About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
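As an added example that is not part of the original article: a small Python triage scanner that flags the byte patterns of the checks catalogued above (Methods 01-07, 11, 12 and 13) in a binary blob, which is how an analyst spots these anti-debugger checks during static triage. The rule names and the sample blob are constructed here; the x86 encodings are the standard ones for the instruction sequences the article lists.

```python
"""Triage scanner: flags byte patterns of the anti-SoftICE checks described above.

Added example (not part of the original article). Rule names are my own; the x86
encodings are the standard ones for the instruction sequences the article lists.
"""
from __future__ import annotations
import re

# Between instructions an optional 66h operand-size prefix is allowed so the
# same rule matches 16-bit code and the 32-bit encodings of the same sequence.
RULES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 within the next 16 bytes
    "bchk_int3": re.compile(rb"\xbd\x4b\x48\x43\x42.{0,16}?(?:\xcc|\xcd\x03)", re.S),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3  (back-door magic values)
    "backdoor_magic": re.compile(rb"\xbe\x47\x46\x66?\xbf\x4d\x4a(?:\xcc|\xcd\x03)"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ; int 2Fh
    "int2f_1684_vxd": re.compile(rb"\xb8\x84\x16\x66?\xbb(?:\x02\x02|\x5f\x7a)\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    "int41_4f": re.compile(rb"\xb8\x4f\x00\xcd\x41"),
    # Method 07: mov ah,43h ; int 68h
    "int68_43": re.compile(rb"\xb4\x43\xcd\x68"),
    # Method 12: push 4Fh ; push 2A002Ah  (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": re.compile(rb"\x6a\x4f\x68\x2a\x00\x2a\x00"),
    # Methods 11/13: driver device names (MeltICE) and the NuMega registry key
    "sice_device": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    "numega_regkey": re.compile(rb"Software\\NuMega\\SoftICE", re.I),
}


def scan(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, rule_name) pairs for every rule hit in blob, sorted by offset."""
    hits = []
    for name, rx in RULES.items():
        hits.extend((m.start(), name) for m in rx.finditer(blob))
    return sorted(hits)


def summarize(blob: bytes) -> dict[str, int]:
    """Map each rule that fired to its hit count (the per-sample triage verdict)."""
    counts: dict[str, int] = {}
    for _, name in scan(blob):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: NOP/zero filler with several of the checks embedded.
# It is not taken from any real binary.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"               # mov ebp,4243484Bh  ('BCHK')
    + b"\x66\xb8\x04\x00"                   # mov ax,4  (32-bit code, 66h prefix)
    + b"\xcc"                               # int 3
    + b"\x3c\x04\x75\x10"                   # cmp al,4 ; jnz SoftICE_Detected
    + b"\x00" * 4
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"   # mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x00" * 4
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"       # push 4Fh ; push 2A002Ah
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"      # registry key from Method 13
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
    print(summarize(SAMPLE))
```

Any hit is only a hint that the sample checks for a debugger; confirm in a disassembler, since the short opcode sequences can occur by chance in data.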