找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>( A$ o% N+ M1 a) M# E1 y
<TBODY>
  r, T) P' D8 ]0 w- }2 p<TR>- E5 L3 [* L9 c/ _" l0 ^0 X7 v% s) g
<TD><PRE>Method 01 ! v. d; S) t8 W" [& `+ ~
=========
( t" B0 A$ `3 f" z7 @
- g1 E: Z0 u: g. }. g! K. ?This method of detection of SoftICE (as well as the following one) is
5 I- |! b6 a" v% `; Vused by the majority of packers/encryptors found on Internet.
, p& \9 H% C' h  TIt seeks the signature of BoundsChecker in SoftICE
5 U8 ]/ C2 z# g) A/ {/ V- b* m! B. I1 j! P+ r
    mov     ebp, 04243484Bh        ; 'BCHK'
( y5 a# `3 w$ v: _    mov     ax, 04h7 A2 N: x+ R6 B( \1 }. H' s
    int     3       0 s) ]2 i$ d# }  U5 W
    cmp     al,4
" L8 K6 R. o6 s! {; Y/ C/ L3 @    jnz     SoftICE_Detected
7 q! N2 q+ s( m
0 S) k. |1 ~" _2 o/ u___________________________________________________________________________% a, a) y8 b: \3 y; I% X

- |- h& h5 y* R9 Y6 [! h: o0 ]- QMethod 02& T1 z- e( i0 ~/ a- ^( g$ U
=========$ C& r3 D2 d$ ?% ~" t4 C- Q2 X
& \; G' g1 }: B6 n0 F
Still a method very much used (perhaps the most frequent one).  It is used, u% E" X9 V, @* x9 ^' C9 {
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,6 b. D) |, |3 x8 d# b- i
or execute SoftICE commands...
) a4 w2 `. H: ^It is also used to crash SoftICE and to force it to execute any commands
. K/ s6 y2 g9 C6 Z' ~1 q- X' z(HBOOT...) :-((  
) W) J  L+ t) R7 n4 w) [4 x
1 d0 l2 X5 q1 E, A  Y- XHere is a quick description:
- J9 Y0 V6 g% }) M* I-AX = 0910h   (Display string in SIce windows)6 m0 b, t8 B0 A5 j8 h
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)- u/ ~4 {, E: U5 c& W8 G
-AX = 0912h   (Get breakpoint infos)
. T- e) t: q9 ]. b-AX = 0913h   (Set Sice breakpoints), Q0 F$ U8 l& t
-AX = 0914h   (Remove SIce breakoints)# X# P1 i) t9 \4 t
3 ~1 }' @* F6 [  \6 b
Each time you'll meet this trick, you'll see:
" N9 |7 R5 p( W! u-SI = 4647h0 ~4 r8 N! u7 C% M: a7 t
-DI = 4A4Dh7 D2 ?0 G( b9 d7 V+ [1 l
Which are the 'magic values' used by SoftIce.
. |2 i1 Q% w. KFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- H+ w- s8 g5 f9 l
* {. S0 T8 ^7 @0 CHere is one example from the file "Haspinst.exe" which is the dongle HASP
# N' K! _0 n* g7 `- _& aEnvelope utility use to protect DOS applications:9 O1 Y1 W- M( `8 r# @- j5 u

