About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which the dongle HASP
Envelope utility uses to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
____________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = timer counter, a changing value
    xor     cx,cx           ; cl = 0 before the call
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl == al only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

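The scanner below is an added example, not part of the original post nor of any tool it mentions: it turns the idioms of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 into byte signatures that an analyst can run over a dumped code section to see where the breakpoints listed above will be worth setting. The sample blobs are hand-assembled from the listings in this post, not real binaries.

```python
import re

# Byte-level signatures for the SoftICE checks described in this post.
# Encodings are plain x86: mov r16,imm16 = B8+r iw, int n = CD ib,
# cmp ax,imm16 = 3D iw, push imm32 = 68 id, push imm8 = 6A ib.
# A 66h operand-size prefix in 32-bit code sits before the matched bytes,
# so the same patterns cover 16-bit and 32-bit builds.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 / int 03h
    ("M01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,12}?(?:\xCC|\xCD\x03)", re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh (back door magic values)
    ("M02 int 3 back door SI=4647h/DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID lookup",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.S)),
    # Methods 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("M05 int 41h/4Fh magic F386h",
     re.compile(rb"\xB8\x4F\x00.{0,32}?\xCD\x41.{0,32}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("M07 int 68h/43h magic F386h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 11 (MeltICE): device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: SoftICE registry key
    ("M13 NuMega registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(code):
    """Return sorted (offset, label) pairs for every signature hit in `code`."""
    hits = []
    for label, rx in SIGNATURES:
        for m in rx.finditer(code):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed samples, hand-assembled from the listings above (not real binaries).
SAMPLE_HASPINST = bytes.fromhex("b81109 8b17 be4746 bf4d4a cc")     # Method 02
SAMPLE_BCHK = bytes.fromhex("bd4b484342 66b80400 cc 3c04 7500")     # Method 01
SAMPLE_INT2F = bytes.fromhex("33ff 8ec7 b88416 bb0202 cd2f")        # Method 03
SAMPLE_INT41 = bytes.fromhex("b84f00 cd41 3d86f3 7400")             # Method 05
SAMPLE_VXDCALL = bytes.fromhex("6a4f 682a002a00 ff1500000000")      # Method 12
SAMPLE_MELTICE = b"junk\\\\.\\SICE\x00more\\\\.\\NTICE\x00"         # Method 11
SAMPLE_CLEAN = bytes.fromhex("558bec 33c0 5dc3")                    # plain prologue

if __name__ == "__main__":
    for name, blob in [("haspinst", SAMPLE_HASPINST), ("bchk", SAMPLE_BCHK),
                       ("int2f", SAMPLE_INT2F), ("int41", SAMPLE_INT41),
                       ("vxdcall", SAMPLE_VXDCALL), ("meltice", SAMPLE_MELTICE),
                       ("clean", SAMPLE_CLEAN)]:
        for off, label in scan(blob) or [(None, "no anti-SoftICE idiom")]:
            print(f"{name:9s} +{off}  {label}")
```

Offsets are relative to the blob; on a real dump add the section's base address to turn a hit into a BPX address.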
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>