About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
: g( O& y7 q/ x. _0 y+ A3 K2 F+ d4 Z
+ `8 F* v% x" q+ S
Method 03
* X; K( b* L9 b) ]=========0 \1 s; i) u# |8 Z. L9 A5 i

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (IVT), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A second method, similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

: l* ]5 ^0 m$ w! U; F    mov     ah, 25h% O7 f: p( ^: ^; w: O0 N
    mov     al, Int_Number (01h or 03h)
) ?0 y2 E" }. J& C    mov     dx, offset New_Int_Routine
* c% X6 d/ f# y) A% E    int     21h
6 Z2 S2 R' F: N
2 T! R" m) F1 j' w__________________________________________________________________________( j+ M, R- K5 d- D7 ]: j' Y& j

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:


   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system (ring0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
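Most of the checks described in Methods 01 to 05, 07, 11, 12 and 13 leave fixed opcode sequences or strings in the protected binary, so an analyst can triage a sample for them statically before loading it in a debugger. The scanner below is an added example written for this page, not part of the original article. It assumes 16-bit real-mode x86 encodings for the DOS-era checks, with an optional 66h operand-size prefix where the 32-bit form used by packers differs, and the sample buffer it runs on is constructed here rather than taken from any real file.

```python
import re

# Each entry: (label, regex over raw bytes).  Opcodes are 16-bit real-mode x86;
# an optional 0x66 prefix covers the 32-bit forms seen in Win32 packers.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker int 3 (mov ebp,'BCHK')",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h and mov di,4A4Dh magic values (either order)
    ("M02 SoftICE back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    ("M03/04 int 2Fh/1684h VxD entry point lookup",
     re.compile(rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh / int 41h
    ("M05 int 41h/4Fh debugger installation check",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41")),
    # Method 07: mov ah,43h / int 68h
    ("M07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43\xCD\x68")),
    # Method 11: driver names handed to CreateFileA or _lopen
    ("M11 MeltICE driver handle open",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh / push 002A002Ah before the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry paths that reveal the installation directory
    ("M13 SoftICE registry key lookup",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(buf):
    """Return a sorted list of (offset, label) for every signature hit in buf."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


def summarize(buf):
    """Return the distinct labels found, sorted: a quick verdict for a sample."""
    return sorted({label for _, label in scan(buf)})


# Constructed sample: nops, then the Method 01 check, the Method 02 fragment
# of the Haspinst.exe listing, and a MeltICE-style driver name.
SAMPLE = (
    b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp,4243484Bh      (Method 01)
    + b"\xB8\x04\x00"               # mov ax,04h
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al,4
    + b"\x75\x10"                   # jnz SoftICE_Detected
    + b"\xB8\x11\x09"               # mov ax,0911h           (Method 02)
    + b"\x8B\x17"                   # mov dx,[bx]
    + b"\xBE\x47\x46"               # mov si,4647h
    + b"\xBF\x4D\x4A"               # mov di,4A4Dh
    + b"\xCC"                       # int 3
    + b"\\\\.\\SICE\x00"            # '\\.\SICE',0           (Method 11)
    + b"\xC3" * 4
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

The byte patterns are deliberately narrow (exact immediates, short gaps), so a hit is a strong hint worth a closer look rather than proof; a protector that computes the magic values at run time leaves none of them, which is exactly why the breakpoint conditions given per method above remain the dynamic counterpart.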