找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>! r: L& @. S  [# G3 [* O
<TBODY>5 Q* I! k( q" X
<TR>! B$ _, B  h1 f* [& w
<TD><PRE>Method 01 # T: h4 s3 G, K+ J* Q. r6 F3 n
=========2 Y9 D9 `$ x" O6 }
( v' c# }+ m2 c  c
This method of detection of SoftICE (as well as the following one) is
, U! {8 R2 D- C, E, }used by the majority of packers/encryptors found on Internet.
' [! x2 \6 `& r+ q0 ^' |It seeks the signature of BoundsChecker in SoftICE
* l2 N( D6 H5 b- M) }/ V/ m( x9 Q0 h  N. S* v7 `0 d
    mov     ebp, 04243484Bh        ; 'BCHK'$ n8 x+ Z! [" J0 D3 C7 v$ [
    mov     ax, 04h: x  N$ o8 S& P$ x! y
    int     3       0 G  n8 X5 c4 p3 f) p6 d7 B% l
    cmp     al,44 T% m( k# B8 X9 ~: N9 o
    jnz     SoftICE_Detected
9 p3 X3 z3 t  K5 ?* r' X8 r3 ~5 j5 v% A% D
% f- e' X) m' D& T___________________________________________________________________________
& v5 v0 l5 m7 `6 Q! u9 \6 ]- [* [: S3 A+ g1 }( J1 F. |% z
Method 02
3 ?% [( E  f& W% }9 t6 }=========
1 o# p( B* _: C6 y2 c# M
; l6 J1 ^1 h8 |2 g  ~% G2 mStill a method very much used (perhaps the most frequent one).  It is used2 \3 g; B) B- }- j& m
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,* e5 J. ]" Z, N  c
or execute SoftICE commands...: {: Y! V# p' H4 n& i  \) Q
It is also used to crash SoftICE and to force it to execute any commands
6 p7 R, _2 [$ b(HBOOT...) :-((  / Y6 R0 t$ r. p: ?
+ D% a/ g# i( e* F" }
Here is a quick description:
; C4 U- K/ ?0 n  @-AX = 0910h   (Display string in SIce windows)
6 z9 A1 {3 D8 I' _-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx). S# w- l$ R- \/ S7 W
-AX = 0912h   (Get breakpoint infos)
+ J6 u- Q' C3 R-AX = 0913h   (Set Sice breakpoints)& H8 v: q- e2 y$ W/ q% @
-AX = 0914h   (Remove SIce breakoints)2 p2 B/ C1 H( m" c$ D. s3 x
+ x: H6 N0 b; C: k0 U6 L( F
Each time you'll meet this trick, you'll see:7 Z. F+ [; l7 q2 O9 y* T% Y: _
-SI = 4647h
( A/ C5 D/ x  H# ?' g-DI = 4A4Dh
$ Z9 J3 f5 w. [Which are the 'magic values' used by SoftIce.
/ t8 q. x1 {  f9 z7 {  J& DFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
* t6 {& U" V# w- n6 C5 y! P6 i0 i" N! d9 t7 |6 `
Here is one example from the file "Haspinst.exe" which is the dongle HASP$ J9 v. p. |. V
Envelope utility use to protect DOS applications:
  @% r5 F+ E  W, n, n5 ^# J) [
# f& ?; y6 t( X& K  C' a7 [. ?3 H, g' I. O
4C19:0095   MOV    AX,0911  ; execute command.
+ d+ r& r9 s& M4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
0 X$ R+ `- x# Q1 M. c% b4C19:009A   MOV    SI,4647  ; 1st magic value.
/ u) w0 O- Z. q8 f4C19:009D   MOV    DI,4A4D  ; 2nd magic value.& O) k! v$ n$ i2 `
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)( c" t$ e/ V( `& n1 n% N5 r
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute8 h  C! F5 D& E
4C19:00A4   INC    CX$ R7 q; G7 w8 r6 i; p* @
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
' L7 n$ N# f9 t" t! N4C19:00A8   JB     0095     ; 6 different commands.% G7 V( I( C  {
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.0 P  j$ G9 D: b3 N/ J3 j/ }$ F
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
" v) g: ~9 w7 B" q5 p3 v: f' K+ K8 g! ~6 c8 r* B  v: e
The program will execute 6 different SIce commands located at ds:dx, which
9 H# f( Z6 ~0 S. e; r6 g, Zare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.. N" @/ J2 Z( Z2 e
) w/ c: f& K- j* N2 _4 U9 R
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.! a" b' i2 [( O! I4 U
___________________________________________________________________________
9 P! D/ P  h" V! z- x6 R3 B. b
0 E, W2 P# y3 C; m5 O4 z4 \+ K+ ^$ W; g8 [! a- [7 m0 L9 F* {0 E/ M
Method 03$ k& }* M3 Q% |3 A8 {
=========
0 F  O2 _* ^8 W" X5 L( t# {( C
+ {, W; i; M6 V% y9 GLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h, L& j5 r3 a# o9 Y
(API Get entry point)
9 k" ~; p. g4 T/ q5 A2 ^3 i          }$ Y* U: q/ ^0 L# n# w6 g: s

