找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>- c3 R; F: A  {9 ^* @) T* b. u
<TBODY>) _) x$ P  }/ F
<TR>/ m( d# n1 m8 e1 L% E8 U0 c6 l
<TD><PRE>Method 01 9 N4 L- h' V  S9 F/ Y# T0 `
=========) M4 L# z; Y; E. O) W7 l3 d8 e( P+ k

' v7 P4 g, R0 E' x& |This method of detection of SoftICE (as well as the following one) is0 \/ d/ M6 m4 y
used by the majority of packers/encryptors found on Internet.
/ _. f3 |; q, B  BIt seeks the signature of BoundsChecker in SoftICE
' S, ~6 ~, G8 ?+ d
& K: b& n9 A* V) w7 ^* h2 Y    mov     ebp, 04243484Bh        ; 'BCHK'* }" u$ e' M0 {+ I9 r- J! t
    mov     ax, 04h
/ a/ Q- ?( N6 E2 {. x    int     3       7 {0 `- L. q* e0 ?& z
    cmp     al,4+ w6 [3 \# _) J6 c8 K
    jnz     SoftICE_Detected
: Q5 f* E6 S: z& ~. ^$ t* `5 e9 p7 `. W. n* W
___________________________________________________________________________" I4 q: ^* [6 }

: A/ w8 H7 I+ s+ P) Z8 C+ ~Method 02
. V$ @3 Z5 b7 }* ^' i$ X=========$ e5 C9 X( p, z# B5 @& R
  J* m3 u" Q$ m2 O1 g& |; Q
Still a method very much used (perhaps the most frequent one).  It is used5 V7 V8 l$ O2 C  D( ?) a
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,7 z! O2 {( U! s1 D* y2 L) a
or execute SoftICE commands...
; o; _- K! S7 F8 I3 X1 n' r0 G4 LIt is also used to crash SoftICE and to force it to execute any commands# B" N: s8 I  a; ~* ^4 B
(HBOOT...) :-((  
9 f0 B! [" S8 Z7 \$ Z3 y; j, K, i4 x7 V# R
Here is a quick description:
, ^8 c* X+ L: U  {0 ]-AX = 0910h   (Display string in SIce windows); ]% `! n$ v# v6 @
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)# Z* X2 E" h( r( K/ n
-AX = 0912h   (Get breakpoint infos)
4 C! `' X/ G& k7 d; g( P8 s; r* n& q-AX = 0913h   (Set Sice breakpoints)  ?% _- ^6 J) y- G' M4 ~
-AX = 0914h   (Remove SIce breakoints)# S  S6 y/ \- t' M1 {' E

& x* d6 y+ E' p: BEach time you'll meet this trick, you'll see:- n  h0 O, ~! F# S+ [- K8 b% e& A/ \
-SI = 4647h. {# z3 ^5 L% j$ p9 l
-DI = 4A4Dh* U( c' p; ?0 w
Which are the 'magic values' used by SoftIce.
* f* o" h6 f' ]& l, O! O/ z3 w% [% xFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
. @9 B  v3 m# v9 p5 n7 Q+ g$ J& z) h6 W% {' s) C2 N4 [& e1 e
Here is one example from the file "Haspinst.exe" which is the dongle HASP7 t4 Y" C: O0 N) d4 B8 L
Envelope utility use to protect DOS applications:5 q; u' G# \3 M6 X: B
$ l$ P: v2 ~: L. w: w# }( g9 S

% n/ d! i2 g2 ~3 X0 Q! W4C19:0095   MOV    AX,0911  ; execute command.
1 o" D' O* Y" C, n) @( f! ]2 P( g) F& H8 H4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).7 O+ s2 K6 C+ k8 K# Q3 e3 a- ^5 K
4C19:009A   MOV    SI,4647  ; 1st magic value.& t4 J4 l: o# D& i# y. z& _1 p1 k
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.; e$ Y5 T+ M2 _# v3 `4 E- P
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
" x( X4 H1 F8 m& u4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute9 h. u, v9 `3 W
4C19:00A4   INC    CX
4 m$ _# S$ t6 P4 s4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute+ K$ u: x: Z+ g* N  ]
4C19:00A8   JB     0095     ; 6 different commands.
! w" W7 u: q* k% U; G- R8 h) E% z4C19:00AA   JMP    0002     ; Bad_Guy jmp back.( `( C% S/ B+ U! x* |1 \9 m2 m
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)- ^( b# V2 J! G5 k

