About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next variant, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: ax only changes if a debugger answered
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only runs if nobody else owns int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);          /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
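For triage of a packed sample rather than for evasion, the following Python scanner is an added example (not part of the original post, nor of any tool it names) that flags the byte patterns the tricks above leave in a binary: the 'BCHK' constant of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h VxD-ID probe of Methods 03/04, the int 41h/4Fh probe of Methods 05/06, the int 68h probe of Method 07, the driver names of Method 11, the VxDCall push sequence of Method 12 and the registry paths of Method 13. It assumes the 16-bit encodings of the snippets as printed (32-bit for Method 12), and the sample blob it scans is constructed.

```python
import re
from typing import List, Tuple

# Signature table for the anti-SoftICE tricks catalogued above.  The byte
# patterns are the 16-bit real-mode encodings of the snippets as listed
# (Method 12 is the 32-bit push sequence); a packer that picks other
# registers or adds prefixes will not match, so treat hits as triage leads.
_DRIVERS = (b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE")
_REGKEYS = (b"Software\\NuMega\\SoftICE",
            b"Uninstall\\SoftICE",
            b"App Paths\\Loader32.Exe")

SIGNATURES: List[Tuple[str, "re.Pattern[bytes]"]] = [
    # mov ebp,4243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("Method 01: BoundsChecker 'BCHK' signature",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # mov si,4647h / mov di,4A4Dh in either order, at most 16 bytes apart
    ("Method 02: int 3 back door magic values 4647h/4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}\xBE\x47\x46",
                re.DOTALL)),
    # mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("Method 03/04: int 2Fh/1684h VxD ID probe (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.DOTALL)),
    # mov ax,4Fh / int 41h
    ("Method 05/06: int 41h function 4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    # mov ah,43h / int 68h
    ("Method 07: int 68h function 43h check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # "\\.\SICE" etc. as opened by MeltICE / _lopen
    ("Method 11: SoftICE driver name (MeltICE)",
     re.compile(b"|".join(re.escape(d) for d in _DRIVERS))),
    # push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("Method 12: VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # registry paths, matched case-insensitively
    ("Method 13: SoftICE registry key",
     re.compile(b"|".join(re.escape(k) for k in _REGKEYS), re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = [(m.start(), label)
            for label, pat in SIGNATURES for m in pat.finditer(blob)]
    return sorted(hits)


# Constructed sample: a NOP sled followed by several of the tricks in a row.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01 (offset 4)
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (offset 19)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05 (offset 26)
    + b"\\\\.\\SICE\x00"                                    # Method 11 (offset 34)
    + b"Software\\NuMega\\SoftICE\x00"                      # Method 13 (offset 43)
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Run it against a dumped, unpacked section rather than the packed file, since the signatures are plain bytes and will not match through compression or encryption.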