找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500># n1 ]! W* g. }! Q$ M* F
<TBODY>  i; A9 ]; a  x
<TR>, ~" A2 A9 \3 p4 L3 q7 M' H' k
<TD><PRE>Method 01
- h  ?# Y+ O* t, a$ c=========9 W! U6 w8 `9 `/ }7 x8 ?
" \; C1 [, B" e8 ~* i* ^: `
This method of detection of SoftICE (as well as the following one) is, P. G8 C( ], e& \; I
used by the majority of packers/encryptors found on Internet.. q8 _# N" O& A# A; b2 b
It seeks the signature of BoundsChecker in SoftICE; `) M1 D2 G. Z$ w* L( p
7 X2 P8 o/ _# R1 e) m
    mov     ebp, 04243484Bh        ; 'BCHK'4 F' o  o0 q2 G8 A; N) k6 v
    mov     ax, 04h9 T3 S, ?; X4 v( h/ o: q( a
    int     3      
4 ^: [# D5 _3 o! n3 p0 S    cmp     al,48 Q6 e5 ~! o# l# z) O3 ]
    jnz     SoftICE_Detected! w+ r) t1 y( K! {0 q4 a' }
# L$ [" l! f& h/ O
___________________________________________________________________________4 T4 ^( Z3 [; v. C) }; S
$ c; U) ]  H  g7 S& a7 T" E! L
Method 02: _! \1 n/ {9 p9 Y- e; D$ l
=========; ~; z" `3 j- t" R

, V$ u  G5 Z8 Y  }7 c! [$ yStill a method very much used (perhaps the most frequent one).  It is used
: `- `1 P0 c8 d; b+ L. x, r* Nto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- m, O% n" m. a/ X* c/ Ror execute SoftICE commands...
0 G) Y+ _' }3 n$ ?$ g( u* F7 pIt is also used to crash SoftICE and to force it to execute any commands/ N; A+ S" R0 M* B0 N1 t
(HBOOT...) :-((  * {# h9 R. E1 X" e$ D. x& ~

8 H, o$ S( L: _Here is a quick description:
8 L6 G" y+ C  l: y" `-AX = 0910h   (Display string in SIce windows)
7 b; z- X3 c% r9 }$ C-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)' |1 X( n1 o' X5 O
-AX = 0912h   (Get breakpoint infos)
& K# K( H% q# n- e& y- _-AX = 0913h   (Set Sice breakpoints)
9 t9 g& G% w  [1 {( v1 C-AX = 0914h   (Remove SIce breakoints)
; |$ i: d  M% o9 H
; D4 s/ ?; Z' E  {6 qEach time you'll meet this trick, you'll see:
  Q* ~2 q2 n" b/ V# X% p-SI = 4647h
. F& q' O- b3 w, g6 C, A9 }3 B-DI = 4A4Dh
/ A* c/ U7 O6 P0 }% JWhich are the 'magic values' used by SoftIce.6 p8 {# \+ c" H7 G
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& z. r1 P& w/ F" A9 K
" [" y) Q! Q2 x7 O  V6 N+ t! d/ v) w* T; xHere is one example from the file "Haspinst.exe" which is the dongle HASP4 ]7 F, ]3 ]! Y! w- V6 R
Envelope utility use to protect DOS applications:
5 Z; f' @; s& h' B' C& [# P1 C  H! y7 s1 `
& i5 x$ w9 q& R6 [, M( M
4C19:0095   MOV    AX,0911  ; execute command.
- J- k& b- M* c9 E# g4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).4 C6 I! l/ i0 j' ~$ j5 n/ ?
4C19:009A   MOV    SI,4647  ; 1st magic value.
% p$ K5 ~! y4 H3 r$ O4C19:009D   MOV    DI,4A4D  ; 2nd magic value., G5 d. C7 r7 [. Z7 w
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
6 ?' N/ u" T1 ?4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
# s7 k) k, z# _! y' R$ `4C19:00A4   INC    CX
- k8 w: ^% @" h* y) C2 I- @4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute9 @- j* ]& v2 L9 N9 _7 X
4C19:00A8   JB     0095     ; 6 different commands.
5 h/ `6 a' k, A9 V) L7 E/ O& @4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
' U* ^" M+ W) @6 `4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 F3 T2 n7 h! ]6 n  n# p
$ v. E4 `% c% k- lThe program will execute 6 different SIce commands located at ds:dx, which
6 D/ W2 C% D+ ?8 Z- @, `! U7 z' F: T- Care: LDT, IDT, GDT, TSS, RS, and ...HBOOT.( \0 x: W" c$ h) L* y0 G
" p% U' i5 U/ C; ], P5 B
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
3 `6 f: r1 @  x7 `. y( a___________________________________________________________________________
: w5 x9 q# e9 \# e. S+ p
8 m! p, A8 f  @. w8 `; M
, Z. z* n" Z9 gMethod 03, o" ~) \% y! k3 d# k
=========1 ?" e, \' V( Z# k& ]2 b8 j