" `# C! B0 l8 L/ _# K1 s5 cThe program will execute 6 different SIce commands located at ds:dx, which
  o6 B# ~$ O+ mare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 m/ B0 _! O! ^
5 j2 ~% W0 x) H# D6 a* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.0 H* _) g% |' C7 ]; L+ d
___________________________________________________________________________- L" i  h3 S& N8 N

9 j9 {9 ~: F, n5 S& F" H6 @+ M
0 l. x9 G1 K+ S9 DMethod 03
# W+ z+ o6 S3 j=========# L2 e4 m6 [' Z& U* L
" N# d3 G; z" z2 _& G3 E4 P! A
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h5 F( Y+ r1 S) {: C9 s4 O3 E/ C
(API Get entry point)
# ~/ C* `+ L* d  y9 M        3 r. m# e+ E: e

7 V, Q/ {7 P, l! O! U6 F- W    xor     di,di/ w" j6 W3 u( t2 u
    mov     es,di. H4 {# i$ m. @/ t4 ~. \# j6 p
    mov     ax, 1684h      
1 K4 S$ L( E% K+ O    mov     bx, 0202h       ; VxD ID of winice
* Z4 T3 h% y# c& ]    int     2Fh
1 X( K5 P) \' e' z. o    mov     ax, es          ; ES:DI -&gt; VxD API entry point
+ i9 ?, ~, H' z    add     ax, di
, j6 j, Y1 @9 c& Y0 U& m    test    ax,ax
& T: Q* |$ p( s- a! Z* T8 }. @    jnz     SoftICE_Detected
/ P8 q, |# ?4 F8 a- s$ U9 [. b- A& b* \1 N
___________________________________________________________________________
( M. I& Z2 u1 @+ ?$ `! Z" v6 ~2 F( O2 |; L! K5 X5 R0 x, x
Method 04
8 ]" w/ V  t' T=========& R+ [% R# L7 c1 L6 Y" v

. @! I) V6 O+ R( K0 nMethod identical to the preceding one except that it seeks the ID of SoftICE
# m3 n* n1 }$ y* X' W+ B0 EGFX VxD.& g4 @5 p" j9 Q; q0 b% w  l) G

3 B4 e. Q/ F% G3 O4 i! W8 p0 Z    xor     di,di
) w1 p3 P' N1 q. l    mov     es,di
5 m' v  f% c% Q& h    mov     ax, 1684h       6 O" o0 N' @9 F3 j7 z
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
- N) e* s5 X9 d# D    int     2fh: B1 g  N3 j1 k2 ?: m
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
! S# f3 m7 O) L* j4 [    add     ax, di
' R7 [, s/ C& J- V4 V. p    test    ax,ax
) Z: c* l8 M% I+ b* Z    jnz     SoftICE_Detected
- [4 g& {+ n1 f/ i
% ~  @1 d% u. M% `3 `: ^8 _  H__________________________________________________________________________; X* c" i% {0 d4 R' N

. U0 c/ D1 k9 G# b% ?  p, Q
# `* X" {3 |" ?( ^6 W( MMethod 056 K0 s8 q4 ]- s/ x4 S6 s7 ]7 F
=========; w6 ]9 v" c$ y# o7 ~

