找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>$ \+ Q* h2 G7 Z' J" [4 R9 o
<TBODY>7 ^; G7 @' g% u9 @" ]
<TR>4 C. b1 C: L0 R- z; |2 _# z. C
<TD><PRE>Method 01
4 C; |8 L2 {" u. g& A=========- L  u# ]& |. Z
6 H3 p/ ]! @, `+ y$ ^6 G
This method of detection of SoftICE (as well as the following one) is4 m& w& g8 x5 B  a- b; _" A( z' {+ O9 V
used by the majority of packers/encryptors found on Internet.
" U# M) M# q5 O8 R9 O2 d0 S/ qIt seeks the signature of BoundsChecker in SoftICE9 L7 {, u0 c% C- k" M; s+ Z! p
* m0 z4 C. ^7 X1 a
    mov     ebp, 04243484Bh        ; 'BCHK'2 u# S% ^# T2 a* R( X* g6 W8 m
    mov     ax, 04h& M* m9 ~2 [9 u
    int     3      
, E+ o+ C" P0 D: z  ]    cmp     al,4" k2 G% |' h% P, ]' G& U
    jnz     SoftICE_Detected4 B+ `4 y; a( [  @+ P
" ^! w0 D5 x) Q8 q
___________________________________________________________________________
9 K$ t5 P4 M' c% |
! W7 n& v0 b6 Z. c. @! @2 E0 a& sMethod 02
: x$ T0 S% _7 F0 A/ @=========4 ]$ p2 s, _  f+ D

) K8 T# w, z6 B4 ~9 YStill a method very much used (perhaps the most frequent one).  It is used
8 \, t- T6 y. o# \% ~to get SoftICE 'Back Door commands' which gives infos on Breakpoints,' M7 y. C$ T" g) m* U
or execute SoftICE commands...1 B3 D" U& R0 ^
It is also used to crash SoftICE and to force it to execute any commands+ O8 Q2 ~$ M  E9 p
(HBOOT...) :-((  * V  ^% p6 J0 S

1 d' G9 |' n1 C/ iHere is a quick description:
: |: M) K# O: L' [$ ~( H3 {-AX = 0910h   (Display string in SIce windows)/ L( D: \* a9 F; W+ t
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)% l7 K5 N' E% }
-AX = 0912h   (Get breakpoint infos)$ C9 B' \! M, q! v* ]
-AX = 0913h   (Set Sice breakpoints)% X8 ~0 d8 z6 t6 y
-AX = 0914h   (Remove SIce breakoints)- O& l( r' P$ n7 f4 f
6 x# ?$ I, w' O% [; N9 {2 j- r
Each time you'll meet this trick, you'll see:
3 M0 q$ n; P: q& h-SI = 4647h3 m9 h7 l3 V7 B" Z# s9 S, t
-DI = 4A4Dh* V/ @, V1 k  a8 {, u9 q( O
Which are the 'magic values' used by SoftIce.' e$ r* T4 t5 d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.9 v, f! G3 ^8 I$ }
9 I2 i( u3 z; D! A9 D4 b
Here is one example from the file "Haspinst.exe" which is the dongle HASP3 Y$ [: O1 }4 Z( c& [3 d
Envelope utility use to protect DOS applications:
# t9 G( U: v% Y: S) z6 ]
9 q9 e4 ]9 @! {& c4 H  _# F5 y  P8 ?/ |5 [
4C19:0095   MOV    AX,0911  ; execute command.9 L9 T* q, j- ^( i) j  n3 n
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
5 o; g+ b- Q; ~+ \+ Q4C19:009A   MOV    SI,4647  ; 1st magic value.
5 q8 h- x! F9 U4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
& V/ W. R& U/ }, v, R& n! t4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*), ]6 W' I0 f) t6 }
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
: T) r1 i5 |0 ~- B! ?8 L; c( F4 X4C19:00A4   INC    CX
' X- p. M+ W; [% H; V9 n4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
" m1 O, l* }" R8 ]4C19:00A8   JB     0095     ; 6 different commands.
# c4 Y7 B( ^  h. T, B4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
, P6 k+ e% x' s1 S& ]0 E4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
! d% O1 U5 R0 G3 N" J$ S+ Y  c8 x1 U" W
The program will execute 6 different SIce commands located at ds:dx, which
9 M( C- q9 F, P. b! |2 Vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.0 c, H; ?! U1 _* Z% k