% P# f7 S; J# g; U$ n6 x+ Z9 ^5 [5 |- T4 k2 L9 F( e8 g
4C19:0095   MOV    AX,0911  ; execute command.
  L6 g! u, q) R1 [) q5 m+ A* C4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
+ F5 ]' y0 `- c! c6 d4C19:009A   MOV    SI,4647  ; 1st magic value.
* ^* N5 P0 `, t6 I3 J5 p4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
$ E- r/ z5 c5 n, u' s2 _! f4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
3 t' ?7 J/ h8 j4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute  x" `; T/ ?/ y) P9 }  k, \
4C19:00A4   INC    CX- C( ]) `: O$ Q7 I$ m: [
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute1 L, o6 Q2 E- W* A
4C19:00A8   JB     0095     ; 6 different commands.
3 @. n: v' k6 H  |% m6 P6 ]; ?- H6 a4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
* }) ?; g. u! a4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
" [2 n$ U$ K  ]6 B! Z  h
, a' T, Z% M+ L7 p6 k8 wThe program will execute 6 different SIce commands located at ds:dx, which
( Q+ i; g- T; U0 t% Y9 w, tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
' O" I; V0 V% `# d6 }' v8 a9 {9 `6 U0 ^% t( t4 k( o
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.3 i4 B7 M, Z0 r" |& M3 R( v5 e
___________________________________________________________________________
# L, y, J6 k4 _/ M# u. k
+ t  K1 Q* W" |: ]6 O7 _( q- f% S, w
Method 03
: c4 E3 D7 b9 d1 n; K1 s( [=========
  g3 _6 `% c3 T- |# L4 H
+ G) k. t& o8 TLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h+ n: r1 I, f0 g7 O
(API Get entry point)
* `2 W  w# V7 P! u# ^        ( h6 L% T& n' w+ y2 L) z0 v

) @; v" M  E9 J$ q' s    xor     di,di( n6 v. n: ~2 Q" l4 ]3 _5 ]' u/ W
    mov     es,di
: P8 P& t3 z/ Q- Y1 z; t  g4 x    mov     ax, 1684h       5 f  O% d) K9 L: H" L
    mov     bx, 0202h       ; VxD ID of winice
5 ?6 m* D# f, V1 }) m' Z; e    int     2Fh+ w& y1 x- G2 M6 j
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
6 I3 A$ ]( u% g0 s/ E# x    add     ax, di
. w9 a4 z+ e$ m0 q2 [) D1 U+ z: }, z    test    ax,ax6 w# ?/ A( P+ @; \
    jnz     SoftICE_Detected: f, x' a; \6 ]* ?& f: _

. `/ j3 n' E! q. }" c/ K___________________________________________________________________________
% Y) C+ |  _, R* f2 L
! v  y/ ?# i5 b% XMethod 04
0 D5 ]8 K5 v7 ~=========
5 n' U1 B; M$ K8 h; R9 h( A( N- q$ S; |# f. `
Method identical to the preceding one except that it seeks the ID of SoftICE
& j; F) N) K! @) W7 F" zGFX VxD.
, N# y7 J  j. l! l) D& U
& F7 |, [8 t2 e9 L" e& a    xor     di,di# o8 ^4 Z  D7 C8 d( E  ?/ E( N
    mov     es,di
% B; W3 V, ?* O) O+ ^; y    mov     ax, 1684h       + j' t  _7 D* q) _# k" M" `) y
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
7 u, w6 u1 S" x; P3 a    int     2fh
$ |/ n3 j' p! D    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( C9 E- \$ v$ L4 }' _  f, q    add     ax, di; n) _6 V; f  k, T2 C: f
    test    ax,ax
: F) _1 n1 W6 C    jnz     SoftICE_Detected
5 J5 k  F7 d/ R% p
3 G" w1 [  Z. m$ v# A__________________________________________________________________________& u  _, _( S& \

# |" J; D& F. F! Z/ m) ^& O* E4 z2 \( {) x" v' X
Method 05
$ ^5 t9 [: T+ {: ~* R7 [+ m=========
& v. K" W: y* H4 P6 U0 v) G8 K# A3 V. t. S2 w% F
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ R( X  ~2 [2 G: Odebugger. It calls the int 41h, function 4Fh.3 s" v) }6 R" a
There are several alternatives.  
6 A- T" `" e, C9 b
" X# {2 R6 k  d5 K0 B) FThe following one is the simplest:
- P1 A( j- [" \& F& C
! J4 b5 l& J7 z! f    mov     ax,4fh
& o- r' C/ N, `$ N  c% ^, h) Y6 G    int     41h0 l% e; O  v+ j( y
    cmp     ax, 0F386
5 t4 }& o1 S' O4 I' m- L    jz      SoftICE_detected8 b" J1 \0 p+ ?! Y- w9 S$ ~
% _$ A' S; X$ n$ g' N. h1 n
7 S# t8 Y. ]4 j- U( m/ `6 O" C; f; v
Next method as well as the following one are 2 examples from Stone's
& y' h4 V4 I& N6 Q3 C- b"stn-wid.zip" (www.cracking.net):# a- |9 Q& k8 X! Z

