About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker int 3 and changes AL
    cmp     al,4                   ; without SoftICE, AL is still 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install own int 41h vector (es must point
    xchg    bx, es:[41h*4+2]        ; to the IVT, segment 0); old vector in dx:bx
    mov     ax,4fh
    int     41h                     ; a plain iret leaves ax=4fh unless a debugger answers
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; echo al into cl if this handler really runs
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install own handler, old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: int 41h never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the driver by its device name succeeds only when SICE is
      loaded; the handle itself is never used. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
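As an added example (not part of the original post), here is a small static scanner of the kind an analyst runs over a packed sample to triage it for the checks described above: it encodes the immediates the tricks rely on (the 'BCHK' constant, the 4647h/4A4Dh magic values, int 2Fh/1684h with the SICE and SIWVID VxD IDs, int 41h/4Fh and int 68h/43h compared against 0F386h, the 002A002Ah VxDCall, the MeltICE device names and the NuMega registry key) as x86 byte patterns and reports where they occur. The byte encodings are standard x86 machine code; the sample image is constructed inline and is not taken from any real program.

```python
# Fragments of one rule must all fall within WINDOW bytes of the first one.
WINDOW = 48

# Byte encodings of the characteristic immediates in 16/32-bit x86 code; an
# optional 66h operand-size prefix in front of them does not affect the match.
RULES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; int 3 ; cmp al,4
    "bchk_int3": [b"\xBD\x4B\x48\x43\x42", b"\xCC", b"\x3C\x04"],
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (back door magic values)
    "int3_backdoor": [b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"],
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    "int2f_sice_vxd": [b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"],
    "int2f_siwvid_vxd": [b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"],
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "int41_4f_f386": [b"\xB8\x4F\x00", b"\xCD\x41", b"\x3D\x86\xF3"],
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    "int68_43_f386": [b"\xB4\x43", b"\xCD\x68", b"\x3D\x86\xF3"],
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41dispatch": [b"\x6A\x4F", b"\x68\x2A\x00\x2A\x00"],
}

# Methods 11/13: device names opened by MeltICE-style checks, registry path.
STRINGS = {
    "meltice_device_name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "softice_registry_key": [b"Software\\NuMega\\SoftICE"],
}

def find_all(data, frag):
    """Offsets of every (possibly overlapping) occurrence of frag in data."""
    hits, off = [], data.find(frag)
    while off != -1:
        hits.append(off)
        off = data.find(frag, off + 1)
    return hits

def scan(data):
    """Return (rule name, offset of the anchoring fragment) pairs, sorted by offset."""
    hits = []
    for name, frags in RULES.items():
        anchor, rest = frags[0], frags[1:]
        for off in find_all(data, anchor):
            region = data[max(0, off - WINDOW):off + WINDOW]
            if all(f in region for f in rest):
                hits.append((name, off))
    for name, strs in STRINGS.items():
        for s in strs:
            hits.extend((name, off) for off in find_all(data, s))
    return sorted(hits, key=lambda h: h[1])

def build_sample():
    """Constructed image (not from any real program): a Method 01 stub, a
    Method 03 stub and a MeltICE device name, separated by NOP padding."""
    m01 = (b"\xBD\x4B\x48\x43\x42"  # mov ebp,4243484Bh
           b"\x66\xB8\x04\x00"      # mov ax,4
           b"\xCC"                  # int 3
           b"\x3C\x04"              # cmp al,4
           b"\x75\x10")             # jnz SoftICE_Detected
    m03 = (b"\x31\xFF\x8E\xC7"      # xor di,di ; mov es,di
           b"\xB8\x84\x16"          # mov ax,1684h
           b"\xBB\x02\x02"          # mov bx,0202h (SICE VxD ID)
           b"\xCD\x2F"              # int 2Fh
           b"\x8C\xC0\x01\xF8"      # mov ax,es ; add ax,di
           b"\x85\xC0\x75\x05")     # test ax,ax ; jnz SoftICE_Detected
    pad = b"\x90" * 64
    return pad + m01 + pad + m03 + pad + b"\\\\.\\SICE\x00" + pad
```

Running `scan(build_sample())` reports the three planted items with their offsets; the window check keeps an isolated `int 3` or a lone `mov ax,1684h` from being flagged on its own.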