- ^8 Q  J3 }) r( T: A/ G    xor     di,di
7 U9 d# H; \* j    mov     es,di. x) [( Z  h/ H: v# |7 U
    mov     ax, 1684h       ; N8 Y* [/ |3 D. e$ E  R, }
    mov     bx, 0202h       ; VxD ID of winice6 a  h/ j/ L) W  [
    int     2Fh
& V( f, j  e/ o$ c    mov     ax, es          ; ES:DI -&gt; VxD API entry point
/ |: d3 o# v' e* t" B' ?    add     ax, di! k9 n, L; L2 H* F* a# P
    test    ax,ax& J4 q  A$ Y" k
    jnz     SoftICE_Detected3 o4 p- L% n- _7 [4 l# b, E% y" V
$ L; ^' n& y# W4 M
___________________________________________________________________________$ [& I! i5 R- p% E7 g, f7 m+ f

! l; B( @" D/ K2 ^4 M2 i' d  U6 TMethod 04
7 T& n( @8 N( m. y$ |4 D  p=========$ e& d& J. }6 q. W1 ?+ Y$ T

* Z! _3 N% b" g$ R" [Method identical to the preceding one except that it seeks the ID of SoftICE
4 V, A, X! d% p; k* d: h) k; ]/ J; _GFX VxD." {* T7 I' M, }+ D# S4 U$ P
# l, k0 ~7 n8 i
    xor     di,di
- c1 m2 v; a' X) }4 y% s    mov     es,di/ n2 \! ]4 s% r; A# R
    mov     ax, 1684h       9 y0 Q3 r: ^, P, |0 b4 `5 M
    mov     bx, 7a5Fh       ; VxD ID of SIWVID- ?$ W  [8 _& m
    int     2fh. \' U4 J. x7 y) B7 W
    mov     ax, es          ; ES:DI -&gt; VxD API entry point! c; ?! g4 E! M; m
    add     ax, di3 I! C  P, {5 G/ D
    test    ax,ax
+ K# j" f; ^& B+ I- s1 N    jnz     SoftICE_Detected
9 d  s5 D8 i; c) Q
: }! n- I2 u* _+ J__________________________________________________________________________7 D# L& X* A8 p/ \& l5 {
! p" n# W& p1 P

/ q/ [& o: T) A5 m! h! ~/ rMethod 05
% J3 W4 h+ j4 D( ^=========
( D% m6 l4 i) j& Z" Z
0 t4 _! E! A; JMethod seeking the 'magic number' 0F386h returned (in ax) by all system) k. ?- O( x9 ^7 w" [1 U
debugger. It calls the int 41h, function 4Fh.9 S3 f- Q4 t1 i. q; P6 \& v
There are several alternatives.  
1 B4 b0 W* f' W. m1 C2 u1 Z% Q: E2 o; Z1 c; _3 R
The following one is the simplest:
/ c: K$ ?4 ^9 J5 ]) l9 \8 ^6 M! L+ @
    mov     ax,4fh
& `) }, f9 m/ x- U    int     41h
/ R, _. w4 G" S, ]2 F& x    cmp     ax, 0F386
) d6 b  S2 z6 l! T8 S' e9 ]. V    jz      SoftICE_detected
7 R& U# f& h. x* I- K4 x( E0 ^: u9 E+ C2 g' Y# k0 {