' ?0 t# W* P& {# r* b" |    mov     bx, cs
7 o& Q* X  F: g# }/ _1 @    lea     dx, int41handler2, L  G$ x% ^# ?7 W
    xchg    dx, es:[41h*4]: G' m: \! }2 p, @, l
    xchg    bx, es:[41h*4+2]( X/ u& ]1 p, c/ K
    mov     ax,4fh7 V' D5 J* [- ]8 G: y7 b
    int     41h
: T8 N! C! [! `$ |6 c$ c4 w, t    xchg    dx, es:[41h*4]; F/ s1 M. ~) p$ O7 {- w8 \! i
    xchg    bx, es:[41h*4+2]$ b2 J$ K: D5 W
    cmp     ax, 0f386h, a8 c" {7 G, {9 E  e1 E# d) U
    jz      SoftICE_detected+ Q7 k, M! t2 }" V. w: R) h
) Z) X9 m6 Z7 T* r1 e
int41handler2 PROC
( }" @( j8 s. f& x0 ]8 R    iret. W: d/ y2 s. K
int41handler2 ENDP5 i: v; |% Y1 [) c; ~

: k) I9 I' L& c* Q/ o- k! y# K( g) b
_________________________________________________________________________* Z' S$ F  W! _9 D1 ?, Z, ~- a
( D1 E0 u5 O  i

. F' a' e9 d% d0 F2 MMethod 06. }# _+ R. p# q( \  y+ S5 e* ~
=========9 }# n+ O% |$ l( D: M, L% h3 W

$ \5 S4 h. s$ d5 }
" H* T% N6 J6 ~! |9 J9 m3 u2nd method similar to the preceding one but more difficult to detect:9 A* ]& y* Y( j5 K! b
$ H+ N$ L. l. M2 a

4 [7 @3 ?$ N9 eint41handler PROC8 b. o+ f0 s$ U6 l
    mov     cl,al
3 m, L5 Y4 l6 T- _6 p: N  @2 q$ _    iret( g6 I3 J( t( X# @3 u
int41handler ENDP
: X6 B* o  F9 M0 t+ @% h3 u% G+ _  E7 n% m0 {# Y& \

: I) `5 `) @- J1 x. {" N    xor     ax,ax' k$ m: O6 g  z" Y& O
    mov     es,ax0 D! ^( }# M7 |& Z5 Z0 A8 p- Z
    mov     bx, cs
" A  Y# p0 k3 G( q5 h0 R    lea     dx, int41handler9 D* ^0 u) R; A8 o+ G
    xchg    dx, es:[41h*4]4 W7 L. C, M  D* j. Z6 J
    xchg    bx, es:[41h*4+2]
  w* y5 n% q6 Y) _    in      al, 40h
* r7 i3 \. G% [0 m" M    xor     cx,cx
' n& S7 Q1 G* K& F    int     41h" {/ L3 G5 Q: K) `9 p8 Y3 z
    xchg    dx, es:[41h*4]
0 D7 z+ ^, |$ {    xchg    bx, es:[41h*4+2]1 ~4 L) |; z" C# G7 s6 J7 i
    cmp     cl,al
" v6 }: K- f( O% C" @+ Y    jnz     SoftICE_detected* z( `2 u" n9 Q- K