* Q% R" r' O% B0 `Method seeking the 'magic number' 0F386h returned (in ax) by all system
& r5 I5 }8 K3 u. I. w2 C& Tdebugger. It calls the int 41h, function 4Fh.3 K* ?/ i7 c( k9 O6 F: b+ g
There are several alternatives.  % T, X; ]0 u6 @
, i" H- Z, `7 j- |# o- g
The following one is the simplest:
9 Q$ R' |& z& u1 B' a/ Z' \$ U* A( {; C- N
    mov     ax,4fh- X5 {: i! P" ^
    int     41h
) X! X/ c4 U: b  r5 I/ B5 W2 v/ T    cmp     ax, 0F386
2 k& Q% l! n- m" }7 @* c    jz      SoftICE_detected
4 j) x. u% ]) ?
0 H: \' c* @. m& l! N
* k1 }2 v# Q, s+ fNext method as well as the following one are 2 examples from Stone's
6 q0 q  J& z$ P2 _# I6 g"stn-wid.zip" (www.cracking.net):! _5 P2 K: e) n: _. ?6 g8 D
' s6 [) w$ k- `8 h2 q2 O$ _* g
    mov     bx, cs
$ _5 Q( z0 I8 E8 b    lea     dx, int41handler2
* R5 J% o. h/ [( m% @( F    xchg    dx, es:[41h*4]
; I% L: v0 Q9 s2 k( V    xchg    bx, es:[41h*4+2]7 |4 f8 M: q/ q+ z" d
    mov     ax,4fh# P+ y: R' J( `! k2 l; o
    int     41h* P4 b0 v/ o* k9 M+ R( u; r# j
    xchg    dx, es:[41h*4]0 A  H4 F( c% J7 x) S" h
    xchg    bx, es:[41h*4+2]
6 w$ ]" d7 f. U& K    cmp     ax, 0f386h% U0 q' Y2 r) {/ ~; q
    jz      SoftICE_detected) l  a* T7 W2 e5 i4 Y

# i( D0 Q% g2 x: r$ g3 aint41handler2 PROC9 M9 K: s; L1 w
    iret
; s+ ~" ^( q. W8 rint41handler2 ENDP9 `) {& G! o- x( N& B$ T3 W3 ]% B

  e- A1 R' ^. P# |/ S- ~1 _; J' A9 q6 L% q9 q
_________________________________________________________________________
# J5 T2 d  Q  i6 Z- o& _- U) W- z7 K% n7 w' y3 _
! G7 g& X5 V- E& [; w
Method 06
9 o7 B# g  `1 _=========0 O. s7 x) f1 |# F5 v3 W' T5 J4 e

: k3 _2 d5 b) r- _* i# K7 h( F& D) P1 b$ ^/ J8 p. U) R6 h
2nd method similar to the preceding one but more difficult to detect:! M& s! X' P: l+ X
# D0 M4 o3 ]/ x5 a1 M& Q
- o. Y  i0 q! g* T* e! \9 ?( t$ s/ e
int41handler PROC2 O& I) c( ]0 b% O
    mov     cl,al
5 [9 ~! a+ e2 }5 w    iret
  Q  B$ r2 u. g% m# Pint41handler ENDP
, A, s% e% d; k. {) ^, u, e$ b4 l* [4 Z+ G9 O

