About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
__________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to point to the IVT (0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
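As an added example that is not part of the post above, here is a small Python scanner an analyst can run over a suspect binary to triage which of the methods catalogued in the post (01, 02, 03/04, 05/06, 07, 11, 12 and 13) it appears to use. The byte patterns are my own assumptions about typical x86 encodings of the listed instructions, and the sample buffer is constructed by hand; nothing here is taken from Haspinst.exe, MeltICE or any other program the post names.

```python
"""Static scan for the anti-SoftICE idioms catalogued in the post (added example)."""
import re

# (method number in the post, description, byte-pattern regex).  The encodings
# are the usual 16/32-bit x86 forms (e.g. 'mov si,4647h' = BE 47 46); they are
# assumptions, not taken from any named binary.  '.{0,n}' gaps allow a few
# instructions between the landmarks.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' magic (4243484Bh) in EBP before INT 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),
    ("02", "SoftICE back door: SI=4647h and DI=4A4Dh before INT 3",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC"),
    ("03/04", "INT 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD ID",
     rb"\xB8\x84\x16.{0,6}\xBB(?:\x02\x02|\x5F\x7A).{0,6}\xCD\x2F"),
    ("05/06", "INT 41h function 4Fh compared against the 0F386h magic",
     rb"\xB8\x4F\x00.{0,24}\xCD\x41.{0,24}\x3D\x86\xF3"),
    ("07", "INT 68h function 43h (WinICE V86 handler) checked for 0F386h",
     rb"\xB4\x43.{0,6}\xCD\x68.{0,6}\x3D\x86\xF3"),
    ("11", "MeltICE: ANSI device name of SICE, SIWVID or NTICE",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) pushed with function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("13", "Registry probe for the NuMega\\SoftICE key",
     rb"NuMega\\SoftICE"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]

def scan(data: bytes):
    """Return (method, offset, description) hits over raw bytes, sorted by offset."""
    hits = [(m, match.start(), d)
            for m, d, rx in COMPILED
            for match in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])

def methods_found(data: bytes):
    """Distinct method numbers (as numbered in the post) whose idiom appears."""
    return sorted({m for m, _, _ in scan(data)})

# Constructed sample buffer (not a real program): NOP filler around hand-assembled
# fragments of Method 01, Method 02, Method 05 and the MeltICE device name.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"       # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xB8\x04\x00"           # mov ax, 4
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x90" * 8
    + b"\xB8\x11\x09"               # mov ax, 0911h        (execute command)
    + b"\xBE\x47\x46"               # mov si, 4647h        (1st magic value)
    + b"\xBF\x4D\x4A"               # mov di, 4A4Dh        (2nd magic value)
    + b"\xCC"                       # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00"               # mov ax, 4Fh
    + b"\xCD\x41"                   # int 41h
    + b"\x3D\x86\xF3"               # cmp ax, 0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"            # '\\.\SICE',0 as passed to CreateFileA
    + b"\x90" * 8
)

if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"offset {offset:#06x}: method {method}: {desc}")
```

Feed a real file with open(path, "rb").read() into scan(); a hit only marks a site worth inspecting under the debugger, since the same bytes can occur in unrelated code.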