4 f' P3 J5 v# ^* F4 I* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
; b. L6 f. U, x* r7 B8 x7 @___________________________________________________________________________. }, z9 Z; @7 t3 \; e

3 ~/ P$ C7 R% Z7 C( A1 H* {( A; B& S" I
Method 039 a3 K2 z8 A9 }" i' @  j2 O; f
=========
7 `* {, h; h- `8 r4 S9 c- w
+ F* Q3 Z0 j* {- M0 m9 B( xLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h9 d$ w' p4 @4 o+ G. M8 A1 S7 t+ l
(API Get entry point)8 U  l: ?' m! I. r. Z/ z9 Q/ [
        
8 \" e+ ]" U+ v7 F& R/ h( ~5 U; L3 _4 ^. N" w( e- N4 O7 d
    xor     di,di
* a# P# \. Z4 {7 R  T, L    mov     es,di
3 y' |8 y9 s$ Z    mov     ax, 1684h      
- e1 a) v, V) T  g$ Y7 w    mov     bx, 0202h       ; VxD ID of winice- ^& \( Z# L& |7 K1 z/ g) a" L
    int     2Fh
+ A- G! s$ U  ^    mov     ax, es          ; ES:DI -&gt; VxD API entry point/ M: N$ V" \) I5 f4 s5 m$ m: y
    add     ax, di! h! s) O! i. n9 D6 r
    test    ax,ax
3 p: S; g+ `& ^* T+ F: U6 T    jnz     SoftICE_Detected
$ D  f8 j% F% v* ^8 ~, f
. Z: z, z3 V1 r. A9 m1 |1 B: z___________________________________________________________________________5 L! h8 L# X) s% O2 a
) W1 U/ X' t# t$ R0 @
Method 04! U$ J+ p  a8 _) D7 {6 n
=========
0 y' r" u( S5 n  S0 N: S  e
# h: c: w9 T8 I  W/ h" Z, ]1 JMethod identical to the preceding one except that it seeks the ID of SoftICE+ ?$ ]8 c  G8 F, e6 k
GFX VxD.
) |: `$ ]* _8 t; j4 d/ B5 M0 j( a, Z7 Z+ h( u2 Y" i  V8 |
    xor     di,di8 c. c/ b: S* F7 t7 B3 x5 w
    mov     es,di- k1 @2 C1 c5 N7 k  U- [* {
    mov     ax, 1684h      
4 u! f2 m, D9 z$ s" y- b    mov     bx, 7a5Fh       ; VxD ID of SIWVID7 y! V/ w8 r3 r
    int     2fh
: n/ R! p/ O1 H3 t1 r    mov     ax, es          ; ES:DI -&gt; VxD API entry point
7 }' m, Y" s- B8 U, l    add     ax, di6 x! i1 ]* G3 r' V; V1 e
    test    ax,ax" X9 n: x; l: M
    jnz     SoftICE_Detected
: W* @; S3 G2 l2 j5 H0 o
0 ~2 y" F0 T! e1 X; \9 F__________________________________________________________________________0 ?$ }2 s) O2 Q& b
# M" F) O4 q7 @3 \) K) ^2 E* u! e

5 G  W2 B, m1 N- [+ R* e3 F$ SMethod 05
- ?; Y# j9 S& ]) {2 H=========0 C* j( T  c2 L, ~  L3 e" V

4 _- h- P* E, b6 r% D" }' C- e. OMethod seeking the 'magic number' 0F386h returned (in ax) by all system+ ?6 |9 ]/ O* Q& [: g/ {
debugger. It calls the int 41h, function 4Fh.
4 Z% d* t# k* q5 O. i: `There are several alternatives.  / |& O$ L, s1 Q: B$ Y: Z

