找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>9 T: y# o6 O/ U. }2 t
<TBODY>
. ^: s# N9 a4 i* J: _' o% X<TR>  H! o2 j- U5 U3 e  _3 p
<TD><PRE>Method 01   d7 G) ?# S5 {- C  e0 v4 S- Z
=========6 Q# [; M; A7 _0 D: j9 ^0 f

. ^* g, T. K4 H) T# c9 lThis method of detection of SoftICE (as well as the following one) is- m0 X0 x4 `2 o- S1 R; x* G
used by the majority of packers/encryptors found on Internet.
# q- F( `& S5 |( t% ZIt seeks the signature of BoundsChecker in SoftICE( ~3 ^5 n  ]# a' i5 \
4 ~  M, E0 q( n3 t# t
    mov     ebp, 04243484Bh        ; 'BCHK'
5 j/ y. K( B% F! k    mov     ax, 04h2 C* J1 K1 k; C5 o7 f
    int     3      
- x6 k7 `8 v' Z# Y0 y/ j    cmp     al,4
0 M* T; x1 H  j( g9 G( p    jnz     SoftICE_Detected
8 ^6 B6 Y# H: D$ X1 T. _6 `
) v. L- i1 {5 T, Y( d2 T. H___________________________________________________________________________
" U0 J. C2 B* P+ _1 k5 _
& V4 p" {* Y5 l- G. e/ g2 `Method 02% c- v3 z: \2 o0 w8 V+ {
=========
3 g( t7 ~; o& h4 r7 |" M1 I' W' Z) I" a4 y7 e9 K% O7 O7 g
Still a method very much used (perhaps the most frequent one).  It is used; {7 M" I3 l/ W% U# L
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,  Q: t& b# z5 a. i
or execute SoftICE commands...7 z" |5 Q2 S" `' w  }1 @
It is also used to crash SoftICE and to force it to execute any commands
% [6 t  _. N& }# P2 t( Q) x(HBOOT...) :-((    M$ W, E. ^5 G' t
! ]5 W$ k, L' S
Here is a quick description:
6 g8 e  z4 }2 K9 f-AX = 0910h   (Display string in SIce windows)" w! C) u6 S* \* l2 \, Y
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)" N5 E) k! H, H! H# ?' s) [5 y) ]
-AX = 0912h   (Get breakpoint infos)
" M" V0 B; z9 F6 @, Y4 C9 n+ z-AX = 0913h   (Set Sice breakpoints)' k$ b& c2 \6 ?6 B( E
-AX = 0914h   (Remove SIce breakoints)
; ~# |0 f/ y1 i. s" Y- S" X, w9 g- }! p: ]3 t' K+ c
Each time you'll meet this trick, you'll see:
% L  ]: w. X0 j' t9 J-SI = 4647h( Q9 z) v1 L8 U. m- d2 B
-DI = 4A4Dh
4 Z8 N% ~! O+ [  xWhich are the 'magic values' used by SoftIce.4 [* [9 Q& r& m' T; |
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% I5 f, I- A1 v! P% r9 U2 [8 j/ D, n
! G/ y2 D) o, O4 G3 }! [; O5 THere is one example from the file "Haspinst.exe" which is the dongle HASP* g6 J8 J& ~% w2 G
Envelope utility use to protect DOS applications:
0 K; H) w8 ^, \. k3 G) ?7 {) b$ g) c6 E8 A  Z  X- I

; B& M" q; L  v( s4C19:0095   MOV    AX,0911  ; execute command.
" x4 Q1 x) H9 K4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
3 o: i, R+ P/ U; Y  u4C19:009A   MOV    SI,4647  ; 1st magic value.0 n7 r. \% q. S* X2 G. c+ d4 }
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
, j' d: u" O0 z8 K& v4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)2 w% |% J5 \+ S
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4 K: b+ v3 [! G# n+ ^( Q4C19:00A4   INC    CX
. b3 R0 k8 M0 x6 ?; ~' N- z4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
9 V5 A( L7 C( h" S; Q0 n4 c2 \+ S4C19:00A8   JB     0095     ; 6 different commands.; ?: Z+ \9 ]) G% p; t1 a
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.5 a8 S% E9 B% e/ u% d; R
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :), n$ @) r7 g0 S- K