# z  b6 a: J; I& RLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
" R7 A2 M" G) y$ j3 P9 e( o' q(API Get entry point)) |* G1 R* x3 V/ ^& k" q
        - w2 P: {2 n4 c4 \1 g- t
) ?  G" f" p& W
    xor     di,di
: y4 d& _; R6 O: \8 `! \" e8 [+ F    mov     es,di
& y9 ^( O2 ]: W+ I8 \3 c- r' D4 o    mov     ax, 1684h      
! t0 n9 h" J5 Z" K    mov     bx, 0202h       ; VxD ID of winice
% h$ o$ G* y  _    int     2Fh
. M1 B. l3 _) X$ `    mov     ax, es          ; ES:DI -&gt; VxD API entry point9 w- L$ Z* i$ q- M% a: X8 R, |
    add     ax, di! Z- }, h* S7 e  I
    test    ax,ax
+ T+ c& D# w; B7 }7 D0 j' Q    jnz     SoftICE_Detected
3 @6 J9 G7 n% Z# o, z% P; R5 `! P. k; H9 ]' l
___________________________________________________________________________
9 a* o+ v: D1 S7 a3 L9 E& K2 t5 |& H/ m1 r$ u: E& P
Method 04
) W# Y+ S& G$ `$ u7 ~: B3 n9 j* E=========
2 J& l  N7 w, W2 O3 u* X% @' Q0 N) e) Y1 D8 t8 c
Method identical to the preceding one except that it seeks the ID of SoftICE- _, J& C# w) n/ t- r1 P
GFX VxD.' J" E+ E  i& ?

7 N2 x2 o3 ^' D- H# M% O9 O    xor     di,di* d, k9 A' I+ B0 M" N3 ^
    mov     es,di
/ x9 D7 w; [0 B7 V: l    mov     ax, 1684h      
! D- q4 V8 P' a' _    mov     bx, 7a5Fh       ; VxD ID of SIWVID* [8 u5 S! V$ H8 P$ u$ w
    int     2fh8 e1 @6 w% M! e. t
    mov     ax, es          ; ES:DI -&gt; VxD API entry point7 x! A0 s  ?- r8 i
    add     ax, di3 p! u) V$ u# o0 l; C* X
    test    ax,ax
2 R: m/ C: B$ j9 R$ B    jnz     SoftICE_Detected0 [! M- l5 \: F, r: W, u$ T' i
' H4 C. |7 j# s% t9 @
__________________________________________________________________________5 f0 [' w4 V7 m$ \1 b7 p3 d
4 `3 T. t9 d5 y3 x7 y5 g

3 f& c4 X* p4 |0 l7 y# C4 ZMethod 058 a) E+ i: ]  ]8 y: q3 l
=========
2 b2 ]5 B9 A, w( D) ?
+ @  W0 w5 L: L: y5 N# F) j2 m# |Method seeking the 'magic number' 0F386h returned (in ax) by all system% z* C" C. ?* h
debugger. It calls the int 41h, function 4Fh.
. F, W  c- O! E/ c! GThere are several alternatives.  * a! I- R. m3 m3 `- R