$ l& i: Q/ f+ ^9 ?9 l  YNext method as well as the following one are 2 examples from Stone's
" B& S) u; P7 ~"stn-wid.zip" (www.cracking.net):
- v+ c& B* l+ E& s1 d9 A6 A  I5 r/ N  |0 A0 m; g  ?( u
    mov     bx, cs7 k/ r5 }! b/ G' u/ I) |4 b
    lea     dx, int41handler23 Y  \( V$ n- k' j) y6 }( c7 n  B
    xchg    dx, es:[41h*4]
7 N7 @- L/ I# a$ }  R6 [, x; B    xchg    bx, es:[41h*4+2]. _5 p, K9 m% ?' c: S' W4 V9 k
    mov     ax,4fh* G4 E/ q+ V! P( x) Q6 O7 N
    int     41h
5 r+ W% I$ q6 c. d! |  ~* g( K    xchg    dx, es:[41h*4]
- {: @& z* o+ X/ c7 O, `    xchg    bx, es:[41h*4+2]
) P$ Q1 [: d/ T    cmp     ax, 0f386h
  ~0 ~# W2 S9 j# l- _; C    jz      SoftICE_detected
. A; x4 T/ F8 x1 q& T
6 {, O) r; r4 @int41handler2 PROC- x9 Z# y( e9 I# b& s. i4 v
    iret
! ?: ^' s9 P0 H" O2 cint41handler2 ENDP
1 t- \8 V4 F, ^& A" S
3 n& R, X5 l) J- S8 p& p$ T6 u  y9 Y+ H/ k$ c* s
_________________________________________________________________________8 E# A: ]) H& x+ u5 `8 m

, b1 _0 F( G) H% ~- {2 M- v( H3 s0 `% Y# E$ u  w. x9 G4 B% U0 x
Method 06
$ n; R+ D& U7 o6 U0 y# Y& \5 z=========
7 o. A  J9 f+ }: Z# |8 P8 }9 {$ ]" o% z3 w4 B( [( Y8 a

/ O2 ^6 ?/ ^9 j' r( f  c2nd method similar to the preceding one but more difficult to detect:
% Q5 F- V" A+ J  {: u+ B
6 n2 F5 d7 A8 F- `/ g' G
# D' ~- w/ Q3 \) U5 t% b0 \+ iint41handler PROC
3 H# u6 w" |3 p$ ]    mov     cl,al
$ U$ k8 L0 b' H/ ~: \# p! X    iret+ k6 A9 N8 s6 u4 ?" V% A$ \( o
int41handler ENDP- n8 X$ Z/ @) Y. V1 g