/ q4 Q1 w4 O3 M2 A- q! s: Q- v    xor     ax,ax2 \$ E7 x, h, O) O- _4 T
    mov     es,ax2 A3 o2 k0 n6 p. V
    mov     bx, cs
+ T  j$ W& d# ?8 S# \( T& l3 \6 p6 K( ?    lea     dx, int41handler6 Q& _( Z8 g$ u/ I! z5 N% J
    xchg    dx, es:[41h*4]! {3 c" R& H9 y, }% ^+ J4 N
    xchg    bx, es:[41h*4+2]
# u. }' {7 t0 o    in      al, 40h5 L% b6 g+ [  c! P. J* k/ _
    xor     cx,cx
! S! h. ~) s! e) o+ Q1 p3 u    int     41h4 W% P" W1 ^6 y! A
    xchg    dx, es:[41h*4]+ k8 t( q& t, W8 ]8 F6 G( j: T: r; x) H
    xchg    bx, es:[41h*4+2]
( u3 I. c! K! A* _8 M    cmp     cl,al
9 P' ^! M3 ]) L& Y) _    jnz     SoftICE_detected$ |& \5 w' ~: u$ g
4 [6 m+ |5 v% T$ n1 K. l* r! c
_________________________________________________________________________% N! V* C1 T3 H" B
9 D- s3 X! v; y! V% i' u
Method 07
' U: r, @/ J) h! k7 c) k=========
/ b$ T2 ~0 h; K3 Q% h
, w# Y' z$ V3 yMethod of detection of the WinICE handler in the int68h (V86)
$ r# T  C$ J: Q6 ?! R2 Y) Q+ v  v
0 @0 ^- i3 g. T7 U( U" L; E/ F+ T    mov     ah,43h
1 K( v8 @  s# ]( U9 T. k5 N7 u5 {    int     68h
0 u) a( s$ N# ]0 k    cmp     ax,0F386h
2 l0 b3 Y8 m, z* C% X% c    jz      SoftICE_Detected( i0 P% m9 S& O/ a) ]# S2 R
& k! N4 c+ r; b% A. P0 E: k
8 d$ A/ z2 b& Q7 g( M
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
) c. t$ l; c' A* C   app like this:
; @" v' m, A, Q) {& _" J# R0 L# \. k( I( C1 g8 e! n# |
   BPX exec_int if ax==68
7 s) ^' W& {: e* u3 }6 S   (function called is located at byte ptr [ebp+1Dh] and client eip is
+ e/ W1 ?; E' K; O  @8 O( C   located at [ebp+48h] for 32Bit apps)
; R/ k# P9 B; ]3 m2 |7 O__________________________________________________________________________0 @5 S8 ]8 p3 G; I4 r

6 E, ~0 Q  w, L) B4 z( n- L8 E2 e5 a6 b" V) i' q: }$ }1 h
Method 085 x0 Z% Q0 k, O
=========& e. R& q3 B/ M
8 d2 K: o( d- \0 N  _9 b! V
It is not a method of detection of SoftICE but a possibility to crash the, d, B" z( |- T
system by intercepting int 01h and int 03h and redirecting them to another
+ ~7 a, e% ?' E* wroutine.7 O9 \9 a/ i# G$ ]8 V
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
  i/ n7 D, u" u5 b8 \, Dto the new routine to execute (hangs computer...)4 _: D2 M) A, |5 g3 V9 N
8 C' J) T+ Q- j
    mov     ah, 25h' D: F/ o% w! `# C4 ?0 @; }
    mov     al, Int_Number (01h or 03h)- ]" q! F0 [( H( o# \* X! h; p
    mov     dx, offset New_Int_Routine
3 l1 M* P2 J7 a8 ^, f4 I. b    int     21h
, @3 L0 h' O  h3 @8 Q& W# s/ ?- Q. _
__________________________________________________________________________
% P5 e2 c3 n2 x2 o) R+ C
" R5 ^+ r/ P" T% E3 a5 L9 k# QMethod 09. o4 ]0 g0 k) R) {2 Q! e# ?
=========5 R4 t' Z0 W: O

: v/ n- M( t" H+ eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* n% l: A" i6 p* j9 Q6 R% m6 z
performed in ring0 (VxD or a ring3 app using the VxdCall).+ E% K$ @8 Y5 }# k! t
The Get_DDB service is used to determine whether or not a VxD is installed. ~. B4 x) D2 A+ G
for the specified device and returns a Device Description Block (in ecx) for
/ r  g# R7 r3 _$ Cthat device if it is installed.
0 }( c: S" K# v+ {/ n% h3 e9 a) h; b0 I. x
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID; {, E1 J8 {9 k' p: }; d: e
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)# L4 m* X) x" i) V& l
   VMMCall Get_DDB
& N& W8 m9 M* v/ P5 D   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
, i. ]: I7 k3 P" r+ a& M
/ T3 t: g  L$ B( Q* P; b/ eNote as well that you can easily detect this method with SoftICE:
; Q  i) M) z2 H4 x! P   bpx Get_DDB if ax==0202 || ax==7a5fh) w4 e2 h* M; c+ r9 z& X2 f