; T$ Y; h* ]3 }' K$ K_________________________________________________________________________
. v" o8 U! b4 I* {# X& c
- o2 B# [" I& [Method 07- u, P: h, ^; [4 S1 B1 M
=========
7 J! K: g; B% t
! t1 i( i9 T7 @9 Y( L- zMethod of detection of the WinICE handler in the int68h (V86)
6 P% h" `. o& I3 }8 ^3 K, w
! ]1 i& v% j6 }( K    mov     ah,43h7 @% W# _3 X1 t4 o2 ]- ]4 Z* S
    int     68h
/ Z5 U+ v$ \& ~    cmp     ax,0F386h
* ]. s  {+ i7 h' I8 D) [1 {    jz      SoftICE_Detected
0 ?3 C- n- d9 G/ G5 G
9 M8 u# f; V$ \" y8 ~# b7 a+ E* d5 _3 x+ y1 i$ z: c' \3 f
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 E, t5 c$ {4 T1 W% x2 F% T* j) u
   app like this:
( w4 P/ I% T7 c8 g
2 D3 C! Y# K5 h  V5 l3 D4 @# M$ j+ f( @0 a   BPX exec_int if ax==68
/ c' f( h! q  e   (function called is located at byte ptr [ebp+1Dh] and client eip is' A+ Q$ K4 c( R! [
   located at [ebp+48h] for 32Bit apps)" d: Y+ J, N$ y& _4 R5 H3 S& t
__________________________________________________________________________
1 I( i: F9 N/ [9 d5 o9 H% p4 b( n% I# _/ [# c! N6 N0 o

1 P6 F! j6 U: @6 k" b; C% EMethod 08
0 p* C  L, c0 S; c9 L+ y=========
/ B( C, t5 u, c; Q4 |( w7 s- N9 f1 W
It is not a method of detection of SoftICE but a possibility to crash the7 {& X. Y/ }& j& P) M. K; P2 L
system by intercepting int 01h and int 03h and redirecting them to another8 c  e' O7 q! V" s
routine.# b* @" \9 @& V* q+ ~+ i
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: V3 l0 S/ X0 G1 z( a8 e. a5 X
to the new routine to execute (hangs computer...)9 ?6 E$ l' `9 R: G5 A
1 ]9 _7 T: f  c( M+ W3 O( ~
    mov     ah, 25h7 x9 q% M7 w# V. S7 Y* U4 q' j' V4 ]
    mov     al, Int_Number (01h or 03h)
! j, C% M. L# z- {' B4 r2 m3 U. |    mov     dx, offset New_Int_Routine% @/ ]5 d5 }5 g
    int     21h
0 ?- g, P8 d8 D4 U# C. u* L3 N, @5 T: J6 U) e& }# \# ?8 y
__________________________________________________________________________
8 @: k( Z9 w% a! ^0 r; Z. F1 r
2 S' {! \( d$ \, F9 `Method 09, z' }% J  k1 s& e+ ~; b3 i" j
=========
% ]- g- O  b$ I! Q
9 [0 q# R0 W) DThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only, A; D7 T4 z- R7 {1 p: m
performed in ring0 (VxD or a ring3 app using the VxdCall).; ?6 `1 Q5 G1 I% u% Y. C8 Y
The Get_DDB service is used to determine whether or not a VxD is installed
5 U& q* C( f. {' T) C$ wfor the specified device and returns a Device Description Block (in ecx) for
& E6 d! C( C& q8 lthat device if it is installed.# }+ p* H' U6 N: |" X% g9 a
6 X$ c3 L" P( w+ E& M
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
  Y; W) n$ P: c! n& ?   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
6 d4 k6 Z1 D: ]  |2 z0 r   VMMCall Get_DDB
4 j& \$ h0 v/ c3 k$ I/ b  b3 g. F   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
$ k0 K- n) i/ S( T; B
/ c3 T9 J. J2 }0 Q. hNote as well that you can easily detect this method with SoftICE:5 v: I6 j# U6 b* o
   bpx Get_DDB if ax==0202 || ax==7a5fh
8 a! T0 G" u. y' A: e& p* ?, u. c6 L6 K9 P' t% O* U& s
__________________________________________________________________________2 r+ C5 `: F; ]5 m% F5 _