) d/ e- P) Z# wThe following one is the simplest:
+ i6 H: {( c3 g9 p' ?2 \5 J4 W1 y" T- c
    mov     ax,4fh
6 ]# O% K3 ]7 |    int     41h
0 P/ m) j' Q! |  z% z0 m    cmp     ax, 0F386" F$ ]7 f: T$ V9 t
    jz      SoftICE_detected
; u, l  T& o  m+ v- _) C
4 {5 G2 ~, u* m
  P2 K1 a1 o8 M% g1 E( ]6 n, Q5 T  wNext method as well as the following one are 2 examples from Stone's
  Z; w# S: u7 R  ], V$ s( A2 y"stn-wid.zip" (www.cracking.net):
. ^7 Z: X, S2 l
" G  q5 C+ w' x& `7 d    mov     bx, cs6 o5 ?9 Q3 T! h/ ^3 I( L
    lea     dx, int41handler2
: J/ U3 v8 ]  s/ e; w3 M1 s1 d    xchg    dx, es:[41h*4]6 {9 b* c6 k1 v
    xchg    bx, es:[41h*4+2]* R9 H$ G; J" |
    mov     ax,4fh
6 ?1 B6 a4 S7 n1 H) d. c. n    int     41h
9 U0 E: k: E, z, Y. N3 d    xchg    dx, es:[41h*4]' @# A- C0 D9 a; p8 A+ s& V6 c0 Y8 \- d
    xchg    bx, es:[41h*4+2]7 }$ Y% ^# P( F+ S' E
    cmp     ax, 0f386h
5 o. U# j+ D5 w    jz      SoftICE_detected6 u" D' ~7 |/ u/ a3 h9 J

6 c8 X) B; A8 k2 ^0 Y2 `int41handler2 PROC
6 d- u9 ~- y1 r9 m. i    iret1 E1 Z, ]9 N  I! c, U% C8 Y
int41handler2 ENDP+ z  B! f5 Z- A+ b6 o% R
4 g/ z  @5 _, f& k' a& j8 f0 _
# M1 \  {% l* U& G
_________________________________________________________________________
$ o- a* i. E5 g  _" ]. [. d- f( {% Z4 V1 ^* g+ Z3 G) i
$ m6 E& B4 x5 ^% i0 H- K
Method 06
3 b1 B3 Q% p6 N) Y8 x/ l% j=========6 V0 c6 {- Z% _2 h4 G( f
3 H5 ~0 g6 T* z' Y

4 Z$ _/ V) z" _% j) Z! w2nd method similar to the preceding one but more difficult to detect:
5 y1 b! f9 F) w1 ~* k3 K6 C  r/ t/ ?7 E, N' [/ T2 Y

