About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ;   (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
4 \. U3 }  ]7 `# P% b</PRE></TD></TR></TBODY></TABLE>