About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' - BoundsChecker signature
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker call
    cmp     al,4                   ; if it did, AL no longer holds 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if the VxD is not present
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di                   ; ES:DI = 0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if the VxD is not present
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic number returned by system debuggers
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (es must address the IVT, segment 0)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; our handler leaves AX untouched
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy AL into CL if our handler runs
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer port: arbitrary value in AL
    xor     cx,cx                   ; CL = 0 before the call
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h               ; magic number returned by system debuggers
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if SoftICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
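As an added example that is not part of the original text, here is a small Python signature scanner an analyst can run over an unpacked sample to flag the static fingerprints of methods 01 to 05, 07, 11, 12 and 13 described above; the rule names and byte patterns are mine, derived from the x86 encodings of the listed instructions and strings, and it runs here against a constructed buffer rather than a real binary.

```python
import re

# Byte patterns for the anti-SoftICE tricks described above (rule names are
# hypothetical, mine). Each is the x86 encoding of the snippet's key
# instructions; an optional 66h prefix lets the 16-bit forms also match
# inside 32-bit code. Methods 11 and 13 are matched on their strings.
DEVICE_PREFIX = re.escape(b"\\\\.\\")            # the literal bytes  \\.\
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01_BoundsChecker_BCHK": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values)
    "M02_Backdoor_magic": rb"(?:\x66)?\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03_M04_Int2F_1684": (rb"(?:\x66)?\xB8\x84\x16(?:\x66)?\xBB"
                           rb"(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    "M05_Int41_4F": rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h ; int 68h
    "M07_Int68_43": rb"\xB4\x43\xCD\x68",
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE passed to CreateFileA/_lopen
    "M11_MeltICE_names": DEVICE_PREFIX + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) before the VxDCall
    "M12_VxDCall_Int41Dispatch": rb"\x68\x2A\x00\x2A\x00",
    # Method 13: registry path of the NuMega installation
    "M13_Registry_NuMega": re.escape(b"Software\\NuMega\\SoftICE"),
}


def scan(data: bytes) -> dict:
    """Return {rule_name: [offsets]} for every rule that fires on data."""
    hits = {}
    for name, pattern in SIGNATURES.items():
        offsets = [m.start() for m in re.finditer(pattern, data, re.DOTALL)]
        if offsets:
            hits[name] = offsets
    return hits


def scan_file(path: str) -> dict:
    """Scan a file on disk (e.g. an unpacked sample) with the same rules."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed test buffer (not a real binary): a fake stub that chains
# the checks of methods 01, 02, 03, 05, 11 and 12 from the text.
SAMPLE = (
    b"MZ" + b"\x00" * 14
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # M01
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"      # M02
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # M03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"              # M05
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                       # M11 strings
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"  # M12
)

if __name__ == "__main__":
    for name, offsets in sorted(scan(SAMPLE).items()):
        print(f"{name:28s} at {', '.join(hex(o) for o in offsets)}")
```

Run it on a real file with `scan_file(path)`; a hit only tells you where to start looking in the disassembly, since the same bytes can occur in unrelated code or data.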