F7 W4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :); U$ Z- V6 Y; Q

; _# W4 a. B: yThe program will execute 6 different SIce commands located at ds:dx, which8 U& z$ d# Z/ ]( `) x
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
  m: e& `4 J3 T) A6 u
2 {( c% h! F0 j& e- @* ]! p# L* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
% E' h+ u, }1 X3 B1 ~___________________________________________________________________________
* B- |/ K$ Q5 x3 C; D' z  K4 w! g: L1 R( G4 f. F# l

1 o9 N# q8 f) n( fMethod 03
+ }5 n& e# s& |=========
+ y5 R( ?: C4 ^* M' ]. ~  h6 L" Q5 ~7 F5 v& `  |& W
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h. [/ }8 a4 p2 ?7 r9 K' l
(API Get entry point)8 p+ b8 g2 q# q: @( o
        
; E" s2 z8 v; o1 N/ P1 P# H
. w# X5 b2 [) e6 B: \3 ?3 S    xor     di,di
# @5 u' J9 o7 `1 q& U    mov     es,di
2 j9 u& v; K8 z- I- y3 J    mov     ax, 1684h       " ]: J% `& ^& b* G
    mov     bx, 0202h       ; VxD ID of winice
; i# j/ @  O$ A    int     2Fh( k4 ^+ i, {6 N: g' E/ I' `! Z
    mov     ax, es          ; ES:DI -&gt; VxD API entry point  N1 c/ W# {+ Y8 G! y" t3 \2 M
    add     ax, di
- `' s0 m& n* t! R1 J/ ^+ [    test    ax,ax3 n& B, q; t( o' i1 B. V7 a
    jnz     SoftICE_Detected
+ V8 P6 _) @4 p, c8 `
$ s# G* h+ ?2 B) g- l; R2 E! b  u___________________________________________________________________________
8 z( i& }; _7 o/ ~* L
1 l9 v9 |6 W( h# E8 ^Method 04# _" q* p1 \; P$ V7 U
=========7 I) p, Z$ m) p9 T4 Y

! ?" \- ^, l8 X* q$ pMethod identical to the preceding one except that it seeks the ID of SoftICE  W2 e: o2 U1 q& N$ \
GFX VxD.3 M3 n2 G0 u: ?. ^' k5 e& t/ U
0 v; a3 V& E( W/ t
    xor     di,di  I5 w' G3 a6 h* X* A' F6 a& y* x
    mov     es,di
3 [- [1 N& R" S    mov     ax, 1684h      
* U& I$ P+ i+ l    mov     bx, 7a5Fh       ; VxD ID of SIWVID/ \. t  ^  i/ l0 e' j6 `' \, o4 v
    int     2fh
) `" G9 f9 G7 n8 U1 m    mov     ax, es          ; ES:DI -&gt; VxD API entry point/ h' K+ p6 _1 I/ E7 J
    add     ax, di
, t" t2 c1 c' a7 g! ^+ o    test    ax,ax7 z( R% T0 N1 l, z) f
    jnz     SoftICE_Detected
6 H, ?  v/ s6 `& S/ r
6 x6 U: |4 X" D1 N__________________________________________________________________________! l9 I, D9 A( |& x. _& f