$ G- R5 q! l* A! x: U/ J; J6 k' G. p  \) t7 j) n
    xor     ax,ax0 f% s- ~/ q  {5 {
    mov     es,ax
5 Y( X; `  z! Y1 V% P/ ~    mov     bx, cs6 l; ^- v, E* E/ H8 r: A& X9 [
    lea     dx, int41handler
: C0 L7 q6 b- m2 t; X  o# A, n    xchg    dx, es:[41h*4]% y2 H; h/ ]7 J
    xchg    bx, es:[41h*4+2]
+ K0 i" T. a4 g0 q) y$ e    in      al, 40h
' q7 P9 }9 I. T7 W9 q, M3 W' ~& E    xor     cx,cx! l3 l6 C2 \* y3 c: w6 ?
    int     41h& ]$ g0 p3 ]( K, c! x/ p) F3 k) X
    xchg    dx, es:[41h*4]
2 r( x1 b& h: |    xchg    bx, es:[41h*4+2]/ L. B  w: d, B3 P
    cmp     cl,al
( E4 m  _+ s5 w$ r! {1 ]* f    jnz     SoftICE_detected+ Q+ D- ~% C; T. K
+ s4 I( E" a7 J& s3 k
_________________________________________________________________________
, ~# M5 v, O8 v  |/ |( V6 ~. p2 R# d4 {4 K1 O
Method 07
: b3 q9 F4 K9 }3 Y=========' Y) P7 M2 M& ?3 j% h! {# X
  b9 f4 o% Y: A* f/ w% r
Method of detection of the WinICE handler in the int68h (V86)8 B" b( Z3 b% z& a7 G
/ T4 I9 \' N1 e, i" H; L
    mov     ah,43h
. [" `' z/ Y8 B" e% U0 `, M    int     68h
7 o4 C5 C0 m0 l& d$ o4 {( s    cmp     ax,0F386h
. y1 a* H' V/ U' p# @  _  z    jz      SoftICE_Detected
. N3 D" }6 }+ x0 a) a2 z) Z, V
" q' X3 m' }; d9 P# N9 q' Z. z% E- c8 |$ K
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: o# r) I' t) D0 n$ M   app like this:
3 ]" ~3 h- [; }) d* U" Z. p; O
8 p4 S5 f# g$ _6 r' v9 s   BPX exec_int if ax==68
5 Q* J6 b$ B. l8 \- C/ Y   (function called is located at byte ptr [ebp+1Dh] and client eip is+ c. K( O  K5 y: j4 Y
   located at [ebp+48h] for 32Bit apps)
  \# r: m& A) h__________________________________________________________________________
4 k' s  [) a5 H) Z# y" `
! ?) S# g0 _7 T: f# q% v( B$ }0 w/ }& {) i
Method 08
+ X3 ~. i% C) m4 h) n+ I% {* a=========
  J+ Z, e1 G8 }7 r) h7 N! X- H( w6 P
It is not a method of detection of SoftICE but a possibility to crash the$ ~7 M" i2 R3 R- p# f: P0 N+ l
system by intercepting int 01h and int 03h and redirecting them to another8 r- R, E- m% w; i5 m3 _
routine.
7 g2 z9 R5 i- D+ Y% n$ S: qIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
# c8 P+ G6 V( k# bto the new routine to execute (hangs computer...)9 `+ @  F( z' b8 t; D; @
$ S9 {# |  E, @& @  J1 X# P
    mov     ah, 25h( x9 o/ U! Q- `/ r- g7 u& q, S9 H
    mov     al, Int_Number (01h or 03h)
- M" x/ R$ b3 [3 g6 ^    mov     dx, offset New_Int_Routine
3 z" v( u+ g) d- v8 ]    int     21h( l: Q7 D4 S% T: `
1 K% A# j/ F) v7 i# B. Q  [4 N
__________________________________________________________________________
# W, s8 J1 r, e/ u7 G9 ~% l" e9 F8 ^, G2 A" q
Method 09- H, h( Q) G% B/ A9 C1 `+ U( P
=========- i, h6 m' I. \- {' h3 \& f1 Y0 H

& e. y5 Z& |3 Y  HThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* a1 ^/ p! M, p8 D9 V
performed in ring0 (VxD or a ring3 app using the VxdCall).' E* m$ C/ q: [2 H
The Get_DDB service is used to determine whether or not a VxD is installed
  W" b2 i3 [& q4 ffor the specified device and returns a Device Description Block (in ecx) for! f3 L; [7 X6 [9 u3 B* t2 y
that device if it is installed.& V% g' o' x8 L: _7 x, D