4 ^& L" j7 R( p8 w: I/ [The following one is the simplest:0 \- \: w8 E+ z/ X: e) ?% c% f
2 r! t& _: |- g/ I8 i+ `; r
    mov     ax,4fh
5 m* y6 M6 s  G; K0 l  X4 L- x    int     41h3 [0 M" D# h' h9 L/ ^2 ?$ m9 Y
    cmp     ax, 0F3863 X) ~4 r, m% N) U, U% q
    jz      SoftICE_detected
/ a1 L9 [  l2 y$ N5 e3 c: d( \% Y( Y' H3 E

5 v# p* \7 ]4 j+ c: k8 @Next method as well as the following one are 2 examples from Stone's 4 l) T1 Y8 I. x6 p; ^) d* A
"stn-wid.zip" (www.cracking.net):
4 f7 u  n& g3 Y6 ]) f7 l; _) g; X0 N2 E* Q1 N& D
    mov     bx, cs( B# i: ?2 n9 B) _) j
    lea     dx, int41handler2/ P  n" G8 x2 u/ Q, I
    xchg    dx, es:[41h*4]
7 ?4 o# P3 z4 [    xchg    bx, es:[41h*4+2]
# x: W( M/ r4 B. c+ y. W# Q    mov     ax,4fh
! s* O9 v4 r# z3 p4 Q, n3 i. H    int     41h% s3 y1 h+ H+ u0 \
    xchg    dx, es:[41h*4]
6 K# u/ c& g2 w) }$ w% h3 t    xchg    bx, es:[41h*4+2]
/ i: k7 ^" z8 j1 [- E  k$ [8 J    cmp     ax, 0f386h4 r2 {+ F- Y" b5 W. ^) O2 u4 |
    jz      SoftICE_detected( Q! O' E8 ^* B* U$ B
: w% t5 ^# P9 H4 Q
int41handler2 PROC( ]* T: ~& O. v& F1 w! l
    iret
6 j2 T6 V) H# `+ x! tint41handler2 ENDP
# r/ I* F/ \% f  f7 x) O/ Z& M% O8 m5 z
2 J0 r# T$ ~" c" M. M
_________________________________________________________________________
9 S1 i3 l. I! B3 n* [3 S" Z$ Z9 M" R$ ~; u2 Q

! K" y7 K; Z4 D6 X( O, kMethod 06- {+ u4 l3 |/ w% ^6 ]7 W
=========
) g% D' j% e- a& R, A0 ]4 e, d$ Y$ S2 z3 Y- k; k

4 t* q5 {% K5 {7 {) o# Z$ g2nd method similar to the preceding one but more difficult to detect:
* I, [  ?  r+ W2 f' y: i/ F
* c' ?" x$ R* x( i( v3 [. |* P9 N
int41handler PROC7 {# ^3 R2 F# G) G+ l
    mov     cl,al  L6 @; A4 |2 n, n, Y
    iret
# Z4 _' c8 M. @( oint41handler ENDP
* g, h. m* g/ N1 j6 S
; p3 {' w2 `* a1 I  }, r
% v5 e# t, E6 q    xor     ax,ax0 y. o* J/ t; G; u* ~
    mov     es,ax
4 [1 j9 t: a* @3 C; O    mov     bx, cs
. K5 y1 |2 D/ p9 A  c$ S9 L    lea     dx, int41handler2 I  k& K* f) M/ i' v3 ]( V
    xchg    dx, es:[41h*4]
0 g" W& M; Q# c/ h( [    xchg    bx, es:[41h*4+2]
, i9 }. [/ V6 h9 N  O- ?7 c    in      al, 40h
4 s/ e/ [5 C' l9 p    xor     cx,cx4 F2 u4 u  c# D0 c, T) W
    int     41h- y# y9 X# N0 t5 y8 s
    xchg    dx, es:[41h*4]7 `# u; `( Y4 E/ L3 @! M+ v
    xchg    bx, es:[41h*4+2]% G7 L7 {1 J6 I* p
    cmp     cl,al- Q/ }; @' U/ O  m  R0 Z
    jnz     SoftICE_detected% X. s/ j; `' ^# o0 r
# \: ~) m+ r( }% Z8 @
_________________________________________________________________________, J1 e- H" f' L2 D9 h7 D

