About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE's BoundsChecker interface answers with AL=0
    cmp     al, 4                  ; AL is left untouched (4) if no SoftICE is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; swap our dummy handler into the real-mode
    xchg    bx, es:[41h*4+2]     ; int 41h vector (ES is assumed to be 0 here)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install the dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL == AL only if our own handler served the int
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds when the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
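Added example (not part of the original post and not the original author's or NuMega's code): a Python scanner that looks for the byte sequences of the checks catalogued above in a raw DOS or PE image. The opcode encodings are standard x86 (mov reg,imm / int n / cmp ax,imm16 / push imm); the signature names, the 8-byte wildcard gap between instructions, and the sample buffers (hand-assembled here from the listings in the post) are constructed for this example and are assumptions, not data from the page.

```python
"""Static scanner for the anti-SoftICE sequences catalogued in the post above.

Each check is reduced to the opcode bytes of its register loads and the
interrupt that follows them; a short wildcard gap tolerates instructions
interleaved between them.  Strings cover the MeltICE driver names and the
registry keys.  Assumption: the target is a flat DOS image or PE section,
scanned as raw bytes (no disassembly, so expect some false positives).
"""
import re
import sys
from typing import List, Set, Tuple

GAP = rb".{0,8}"   # up to 8 arbitrary bytes between the parts of one check


def either_order(a: bytes, b: bytes, tail: bytes) -> bytes:
    """Two register loads in either order, then `tail` (the interrupt)."""
    a, b, tail = (re.escape(x) for x in (a, b, tail))
    return rb"(?:" + a + GAP + b + rb"|" + b + GAP + a + rb")" + GAP + tail


# Opcodes used (16-bit code; a 66h prefix in 32-bit code leaves the suffix intact):
#   B8/BB/BE/BF iw = mov ax/bx/si/di,imm16   B4 ib = mov ah,imm8
#   BD id = mov ebp,imm32 (32-bit)            3D iw = cmp ax,imm16
#   CC = int 3   CD ib = int imm8             6A ib / 68 id = push imm (32-bit)
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ... int 3
    ("M01-BCHK", rb"\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC", 0),
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3
    ("M02-BACKDOOR", either_order(b"\xBE\x47\x46", b"\xBF\x4D\x4A", b"\xCC"), 0),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ... int 2Fh
    ("M03-INT2F-SICE", either_order(b"\xB8\x84\x16", b"\xBB\x02\x02", b"\xCD\x2F"), 0),
    ("M04-INT2F-SIWVID", either_order(b"\xB8\x84\x16", b"\xBB\x5F\x7A", b"\xCD\x2F"), 0),
    # Methods 05/06: mov ax,4Fh ... int 41h
    ("M05-INT41-4F", rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41", 0),
    # Method 07: mov ah,43h ... int 68h
    ("M07-INT68", rb"\xB4\x43" + GAP + rb"\xCD\x68", 0),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("M12-VXDCALL-INT41", rb"\x6A\x4F.{0,4}\x68\x2A\x00\x2A\x00", 0),
    # cmp ax,0F386h: the system-debugger magic tested by methods 05, 06, 07 and 12
    ("F386-MAGIC", rb"\x3D\x86\xF3", 0),
    # Method 11: \\.\SICE, \\.\SIWVID, \\.\NTICE handed to CreateFileA or _lopen
    ("M11-DRIVER-NAME", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.I),
    # Method 13: registry keys that betray a SoftICE installation
    ("M13-REGKEY", rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)", re.I),
]
COMPILED = [(name, re.compile(pat, re.S | flags)) for name, pat, flags in SIGNATURES]


def scan(data: bytes) -> List[Tuple[str, int]]:
    """All (signature name, byte offset) hits in `data`, ordered by offset."""
    hits = [(name, m.start()) for name, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


def names(data: bytes) -> Set[str]:
    """Just the set of signature names that fired."""
    return {name for name, _ in scan(data)}


# Constructed inputs, hand-assembled from the listings in the post (not real files).
SAMPLE_M01 = bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505")          # 32-bit code
SAMPLE_M02 = bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")              # Haspinst loop body
SAMPLE_M03 = bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F 8CC0 03C7 85C0 7502")
SAMPLE_M05 = bytes.fromhex("B84F00 CD41 3D86F3 7404")
SAMPLE_M12 = bytes.fromhex("6A4F 682A002A00 E800000000 663D86F3 7410")  # 32-bit code
SAMPLE_M11 = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"
SAMPLE_M13 = b"Software\\NuMega\\SoftICE\x00"
SAMPLE_CLEAN = bytes.fromhex("B409 CD21 B8004C CD21")   # mov ah,9 ; int 21h ; mov ax,4C00h ; int 21h

if __name__ == "__main__":
    # Usage: python anti_sice_scan.py <file>   (scans the Haspinst sample when no file is given)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_M02
    for name, off in scan(data):
        print(f"{off:08X}  {name}")
```

Because the scanner matches bytes rather than disassembled instructions, a hit is a lead to confirm in the debugger with the BPX/BPINT conditions given in the post, not a verdict; the F386-MAGIC entry in particular also fires on ordinary data that happens to contain 3D 86 F3, so treat it as supporting evidence next to one of the interrupt signatures.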