0 b% A& `; a1 _4 y7 J1 \# x1 C
Method 05
& y' X* Z$ J5 Y( T+ r& m7 u=========, F3 n' [( |# W% h4 d
5 u6 w. ?0 f' A9 R, e0 j
Method seeking the 'magic number' 0F386h returned (in ax) by all system
# O8 f( S1 @, s8 r8 adebugger. It calls the int 41h, function 4Fh.
: [- m& s, R8 R4 X/ lThere are several alternatives.  
& M2 R% c5 d8 h# k% i) i6 w6 @7 V3 C- |8 P3 X, v1 l
The following one is the simplest:
7 _( O6 \' P. H. U7 u4 {+ _0 q* {5 R
    mov     ax,4fh- y" Y8 W: Z, J2 J7 O+ a" r
    int     41h) ~& }* z$ @9 H  e
    cmp     ax, 0F386
' W5 g' }9 h7 e# y    jz      SoftICE_detected
4 g0 y1 y3 O$ v" P
- T6 {/ u( P6 y6 L
& u4 X  W# r% j; s/ cNext method as well as the following one are 2 examples from Stone's
: m: t& g1 {8 {7 f"stn-wid.zip" (www.cracking.net):
' F$ @4 y. m) N* S; i
# ^0 \0 b% D# ], n) J    mov     bx, cs( Q5 i' d& i) X9 D) i
    lea     dx, int41handler2
- o; k( X  F. r6 I# m    xchg    dx, es:[41h*4]
+ G6 n: h( b$ @    xchg    bx, es:[41h*4+2]
8 R! v) c3 }/ c) d8 d    mov     ax,4fh0 X; k) P4 }7 T
    int     41h6 |6 C: X$ S7 z: c
    xchg    dx, es:[41h*4]1 y; O- ?4 l6 t
    xchg    bx, es:[41h*4+2]- _0 ], g- J2 i/ n  n
    cmp     ax, 0f386h
" b7 d* @2 B2 C    jz      SoftICE_detected
0 E" ?6 G) `, }, c* R! s6 }* {1 v. L; A/ c* j
int41handler2 PROC* t* T# S8 r7 O
    iret% a3 K9 v, r! R* [. F  n
int41handler2 ENDP
% p3 q# X4 ~% N6 ~# C4 h+ s4 D+ y# q# R3 U4 L

3 U* e5 p. E) P5 U  ]/ R8 y_________________________________________________________________________" G& h' R5 ^. I+ n

: x4 M0 G) H, F# X1 ?
/ H1 l" O6 f, \3 o' Z) IMethod 06, q% a% u. {+ [0 V- s- t
=========5 \* Z' z( c8 E0 N) N$ c3 O

5 M* ?( x  R) R$ k6 r$ h! `3 Q$ O7 ]' Y
2nd method similar to the preceding one but more difficult to detect:  _& b* ?3 @8 P& {+ |