- [+ m$ v7 c8 E3 I: O( l- rMethod 07( R& A' v- ]6 v' N
=========/ T0 H7 y. O. t2 T. K8 M
! @5 P* L# h( C4 I; o% Y# O8 d. V
Method of detection of the WinICE handler in the int68h (V86)
$ q' z' G* K/ H! w
  }; B# ]8 c7 T+ \, |    mov     ah,43h
, v. D  S1 O7 s    int     68h3 M% p2 L6 n' a0 u/ p0 s' r
    cmp     ax,0F386h: m$ W* z* ~& G/ H; `- C1 p
    jz      SoftICE_Detected. W. G2 I, a4 a: u6 X* f

; s1 G/ \( t! K
5 w# A% C! O: |! C% b=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit" H! \+ A% E, S2 z4 e0 T6 Y9 \
   app like this:
, n1 d7 b/ p+ S( }+ _- l9 y% h9 f
   BPX exec_int if ax==68# e# k" ?) ^- m+ I. i
   (function called is located at byte ptr [ebp+1Dh] and client eip is# o" S0 s$ U5 u) I
   located at [ebp+48h] for 32Bit apps)
* P! w1 _. V! ~; w' \__________________________________________________________________________! R/ |, C( s$ {

8 ^& V: {( ]% C: E. d% N
% M0 z$ `% g/ D5 U6 lMethod 088 B7 q# I4 v" E; p
=========/ Y* E: ^$ R2 _  D# L

6 [8 A' \9 |' jIt is not a method of detection of SoftICE but a possibility to crash the2 {% S& d3 r& _4 q# |4 X: b2 f
system by intercepting int 01h and int 03h and redirecting them to another8 c  u3 ?+ ?4 n7 p  t! W
routine.) `" F3 I6 A: d% B
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points8 n1 l) Y4 o: h5 A! O: c
to the new routine to execute (hangs computer...)
3 o6 ^' W" d  H/ ~' O7 w  c# d* P, r6 K' a' @1 b+ |0 }
    mov     ah, 25h
" h+ o0 ^: u0 _" U5 w; R# c    mov     al, Int_Number (01h or 03h)  C1 v' s" a& I" m. B7 W
    mov     dx, offset New_Int_Routine
  ]7 `6 M( v0 F    int     21h
) B' H6 F, A7 ]3 X3 H* v( J) b6 \' ?* [
__________________________________________________________________________: u! s. I$ b; F# q  ~6 a& I

' X6 u/ u' e. H5 E8 X, mMethod 09  n3 g5 P+ d1 N
=========& t0 e. H0 I, Q# ]: A6 F' y

1 Q! C  b7 c1 x! CThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
& N( C3 ]7 ^7 u" u. W) b; p. lperformed in ring0 (VxD or a ring3 app using the VxdCall).1 j; i1 f* }5 F# |/ q& @, s
The Get_DDB service is used to determine whether or not a VxD is installed
$ Y  A& c! q8 Z$ l. d. Bfor the specified device and returns a Device Description Block (in ecx) for
& E( f! \2 o+ f$ P3 Uthat device if it is installed.! l& h+ x# X) N9 e

% Y* S% `. T( T4 t7 `   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID+ F" ?2 S  q5 Q% _
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)% i* i0 h8 w2 e- Z
   VMMCall Get_DDB8 ~) O$ a2 T+ P$ N+ X
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
5 K6 a! y9 K* A$ J) N% k# W/ ?% D0 S6 Y; f# {2 h
Note as well that you can easily detect this method with SoftICE:
# j4 G  L+ h4 v: S   bpx Get_DDB if ax==0202 || ax==7a5fh
* g, w; @( @( s  K1 ?! b. w6 m$ V  K3 |" g+ L6 C3 L% |
__________________________________________________________________________
2 a+ ^- D/ c- `$ R, Y# X( z2 [" Q. o3 e3 w/ _" f- F7 T1 b
Method 10
- \, `/ e6 C: T: z: ]: X) ?6 x3 l5 r=========1 i0 L$ Z, N# n6 M  D