7 i, |9 r  T% v' G   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
9 ?! V2 ]! C' i( N$ A# }; g   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)5 b3 l0 k& r3 y8 t
   VMMCall Get_DDB
. I- W) ^- J0 `  R, D/ w   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed9 W/ }; G, j  h1 ]# v0 C
+ X/ E$ y5 ?3 i7 C% `6 }* L9 u
Note as well that you can easily detect this method with SoftICE:
$ X8 \- @4 j& F* p' m4 y* f   bpx Get_DDB if ax==0202 || ax==7a5fh
  d( |& M. l" L$ t* M5 l
2 ~1 t2 A. q: T0 X( Y5 i; o__________________________________________________________________________
' p7 ?# }, f% M. b/ a0 G* a1 s8 w
Method 10
5 f7 m" n1 q* T" {=========
- W2 A5 E* q" S9 F6 I! ?4 X, i" n0 {. {4 h' Z9 j- ?1 D: g
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
6 y  A9 n! d$ W" s% T  SoftICE while the option is enable!!& T3 K0 V4 J3 F
" |( ^2 p% ?- }+ h0 u# T
This trick is very efficient:' e$ g! y: A# ]6 C7 G- U
by checking the Debug Registers, you can detect if SoftICE is loaded7 ~! V: p! o# m( c. h8 j$ T, q
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if/ D( A' `5 x7 I* E) ]
there are some memory breakpoints set (dr0 to dr3) simply by reading their
" A7 u3 |9 M6 g3 e: Svalue (in ring0 only). Values can be manipulated and or changed as well
4 x6 ?$ z% ^7 z' l" ?(clearing BPMs for instance)
8 s* q& Q9 e+ ~' M/ ?% j( w
$ w6 f4 C- u. u7 \6 T2 t2 S0 S__________________________________________________________________________$ A( ]$ e" W! y

, l6 @! Z* }7 h7 GMethod 11# [+ E, [; a' ~6 y1 l
=========; W9 @9 x& H2 C$ G
! t) ]/ d5 J1 h8 A2 a
This method is most known as 'MeltICE' because it has been freely distributed+ m8 e) G' k& Z. j( R' w
via www.winfiles.com. However it was first used by NuMega people to allow
% Y: y3 @; r9 x2 mSymbol Loader to check if SoftICE was active or not (the code is located
; a6 B+ ?6 N8 P) Finside nmtrans.dll).* H# B3 T3 ~, \; e' P
, m7 \+ l5 T3 l/ }' N* M
The way it works is very simple:: j9 g$ b: a. ]
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. I: i  \1 u0 C, ?: R
WinNT) with the CreateFileA API.# @/ o1 D& G* S* Q0 D
. V) g3 [# S1 Z
Here is a sample (checking for 'SICE'):. S  |( g. X4 C# v- R3 e4 _

, s: L( d: ^4 L. f5 E; KBOOL IsSoftIce95Loaded()
/ Y1 T2 ~- Q; z$ L- H- t4 u{
& [! f; G* k( |+ q/ G' |   HANDLE hFile;  ; [0 v$ U+ r" G) a# V4 b% L
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,+ G# ]' t6 g! ?
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
" M7 r* ~' t% p. x% {  G2 _                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
; o: S$ d2 n# g   if( hFile != INVALID_HANDLE_VALUE )$ ?; O, H) T, Y2 {5 X- B
   {" B7 ~, x) R" a& X, K8 w0 M/ A
      CloseHandle(hFile);. @* l2 {6 [: [
      return TRUE;
8 V0 {* R' T9 B6 Q   }' u! [) h" O% [# r
   return FALSE;
( S$ T, p& W8 b( T# K}
4 L4 }) \% }" [0 R: \7 X- H# i; {- m  I
Although this trick calls the CreateFileA function, don't even expect to be
; k7 v' y0 D  h% m  `# a# h8 Sable to intercept it by installing a IFS hook: it will not work, no way!! V. L% @! w0 {
In fact, after the call to CreateFileA it will get through VWIN32 0x001F! o% B% W2 E: u' M) ]. B) t3 _$ {
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* W5 S# ~: |0 z/ N9 i2 a3 X
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
' x+ X3 P$ {  W& x! Q% ?( a; `field.
9 w$ c! a6 b- ]6 ]In fact, its purpose is not to load/unload VxDs but only to send a 0 R' k4 @! A; r! [- @
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- N# ^- K2 Z) d; r' C# b5 w
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ a( \& }$ W9 ato load/unload a non-dynamically loadable driver such as SoftICE ;-).5 g9 W. |6 n2 T; O% m+ m& ~, p( R
If the VxD is loaded, it will always clear eax and the Carry flag to allow
: c6 X( i% Z' Dits handle to be opened and then, will be detected.9 }$ j$ D0 ?; }& k
You can check that simply by hooking Winice.exe control proc entry point3 j% i3 b* }8 x) L; I( N& L
while running MeltICE., E3 o4 b, E) m7 _4 ?' ?
3 R& s4 Z! d3 S& ?* e  A* \  c