  H0 G1 m5 L( ^  {1 m6 Rint41handler PROC
. |# d+ ]- ?) S1 a; ]( N# [1 I    mov     cl,al! U7 f, `& b( @9 Y# x
    iret
) J6 I% M- m7 _- B) I  X3 x: F! aint41handler ENDP
: Z  o& ?& Z9 X1 X/ P" s$ @
1 P" Z# [- B, _/ l. y9 H' K0 ^4 d: V: A8 |1 c
    xor     ax,ax
* M: @; s) B" L1 ~- m  {; c1 v    mov     es,ax/ J3 N) S+ t8 s- Y  ]" a
    mov     bx, cs9 |  H7 t& n9 u. h! r  x
    lea     dx, int41handler0 F6 Q  V) i7 n0 P' b2 H" A* D' i
    xchg    dx, es:[41h*4], Y) r2 }. L4 V
    xchg    bx, es:[41h*4+2]7 `. h7 Y. Z9 {9 J. e  J
    in      al, 40h& Y' A+ n0 a# H, y% g* [" t
    xor     cx,cx6 K, I1 L$ k8 F! U
    int     41h
* R% u5 r1 F0 R! @: M* K6 u; v    xchg    dx, es:[41h*4]
7 W1 J5 y' }# S* `    xchg    bx, es:[41h*4+2]$ ^/ X) C5 I  M8 b8 K7 e
    cmp     cl,al
* ?4 r( Y: h9 G7 j3 |8 [    jnz     SoftICE_detected
5 ^' s, _" \- Z0 {. R  ]* f! i, j1 x- A1 x
_________________________________________________________________________
( e! B6 E3 _* E' E7 ?0 h# p0 {. ^; p
Method 07" M" A: N& A3 @! K
=========3 m; i3 a8 y( i; u! _* R
1 U1 t% H: c: }
Method of detection of the WinICE handler in the int68h (V86)
2 j& V0 m& |4 T9 O# K7 R* r% B- _( D" F" ^, `3 B$ w5 U. T
    mov     ah,43h% L; ]% B& J& w' }4 Q
    int     68h/ A# w. c: |% E: B0 G
    cmp     ax,0F386h4 i; l# U6 u: Y/ ]# h9 \
    jz      SoftICE_Detected
( E- g% O4 M2 [5 S) a- z, A* \# j
# E/ _2 T% I* d! V+ T- @0 h5 N# e3 O
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit( j' I1 i! Z: y' K9 h+ e6 O" t
   app like this:
  g8 P9 l& r/ V
( T- X+ c, G+ s& E9 r   BPX exec_int if ax==68
5 T4 Y9 X3 F1 J  K  G/ @   (function called is located at byte ptr [ebp+1Dh] and client eip is
. D0 q) s! T& J4 m" j! v   located at [ebp+48h] for 32Bit apps)! c) k% i1 \1 v  g; D
__________________________________________________________________________
9 K" b$ u2 \. ?# o( q+ \* o1 \5 p% o$ @( r2 U
- W% B8 V5 X3 U3 j' h" U
Method 08: V: U6 M# _' N
=========
% T  H+ E: {$ j& f1 \8 M8 }) |. X$ p
It is not a method of detection of SoftICE but a possibility to crash the
8 d" b7 J9 J1 f& r$ f8 d. S9 Csystem by intercepting int 01h and int 03h and redirecting them to another# K& K" ]/ d- \% X! I  K
routine.
; h! a3 G  ?; ~) WIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
: y3 J. M7 j# R* c9 xto the new routine to execute (hangs computer...)) a7 o- P: _0 {% ~) |
' {9 b7 X% f9 d  M0 N' p, o
    mov     ah, 25h6 U* M- A% M- ?  Y1 r1 x
    mov     al, Int_Number (01h or 03h)
( ^8 n/ r3 K1 _, ^8 t& i, j    mov     dx, offset New_Int_Routine' I1 r5 U, d- F, N" {: @  u
    int     21h
" `$ l" U2 X, J& z( f& Y! g- @5 E3 z6 ^7 ^- g0 f
__________________________________________________________________________$ @1 q9 g6 P6 S* Z
4 V7 ?5 t# r8 f, N$ z" z9 T) c
Method 09
6 g7 Q& U  r8 W) X6 ?8 B# [( x=========
7 \8 {: S7 `7 T, l6 i5 q+ P7 V) y1 m4 c1 g- `
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only7 e. `# t+ P* y9 S3 y
performed in ring0 (VxD or a ring3 app using the VxdCall).$ Q& f2 A9 a. w  t
The Get_DDB service is used to determine whether or not a VxD is installed. ?; J( M3 U, k5 ~' b: u7 I
for the specified device and returns a Device Description Block (in ecx) for
! D/ N: f/ l* ]4 P% m- Kthat device if it is installed.
1 c) t8 n3 [4 \" R1 X
' x/ c3 |) W4 Z- a- F, T( T   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID0 u6 l9 }. L& O
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ x6 Q) `% \. @5 @  R   VMMCall Get_DDB
: e. o: Q3 G' {   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed2 j6 ~2 U: w3 ~