+ H; u: f' u2 E- f$ hThe program will execute 6 different SIce commands located at ds:dx, which
- a4 _5 R- Y% ]9 j4 Care: LDT, IDT, GDT, TSS, RS, and ...HBOOT.6 S" m7 n+ J4 b  ]
) l) }! r6 ?0 T
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
# C" l" A# Z1 @8 B# A7 n___________________________________________________________________________
% J8 j; \9 J2 P" F" m2 _+ @: |1 l
9 ]$ Q8 l! i; Y0 B7 ~' |% Z% T6 L3 I' }8 C- R- i9 n" ^+ d( Z9 z
Method 03  t: J* `- \3 v  ?& s7 D
=========
( q6 y7 D# T* g) D( D; m, E& G& b8 \# {& d& Y+ L2 ~# g
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h; o9 {& \! W) F: M7 R2 j* v& M( Q
(API Get entry point)( E, ]- u2 S' [. p1 V. q  w
        
" \7 J9 \9 [7 f1 r0 R2 S1 \1 J) n8 A; \. F' o1 X, B3 z
    xor     di,di! ]" z, o  ~* @+ G9 c- v2 Z
    mov     es,di
5 K/ m1 R2 Z: @4 o: l% t    mov     ax, 1684h      
8 ~  l- t$ \, f# y7 o4 i    mov     bx, 0202h       ; VxD ID of winice
* e5 H3 i( U8 Q! j) p    int     2Fh4 F( f' ]: O- j) j; U6 p9 j
    mov     ax, es          ; ES:DI -&gt; VxD API entry point; c; _* ]" K0 A2 Z$ f* s4 j
    add     ax, di
7 c9 s4 i8 ?3 _7 [    test    ax,ax
( \) l/ w- D" l( m    jnz     SoftICE_Detected
& P4 X0 W4 j' s& L$ B! [& ]. Q0 q
___________________________________________________________________________; D% q: g2 p# c! p" c

, C) ]! \& x3 Y+ G7 C5 [$ m0 g7 sMethod 04
9 ~& N9 a& T2 {8 N9 x# n* z=========8 ~& N' w4 B; U; b7 p. {1 i

, J5 W' O3 c$ n: m/ rMethod identical to the preceding one except that it seeks the ID of SoftICE
0 j  x) x6 W, J! W) k; X1 a! E( VGFX VxD.
7 P, R( k  h% o2 B. ]' j3 u
2 U, [2 T- \: {  n% E" `+ B    xor     di,di* `' T( b; p) x# X% j3 P
    mov     es,di" l+ b% r% s. V) X9 @  ]
    mov     ax, 1684h       ! k; H* m! F. q
    mov     bx, 7a5Fh       ; VxD ID of SIWVID* J1 y. S) H2 L$ y# {
    int     2fh# f9 d4 z! O, G# z3 z
    mov     ax, es          ; ES:DI -&gt; VxD API entry point- j7 @  r* x5 l' W
    add     ax, di( N- v0 K+ h' g7 M
    test    ax,ax( {$ Q: r' {, ]2 s: ^. O% Y
    jnz     SoftICE_Detected
# i. W5 r( j' t0 Q: z6 E  C1 C5 ]4 u8 D6 {4 o" w; d% p3 I0 I
__________________________________________________________________________
1 E3 q' e! b3 y# s- i- F7 u
3 U3 P1 T8 H( S& a5 c7 E# _0 S
! O  k; K7 q$ Z7 H' UMethod 05' c  h6 j1 H9 K) x
=========* X  g, Q3 G6 i/ ]$ I