8 Q. P+ }# {/ H- M2 F/ ^* _  q3 z& b* i
int41handler PROC8 c3 V. {, {0 b
    mov     cl,al
4 ^. ~" G+ ~6 M! c( }6 \6 l    iret: ]1 l2 g& R% B6 i* I: V% m
int41handler ENDP
( w2 \' X  n/ l7 L( ~" z: ?2 W& X, r! y  e, X+ u" _9 X1 B$ l5 G
# K9 `. S) G4 C/ p  I
    xor     ax,ax
6 e! m* W& z# \& N, F    mov     es,ax3 d3 M& D% _" i. D
    mov     bx, cs
* x5 e' o2 q* q! T% H    lea     dx, int41handler% _) K% w8 k% a
    xchg    dx, es:[41h*4]0 |2 Z' \" ^( E6 O! H; |8 L! Y4 U
    xchg    bx, es:[41h*4+2]
9 j8 N7 w$ }6 y    in      al, 40h9 m' Q& s0 [; u
    xor     cx,cx
5 L- B1 y; g5 B, i8 w! u7 M    int     41h
! e8 `! c8 j# M% c3 f# p' Z2 U    xchg    dx, es:[41h*4]
# @# B: o7 W2 ?% d    xchg    bx, es:[41h*4+2]8 y$ Q6 L2 O4 x& l! U
    cmp     cl,al0 B3 h, q; t. x3 h
    jnz     SoftICE_detected2 v8 P4 l- d, c* c5 r8 @6 `, R
8 M) R; I2 h" E
_________________________________________________________________________
  A) h0 Y! m1 A, |6 `& f8 \% v# E' S# a$ P' Q6 ~( M. _" _1 h* |
Method 07
/ x: ~/ A+ |7 }! P=========
4 c) _! ^/ L' W+ o8 E' E6 Y5 r! l2 S4 p* D" U( N, D& B% }
Method of detection of the WinICE handler in the int68h (V86)
2 b& C- Y! N5 Y) ~- ?' P% X. X9 O+ Q0 A3 s! w
    mov     ah,43h2 G6 r4 }/ |' f: O7 u
    int     68h6 a& g4 A$ v, }6 [" i
    cmp     ax,0F386h
, R6 o: D: [9 T5 H) Z# x    jz      SoftICE_Detected
" P) C4 b$ s: @: {- W1 J- |* ?# |3 _; q0 U: Y
1 i: x0 I/ i+ T5 @2 q
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit, o+ Y' Y0 h  x3 t, ?: Z
   app like this:
2 R6 Z) Y7 r/ d4 ?0 h+ }( F
, k1 l% J- K; F6 h  g- j" ?' X   BPX exec_int if ax==68
8 P: k/ C" c! m0 @, U3 H   (function called is located at byte ptr [ebp+1Dh] and client eip is/ B& M, l4 ?/ O# D
   located at [ebp+48h] for 32Bit apps)  {/ z% ^) d2 K0 E
__________________________________________________________________________
1 x2 p8 i8 a+ E9 m
% U/ x( y& ?% O; ^( \( K. K0 N* X
/ e0 F  J4 @" K& @# F0 r; O; AMethod 088 G: P) \% U2 L
=========
& O( T: c, f% x$ F" L1 R; W+ f; @4 Z% L6 _' Z& r
It is not a method of detection of SoftICE but a possibility to crash the
, B5 M0 E+ C: V) Nsystem by intercepting int 01h and int 03h and redirecting them to another
4 h5 x- h5 p# u. D9 froutine., A! o" p6 }7 S
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
$ ^$ Z1 a' u) Z+ h  ]2 _; Eto the new routine to execute (hangs computer...)
* A: k' U$ J( r6 L; v" P, e; F
    mov     ah, 25h
9 j; `  F2 |( J, D    mov     al, Int_Number (01h or 03h)' |! K$ Y; {/ e7 ?) t
    mov     dx, offset New_Int_Routine
" p. I& r7 q& p( ]) }4 m    int     21h
3 T, `5 k% B0 e! ~# U- O+ h  \4 B2 h* v% s- B# Z+ W) B- m, K( V
__________________________________________________________________________% [4 D/ H  [7 x7 n7 B' f; V/ L

% }3 r0 v3 N- O: @Method 09
5 Q$ s. v. D6 o=========' |% t; o& I8 r* [, r+ W* f# F2 O$ W

$ l, a; t, g/ d9 I9 O4 zThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
. F  y* w& z/ s/ {performed in ring0 (VxD or a ring3 app using the VxdCall).
3 G7 M# ^: d. t2 c% F7 |The Get_DDB service is used to determine whether or not a VxD is installed9 c% R& y$ ^2 q3 E! ~9 o9 `
for the specified device and returns a Device Description Block (in ecx) for% U& u: P$ V3 w0 L; Q- M. `
that device if it is installed.
8 X4 u1 t% `; p% S9 |/ G2 U! W+ f5 f& E
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
7 z- ~4 F; N0 O/ [* ^   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, e* }9 e3 G: u   VMMCall Get_DDB
$ I! m* q* c& j& Z( t5 N& }   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed/ C# e4 ?6 `) E& E' P7 r! e
' ]/ F( v! ^3 t/ R
Note as well that you can easily detect this method with SoftICE:
2 X! W7 _  C2 M$ c- I# d   bpx Get_DDB if ax==0202 || ax==7a5fh
; G1 c/ D  T- O( ]: C3 ?
) @0 ^: ~' x6 p" {+ S__________________________________________________________________________
1 h+ Q# F9 P* e3 s! U' |
+ H- Z) @% ^$ Y6 bMethod 103 K; i, S- F7 i7 a# v" J* O5 U
=========
8 l  a* y$ ^* k/ n. Y! Y0 N" H0 R6 ^5 g: B, N" }0 a+ _2 x7 H$ p
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with, I" w% s+ Z, [  q. c+ f% }, A. @
  SoftICE while the option is enable!!  t, X* V; v8 \4 i$ k3 H
7 |; [+ H% R9 l1 k( c1 K" Z& ]
This trick is very efficient:
! _/ D0 B& a% |; ~by checking the Debug Registers, you can detect if SoftICE is loaded6 S0 R$ ~, ]" x) F) C
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 ~! i5 c2 A# h; z8 bthere are some memory breakpoints set (dr0 to dr3) simply by reading their1 N( y! l6 y: {
value (in ring0 only). Values can be manipulated and or changed as well( f% e- M: p3 b% e6 ?# g% i" Z( X: B9 i
(clearing BPMs for instance)
  F3 U! ~9 m% t# `( w5 L
4 z; s- e; j" x0 o9 {& Q" y__________________________________________________________________________; c6 f, I0 u7 B1 p9 t

