About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves ax untouched, so
    jz      SoftICE_detected        ; 0F386h means a debugger answered first

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; random value read from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
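As an added example (not part of the original text), the Python script below turns the constants that recur in the methods above (the 'BCHK' value of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h VxD IDs of methods 03/04, the 0F386h magic number and int 41h/4Fh call of methods 05/06/12, the 002A002Ah VxDCall argument of method 12, the \\.\SICE device names of method 11 and the NuMega registry key of method 13) into byte signatures and scans a buffer for them, the way an analyst triages a packed executable for anti-SoftICE checks. The signature names and the sample buffer are constructed for this demonstration.

```python
import re

# Byte signatures for the anti-SoftICE idioms described above. The 66h
# operand-size prefix is deliberately not included, so each pattern matches
# both the 16-bit DOS encoding and the 32-bit Win32 encoding of the same
# instruction. Hits are triage hints, not proof: a short sequence such as
# "cmp ax,0F386h" can occur by chance and needs a look in a disassembler.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3  (CCh or CDh 03h)
    "method01_bchk":            rb"\xBD\x4B\x48\x43\x42.{0,8}(?:\xCC|\xCD\x03)",
    # Method 02: mov si,4647h ... mov di,4A4Dh (SoftICE back-door magic values)
    "method02_magic_si_di":     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A",
    # Methods 03/04: mov bx,0202h or 7A5Fh ... int 2Fh (Get VxD entry point)
    "method03_04_int2f_vxd_id": rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h
    "method05_int41_4f":        rb"\xB8\x4F\x00\xCD\x41",
    # Methods 05/06/12: cmp ax,0F386h, the magic number system debuggers return
    "method05_12_cmp_f386":     rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "method07_int68":           rb"\xB4\x43\xCD\x68",
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch selector given to VxDCall)
    "method12_push_2a002a":     rb"\x68\x2A\x00\x2A\x00",
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE (MeltICE and the _lopen variant)
    "method11_device_name":     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # Method 13: the NuMega registry key (case-insensitive, like the registry)
    "method13_registry_key":    rb"(?i)Software\\NuMega\\SoftICE",
}

# re.DOTALL so the ".{0,8}" gaps between instructions also match 0Ah bytes.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes):
    """Return [(offset, signature_name)] for every hit in blob, sorted by offset."""
    hits = [(m.start(), name)
            for name, rx in COMPILED.items()
            for m in rx.finditer(blob)]
    return sorted(hits)


def methods_found(blob: bytes):
    """Set of signature names present in blob, for a quick verdict."""
    return {name for _, name in scan(blob)}


def build_sample() -> bytes:
    """Constructed buffer (not a real binary): NOP filler around a few of the
    idioms above in their 16-bit DOS encodings, mirroring the Haspinst.exe
    listing (method 02) and the simplest int 41h check (method 05)."""
    hasp_loop = (b"\xB8\x11\x09"        # mov ax,0911h   (execute command)
                 b"\x8B\x17"            # mov dx,[bx]
                 b"\xBE\x47\x46"        # mov si,4647h   (1st magic value)
                 b"\xBF\x4D\x4A"        # mov di,4A4Dh   (2nd magic value)
                 b"\xCC")               # int 3
    int41_check = (b"\xB8\x4F\x00"      # mov ax,4Fh
                   b"\xCD\x41"          # int 41h
                   b"\x3D\x86\xF3"      # cmp ax,0F386h
                   b"\x74\x00")         # jz SoftICE_detected (stub displacement)
    device_name = b"\\\\.\\SICE\x00"    # string MeltICE passes to CreateFileA
    return (b"\x90" * 16 + hasp_loop
            + b"\x90" * 16 + int41_check
            + b"\x90" * 8 + device_name)


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:#06x}  {name}")
```

Run it on a real file with `scan(open(path, "rb").read())`; each hit offset is a place to disassemble and confirm by hand.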