6 X/ e: C; C( @( kMethod seeking the 'magic number' 0F386h returned (in ax) by all system
7 r$ O+ ]+ H! j3 f: Ddebugger. It calls the int 41h, function 4Fh.
' D4 n$ N% x$ ]& dThere are several alternatives.  ( M$ Y: U. D; t% N" w8 }
6 ?; R- C" y- A# H4 B% {3 D
The following one is the simplest:9 d1 I: `. {. ^& G7 c/ Q
- ?# p/ Q; @3 I/ z0 k8 y! {% I
    mov     ax,4fh, ?- c+ D0 P8 r: k
    int     41h
) n! _$ x9 G% b0 W; @( K* I* u    cmp     ax, 0F386+ X- ~' ~! [1 k0 M+ h
    jz      SoftICE_detected
9 |( m4 d/ _. U; J- m3 u4 P8 X! [' N9 q, A' I. t+ P4 n  [

9 R# h& l0 T; G* K5 ~0 }2 VNext method as well as the following one are 2 examples from Stone's 3 y  d2 Z# ^7 v) |  y) ]7 b
"stn-wid.zip" (www.cracking.net):9 U1 Z" o  S  V8 G4 i% V  F
& h$ N4 i. E% j. g, I* F& ?
    mov     bx, cs
5 x( }, n( ]8 u+ m+ l3 A* v5 J    lea     dx, int41handler25 V$ x' z6 v$ {
    xchg    dx, es:[41h*4]" k! s& n6 p. q! _; Q( m9 p3 Q  D7 Q
    xchg    bx, es:[41h*4+2]6 K$ Z3 f- z& K/ x! X/ S* d$ u4 o
    mov     ax,4fh1 ]9 V+ C9 O8 I+ S7 f8 p2 h$ O
    int     41h
$ y! X; T$ X+ t3 w4 }# c# s    xchg    dx, es:[41h*4]0 q/ ?; c; l; X+ O
    xchg    bx, es:[41h*4+2]
' G% g4 B, S: h5 l9 N2 r% X    cmp     ax, 0f386h
! u0 q6 v3 d6 B    jz      SoftICE_detected
* j# y9 m0 V, v  |, ]" g) c; k6 l( H" t5 k- C0 z
int41handler2 PROC
& C: [0 F; T/ ~& \$ g$ q    iret
' u/ R0 u% j4 P7 s* Mint41handler2 ENDP
+ M: v- B4 e4 n+ `  p
4 r8 z. r' K$ P2 H- K
; l0 Z. \0 x# \_________________________________________________________________________
' a2 U, @: v6 R$ s" L- d/ A# K# z, \& d5 h# A. ]
# o' J3 L; P* S: K
Method 06
  o6 |; ~% b1 I; j=========4 z; d9 k" j4 C0 S$ q

! q! h' X' g; K( ]8 ?7 |
# t6 |& }2 n2 K2nd method similar to the preceding one but more difficult to detect:3 y. x, o' {! k' A' c
+ v7 P0 J' t, u8 S: I% S/ e2 q% O
6 a( |1 U- W  w2 q! D: T
int41handler PROC
$ @( \; f* L# z    mov     cl,al
% G: w6 Q* `% ?% ^; @8 a) K    iret  F5 k" F  I# D$ r
int41handler ENDP& _6 t: R' [5 D% M' V) ]
  x8 T, H% e$ K$ J' n+ x" m
5 A2 K0 C4 Z9 k
    xor     ax,ax
( Y# m; ~5 a, h3 i( Y, x# w, b    mov     es,ax# d  u- }4 k2 A& w1 [$ [4 ~
    mov     bx, cs, R0 F* L  F" D, y' d3 x
    lea     dx, int41handler' n7 |! p! U3 ~2 q8 q
    xchg    dx, es:[41h*4]* S" N0 ~- o; _
    xchg    bx, es:[41h*4+2]
9 h2 S# s5 L3 Q. u6 `$ H/ O    in      al, 40h
# _' P5 E! C  c" n    xor     cx,cx
7 U% x5 `3 c5 p$ \9 ]( d7 A/ e    int     41h
! S+ Y$ b7 K/ q$ _0 ^; _9 C/ E    xchg    dx, es:[41h*4]
$ r, w, F; a' ~; F; U- U% ~    xchg    bx, es:[41h*4+2]' y: ^* {# q' j0 {: z7 ?( N9 r7 ?  g/ J
    cmp     cl,al
" J! ^, q( f% F8 n- |    jnz     SoftICE_detected
5 R5 J! y/ w( O! r9 V
/ n: j; y  I8 b) K8 X+ B% b_________________________________________________________________________  a2 j4 `2 Y* [) M1 J8 R

