About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; es must be 0 here (the IVT), see method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
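These tricks are easiest to deal with when they are spotted before tracing. As an added example that is not part of the original post, here is a small Python triage scanner that searches a binary for the instruction sequences and strings listed in the methods above. The opcode encodings are standard x86 written out by hand, and the sample buffer is constructed for the demonstration, not taken from any real file.

```python
import re

# Added example, not from the original post: byte-level signatures for the
# anti-SoftICE sequences described in the methods above.  Encodings are the
# standard x86 ones (16-bit operand size for the DOS-era tricks, 32-bit for the
# Win32 ones).  `.{0,N}` gaps allow unrelated instructions between the
# immediates and the INT, as in the Haspinst.exe listing of method 02.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (66h prefix in 16-bit code)
    "Method 01: BoundsChecker 'BCHK' int 3":
        rb"(?:\x66)?\xBD\x4B\x48\x43\x42.{0,16}(?:\xCC|\xCD\x03)",
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3  (back door magic values)
    "Method 02: int 3 back door magic SI/DI":
        rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}(?:\xCC|\xCD\x03)",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "Method 03/04: int 2F/1684 VxD ID 0202/7A5F":
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Methods 05/06: mov ax,4Fh ; int 41h ... cmp ax,0F386h
    "Method 05/06: int 41/4F magic F386":
        rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,32}\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "Method 07: int 68/43":
        rb"\xB4\x43\xCD\x68",
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "Method 12: VxDCall VWIN32_Int41Dispatch":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 11: device names handed to CreateFileA / _lopen
    "Method 11: SoftICE device name":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: the registry key most programs look up
    "Method 13: NuMega registry key":
        rb"Software\\NuMega\\SoftICE",
}

def scan(data):
    """Return (offset, signature name) pairs, sorted by offset, for every hit."""
    hits = []
    for name, pattern in SIGNATURES.items():
        # DOTALL so that a gap byte may be 0Ah
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)

# Constructed sample (not a real file): an MZ stub followed by the sequences of
# methods 01, 02 (in Haspinst.exe order), 03, 05 and 12, then the strings of
# methods 11 and 13.
SAMPLE = (
    b"MZ" + b"\x90" * 14
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"            # method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"        # method 02
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"        # method 03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                        # method 05
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                            # method 12
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:08x}  {name}")
```

A hit only says that the sequence is present; the SoftICE breakpoints given under each method are still the way to confirm it executes.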