About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]     ; es is assumed to hold 0 (IVT segment),
    xchg    bx, es:[41h*4+2]   ; as Method 06 sets it explicitly
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine   ; ds must hold its segment
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
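To make the DR7 values quoted above (0x700 versus 0x400) concrete, here is an added Python decoder that is not part of the original post. It splits DR7 into its enable bits and the per-slot type/length fields using the layout documented in the Intel SDM; the function names, the sample value and the `looks_like_softice_loader` heuristic are my own, and that heuristic generalizes the post's two constants by testing the LE/GE bits rather than comparing the whole register. Reading DR7 itself still needs ring0, as the post says; this only interprets a value you already have.

```python
# Added example (not from the original post): decode the x86 DR7 register that
# Method 10 reads. Layout per the Intel SDM ("Debug Registers"):
#   bits 0-7  : L0,G0,L1,G1,L2,G2,L3,G3 local/global enable pairs
#   bit 8/9   : LE / GE (exact breakpoint enable), bit 10 reserved (reads 1)
#   bit 13    : GD (general detect)
#   bits 16-31: (R/W, LEN) 2-bit field pairs for slots 0..3

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Return the enabled breakpoint slots in DR7 plus the global flag bits."""
    slots = []
    for n in range(4):
        local_enable = bool((dr7 >> (2 * n)) & 1)
        global_enable = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local_enable or global_enable):
            continue  # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({"slot": n, "local": local_enable, "global": global_enable,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The post's heuristic: DR7 reads 0x700 (LE and GE set) when the target was
    started from the SoftICE loader and 0x400 otherwise. Tested via the LE/GE
    bits so that armed slots in the low byte do not hide it (my generalization)."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


def has_memory_breakpoints(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled, i.e. a BPM-style breakpoint is armed."""
    return bool(decode_dr7(dr7)["slots"])


# Constructed DR7 value: reserved bit plus slot 0 enabled locally as a
# 4-byte read/write breakpoint (the shape of a SoftICE "BPM xxx RW").
SAMPLE_BPM_DR7 = 0x400 | 0b01 | (0b11 << 16) | (0b11 << 18)

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_BPM_DR7):
        print(hex(value), decode_dr7(value),
              "loader" if looks_like_softice_loader(value) else "no-loader",
              "BPM" if has_memory_breakpoints(value) else "no-BPM")
```

On the two values from the post, 0x400 decodes to no flags and no slots, and 0x700 decodes to LE and GE set with no slots, which is exactly why a program that compares DR7 against 0x700 learns that the SoftICE loader started it.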

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected
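From the analyst's side, the checks in Methods 01 to 07 and 12 and the driver names of Method 11 all leave fixed byte sequences in the code that performs them. The following Python scanner is an added example, not from the original post or from any of the tools it names: it translates those listings into standard x86 instruction encodings (16-bit code unless noted in the comment) and reports where they occur in a raw byte blob such as a dumped unpacked section. The byte patterns and the sample input are my own constructions; a packer can use different but equivalent encodings, so a clean scan is a triage hint, not proof that a sample carries no such check.

```python
import re

# Added example (not from the original post): byte-pattern triage for the
# SoftICE checks described in Methods 01-07, 11 and 12. Each pattern is my
# encoding of the snippet shown in the post (16-bit code unless noted).
SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4
    "m01_bchk_int3": rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04",
    # Method 02: mov si,4647h and mov di,4A4Dh (either order, up to 8 bytes apart)
    "m02_backdoor_magic":
        rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46)",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "m03_04_vxd_entry": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Methods 05/06/07/12 share the compare against the magic number 0F386h
    "m05_cmp_f386": rb"\x3D\x86\xF3",
    # Method 05: mov ax,4Fh ; int 41h
    "m05_int41_4f": rb"\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "m07_int68_43": rb"\xB4\x43\xCD\x68",
    # Method 12 (32-bit): push 4Fh (imm8 or imm32 form) ; push 2A002Ah
    "m12_vxdcall_int41":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 11: NUL-terminated device names handed to CreateFileA / _lopen
    "m11_device_name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
}

# DOTALL so that '.' in the Method 02 gap also matches a 0x0A byte.
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> list:
    """Return a sorted list of (offset, signature_name) hits found in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample: NOP filler, the Method 02 sequence from the Haspinst
# listing, a Method 05 probe, and a MeltICE-style device name.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"            # mov ax,0911h        (offset 16)
    + b"\x8B\x17"                # mov dx,[bx]         (offset 19)
    + b"\xBE\x47\x46"            # mov si,4647h        (offset 21)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh        (offset 24)
    + b"\xCC"                    # int 3               (offset 27)
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h (offset 36)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h       (offset 41)
    + b"\x90" * 8
    + b"\\\\.\\NTICE\x00"        # "\\.\NTICE"         (offset 52)
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Run on the constructed sample it reports the Method 02 magic pair, the int 41h/4Fh probe, the 0F386h compare and the NTICE device name at their offsets; the three-byte `m05_cmp_f386` pattern is deliberately short and will also fire on unrelated data, so treat it as a lead to confirm in a disassembler rather than a verdict.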

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>