. J) [$ q7 B8 r% w4 t: C' _+ qMethod 11
; q9 V4 K9 d( J' |=========
; K7 B6 o/ h% ^' S8 R& M7 K% o# a6 _7 `6 g) z3 G% r) q  ?
This method is most known as 'MeltICE' because it has been freely distributed# s) g. \, w( @' f4 a# `
via www.winfiles.com. However it was first used by NuMega people to allow  h+ q5 C5 l; @
Symbol Loader to check if SoftICE was active or not (the code is located/ V; N% F" u+ P5 ?6 S( ?
inside nmtrans.dll).8 e; u( h6 F% b$ B8 L8 L9 F- _$ a1 A$ C

* k/ X: p. A6 x  VThe way it works is very simple:
: ?, j- L" {% N. ]: lIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 ~, B2 n1 E. k  n* T* B6 F: M
WinNT) with the CreateFileA API.7 H% A3 x. `7 R9 j* `$ {
+ Y# a4 h) a* E1 c
Here is a sample (checking for 'SICE'):
; S( \/ }5 s2 o8 O. P8 \) i: y, X8 k0 `3 F9 {7 t. d, B
BOOL IsSoftIce95Loaded()$ t( _' l9 O$ c$ [( O+ W2 j
{- b4 M9 Z' \7 h) v2 l- {$ j
   HANDLE hFile;    z7 F& I# g" P
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
4 d: f( v  D, }# V# E& E- u+ W, P                      FILE_SHARE_READ | FILE_SHARE_WRITE,
) a5 g9 s' i& `- a, D4 M                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 _; u/ ?* s% ?: [, G
   if( hFile != INVALID_HANDLE_VALUE )
( _3 r. _" w0 O0 J' G3 f$ Z) o" ^   {
6 X  z; Q) t* ?2 ~$ ^      CloseHandle(hFile);
2 K4 }- a; @) \5 K& }: D      return TRUE;8 b( b; R* i% o7 ^  w
   }$ }% n4 P2 E# o. u4 B
   return FALSE;( t3 n; I2 m& v
}; y. y/ @5 y* Y% m% i
( n6 x& x1 k) m' J2 f
Although this trick calls the CreateFileA function, don't even expect to be
. p. E5 s; P9 y1 |able to intercept it by installing a IFS hook: it will not work, no way!
. W/ W3 {( y. r# W7 N& Q, VIn fact, after the call to CreateFileA it will get through VWIN32 0x001F# n6 {/ u# W& O+ w& R3 i9 b. w
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
$ u* O: U- b- \5 Wand then browse the DDB list until it find the VxD and its DDB_Control_Proc8 d6 Z& O0 V- ?4 _' I
field.
, y! w' u% A- M4 EIn fact, its purpose is not to load/unload VxDs but only to send a
' \, K" }4 w- e; l1 {+ tW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
% @: ], ]' J  g; A2 J/ o9 Cto the VxD Control_Dispatch proc (how the hell a shareware soft could try* R, t. P# U; O  P# k4 q
to load/unload a non-dynamically loadable driver such as SoftICE ;-)./ r+ j$ d. N0 @0 f2 r
If the VxD is loaded, it will always clear eax and the Carry flag to allow
+ i. r3 K" a; w8 H+ q9 o8 r6 E$ Z' U8 n/ Xits handle to be opened and then, will be detected.
0 g$ h+ y. k/ w2 p3 {- |2 D  w& VYou can check that simply by hooking Winice.exe control proc entry point
' @6 D) v* T% a) hwhile running MeltICE.+ M2 J8 S0 v/ ^$ Z$ \0 u8 e