) }/ v2 u3 ]( C3 X4 v, @& C3 k/ uMethod 10  T3 T% i' [1 g( D6 v5 A
=========
: U$ l7 P3 I0 ?! f8 D  X
( t9 l) A# b( _0 P  S1 |=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
1 T# f" k3 H6 c3 W  SoftICE while the option is enable!!
0 x) ~' r  ?+ T0 ^1 e0 M' K- k# K- }" G0 w
This trick is very efficient:- N6 e0 j) n( Q8 T( C5 B* l
by checking the Debug Registers, you can detect if SoftICE is loaded8 H( S; e& f( P4 C! H0 e/ s
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 o' Z/ z* U; ~* e1 O8 O: U" H+ e
there are some memory breakpoints set (dr0 to dr3) simply by reading their& O' k6 h' T' ~* X# l6 c
value (in ring0 only). Values can be manipulated and or changed as well
) A4 q' z( V: W4 o5 e5 r/ v" }(clearing BPMs for instance)4 C- C0 ~7 W  P8 U
# P' T( z6 T5 {8 \1 s
__________________________________________________________________________
/ M" a; o8 g) Z6 Z- N) ]6 `$ a3 J3 w, W) k: n
Method 11
/ D+ R6 @  B* U4 b! i6 ~7 l3 @( c/ G# N- o=========9 s* Y( l& n6 _& K2 d* y

( P: x4 @# S* I; C' D' v! X. ZThis method is most known as 'MeltICE' because it has been freely distributed
/ a4 r" @( i! r0 f4 t+ |via www.winfiles.com. However it was first used by NuMega people to allow5 \2 [; P) s6 O' T0 H
Symbol Loader to check if SoftICE was active or not (the code is located
& E) v! t. y' |+ A/ a. yinside nmtrans.dll).1 y- w7 U4 R- z0 E
$ v. l) v6 |. e% U- e
The way it works is very simple:
  R3 A" Z8 z, H4 o. z! hIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: z5 H5 g5 I: b$ p6 ]7 v
WinNT) with the CreateFileA API.
/ j6 J4 c1 x6 `' p0 y4 N4 u+ A; `  V3 V2 R
Here is a sample (checking for 'SICE'):
8 T5 R) z* F+ M0 Z9 e
8 K2 Y  i* W5 o. x. C. |) _BOOL IsSoftIce95Loaded()
% D, _6 z; P# c/ I! ^% C  c! u& l8 t{+ z+ ^. V0 ?, Q' B$ ]& t
   HANDLE hFile;  0 W1 i" ?( [  d6 V
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,. |7 r% e* s5 z3 \/ }/ ?" O7 I
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
7 i) _5 S! s) q& Q+ n& |+ i- c                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  L, A! z3 B8 S; n2 J   if( hFile != INVALID_HANDLE_VALUE )! K! ~, j+ k" X, l' w8 I: W
   {2 R' G' |/ P+ |7 ]* x9 }) [- [
      CloseHandle(hFile);/ g8 |* M; p$ D
      return TRUE;9 t# H4 l4 p+ ?) f6 Q
   }
+ }" S' E% f; N3 ?) L2 a  f% y4 b   return FALSE;0 q1 }7 I  x. d# B3 Q
}1 `% H9 s  O) c6 t4 f3 q
4 j" y7 o2 r, @9 \
Although this trick calls the CreateFileA function, don't even expect to be  o; u' Y* h. w+ V9 H
able to intercept it by installing a IFS hook: it will not work, no way!
! F, E' y7 v0 o% M& h" tIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
, b! `% C, Q) C+ O( Nservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
+ A+ z# Y; M( c; zand then browse the DDB list until it find the VxD and its DDB_Control_Proc/ p. `6 ?5 j9 O: k- M$ U! p
field.
% L/ o' r) g# i6 HIn fact, its purpose is not to load/unload VxDs but only to send a
( I0 a. f, k  S2 `0 k" xW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
! `  T* M% _, y! ?& O3 _" yto the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ a) v) R7 R' Q& `+ e% B% wto load/unload a non-dynamically loadable driver such as SoftICE ;-).- r. A5 x3 c, W, S' j
If the VxD is loaded, it will always clear eax and the Carry flag to allow+ ^* d$ b6 j( E
its handle to be opened and then, will be detected.3 ?7 \) r8 {6 e" }# V
You can check that simply by hooking Winice.exe control proc entry point
# \: n# O' I1 D6 a" Cwhile running MeltICE./ s1 R" _. r( t2 z, V4 |/ U
. j  N. R( K4 ]! P( ?+ `
( E) N0 s  g- ]
  00401067:  push      00402025    ; \\.\SICE5 S+ ~. ~" H- j1 s  @  u
  0040106C:  call      CreateFileA
7 Z1 ^9 f8 K! `6 r  00401071:  cmp       eax,-001  i; e, e0 _0 ^' m, w1 `" C# R5 _
  00401074:  je        00401091' F% E% A( D3 ^6 R7 o) @
$ o1 V7 Q7 o; I, [2 N

