About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; our handler leaves ax alone; SoftICE returns the magic
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; copy the value read from the timer port
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the PIT counter: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al means our handler never ran: SoftICE took the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                   ; DOS: set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
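An added example (not part of the original text, and not from any of the tools it names): a Python static scanner that flags the byte patterns behind Methods 01, 02, 03/04, 05, 07, 11 and 12 in a raw code blob, the kind of triage an analyst runs on a sample before loading it in a debugger. The opcode encodings are derived by hand from the listings above using the standard x86 instruction encoding, and the sample buffer is constructed (the Haspinst.exe loop re-encoded from the listing, not bytes taken from the real file).

```python
import re

# Byte signatures for the tricks above. Encodings are hand-derived from the
# listings (16-bit code unless noted); ".{0,8}" tolerates a few unrelated
# bytes between the parts of one check.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (32-bit encoding)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC", re.S)),
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3  (SoftICE back door)
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC", re.S)),
    # Methods 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.S)),
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}\xCD\x41.{0,8}\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h (V86)",
     re.compile(rb"\xB4\x43.{0,8}\xCD\x68", re.S)),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)  (32-bit)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

def scan(data):
    """Return (offset, label) pairs, sorted by offset, for every hit in data."""
    hits = []
    for label, pat in SIGNATURES:
        for m in pat.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)

# Constructed sample: the Haspinst.exe loop from Method 02 re-encoded by hand
# (not bytes from the real file), then a Method 05 check, then a MeltICE
# device name sitting in a data area.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x83\xC3\x02"            # add bx,2
    + b"\x41"                    # inc cx
    + b"\x83\xF9\x06"            # cmp cx,6
    + b"\x72\xEB"                # jb  back to mov ax,0911h
    + b"\xE9\x55\xFF"            # jmp Bad_Guy
    + b"\x8B\xDC"                # mov bx,sp (Good_Guy)
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3\x74\x10"    # cmp ax,0F386h ; jz SoftICE_detected
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"0x{off:04X}  method {label}")
```

The patterns are deliberately narrow (exact register choice, 16-bit encoding, at most 8 filler bytes between parts), so a repacked or register-shuffled variant will slip past; treat a hit as a lead for manual review, not as proof.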