4 n1 y3 ~8 l  |! a0 T5 o
# r: M* u1 c: i) n  ]  00401067:  push      00402025    ; \\.\SICE
; Z: u8 F" ^. F; O+ `  0040106C:  call      CreateFileA7 x  \. I! ^" e4 x  _1 E1 \
  00401071:  cmp       eax,-001
2 Z- H, g$ G/ m0 Q: [5 R$ f  00401074:  je        00401091) S* ?8 t% `; y3 V$ b8 U+ E
5 s! q. p& i, A* v* `1 X
* h- m9 n( ^5 T6 C
There could be hundreds of BPX you could use to detect this trick.
0 `4 Z4 ?1 B. A-The most classical one is:$ E: q: z' E/ g3 J) ?
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
2 a& z; O/ I8 M( L! f) `    *(esp-&gt;4+4)=='NTIC'  x, d8 F/ S" A% B' s

  g; `( Z7 k& ]4 M: C' g' i9 Z7 ]-The most exotic ones (could be very slooooow :-(
7 D/ \  c0 Y9 ~$ S4 _& h   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
2 `9 {2 Y& |& o. ^     ;will break 3 times :-(
5 }( H9 Q6 `4 i3 R0 y% c
& {2 J  |6 x: n/ [! H' {) T-or (a bit) faster:
# ]$ ~! F0 w0 P/ S& L) Y0 U4 _& v3 C   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 o3 d3 N; {+ H4 }2 z+ L! ]0 T  u/ P- _
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ! O3 Y) J6 c, e4 \& G6 P" p3 C* K
     ;will break 3 times :-(+ Q, v: [- K$ i  Y( w
! F0 e5 M: {) `% a; L8 c
-Much faster:
1 n0 P" B" a' E   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
, h2 B/ g7 ?+ R1 K8 L/ F% h$ s% w1 ?& ?: o& w
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen' J4 T2 A9 w  `1 s' d5 K* O
function to do the same job:2 L- ~1 u+ r6 `$ t5 W' e+ Z7 H) T. z
; {2 p( A0 e4 l% m# T3 p! R4 N
   push    00                        ; OF_READ
# ^+ `. Q8 _$ ^, s( e9 A4 |   mov     eax,[00656634]            ; '\\.\SICE',04 D1 n2 a, z$ z& H. C; i- H. W
   push    eax/ I: J% @5 d' b+ d2 l
   call    KERNEL32!_lopen: d1 {% ~& g' G8 l8 d
   inc     eax* R1 {2 k6 i% [# ~3 t/ I% |5 S
   jnz     00650589                  ; detected
& K! |* J( h3 M; g1 v4 _   push    00                        ; OF_READ, g6 {9 w5 X4 K) y. j& ]
   mov     eax,[00656638]            ; '\\.\SICE'
2 d2 k5 p. [: Z' L' i& J: n/ H   push    eax
# c8 [! u; W5 ]  p# P8 s* w   call    KERNEL32!_lopen
& P* X% y- v& S' |+ H   inc     eax3 ~( g7 y1 F- p/ e
   jz      006505ae                  ; not detected
! N+ H, c5 ]. Y5 B1 i% Z/ e9 _
! S) [1 J5 r6 z2 U: k5 V  b1 f
' d; @- k* _( h9 D- }' f__________________________________________________________________________
# _$ H1 L0 x. V9 y2 t3 [# a8 ~( O# |( t" L# t1 C9 G: ]
Method 12" q, C# q) [9 [8 I
=========
+ L* L9 o8 e4 D. ^
9 Y7 M' X& r; {% Z' V; P. bThis trick is similar to int41h/4fh Debugger installation check (code 055 _. [7 |+ V& G  q7 J
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
! I) f% m1 K3 _1 u. I$ Y5 E; Sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.  ]# q. x1 Z. G