" e- V8 P0 a5 w$ b( t=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with7 m4 {8 U3 h; J$ W* p6 U* O
  SoftICE while the option is enable!!
9 {' @0 s5 E% [1 t0 T7 m( X1 e# C1 Z
This trick is very efficient:% ?# f8 w! n( s6 e# ]5 k
by checking the Debug Registers, you can detect if SoftICE is loaded
0 P7 K- C( v$ L; E( w# P(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, S. |: k4 g8 j3 W4 {9 u! Z4 B7 z- q
there are some memory breakpoints set (dr0 to dr3) simply by reading their
( K9 O- D* Q) `) v9 j: k' wvalue (in ring0 only). Values can be manipulated and or changed as well2 @' O2 _$ w7 U
(clearing BPMs for instance)
& S2 {% u& n7 g" b' S+ j
, K: D# }0 {3 a  y; v8 b__________________________________________________________________________
3 s, P1 }1 g* N& X: @
8 S9 T" J6 j! r7 G5 NMethod 11- C6 J0 S5 s  j" H
=========" G- |  S* S! ~

6 t" h  E( c; t! \# T0 `% HThis method is most known as 'MeltICE' because it has been freely distributed. I* \) s; s: i4 `/ n" M  F7 C
via www.winfiles.com. However it was first used by NuMega people to allow
9 n' F4 y* Z; n. [/ mSymbol Loader to check if SoftICE was active or not (the code is located+ Z$ l/ N5 ^" F9 b$ i9 m2 ^8 D
inside nmtrans.dll).
2 z" I. C4 C# |5 }
  G# H2 F7 b+ s* B" Q$ q! |The way it works is very simple:
! m6 l( b) p5 Q+ b! `4 tIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# U, @& B1 N" A- Q7 FWinNT) with the CreateFileA API.8 [- V' O) u, e- M
/ @2 B4 _. v& U8 r3 V, U* p$ s
Here is a sample (checking for 'SICE'):# V' H- I# k2 @9 q: K

% U8 k. d* R3 w+ V/ m- g% r8 }8 B& cBOOL IsSoftIce95Loaded()2 W6 d1 t4 Q, L0 j, L8 K* f5 P9 s5 E- v
{2 i: P# ?1 Z: o5 L3 N3 n) f
   HANDLE hFile;  , [* ~: u) z$ i/ e4 I7 a
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
8 B2 f( d/ o+ S$ y& j                      FILE_SHARE_READ | FILE_SHARE_WRITE,
# G8 _) x0 L' j9 U& F- P; n                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 {! T' L% Y4 J% |1 B( X. N   if( hFile != INVALID_HANDLE_VALUE )9 Y) U) R! ]# Q' G* V9 a7 y) J8 |9 k
   {( T, v  z6 l- ^4 w. U! r  \" ]
      CloseHandle(hFile);
) o7 r; z; a  b% s      return TRUE;0 h. y; X. {; K
   }
6 }& \8 E* G9 }! T8 {2 v+ u% e; @   return FALSE;
, a9 P4 Z; w- @- [0 i4 M}5 K. |8 n6 s+ T
4 ]& C2 K3 V, c: D: ]" T1 Q) _
Although this trick calls the CreateFileA function, don't even expect to be4 ?' [0 R4 s! I% o& j
able to intercept it by installing a IFS hook: it will not work, no way!
0 s' N8 g9 d' w  z( ?! T: M) TIn fact, after the call to CreateFileA it will get through VWIN32 0x001F! w! f+ s. O5 O; D
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
! x0 K& {# M9 m* mand then browse the DDB list until it find the VxD and its DDB_Control_Proc
. u1 E/ ^! |" ]) Efield.
/ \( g' {$ X9 F2 B4 F3 V6 T: u) uIn fact, its purpose is not to load/unload VxDs but only to send a
0 z" g9 v6 f. u1 F0 ^W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)- Q( F3 U% f: ?6 y% `& }- e) v
to the VxD Control_Dispatch proc (how the hell a shareware soft could try* F$ _# N. j. G3 k3 o
to load/unload a non-dynamically loadable driver such as SoftICE ;-).2 H8 n3 N, _2 i7 }$ `& ?/ ~
If the VxD is loaded, it will always clear eax and the Carry flag to allow: V. T5 b0 w& Y0 e
its handle to be opened and then, will be detected." n8 G' @* u1 E9 w6 x9 Y2 T
You can check that simply by hooking Winice.exe control proc entry point
' E' n7 q  r- A) S% S0 t% Ywhile running MeltICE.
; V  [4 l9 b- Y1 {( z, z( D- B$ `% K; ]  V2 U5 ~$ F# K0 M