7 g: f3 ^0 Y6 M__________________________________________________________________________7 }% Y) l' G# \- j( U* A) |
- C# L' v  l. X! V
Method 10( l* S3 e2 t$ ^. [' D. I
=========7 B5 J+ P6 }! J" ]" W! Y

3 j0 x1 k/ ~' E3 e1 w=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
" [" h0 ^: O( S# f' P  SoftICE while the option is enable!!8 A: w) P: z( Q# w" i

  V+ J! p2 q1 k# ^This trick is very efficient:
  H$ |+ k& g6 K& d" z9 Tby checking the Debug Registers, you can detect if SoftICE is loaded6 Q4 F1 A  T3 x; Q' P
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if- Z, x7 }5 q/ W. e1 f) w6 R- w( F
there are some memory breakpoints set (dr0 to dr3) simply by reading their, K: v! I5 i' T5 o: x
value (in ring0 only). Values can be manipulated and or changed as well
* X9 X' O6 X$ v# p( P(clearing BPMs for instance)( s4 ?. B  J% o& l8 p1 `5 h& m
9 Y$ X  s1 I4 {1 o
__________________________________________________________________________
  d0 A% U, G: C7 f
' J( ?. r8 m6 KMethod 119 H% x, t# \8 s2 T7 t" i3 {
=========
& R' t. b) R9 F$ _2 B# |* q0 p3 t! p! p( V6 b; n1 J- N
This method is most known as 'MeltICE' because it has been freely distributed7 J/ d0 {$ D( f& {0 I# [
via www.winfiles.com. However it was first used by NuMega people to allow$ L4 s+ a1 K8 U
Symbol Loader to check if SoftICE was active or not (the code is located! K! q. k; {7 {7 g" ~
inside nmtrans.dll).9 l  K6 \- S" {5 b5 u
0 S9 k& ^8 Y7 H  `3 O
The way it works is very simple:. Y+ A! Z  e/ z. ?) f& F2 o$ u! A
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for9 p4 }) a% \% Y7 m; q7 m
WinNT) with the CreateFileA API.: f# A% `1 V' s

% z# d. X4 L) i# S  d. A2 wHere is a sample (checking for 'SICE'):, D+ @9 U* a; U7 L
" v4 D$ }9 l9 i* E
BOOL IsSoftIce95Loaded()/ N3 h  W* Y6 ~
{0 _) v4 t; E; W4 x* A4 N  m7 B
   HANDLE hFile;  
3 p% l; [5 b9 f, I# X   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ b! l4 w9 [" b+ f0 S; C, V                      FILE_SHARE_READ | FILE_SHARE_WRITE,
% M" U3 C" n" Y* i8 A  t1 A                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; G( r) H/ [# o2 L2 Y7 j: H
   if( hFile != INVALID_HANDLE_VALUE )5 A6 F& k. N6 M  I( a0 E
   {
1 L  H* _0 N* r0 Y8 W- p; `      CloseHandle(hFile);
: g  O) ^9 I' V% T% N8 j      return TRUE;' L' [: U4 t. u5 d. c  l
   }0 F2 O- }" {8 x' I6 ]
   return FALSE;  p$ s; {) k! C, O& C
}
6 ^# C# a5 s+ H3 F, a& Z9 z  b' ~
# `; \5 b; n  p9 d. M3 `' W; g0 o: H) XAlthough this trick calls the CreateFileA function, don't even expect to be, N7 s" |9 p5 I, K
able to intercept it by installing a IFS hook: it will not work, no way!
* F6 u1 b- N" {) NIn fact, after the call to CreateFileA it will get through VWIN32 0x001F" e, K* I7 n$ T. ~" U
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 G, L4 Z0 `" X' d* Q
and then browse the DDB list until it find the VxD and its DDB_Control_Proc  C% A6 ^5 X" s
field.
2 R! f; b; Q- f7 Z7 j2 l, P" BIn fact, its purpose is not to load/unload VxDs but only to send a / `# B. H" y4 G0 O& `. A* d5 T6 a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). l8 z6 T/ \6 ^# g$ P8 D
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
' L" C2 H7 m8 n' o" Fto load/unload a non-dynamically loadable driver such as SoftICE ;-).8 ~0 @3 B& i/ N$ M
If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 `% K/ m. t& A/ I; O' F$ \its handle to be opened and then, will be detected.0 {- o7 ]* J1 E. E' ^# E8 p0 X
You can check that simply by hooking Winice.exe control proc entry point- h+ p' I" j6 q
while running MeltICE.
: Z7 c1 w$ x0 J& |( F4 G* D6 q8 U( J2 Z" G
  Q) Z& V! |0 u; q8 S+ E, ?
  00401067:  push      00402025    ; \\.\SICE
# x6 v- S# Q2 A$ \: ]+ D  0040106C:  call      CreateFileA* b' d, ^- o) z6 S9 T. n0 S! A
  00401071:  cmp       eax,-001
. z/ x* u1 q$ t4 ^( m  00401074:  je        00401091
9 S. [) A* \8 F% p7 G; a) W. ~$ w- z% z$ y) V