3 m  a: N3 [- q* c' X7 k! L* f5 rNote as well that you can easily detect this method with SoftICE:
2 _9 r" X7 p! i% Q/ W   bpx Get_DDB if ax==0202 || ax==7a5fh
% |; P: |$ V" v. C  Q$ V  f* d+ j' \* h7 g) \
__________________________________________________________________________
7 |/ L" d, u$ o! `
+ H! s! g8 ~9 Y% o$ s/ HMethod 10
! A8 ]8 L; P: b- O/ j% I; y=========
! v6 C% ?6 Z5 {* B& z2 V9 Y" P9 c9 a, ]8 V$ h% ]# n  h4 @5 s2 r
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
. o+ D, }  ~6 G. `3 \  SoftICE while the option is enable!!. a( F* J- k, E

* q5 k3 Q2 k3 ]7 I  \6 d( c2 @This trick is very efficient:
! O7 J+ q1 G2 @  kby checking the Debug Registers, you can detect if SoftICE is loaded& ^& o( W) o( A5 C8 J
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
( Y( O* ~! T! r; othere are some memory breakpoints set (dr0 to dr3) simply by reading their3 H2 b5 f) {$ x
value (in ring0 only). Values can be manipulated and or changed as well
" V+ l2 N. U9 a2 K: f7 t2 N9 x' `/ d(clearing BPMs for instance)
; W. s$ B: I% b$ r# r; b% a
4 g( Y* m  z' A$ r: m  }# n; J4 B__________________________________________________________________________
/ ?4 t8 z$ t" @7 g; W7 a. H3 q, Y& G& M  s& u
Method 11
4 a  m4 ?  O* O9 X: j! H=========
  B) W( a4 k" R% p* \7 k6 e5 W, O( E+ C' v* {
This method is most known as 'MeltICE' because it has been freely distributed+ ~* S5 I& k0 O& L8 w
via www.winfiles.com. However it was first used by NuMega people to allow
4 j8 A' n/ \0 P( D& XSymbol Loader to check if SoftICE was active or not (the code is located0 t& w1 j. M8 R
inside nmtrans.dll).0 K" r0 F0 w" v
& X( _* U: [2 O. N- {/ J: ~
The way it works is very simple:
" L) i; J9 K( A+ u, SIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for1 x' Q% x3 ~. E# I% c' H
WinNT) with the CreateFileA API.
" r5 l; _2 v. G3 |9 N2 }: o& z: Y( V. s* p
Here is a sample (checking for 'SICE'):  @) l3 Y7 y6 B' X

2 X! b+ I9 J6 ~, yBOOL IsSoftIce95Loaded()
; h- X+ b% u& b& Z2 x! f{1 D  o  y0 ?+ k
   HANDLE hFile;  ; O4 \/ @  g5 T; o! J$ s) p3 b' }
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
. h# C( G3 {. L                      FILE_SHARE_READ | FILE_SHARE_WRITE,
  g) [7 |4 I2 L% n1 r$ v0 q- u                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; o0 `* q  B- P$ a2 k8 _( ^
   if( hFile != INVALID_HANDLE_VALUE ), g8 N3 _1 m2 z* P9 r
   {
- z$ V7 P' H- h- l8 ~  b# U      CloseHandle(hFile);
: C3 ]; B; D2 V      return TRUE;
/ z) y  \5 X2 A/ y" T   }' ~9 O9 v: n5 n
   return FALSE;) F) c# ^% i, L2 u6 E3 {3 H
}
0 M4 t9 M" |2 v
$ n" D+ t+ h1 O; P6 C. U0 uAlthough this trick calls the CreateFileA function, don't even expect to be! [! I6 y8 ^6 |  Q: ]1 H! t
able to intercept it by installing a IFS hook: it will not work, no way!4 O' B( J+ d  V1 `) K
In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ Y$ |4 O1 Q  L, e  m) u4 o  s
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 ]' {: }( `* b* f
and then browse the DDB list until it find the VxD and its DDB_Control_Proc% ^6 v( H( _4 G# O3 Q
field.* ]* G$ q1 p4 Q5 R. f
In fact, its purpose is not to load/unload VxDs but only to send a * _% e0 S( [' l, B, ]
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE): P- s+ @3 w$ ^$ o
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
, y8 B0 X. ]5 [& \) u! |/ r5 M8 i5 ]  wto load/unload a non-dynamically loadable driver such as SoftICE ;-).
- R% x- s; D, y5 F: XIf the VxD is loaded, it will always clear eax and the Carry flag to allow
' s. |0 X8 t: \  B/ Fits handle to be opened and then, will be detected.
& K4 N4 q" L' J1 @You can check that simply by hooking Winice.exe control proc entry point
/ s/ D" o; t( H7 awhile running MeltICE.% G) r% Y, n/ Y( D2 X4 J