5 X/ y! F; h+ P# o  00401067:  push      00402025    ; \\.\SICE7 w' a- d1 U# A. w5 i
  0040106C:  call      CreateFileA3 l; G9 w- S7 `' g: [; Q; @0 y
  00401071:  cmp       eax,-001
  z/ z. T: g  a8 }4 y, E  00401074:  je        00401091- L; M, y1 h7 F0 G3 N3 v
2 A$ Z/ J$ M, n9 i7 e

. D* |  M& ~9 M& r* _There could be hundreds of BPX you could use to detect this trick.
9 q1 `( U! x" W; i5 e6 F, s-The most classical one is:7 P$ J, ~! b4 N
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||; z% z1 V0 K  G3 E# v
    *(esp-&gt;4+4)=='NTIC'
* D7 r7 g" k) \& B3 }; X
& X! |' j( }) Q( x  U-The most exotic ones (could be very slooooow :-(+ y  b% h9 Z; J7 j# m' N% j% P; l
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  # ?$ I! E# b1 w( }0 w' u8 ^9 e1 }
     ;will break 3 times :-(" i3 }) D$ W: V

+ A5 R; u0 z' e6 {-or (a bit) faster: 1 i7 s1 y0 I, |1 K. O: Q4 S2 {
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  r$ `" S4 K6 L9 r, [- N
% z; d. p8 Y( [8 ~& x( h. u   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  $ @  m( a0 F! ~7 y3 B! _
     ;will break 3 times :-(
2 C& W$ E1 h: D& z) t/ |
( A, d0 I6 _# r-Much faster:+ p" d- K8 l1 S
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
9 L8 c8 D& D* ^7 c8 r$ ~2 T3 _* X7 x& {' R
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen' U. X7 {7 Y, r6 J# n, b1 d4 {
function to do the same job:& ?4 V: q7 q* s+ `. u7 s
' e4 I# r9 I0 A; [# c
   push    00                        ; OF_READ
' z6 G. f5 j  s0 }# s3 K   mov     eax,[00656634]            ; '\\.\SICE',0
  v6 y# J5 [1 n$ n   push    eax
: r# k; O* b: D" r) O) r: K   call    KERNEL32!_lopen
, A& Q6 k# |! T- a' ^' O   inc     eax' Y8 f" @3 `$ H8 n& V( N1 _6 m2 s) {
   jnz     00650589                  ; detected
2 ~; w3 R* l( Y   push    00                        ; OF_READ
. b; [/ T5 w9 g   mov     eax,[00656638]            ; '\\.\SICE'1 n4 o& g/ t6 Q* T: N
   push    eax
+ V) k- }: w& K   call    KERNEL32!_lopen1 a# p$ D+ ]+ G) R$ R8 H
   inc     eax% e/ _8 z- {' n8 B+ A6 D1 N
   jz      006505ae                  ; not detected/ E; J3 b: n4 b3 r3 T$ Q) |8 Z# i

  n/ m% \1 Q' G. m( S0 c' n" Z: u  O( I  c
__________________________________________________________________________% q0 J9 Q$ m+ ]+ q6 L4 e

2 Q- f- ^& [! G0 K5 |+ L# O  {Method 12
' D( `2 K' F) F8 J6 A9 N=========: G& n5 d1 T. y5 B; I

* l' I6 }; A" T, {- V9 kThis trick is similar to int41h/4fh Debugger installation check (code 050 [: d& N1 J0 e+ i* B* W0 O+ p8 x& w" d
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
, t5 h7 v1 k: Q! I4 Cas it uses the VxDCall backdoor. This detection was found in Bleem Demo.9 z2 H  ?+ F  ^' X