; `/ `3 J1 g, Q: T' b- @" y5 N5 \( E6 Z   push  0000004fh         ; function 4fh% k% A" t. Z  @- Z
   push  002a002ah         ; high word specifies which VxD (VWIN32)
2 }9 w6 A7 ?" s+ x% q8 h                           ; low word specifies which service
6 r  D: J3 [, m) F% K- O: e                             (VWIN32_Int41Dispatch). c, g1 d8 O8 a
   call  Kernel32!ORD_001  ; VxdCall
  D) [; j/ l* F+ E- T   cmp   ax, 0f386h        ; magic number returned by system debuggers6 a7 }+ v5 [& i% e6 x
   jz    SoftICE_detected% ]% @8 a9 ]& t( Y+ a4 C3 {
' ?: P  H  _. F; X# J
Here again, several ways to detect it:
5 k6 [- W- |4 x5 v5 [
" e+ a; l' N: a2 p6 t) N9 ^- H3 H    BPINT 41 if ax==4f
: L. l0 v( C6 N  q. X: m& _6 _  k$ R  `: U8 u3 F
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one$ w6 n% F- U3 e/ R4 N
# G9 y( a! C% d0 ~* {9 [/ \- g' A
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
3 ]9 n" T2 z+ ?& h3 s4 {  F$ g; s: P7 d7 w, m# d2 L$ m4 Q
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
$ k% j: u4 x; E+ r3 Y5 Y9 e  O. X' z
__________________________________________________________________________2 G: j5 i: g0 c. M% W

7 I7 L% C4 A: }0 x8 ?- ?6 gMethod 13* O% ~0 N& C% F
=========
$ V: @- E6 T6 V% p. c: a" L0 ~; r
$ v  b# [' ]. t% d" [Not a real method of detection, but a good way to know if SoftICE is2 e! e$ |4 B8 y, I
installed on a computer and to locate its installation directory.
5 d: @3 b& X9 l, V( D0 v- AIt is used by few softs which access the following registry keys (usually #2) :
/ n# v$ j  A* P2 i
  S9 d$ _2 G$ R# ^+ r* _) r) i-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  k% y6 X+ [( C5 [( R; B! g* `\Uninstall\SoftICE
8 |8 K3 S0 D' |2 Y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE$ D! e- ^0 a  J% x* S) E( l
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& d& S/ E1 C9 D& ~# o
\App Paths\Loader32.Exe, b8 B9 h! N& L9 e2 [

/ ^; D5 |- }' s8 {% ]4 [$ I  s0 J$ A
Note that some nasty apps could then erase all files from SoftICE directory
3 U. \* ^- n8 j(I faced that once :-(* c" i6 n3 o$ k8 Q* a8 V; H

) H4 r4 e1 }: aUseful breakpoint to detect it:/ ~" \; }+ w0 L+ B9 k- J) }$ ~

5 w; X2 w) G& C, C$ X     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'. R0 v( Q) r# y+ f
( W, \# q7 V# u+ b" T
__________________________________________________________________________7 Q  w" G7 B$ ]$ N2 Y

& o. O! p! I* s- m+ ]
! `) @& h. J; f+ f& i; A/ d! ~Method 14
7 {6 g0 T* z. p8 \. z. e=========
. e: c) g, u( W& q5 x
5 V* O- \+ J. c5 @A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* [% `, M$ C4 x! e( kis to determines whether a debugger is running on your system (ring0 only).
  O2 b& X9 b$ _% N- v
, {2 S" `0 A4 _) ^' M; X; Y2 A   VMMCall Test_Debug_Installed0 f* E, V' @/ R- t8 {  N
   je      not_installed' a; [: P6 s6 h5 M

5 B9 j" s1 e3 m( }% M! @This service just checks a flag.& T3 B! z5 T& H; ?  }- d4 L6 {
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-7 07:03

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表