: B1 t1 ]% a& I' p( E, v$ Z; t! d. m9 U& i  q' k0 u2 A( }
  00401067:  push      00402025    ; \\.\SICE) D& k- {7 P: o; R/ T% a
  0040106C:  call      CreateFileA
. H! z: K& j. E; A1 Q! [3 g2 b9 |  00401071:  cmp       eax,-001  S9 |# @5 D$ c- S5 j4 D$ {
  00401074:  je        00401091
# i7 N1 Y/ U/ G" N
4 Y1 w6 N9 g" h. k- G( _% |. a
! i/ Z' c9 t- K' l# O9 @There could be hundreds of BPX you could use to detect this trick.4 m: O- Z5 `/ Y- n9 R
-The most classical one is:
. b# W# Y' Q/ W; k. N1 u  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||6 e) ^8 R& w# w; m
    *(esp-&gt;4+4)=='NTIC'; f( ?# j: ^# @0 g

7 k4 b$ i' Y/ h-The most exotic ones (could be very slooooow :-(7 v! H, D& o8 O% b! Z4 t
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  - M4 m3 q& l0 p% H. Q# R
     ;will break 3 times :-(, U) x1 L, T( l! K2 {
9 ]) d  V* q, H8 K5 R
-or (a bit) faster:
5 R0 Q/ }/ I' D0 S   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')/ E& j7 Y- s( ^5 }+ H

) e, D- s" f2 W: B4 \   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'    n* y4 n" o) E: ?: i. ?& t  Y
     ;will break 3 times :-(
* k( H; d1 ^# i  h# S/ r6 {  j# i- b7 I7 S+ h/ Z
-Much faster:
. k* \1 A$ I7 b   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'+ c+ F3 W/ n* f* B3 U5 q
. P- M  t* ]4 ?0 b( l- _$ U* ?. H
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
; r6 `. w9 _" |: M. E( Rfunction to do the same job:
/ q4 V5 t5 W+ o) v0 S/ w
- Y. w) Q; v5 P; m$ Q   push    00                        ; OF_READ7 t/ S8 B; S1 S/ Y
   mov     eax,[00656634]            ; '\\.\SICE',0
, `4 q0 T$ P6 O8 A   push    eax; Z  Q4 p1 M* Y3 D6 G
   call    KERNEL32!_lopen& n. r' w3 m1 h+ f/ u
   inc     eax+ }4 c* p4 Q+ r0 R, z
   jnz     00650589                  ; detected
6 O. Q$ @2 H/ b, ^* G# j9 w1 B   push    00                        ; OF_READ
. c3 ^2 d+ o- M# d0 K- F8 e0 r   mov     eax,[00656638]            ; '\\.\SICE'* h4 n0 [9 s0 v: i
   push    eax# l$ g4 d& W1 f. _
   call    KERNEL32!_lopen
* u" p, r) v' m& u' h   inc     eax
: l* c! Y6 H' P1 i   jz      006505ae                  ; not detected
  M% ]  A( B$ M/ Y
2 O- |5 ]* |4 y: C7 c0 s- {
; \- g8 E% R- Q__________________________________________________________________________
9 Y! C6 Q0 R% W' n0 Y6 g2 k1 t- M6 H2 l$ Q, O; i
Method 12
* L& f: w8 I: M6 w, t  ^, O# o# A=========) {8 I4 n% l' E. `( U) B