4 i4 ]1 g  E6 d/ Z+ m  00401067:  push      00402025    ; \\.\SICE" O7 |* Z7 V- J
  0040106C:  call      CreateFileA
9 v8 v/ e3 y- G% @6 p) K  00401071:  cmp       eax,-0016 I; I! z( Z. W2 u" h2 H
  00401074:  je        00401091) {: |( u" u  o( J) V, ?- k
: S- X1 P% L- m/ a) ]3 G5 p
. X! z) G# p4 M& Q8 |
There could be hundreds of BPX you could use to detect this trick.
9 C# a5 D  M/ T& `-The most classical one is:
- W5 R/ P2 x7 R. E1 K! R" u! g  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||/ [6 ?' p! z+ c  X9 F, S8 z# H
    *(esp-&gt;4+4)=='NTIC'
/ J3 q# \; r, d2 b" m- P* B0 |9 P0 k  n/ u
-The most exotic ones (could be very slooooow :-(" x. n' a, [& s2 o
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  - k! v6 D1 b0 z" q- H, f) J! f
     ;will break 3 times :-(- \3 `) i6 M9 o! w
% v8 ?5 s7 J6 M0 v: l' P
-or (a bit) faster:
, W$ ?$ |+ V1 {  M   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')6 C& z$ k; n# a/ Z

( t9 T3 d- w% j& s, c+ v3 V   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  $ y/ |! B% w& ?9 W; K; d
     ;will break 3 times :-(
. S9 i4 ~% M6 o* ^$ z
, B. v/ K7 {  @; ^-Much faster:3 s& z6 g. |& ^
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'% y5 a2 p0 Q: m. {7 h% S

+ i: G& V% ]& q: \! C% RNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
- D0 ^% E  ^- Qfunction to do the same job:; {- `3 l+ M5 H" K0 c" f
1 g5 ~, n& n) T: g& l, D
   push    00                        ; OF_READ$ J" M  e  {" n* u
   mov     eax,[00656634]            ; '\\.\SICE',0
5 c, e) d% q8 s2 b   push    eax" q$ |: z/ d; i: Q0 ^
   call    KERNEL32!_lopen* I' n* [: j+ V" x* {7 H& Q/ V5 S
   inc     eax4 C1 s) O) J# A5 j6 g0 \
   jnz     00650589                  ; detected
( q  F. f! i: R   push    00                        ; OF_READ' P- k5 O0 v- `! P6 \
   mov     eax,[00656638]            ; '\\.\SICE'
( N% J* v! C7 N% w7 O   push    eax+ s* P6 z7 w7 Z, q
   call    KERNEL32!_lopen
0 N+ d/ {9 N# e* A1 E' v2 e8 W   inc     eax
1 L% G/ T' Q( C# n* U9 H   jz      006505ae                  ; not detected- l9 P- v7 u& o3 H
1 K+ E* T8 _. w0 E" P" p