9 @8 {$ Q$ d1 s2 l5 T   push  0000004fh         ; function 4fh
' M7 U: r% }' ~& h1 n$ Y2 q   push  002a002ah         ; high word specifies which VxD (VWIN32)% ]' w) X% I: c
                           ; low word specifies which service+ x/ C/ D" x$ k  g$ G9 u! V/ ~
                             (VWIN32_Int41Dispatch)2 ], E, N4 W9 l( {& m
   call  Kernel32!ORD_001  ; VxdCall9 V# ]0 Y% g' H
   cmp   ax, 0f386h        ; magic number returned by system debuggers8 j: C" x, q/ a, }; Z: \' g
   jz    SoftICE_detected
' l6 T1 C2 }! z" Q' m8 i. {) f, T: Q/ [
Here again, several ways to detect it:
* j$ Q( `1 A& p
( |% k4 z9 x0 W7 Z$ z    BPINT 41 if ax==4f. c7 y+ e3 [% F9 R# @" n9 J
, ^) P! ]9 Y5 S. ?
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one6 q7 r2 h" b1 t  r$ c8 Y; A- C. D

# j0 R) W7 Z0 J0 L. r9 a    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A7 {$ C4 ~- Q6 [6 n2 |
1 \4 I4 F$ m/ c7 n+ Y2 N' J
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!8 ], M2 [; J: u- Z1 _

: M9 K/ V; \& u' z" }% l  \# r__________________________________________________________________________" a! g6 ^  \% p& [' e3 \! u

$ i! e+ q+ M& d, e2 o2 |Method 13
  i" S0 F3 H! i" N" }' z=========
9 V( a8 e; v8 d( y- P* b8 G* i0 x* y  v! N* |3 g
Not a real method of detection, but a good way to know if SoftICE is! l2 l* m. U6 L( P$ N
installed on a computer and to locate its installation directory.
% e# ~) f" c2 X. L1 g$ J+ rIt is used by few softs which access the following registry keys (usually #2) :1 ?/ {8 a5 j( v/ Q9 H% V/ a

! o* i$ }' s# \: L, g! v$ D6 p-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' w  T7 j1 p' d/ t: e3 x$ U2 s' z
\Uninstall\SoftICE
$ K* D3 V& L) [$ h-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE" m6 B4 T( H; [: S& U; l! B
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion6 s; w$ D) w0 y: s
\App Paths\Loader32.Exe% g, T$ _6 U" A0 [4 Q, G, E
$ w0 {. N* A+ @( ?% j7 d: K
& q7 z7 P$ M( \, c  h8 ?
Note that some nasty apps could then erase all files from SoftICE directory
' u$ t- c0 K( o- s! R; Q( `(I faced that once :-(* Z4 C; ^' R* B: v1 J- u' p3 B2 g% L
2 i  v! @) b+ L0 b" }0 c
Useful breakpoint to detect it:
. H* c2 U9 z; Q, \3 `4 M; Y* [  s
. r* l4 C7 t$ d5 b6 ^/ K! @5 X+ L     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'/ U6 ^2 ?: w! N- |9 n! t
; ]' Z; a& Q) |* [' ~- V$ ^
__________________________________________________________________________
% O# T0 n$ D2 B  K* n/ Y1 s: Q: H/ i! d: g0 Q
; i5 d  J" X* \  T; \
Method 14
( R/ L# M8 g( H* t: B2 d/ G=========. g3 ~5 m- J+ P5 m7 y4 `! ]3 N

3 @3 p6 }( L! R% E) E4 @0 k1 t# MA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose. }# {7 p% ]  ~. d) L
is to determines whether a debugger is running on your system (ring0 only).3 q/ z7 D6 Y: r6 r$ l- |
* A6 B" A7 {: r$ L' A9 i: {
   VMMCall Test_Debug_Installed
/ c6 k; {; h1 _4 I   je      not_installed. Z1 S- T! }2 S2 G: a  L

; ]0 m/ {; p; L+ nThis service just checks a flag.
) r: L4 Q; a+ ~, a/ z& i8 W6 Q</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 05:09

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表