5 S5 ~2 \' `: z5 p+ o2 C  {% CThis trick is similar to int41h/4fh Debugger installation check (code 05" q8 B1 j7 q# E1 w* C2 Z
&amp; 06) but very limited because it's only available for Win95/98 (not NT)" G1 L3 R6 `  \4 u
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.0 I* J9 K& X8 q- E$ H5 {
6 k8 }/ p0 a- I3 ]
   push  0000004fh         ; function 4fh
; Q" W  p, V# X$ B4 v1 b4 `0 S% p   push  002a002ah         ; high word specifies which VxD (VWIN32)3 f, m0 A  p# d+ S
                           ; low word specifies which service
% X1 C" K, s" n" q! I                             (VWIN32_Int41Dispatch)
8 I! O5 V5 p' T  R. S   call  Kernel32!ORD_001  ; VxdCall
$ y5 E; }8 T4 W" H* h# ~. H   cmp   ax, 0f386h        ; magic number returned by system debuggers
* S! R/ o0 j. E2 o   jz    SoftICE_detected
& {0 N6 ^3 N# x6 i$ _
( j! U4 L7 l& m* ?1 c3 v' r  cHere again, several ways to detect it:
1 B4 n- G  ?* ^" ]0 Q( q7 G1 ?% r+ }- X6 s- F( N6 ]
    BPINT 41 if ax==4f
3 a+ l4 p/ Z4 I! C& X/ Y
( R. j5 J* _! W9 Q7 @& s7 }    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
/ y8 e. h/ C6 r9 M* L/ @  W  q2 G
# m$ X& U9 Y3 z! N  c! O! ?    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
8 G) W( }0 m6 t) G- B- Y/ S+ |0 [9 y* z$ P
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
. i. i1 I9 g. M  Q. z+ m! m! {+ n" }" K$ q9 I. O$ H- v
__________________________________________________________________________% o9 Y9 L3 G& z" e. W/ o4 w* U
" R" n- T" k5 `4 U2 T5 i% _5 d) }- H
Method 13
/ D; v8 l) |0 k5 b=========. ^  C+ e4 B0 z0 P6 {2 X* g

2 K( Q- p& B8 t+ ]4 e: I4 v. UNot a real method of detection, but a good way to know if SoftICE is: [6 T' _) b/ ~' B  o  }
installed on a computer and to locate its installation directory.
0 }9 K. g; ]; U/ g/ c0 fIt is used by few softs which access the following registry keys (usually #2) :" L! C/ M+ G6 f7 g3 y. p
- b) s* m. I6 a
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 X4 H" P! O/ y/ }# f8 I* g
\Uninstall\SoftICE1 w8 C$ d  W( i6 h" t
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
( f7 M5 x: `! P2 x+ C-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
1 R$ T6 [; i' ^2 B+ f6 x4 C\App Paths\Loader32.Exe
6 W, _) H( r8 V0 ?+ N
6 q, y& X- P* F3 w1 f% f  A3 M8 i  p/ c2 z; d/ @' Q
Note that some nasty apps could then erase all files from SoftICE directory
: P: I0 A" F. ?(I faced that once :-(
+ _7 I( C. N/ G5 g) g) L8 J7 A4 n) a5 N! i; V0 L
Useful breakpoint to detect it:( c( Z; k' R( }/ v' Q8 p) c
/ T3 s. X' K# K, `# A# m" n
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
+ U( @* n6 U% D6 U3 u( L. A+ i
1 j5 w! I; }4 Q( t# A6 J__________________________________________________________________________# d" I& A8 q) E; x
3 l! F$ Q  {1 o; n

& R- V/ N0 d' H+ X" |& iMethod 14 + S+ l( f# V% D" c
=========4 W/ a6 @; A% i" f- J/ n2 V# }8 S

. t* H4 P/ T0 R7 S2 {& W+ [9 LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose: R% ?" |- s1 L7 Y: W
is to determines whether a debugger is running on your system (ring0 only).
4 ^( n# k# B7 A6 G2 L/ i, ~3 O
. t* ^! O8 r) H  q   VMMCall Test_Debug_Installed
0 |* ~# r( W7 T  F* G8 E   je      not_installed
& `  t9 u0 ]+ k
( ^. q3 o0 H+ Y: J- x# U! w" hThis service just checks a flag.
* r! r% k, n% o6 c: r3 \) }3 ?7 w</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 07:38

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表