: p+ R3 J) ^) p. W9 _7 e$ \. JMethod 073 i% A, M6 a' k; ?& r0 k/ j2 L& W
=========
; a" g! l$ y3 T; q: E* T2 o; `4 [2 E
Method of detection of the WinICE handler in the int68h (V86)
) b$ e7 S7 J3 B9 U, k  _8 I4 s% d: M/ r9 v- ]
    mov     ah,43h
- F8 O& a3 n' G4 `# }    int     68h
5 m. a, l6 i% P  R5 l$ x% c  P    cmp     ax,0F386h
6 g. v; h+ z3 Y& [& X2 ^    jz      SoftICE_Detected
( I  m: b' _2 `5 G5 Q
! j5 d+ I1 v3 h% h! N/ ?) D; p2 X
9 V; ]1 y- Z: s=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
4 s5 A& b1 T( I' b* R/ G' H   app like this:/ `! K0 e- q  t; a/ Z4 W7 [
0 O9 h0 s% F2 O! ?! |3 T, o2 R
   BPX exec_int if ax==68
- P6 _  l) S1 g& W& v   (function called is located at byte ptr [ebp+1Dh] and client eip is
9 s% S$ ^9 J5 q2 E& d   located at [ebp+48h] for 32Bit apps)3 z& G5 y3 S5 v0 W& ~
__________________________________________________________________________
: l; O. s% d  B, U4 u# V( t' [: w

# j* c8 J1 l' Y- w. |Method 08
+ u  Q6 p7 Z. `, ^=========( ^9 J3 t$ r/ t9 c: T+ B+ K7 F
% b4 ]- M' i# t
It is not a method of detection of SoftICE but a possibility to crash the
4 d9 _. F6 h/ l9 _; H/ Gsystem by intercepting int 01h and int 03h and redirecting them to another
6 |* N# S; K. t( M+ G5 Z# Hroutine.6 j9 u$ ~. p4 k; x! i9 `
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points+ }, u1 _( V# g' R7 I+ h
to the new routine to execute (hangs computer...)
8 p9 n" w/ L' q7 s- g# d# l2 k" }
8 N  x( L  t- \( Q" t2 T    mov     ah, 25h6 E" y0 F4 j; F8 K! J( z5 e* L
    mov     al, Int_Number (01h or 03h)
/ ]& P/ C' O+ z: e    mov     dx, offset New_Int_Routine  j* A7 h! i% N# i' ]
    int     21h
- u- W9 h( f" W, K: S7 `# n, z4 s( p. z1 b- A
__________________________________________________________________________( {$ _5 b& C, ~, r7 x

, q/ T: `8 \  K9 z. nMethod 099 c! K, G# V% _* h% V% f0 o  a/ d
=========
9 c$ u# l, h, t3 Q! D; U) I/ G7 t" g5 _
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only* q" J8 g! j/ Y. A0 [8 }
performed in ring0 (VxD or a ring3 app using the VxdCall).
% f( Y, \/ K0 q' o# ?& J2 l- kThe Get_DDB service is used to determine whether or not a VxD is installed. O/ a- J/ @7 {
for the specified device and returns a Device Description Block (in ecx) for" ~2 v$ H6 Q# b" @6 ^. P" y
that device if it is installed.( A. I) L' N) B+ i- J; ~0 o
" ?. P( a% F# }
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 F7 J) }2 Y7 v1 @5 A4 B+ Z   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 b& ~( _. S1 V   VMMCall Get_DDB, W  S- W1 u. M/ Y/ E3 z1 O
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
) e$ ]/ k  |/ m  v5 p& ~
, d4 O/ \' H5 H4 [, d% FNote as well that you can easily detect this method with SoftICE:
% }' M/ O9 o- p/ {( L   bpx Get_DDB if ax==0202 || ax==7a5fh- W% o0 T) o( o- W
) I) d4 e, L- O7 K1 R
__________________________________________________________________________' Q2 Y+ Z2 N( c1 K2 @