) j6 p$ n0 g/ ~0 @: P: ~There could be hundreds of BPX you could use to detect this trick.
9 D2 g' d. u! i2 R, ^4 `" D& w-The most classical one is:1 B/ |7 C- X3 M
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||# `* D  L. ]$ l3 H0 k
    *(esp-&gt;4+4)=='NTIC'- m# J: L* x9 q

5 ]! ]6 b0 M; a; J* ^-The most exotic ones (could be very slooooow :-(  `# y/ Z7 T: n4 g. H
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  0 G. E. i) }* s% Y' b1 Q
     ;will break 3 times :-(( Z6 H& k, H8 _. x2 g" t
6 l3 e, A# c# Z2 v/ b# I0 i* c
-or (a bit) faster:
4 c  D% ]  N0 V: a   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): w2 }6 S5 x7 z

# z/ K4 X  Q- L! h   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
+ o% p) t* O+ P& z$ b     ;will break 3 times :-(
. F. d# f9 ?1 A2 b, t0 K: c% {. t( F: o$ T+ B' p  }
-Much faster:" F! ^  x! H' n: g
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'2 F0 c3 C; x! j1 }# p, V# C& |: z
2 N" Y1 R) J9 e! A/ i) o! g5 q! _+ G
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen) o7 L& V- w1 h
function to do the same job:* t3 e, @1 q) e" A. K

. @7 W, N' V9 w0 ~2 \   push    00                        ; OF_READ& H- E- I* M/ x6 l$ _- K
   mov     eax,[00656634]            ; '\\.\SICE',0" o, ^  I( k( c1 C) `4 Y6 T
   push    eax
  ^* `6 f9 Q1 a! }3 J   call    KERNEL32!_lopen
0 S. |- a  b! W/ ?   inc     eax
4 t% X: E, Q/ g  Y5 u   jnz     00650589                  ; detected& Y( h! Y. ]) N6 d* v
   push    00                        ; OF_READ0 G( a8 ]4 y' n( i9 x4 @
   mov     eax,[00656638]            ; '\\.\SICE'
) d' E6 w, [  T! W+ P   push    eax
  @8 f2 I( U) E! v( G( f8 M   call    KERNEL32!_lopen. m2 J9 f# r# @, s& x, U
   inc     eax
  G9 c& Q* p, L1 t   jz      006505ae                  ; not detected
& }  f" A0 y0 {1 a! u+ T! @2 r! w$ M+ J/ g0 I6 Y# X
- E$ X5 y& V7 N3 M" S& g$ a
__________________________________________________________________________' S( o+ y9 G1 _) ^: o2 L

1 Q& V% G* t' SMethod 12/ Y/ K$ p+ M  G/ R2 {- T( A
=========
- Z, b# h# J$ w- n7 a! Y/ X, q" N( E9 @9 m" G
This trick is similar to int41h/4fh Debugger installation check (code 05) m# o0 t: e7 b8 J+ w$ t
&amp; 06) but very limited because it's only available for Win95/98 (not NT)& P) Z# G3 L0 O% E& b9 K- {- G+ G
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.  V: @) z: S: x- |9 x+ F& E& V* Z7 l- [

