About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; AL is still 4 when nothing answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 when the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax            ; ES = 0 -&gt; interrupt vector table (not shown in the original listing)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]   ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2] ; ...keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h              ; a resident debugger still answers with 0F386h
    xchg    dx, es:[41h*4]   ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al            ; only runs if nobody intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax            ; ES = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]   ; install our handler, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h          ; a "random" value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]   ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al            ; CL == AL only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, 01h                    ; or 03h: the interrupt to hijack
    mov     dx, offset New_Int_Routine ; ds:dx -&gt; the new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

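To make the DR7 values quoted above concrete, here is an added example (not part of the original text or of any SoftICE tool) that decodes the register's architectural bit layout and applies the text's own heuristic: 0x400 is nothing more than the reserved, always-set bit 10; 0x700 adds the LE and GE bits; and any Ln/Gn enable bit means a hardware breakpoint (a BPM) is armed in the matching DR0..DR3. The decode_dr7(), classify() and describe() helpers and the BPM_EXAMPLE value are constructed for this example.

```python
"""Decoder for the x86 DR7 debug control register (added example for Method 10).

Bit layout is the architectural one: L0..L3 / G0..G3 in bits 0-7, LE/GE in
bits 8-9, bit 10 reserved (reads as 1), GD in bit 13, R/Wn in bits 16+4n..17+4n
and LENn in bits 18+4n..19+4n.  classify() restates the heuristic given in the
text: 0x400 means nothing is set, 0x700 is what the SoftICE loader leaves
behind (LE and GE), and any enable bit means a BPM lives in DR0..DR3."""

RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # encoding 2 (8 bytes) is 64-bit mode only

DR7_LE = 0x100          # bit 8: local exact breakpoint enable
DR7_GE = 0x200          # bit 9: global exact breakpoint enable
DR7_RESERVED = 0x400    # bit 10: reserved, always reads as 1
DR7_GD = 0x2000         # bit 13: general detect (traps MOV to/from DRn)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into per-slot breakpoint settings and the control bits."""
    slots = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({
            "dr": n,
            "enabled": bool(local | glob),
            "scope": "global" if glob else ("local" if local else None),
            "type": RW_TYPES[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "breakpoints": slots,
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "reserved_bit10": bool(dr7 & DR7_RESERVED),
        "GD": bool(dr7 & DR7_GD),
    }


def classify(dr7: int) -> str:
    """Apply the text's heuristic to a raw DR7 value."""
    d = decode_dr7(dr7)
    if any(bp["enabled"] for bp in d["breakpoints"]):
        return "hardware breakpoint active"
    if d["LE"] and d["GE"]:
        return "LE/GE set (SoftICE loader signature per the text)"
    if d["GD"]:
        return "general detect set"
    return "clean"


def describe(dr7: int) -> list:
    """One human-readable line per armed slot, e.g. for a triage report."""
    return [f"DR{bp['dr']}: {bp['scope']} {bp['type']} breakpoint, {bp['len']} byte(s)"
            for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


# Constructed sample: a BPM-style read/write, 4-byte breakpoint in DR0, locally
# enabled (L0 = bit 0, R/W0 = 11b at bits 16-17, LEN0 = 11b at bits 18-19).
BPM_EXAMPLE = DR7_RESERVED | 0x1 | 0x30000 | 0xC0000   # == 0x000F0401

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_EXAMPLE):
        print(f"DR7={value:#010x}: {classify(value)}", describe(value))
```

Because bit 10 is architecturally fixed at 1, a DR7 of exactly 0x400 is the quiet state the text describes; everything else in the register is either an enable bit or a condition field for one of the four address registers, so a single non-zero low byte is enough to prove a hardware breakpoint is armed.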
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the open only succeeds when the SICE VxD is loaded and answers DIOC_OPEN */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
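For an analyst who meets these tricks in a sample today, the practical question is where they sit in the binary. The following added example (not from the original text; the rule names, the scan()/summarize() helpers and the SAMPLE buffer are constructed here) turns the instruction sequences and strings of Methods 01-07, 11, 12 and 13 into byte-level regular expressions and reports the file offsets at which they match, so the listing can be opened at that spot in a disassembler. The byte encodings are the standard x86 ones for the instructions shown on this page; they are not taken from any particular protector.

```python
"""Static triage of a raw binary for the anti-SoftICE tricks described on this
page (added example).  Each rule is a byte regex for the characteristic
instruction sequence or string of one method.  The DOS-era methods (01-07)
are encoded as 16-bit code, the Win32 ones (11-13) as 32-bit code; an optional
66h operand-size prefix is accepted so the 16-bit forms also match when they
are embedded in 32-bit code.  Only the ANSI (CreateFileA/_lopen) form of the
device names is covered, not a UTF-16 one."""
import re

RULES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3 (CCh or CD 03h)
    "01 BCHK int 3": rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)",
    # Method 02: mov si,4647h ; mov di,4A4Dh (back door magic values) ... int 3
    "02 int 3 back door": rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A.{0,32}?(?:\xCC|\xCD\x03)",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ... int 2Fh
    "03/04 int 2F/1684": rb"\x66?\xB8\x84\x16.{0,8}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Methods 05/06: int 41h ... cmp ax,0F386h
    "05/06 int 41 F386": rb"\xCD\x41.{0,48}?\x66?\x3D\x86\xF3",
    # Method 07: int 68h ... cmp ax,0F386h
    "07 int 68 F386": rb"\xCD\x68.{0,16}?\x66?\x3D\x86\xF3",
    # Method 11: \\.\SICE, \\.\SIWVID or \\.\NTICE as a NUL-terminated ANSI string
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "12 VxDCall Int41Dispatch": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
    # Method 13: the three registry keys listed in the text
    "13 SoftICE registry key": rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in RULES.items()}


def scan(data: bytes) -> list:
    """Return every (offset, rule name) hit in data, ordered by offset."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(data: bytes) -> dict:
    """Map each triggered rule name to the number of places it matched."""
    counts = {}
    for _, name in scan(data):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample buffer: a fake header followed by hand-assembled fragments
# of the sequences shown in the text, separated by NOP padding.
SAMPLE = (
    b"MZ" + b"\x00" * 30                                        # fake header (32 bytes)
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"       # method 01 (16-bit code)
    + b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCD\x03"   # method 02 (Haspinst-style)
    + b"\x90" * 8
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"       # method 03 (SICE VxD ID)
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"               # method 05, simplest form
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"       # method 12 (VxDCall)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                        # method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"                          # method 13 registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#08x}  {name}")
```

The windows between the anchor instruction and the compare (`.{0,N}?`) are deliberately short: the sequences on this page keep the magic constant within a few instructions of the interrupt, and widening the gap only buys false positives from unrelated `int 41h` or `int 3` sites. On a real sample, run it over each executable section rather than the whole file and read every hit in context, because a `3D 86 F3` that happens to follow a `CD 41` in data is still only a lead, not a verdict.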
</PRE></TD></TR></TBODY></TABLE>