. f3 ]4 F/ P* vMethod 10
, |. Z1 H( n# F. ~* a- e7 x1 ^( J- A=========
6 u! S, N- c3 E. B# U2 S) p
. A8 L4 M3 @" k/ P  K+ H- I5 |=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
% B7 H" u% T9 z2 c# D  SoftICE while the option is enable!!
2 @8 {  Z1 |: [/ P
( f  f% e# `' h7 `( a# UThis trick is very efficient:
* h4 z8 Q( l; i' y5 r2 u, O3 Kby checking the Debug Registers, you can detect if SoftICE is loaded
! w/ w$ X& h$ S% s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
2 y* T. G  v" T+ athere are some memory breakpoints set (dr0 to dr3) simply by reading their7 X& P+ A3 b5 J
value (in ring0 only). Values can be manipulated and or changed as well
3 y5 X* D2 V' E  r0 z(clearing BPMs for instance)5 {) m% P0 M7 Y5 _% {
9 S2 k3 G9 e2 O( F& S
__________________________________________________________________________) N  D7 ^( s7 q. F0 P
3 H( p( C  Z2 z- @4 A0 i) O% k
Method 11- v$ w9 U* N' O/ I9 `( O
=========. ]3 L7 `6 i- r
  ]" Z( Q2 ]5 Y) K3 i- f; g
This method is most known as 'MeltICE' because it has been freely distributed
# K' g( K4 W& {' C& t) j0 dvia www.winfiles.com. However it was first used by NuMega people to allow) G: ?8 I9 I: v! X; j
Symbol Loader to check if SoftICE was active or not (the code is located* r( B8 h2 Z; M1 T0 X
inside nmtrans.dll).
% k* p3 N. C4 h2 U& m! F9 ^) J2 C! S. r( L1 D
The way it works is very simple:
6 B$ e4 T* n9 j/ @3 y, z" zIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for) ^9 E% |! f7 m
WinNT) with the CreateFileA API.
9 `( f) L8 l* z' r0 C
$ p. {. N% ]9 u4 L* o3 x7 |9 YHere is a sample (checking for 'SICE'):+ @) B3 G. T' B- ]: A! {
5 Y! T( L0 d# g/ f* V
BOOL IsSoftIce95Loaded()( C& [2 V6 e4 y2 i1 W+ |7 e1 B3 j
{! J. F6 ]/ S: s% J# F
   HANDLE hFile;  
0 K7 `3 U* A" R   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 ~; t: Q3 ]* H- s- _8 M3 E3 b                      FILE_SHARE_READ | FILE_SHARE_WRITE,
2 t2 o4 x% s* P: V* `                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);- E' S  ]' [1 Q( O
   if( hFile != INVALID_HANDLE_VALUE )  q* J' _3 t) r
   {
3 ?& J( V8 W1 H1 n      CloseHandle(hFile);9 v' o  {( a8 W
      return TRUE;
8 P0 i9 G) T2 s1 C+ z" v2 c   }
4 |1 d; m3 P& ?) n3 I, r1 E7 E   return FALSE;; G- k8 q9 ^$ V0 u$ P
}0 h% {! d( Q- w, w( i. \