0 \! I6 _0 E( T# q' A4 i# M2 Z6 B2 ^$ H   push  0000004fh         ; function 4fh; y# f# q/ a) p- M
   push  002a002ah         ; high word specifies which VxD (VWIN32)1 z# {' |# O" g" g" a, D& {
                           ; low word specifies which service
0 m, `1 k9 ~- g                             (VWIN32_Int41Dispatch)
. L# G7 t! V! B# L5 h' L   call  Kernel32!ORD_001  ; VxdCall( _5 N( b, r3 G. Y# r0 s
   cmp   ax, 0f386h        ; magic number returned by system debuggers
) T' a9 j3 g4 E# r. g( O$ E$ s   jz    SoftICE_detected
1 W  D$ R3 Z& u, Y; A) o7 q3 y5 k. d, B, b) C/ z+ }) r8 V
Here again, several ways to detect it:
) L3 I' v) V7 x% Z' ^# G9 r3 e1 Y- Q" c2 x9 V9 Z" K
    BPINT 41 if ax==4f  X( l9 ]3 r/ N4 Q
& R# ^& \: G' o
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one$ x6 N  K0 w$ j+ j6 ~/ \
  w, D: v( M8 \* c
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A; B3 Q4 o# n! t8 {9 [* ]

: G4 c, Z$ a- q5 b1 q$ h+ ]7 R" Z    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!9 e* z  ~1 `, e& z, c6 q

5 V" L# s3 c1 E# B: o+ `; c) I/ L__________________________________________________________________________
; G$ S  ^2 b1 l' P9 @, n3 U
* N0 i0 h& N% v# LMethod 138 X. r/ D( F9 C$ @1 a
=========
" P- d1 c) x  D6 L! C
% B' a' u+ v& uNot a real method of detection, but a good way to know if SoftICE is: L4 y& t- ]/ x( t& m  U
installed on a computer and to locate its installation directory.  Y: k; Z5 F+ U# i* E) p- v' s1 X3 P/ L9 k
It is used by few softs which access the following registry keys (usually #2) :" m0 ?& s/ y) {' L+ c
% M/ \2 s, d0 b- b  Q. U( `9 e
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion8 `- M- {: _$ t* w  A
\Uninstall\SoftICE* s- B, `( I$ g( G
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! i. K& X/ y7 Q6 w% Z1 Z, o  b-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: R( ~7 l' [" |) S
\App Paths\Loader32.Exe
) Q* _# v. D) d2 z% K- {1 _; a( i. n' d1 v! G
. O0 |' T, o6 G! n$ U3 Q9 @, E
Note that some nasty apps could then erase all files from SoftICE directory
& b2 {: u8 p; S: Y(I faced that once :-(
/ Y( ^  Q7 p3 ?% Z; ?3 O6 L) X* b" T' [
  l& x1 I( }$ r5 f! m! |Useful breakpoint to detect it:
# B* ]4 l4 c2 A. Y! F
7 A& g* i8 o+ F     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
* c. B( V) E" O* ?7 f5 c8 l2 p8 I9 m2 C
__________________________________________________________________________, Y' C) H% E# s) N* C: ^5 W8 R

! K* H2 K2 _. r5 A) `  B( i& T
; q* X8 s4 b+ D0 PMethod 14 " O% T! o4 K' U, e5 ~6 Y
=========
1 |. h. Y5 F; a' S7 a- R2 `" U$ _- l6 n# [1 {
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ S, `& ~5 |% u. t' X# yis to determines whether a debugger is running on your system (ring0 only).
. t5 T$ h* ~8 V$ S) N7 X3 k' l+ P! Z- _
   VMMCall Test_Debug_Installed
/ w2 q3 i+ G4 `. e0 M   je      not_installed/ t& ^% ~2 Q; S+ P, D: f
* H1 O  d, E" e9 f
This service just checks a flag.5 O# y  g0 t: A# P
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-10 10:13

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表