& F. Y. S' |5 n7 B( |__________________________________________________________________________, E+ @# u$ L9 j2 [  E
; Z+ [- i+ W, c6 A+ I, d# r. i5 W3 V
Method 12
6 r. f' T# n+ B& Q6 v8 m=========
, O8 m) J$ _9 G2 ~8 [1 f' J4 W: t$ ]% j  L9 P; c( b3 ]
This trick is similar to int41h/4fh Debugger installation check (code 05* K4 ^5 Y* }; [  Z% A
&amp; 06) but very limited because it's only available for Win95/98 (not NT): ]9 O  ]3 h0 V4 v7 n. G3 B: ?6 g
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
- Q; s' ]3 x( k$ ~- e8 e! |7 x8 Y7 H% R- q2 C% t" [9 [. g  _
   push  0000004fh         ; function 4fh2 Y( o2 p( K6 D& h6 g0 n; ]# G0 f0 e
   push  002a002ah         ; high word specifies which VxD (VWIN32)' O2 v7 k* k! d- y4 Z- F
                           ; low word specifies which service: U6 I# n) f! I) |& U
                             (VWIN32_Int41Dispatch)
1 ?2 r+ d5 O% W   call  Kernel32!ORD_001  ; VxdCall8 T6 E* {2 A/ \5 J$ a9 L/ Z. _9 i" v
   cmp   ax, 0f386h        ; magic number returned by system debuggers4 \9 J  o2 q# ?
   jz    SoftICE_detected" d. w' r* V/ Z1 \
& ^3 ]: {2 t6 ]" C
Here again, several ways to detect it:8 H. ]8 N8 H# R! C

" ]6 e. f; u6 H+ ?    BPINT 41 if ax==4f
, H, o; h0 _1 z: u! j: i. l8 X
# v3 c+ {7 q2 S. a    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
8 l6 _. u# o+ u( Z% H/ i
+ m: g. ?* M- `2 V* x    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A  K& x8 A, R0 Q) f6 _! m5 Q# o
8 h" h9 Y+ [0 u3 J
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
  c* N( o/ Y  ?, s6 R9 C
4 x8 j' ~& h  N- b/ u6 t__________________________________________________________________________
2 B; j. U$ \, n1 t, l8 k' f
3 Y# S3 ^. o" t, T; bMethod 13
1 u- X) W: ^4 q6 y=========
% C+ L! `$ i1 C/ M, i8 L5 ]
1 h& R1 P1 }+ n- s6 _0 \5 Y9 RNot a real method of detection, but a good way to know if SoftICE is  ~* v" M8 f2 _  ?
installed on a computer and to locate its installation directory.+ l, U) m0 I0 d- G  X
It is used by few softs which access the following registry keys (usually #2) :1 ]1 Y5 j# @7 E+ r: n

; K5 U3 j" z; {2 }$ a3 C& h1 ~-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! U. \( ^4 u5 ]' ?+ y1 R, ]* k+ l$ d\Uninstall\SoftICE
5 y7 ]- D- ?( m. n% g-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE9 w5 @! G8 ?5 c  ?' N
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, y- b+ d3 M! g2 {; {\App Paths\Loader32.Exe, \+ |3 z+ [: e$ [, G8 G8 Z

- y3 v2 f6 [  N. b0 q. s( S6 m* ~. l& k" b; L" A6 ~  A  l
Note that some nasty apps could then erase all files from SoftICE directory* ], d  t/ n" q+ m- G" Q  @- q
(I faced that once :-(
5 y' V. a0 Z# j; o$ w; s+ U8 J8 [$ O- ~( a! ?5 Q1 T6 s
Useful breakpoint to detect it:& o1 N) w: j$ N
7 V6 u5 j; F# ~$ i* F! c3 J  t' c
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
- l- h( |# c( K3 Y% _2 e! ]- s0 N) B8 L4 H$ J/ C
__________________________________________________________________________# {5 C5 d- r  X& }7 l$ Z+ d
0 `) J: }) `- x* `
' B& t2 u1 h% a0 J) y7 }* v
Method 14 * u3 U6 [7 Z- E! K
=========. A' N! M9 s# \0 |. e2 N

1 v0 l! Q" w3 E8 W+ v2 L( ?. oA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose0 Y) ]7 O5 e( |" b3 @/ h' _2 _
is to determines whether a debugger is running on your system (ring0 only).5 A# p4 D% e; R  {0 J9 a/ U7 z
7 a, f1 U9 J3 ~$ a: V* Z
   VMMCall Test_Debug_Installed5 ?8 w4 [+ |8 Q) W) J: B& K  c
   je      not_installed3 U/ A# F- Y2 m+ O
4 L& O6 q! u$ o( K
This service just checks a flag.
& h4 G2 I" h6 a; g</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-7 12:26

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表