, p: Q( s8 L2 |Although this trick calls the CreateFileA function, don't even expect to be
( u  _1 X: i8 Q! |' [able to intercept it by installing a IFS hook: it will not work, no way!( D* n: g5 i: E+ a) y! h
In fact, after the call to CreateFileA it will get through VWIN32 0x001F6 L2 {/ y7 _; D. X
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)- B0 f% U0 V* a* h, E- @
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
, ]6 o3 Q; A% S& o5 Ufield.
" R' @1 @6 j$ F( JIn fact, its purpose is not to load/unload VxDs but only to send a
! O9 M8 \  S. G; \- j5 @7 f% GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
- V3 D# o  x+ |2 r! }to the VxD Control_Dispatch proc (how the hell a shareware soft could try
6 A/ X6 z8 }/ Mto load/unload a non-dynamically loadable driver such as SoftICE ;-).7 O3 w6 m/ }( N( c  }8 i
If the VxD is loaded, it will always clear eax and the Carry flag to allow( n; G# o) ~" h( `# T. N7 f
its handle to be opened and then, will be detected.& `, ]6 D' V/ ~+ N- h" ]7 R3 O+ b; J
You can check that simply by hooking Winice.exe control proc entry point
" h( f: {( N1 u, }# H- j; Gwhile running MeltICE.3 ]4 C: A2 b, i! V
8 M  X# R" |/ b- D
( P' ~% F7 j3 O5 n, Z& Y+ e4 G
  00401067:  push      00402025    ; \\.\SICE
# U% u) d$ H4 N' }" Z  0040106C:  call      CreateFileA4 [. j$ L" X* p7 O
  00401071:  cmp       eax,-001
# [7 M5 l5 w4 U2 t6 n1 _. a  00401074:  je        00401091, n8 q: P4 z1 t; P5 b

/ u# D6 h" c9 H1 [
4 C! |" C7 ~5 F  XThere could be hundreds of BPX you could use to detect this trick.0 k% E* U+ e- i2 H' E% v
-The most classical one is:! ^# |( J# c2 Z) j/ d# e
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
4 Q) }/ Z4 I) _8 Z( K. }) ^, E* l    *(esp-&gt;4+4)=='NTIC'+ I" {# g" @  y& L% [7 h
) W1 w; z; `0 ?5 V& T
-The most exotic ones (could be very slooooow :-(8 M3 j  t4 A: |
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ( u* `6 }1 V# y( N% S
     ;will break 3 times :-(
6 J4 P, ~  V8 j3 l- ^# N9 p5 w
2 p4 D) c5 f7 }-or (a bit) faster: ! c& D: y1 y" i) c$ l: }( L
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
- r, C+ n: d* r# j
3 Y' L- H, k9 h0 W: [   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
. O  ^5 E% {2 ~. W     ;will break 3 times :-(7 K! H1 K& ^/ h

0 {) n1 H8 S8 F+ m' G- S-Much faster:
5 V2 w: p1 `' m# l% d   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'% z' W9 S7 h. ?
* H9 \$ W% F# k2 {1 `
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
3 U& }. G5 g3 U5 Rfunction to do the same job:6 L, V: @" N, W4 B5 C: ?3 b0 o" o/ d! Q, k

7 v+ c& `' E" g/ L   push    00                        ; OF_READ
# n( S' Z7 g; s% @- i+ B/ {% V; c/ t   mov     eax,[00656634]            ; '\\.\SICE',04 [5 [3 ~, G  q
   push    eax3 u2 m6 Q6 B. u7 `; L+ D
   call    KERNEL32!_lopen. G, c1 a' p; G) I
   inc     eax! c, x$ p( ~6 O2 c/ A
   jnz     00650589                  ; detected7 _' _2 T: j$ [' Y# a2 H! s& x
   push    00                        ; OF_READ
5 m4 S% c8 S5 E   mov     eax,[00656638]            ; '\\.\SICE'
  q, ^, A) A- }" q0 b2 N' S   push    eax3 X( E/ [, B1 [
   call    KERNEL32!_lopen
8 D9 m/ ?0 f+ u+ G! B9 T. ?( d% l   inc     eax
8 z2 }1 i2 k/ G) }- P" K   jz      006505ae                  ; not detected5 R/ x+ M6 @6 p) b  ^# @0 b8 }# S

: l) n9 w: K, ~2 x, L2 @) b' u( W5 r, b. A
__________________________________________________________________________
3 G. r4 L; N" C" }; H3 G  M/ O
' ~) k8 K6 z  ?5 T" J- WMethod 123 c. K- v% v: _8 S
=========0 u+ D3 z/ \9 |
* g( [, j; [" G0 c+ i
This trick is similar to int41h/4fh Debugger installation check (code 05. H4 O" Y9 ^, Z2 i& V- I' M+ P
&amp; 06) but very limited because it's only available for Win95/98 (not NT)( P& b) f8 {8 A
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.% h& _, S1 e  }7 Y5 j

