About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
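The following Python is an added example, not code from the original post: it is the kind of hook an analyst puts in an emulator or debugger script to recognise the Method 01 and Method 02 probes from the register state at an INT 3. It checks the SI/DI magic values, decodes the backdoor function in AX and, for 0911h, reads the ASCIZ command at DS:DX so that a command such as HBOOT is flagged instead of being passed on. The register snapshot layout, the memory image and the Haspinst-style command table are constructed for the example.

```python
"""Classify an INT 3 seen while emulating or tracing a DOS sample: is it a
SoftICE backdoor call (Method 02) or the BoundsChecker probe (Method 01)?
Added example, not code from the original post; the register snapshot
format and the memory image below are constructed for this example."""

SICE_MAGIC_SI = 0x4647          # 'FG'
SICE_MAGIC_DI = 0x4A4D          # 'JM'
BCHK_MAGIC = 0x4243484B         # 'BCHK' in EBP for the BoundsChecker interface

BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set SoftICE breakpoint",
    0x0914: "remove SoftICE breakpoint",
}

# The one command on the page that does more than gather information.
DISRUPTIVE_COMMANDS = {"HBOOT"}


def read_asciz(mem, seg, off, limit=64):
    """Read a NUL-terminated string at seg:off from a flat real-mode image."""
    start = (seg << 4) + off
    end = mem.find(b"\0", start, start + limit)
    if end < 0:
        end = start + limit
    return mem[start:end].decode("ascii", "replace")


def classify_int3(regs, mem):
    """regs: dict of register values (ax, si, di, ds, dx, ebp as present).
    Returns (kind, detail), kind in {'sice_backdoor', 'bchk_probe', 'plain'}."""
    ax = regs.get("ax", 0)
    if (regs.get("si") == SICE_MAGIC_SI and regs.get("di") == SICE_MAGIC_DI
            and (ax >> 8) == 0x09):
        detail = {"function": ax,
                  "meaning": BACKDOOR_FUNCS.get(ax, "unknown backdoor function"),
                  "command": None, "disruptive": False}
        if ax == 0x0911:
            cmd = read_asciz(mem, regs["ds"], regs["dx"]).strip()
            detail["command"] = cmd
            detail["disruptive"] = cmd.split()[0].upper() in DISRUPTIVE_COMMANDS if cmd else False
        return "sice_backdoor", detail
    if regs.get("ebp") == BCHK_MAGIC and ax == 0x0004:
        return "bchk_probe", {"meaning": "BoundsChecker signature check"}
    return "plain", {}


def build_sample_image():
    """Constructed image: segment 4C19h holds six ASCIZ SoftICE commands and a
    table of their offsets, mirroring the Haspinst loop in Method 02."""
    seg, table_off, str_off = 0x4C19, 0x0200, 0x0300
    mem = bytearray(0x60000)
    base = seg << 4
    for i, cmd in enumerate(["LDT", "IDT", "GDT", "TSS", "RS", "HBOOT"]):
        mem[base + table_off + 2 * i: base + table_off + 2 * i + 2] = str_off.to_bytes(2, "little")
        data = cmd.encode() + b"\0"
        mem[base + str_off: base + str_off + len(data)] = data
        str_off += len(data)
    return bytes(mem), seg, table_off


def replay_haspinst_loop(mem, seg, table_off):
    """Replay the six INT 3 calls of the Haspinst listing (AX=0911h, DX=[BX])
    and classify each one."""
    results = []
    for i in range(6):
        entry = (seg << 4) + table_off + 2 * i
        regs = {"ax": 0x0911, "ds": seg,
                "dx": int.from_bytes(mem[entry:entry + 2], "little"),
                "si": SICE_MAGIC_SI, "di": SICE_MAGIC_DI}
        results.append(classify_int3(regs, mem))
    return results


if __name__ == "__main__":
    for kind, detail in replay_haspinst_loop(*build_sample_image()):
        flag = " <-- disruptive" if detail.get("disruptive") else ""
        print(kind, detail.get("command"), flag)
```

The sixth replayed call is the HBOOT the text mentions; a hook of this shape lets the analysis environment log the command and return as if no debugger were present instead of letting a reboot request through.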
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

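A worked decoder for the Debug Registers the text refers to, added here as an example and not taken from the original post: given a DR7 value (read in ring0 as the text says, or taken from a VM snapshot or crash dump), it lists which of DR0-DR3 are armed with their scope, type and length, and reports the LE/GE bits whose presence is what makes dr7 read 0x700 instead of 0x400 in the description above. The sample values are constructed; the bit layout is the documented x86 DR7 layout.

```python
"""Decode an x86 DR7 value: armed hardware breakpoints (DR0-DR3) with type
and length, plus the LE/GE/GD control bits. Added example, not code from the
original post. Sample values below are constructed."""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 8 is only meaningful in 64-bit mode


def decode_dr7(dr7):
    """Return armed breakpoints and control bits from a DR7 value."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: 2 bits from bit 16
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: 2 bits from bit 18
        breakpoints.append({"index": i,
                            "scope": "global" if glob else "local",
                            "type": RW_TYPES[rw],
                            "length": LEN_BYTES[ln]})
    return {"breakpoints": breakpoints,
            "le": bool(dr7 & (1 << 8)),       # local exact breakpoint enable
            "ge": bool(dr7 & (1 << 9)),       # global exact breakpoint enable
            "gd": bool(dr7 & (1 << 13))}      # general detect (traps MOV DRn)


def looks_like_softice_loader(dr7):
    """The page's heuristic: under the SoftICE loader DR7 reads 0x700, i.e.
    LE and GE are set on top of the always-set bit 10; otherwise 0x400."""
    return (dr7 & 0x300) == 0x300


def active_bpms(dr0_3, dr7):
    """Pair each armed debug register with its linear address, type, length."""
    info = decode_dr7(dr7)
    return [(dr0_3[bp["index"]], bp["type"], bp["length"])
            for bp in info["breakpoints"]]


if __name__ == "__main__":
    # Constructed: DR0 armed globally as a 4-byte write watchpoint on 0x401000.
    sample_dr7 = 0x400 | 0x2 | (1 << 16) | (3 << 18)      # == 0xD0402
    print(hex(sample_dr7), decode_dr7(sample_dr7))
    print(active_bpms([0x401000, 0, 0, 0], sample_dr7))
    for v in (0x700, 0x400):
        print(hex(v), "loader signature:", looks_like_softice_loader(v))
```

Reading DR7 is the ring0 part; this decoder only interprets a value already obtained, which is the same interpretation an analyst applies when checking what a sample in a VM would have observed.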
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
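The breakpoints given for Methods 01 through 13 catch the tricks at run time; the Python below is an added example (not from the original post) of the static counterpart an analyst runs before loading a sample at all: it scans a binary for the byte forms of the listings printed on this page (Methods 01-07, 11, 12 and 13) and reports which methods appear and where. The patterns are the plain encodings of the instructions as printed (for instance BD 4B 48 43 42 for mov ebp,4243484Bh); real packers vary registers and encodings, so hits are leads for a closer look, not proof. SAMPLE is a constructed buffer, not a real file.

```python
"""Static triage of a DOS/Win9x binary for the anti-SoftICE signatures on
this page. Added example, not part of the original post; SAMPLE is a
constructed buffer and the patterns are the plain encodings of the printed
listings, so a miss does not mean a sample is clean."""
import re

SIGNATURES = [
    # (description, method number on the page, bytes regex)
    ("mov ebp,'BCHK' (BoundsChecker interface)", "01", rb"\xBD\x4B\x48\x43\x42"),
    ("SoftICE backdoor magic SI=4647h, DI=4A4Dh", "02", rb"\xBE\x47\x46.{0,4}?\xBF\x4D\x4A"),
    ("int 2Fh with SICE VxD ID 0202h in BX", "03", rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),
    ("int 2Fh with SIWVID VxD ID 7A5Fh in BX", "04", rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),
    ("int 41h function 4Fh", "05/06", rb"\xB8\x4F\x00.{0,12}?\xCD\x41"),
    ("cmp ax,0F386h (system debugger magic)", "05/07/12", rb"\x3D\x86\xF3"),
    ("int 68h function 43h", "07", rb"\xB4\x43.{0,4}?\xCD\x68"),
    ("device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE (MeltICE)", "11",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    ("push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)", "12", rb"\x68\x2A\x00\x2A\x00"),
    ("SoftICE registry key Software\\NuMega\\SoftICE", "13", rb"NuMega\\SoftICE"),
]


def scan(buf):
    """Return every signature hit in buf, ordered by offset."""
    hits = []
    for desc, method, pattern in SIGNATURES:
        # DOTALL so the short gaps between instructions may contain any byte
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append({"offset": m.start(), "method": method, "desc": desc,
                         "bytes": m.group(0).hex()})
    return sorted(hits, key=lambda h: h["offset"])


def methods_found(buf):
    """Set of page method numbers whose signature appears in buf."""
    return {h["method"] for h in scan(buf)}


# Constructed sample: filler plus the printed listings, one after another.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"          # Method 01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # Method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                      # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                      # Method 05
    + b"\\\\.\\SICE\x00"                                       # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                         # Method 13
    + b"\x68\x2A\x00\x2A\x00"                                  # Method 12
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h['offset']:#06x}  method {h['method']:<9} {h['desc']}  [{h['bytes']}]")
```

Run against a real file, read it with open(path, "rb").read() and pass the bytes to scan(); the gap quantifiers (.{0,n}?) are what let the patterns survive an extra mov or push between the two halves of a check, and widening them trades false positives for recall.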

. r1 T6 B) _$ h0 c7 L( @( B' U__________________________________________________________________________/ d! @9 e; v7 ]5 }3 ^

+ O6 v9 y5 m) `( G( g- o* |8 w1 r  F4 W) ?, e
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港