- E. E$ h0 y7 W  g3 {   push  0000004fh         ; function 4fh8 `0 P" @- c% s; \; S& v9 y, M, p
   push  002a002ah         ; high word specifies which VxD (VWIN32)1 y. `9 y) l- d/ ^
                           ; low word specifies which service
4 R% g6 V9 ]0 X                             (VWIN32_Int41Dispatch)$ S- j6 n. a- m5 l  i$ ^
   call  Kernel32!ORD_001  ; VxdCall* @8 G2 B6 A- C
   cmp   ax, 0f386h        ; magic number returned by system debuggers! N0 u+ f; _3 o% `
   jz    SoftICE_detected- t( k. ]2 L( s" z/ t4 K* a
( c& B' {+ }6 L' w0 ?$ v, w
Here again, several ways to detect it:7 X! `2 E. u6 K
8 _; l# U- K/ H+ e' t
    BPINT 41 if ax==4f* w$ Y9 r7 |, ^3 K; _1 p

9 r) g! J3 p4 L    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one4 h; [5 B( ^! g4 r/ k, e
% E! H! {9 c1 A0 T; f2 C% r$ p
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A) a# T2 ?' F/ z
. I6 O  Z7 d' x4 m2 i3 ^
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!1 j/ {' t; ]* w, c) K3 b  l5 a
0 g) q- P% r% `$ x
__________________________________________________________________________
/ V$ ~. s. v* ~" w
9 }, {2 g( X6 l# Z. @' _; {+ [/ |Method 13
: o* M" a  d4 O- A=========
) G: L* _4 j! r; i6 [' h5 h7 X$ J+ x$ u6 q! Q4 J& h
Not a real method of detection, but a good way to know if SoftICE is4 {' r: f' E, W
installed on a computer and to locate its installation directory.
+ b9 ^+ e5 n8 n; n2 f# tIt is used by few softs which access the following registry keys (usually #2) :
. x# |" J1 s' k0 q/ e' I/ t
) z; l# f% R, ~; o0 f; C-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ g( G' c. ?% ~/ |! y  `# ~\Uninstall\SoftICE
* W5 |; R+ E# U4 p% j, [9 o, G-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) w) O. H* ]" P-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion& ]/ i2 l) |, W, H
\App Paths\Loader32.Exe
1 I, m2 G2 o  v/ U4 r$ P3 H6 X3 [
- m% @- [# z, ?( q' n6 O$ ^; _, N' h' P, U" N" t- h. }
Note that some nasty apps could then erase all files from SoftICE directory7 J  z% ]6 X0 y, U, c5 h
(I faced that once :-(
+ d8 w- Q/ D) y: j7 j3 d; c% v, l' k
Useful breakpoint to detect it:
& s/ B4 F6 _2 u( k
8 `. l6 J: @: O3 ]     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
5 `' [( Q) y; V6 R7 ~% ~, H$ ?7 U5 n( v6 I( h' X
__________________________________________________________________________
7 {" H  G2 v  Y4 Y8 d' e
7 E- ^9 b5 T( h7 @; Y- k6 ^
# x2 T9 b3 u- I3 l# ~/ ^$ w: rMethod 14
  h1 a! H5 Z5 Y1 N1 c8 M=========$ [) W. M0 I7 ?4 _# `3 k3 v9 \9 [

8 b; o; d) F, F. X) D" y3 LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ `" E" f/ y0 \( t$ Mis to determines whether a debugger is running on your system (ring0 only).) r+ {) E( N2 J% e/ |' e/ z' M
$ U4 A2 `0 g; v4 f6 G
   VMMCall Test_Debug_Installed$ W$ u3 [1 o& D9 ?- k9 a
   je      not_installed+ @) w' H# G& D8 Z. r0 M' ~/ \

$ p$ ^% o4 _, L: y: ~" r, Y+ OThis service just checks a flag.
# u2 d% b+ m- ^5 ^2 d0 |0 u</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 21:50

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表