3 a8 k0 `, G) |0 WThere could be hundreds of BPX you could use to detect this trick.5 c  C5 W' _: ?0 f  V
-The most classical one is:4 [, B6 J, c3 q
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||) H( H! N7 d+ j: M: ]& @; [1 C
    *(esp-&gt;4+4)=='NTIC'/ F! G4 l1 A( M9 R+ M1 u6 s" b
* ~" R7 ?7 M; P' v. _
-The most exotic ones (could be very slooooow :-(' n: F  B  M; i5 d6 Y9 D. j& k
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ; @  ]  W. d4 ]1 c$ V
     ;will break 3 times :-(! `3 ]' u3 y' n% k1 V; ~

% P2 y# M3 [* j! G7 g( ~' G-or (a bit) faster:
" }: k6 Z. X2 x8 y" ?+ X. a   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
1 o% R# m/ u- S& @% P1 @, G
$ ~+ X1 Q4 x0 P2 K   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
. Q* S& E1 P3 M0 P     ;will break 3 times :-(- m* q0 w  t* V" j
$ N% `2 k8 P( q# q9 x; n
-Much faster:
$ [8 t: e6 B# ]1 c  s   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
% G& J* R. D# p0 w
- V% w* q7 a# E" [: ~Note also that some programs (like AZPR3.00) use de old 16-bit _lopen5 Q+ A; I  s) {# j1 |3 ~
function to do the same job:+ S/ B, ~, X. Z# [  S# n, _" _
5 f# K/ l5 e; e
   push    00                        ; OF_READ
/ E' a$ r. l" @) J; m9 b5 O+ L   mov     eax,[00656634]            ; '\\.\SICE',0! ~1 G5 ~, e  t
   push    eax
2 O3 D" O2 L! T( Q   call    KERNEL32!_lopen
4 P& h! F; b9 F4 N4 k7 _8 u: N   inc     eax) }6 M- \. }6 h7 z
   jnz     00650589                  ; detected9 v; [; c2 h9 c1 ~) M
   push    00                        ; OF_READ: _  ]0 o& v2 V
   mov     eax,[00656638]            ; '\\.\SICE'
8 N7 X% t- F3 q2 T   push    eax9 y/ k9 z) |# O; s+ U5 U
   call    KERNEL32!_lopen
& z) p) F6 T" K2 I/ E% a   inc     eax
9 G0 E7 H& q/ v6 z4 y- y   jz      006505ae                  ; not detected; P% E+ h+ u1 j' \6 z) K0 S

/ W4 n& V" y! @# m. t+ h9 B, J( o
__________________________________________________________________________7 c: \8 A" y6 {3 c& n1 r

* R" k* m5 {- x" y! `) C& X) IMethod 12/ p+ x5 N, X* P7 w
=========) @$ t8 a  i4 x) A" ^
8 z5 g  C! _- U0 |
This trick is similar to int41h/4fh Debugger installation check (code 055 y) J( ]3 k; j' z3 W# Z3 f
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
  Z+ a; O( y4 V# ?3 Sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.2 k$ b+ }$ ^0 {. f2 L1 V+ \1 v
3 @# ]0 j3 e4 V1 `: k1 Y0 s
   push  0000004fh         ; function 4fh8 W7 G) @, j8 }  e
   push  002a002ah         ; high word specifies which VxD (VWIN32)
/ I( O0 C/ N0 {( K! f                           ; low word specifies which service" k: P: u. w9 X6 z5 b! R" G6 X& R
                             (VWIN32_Int41Dispatch)
6 i8 E  k0 k) f; q+ e% w   call  Kernel32!ORD_001  ; VxdCall
7 K% A# S' ~' b7 O: w! Y   cmp   ax, 0f386h        ; magic number returned by system debuggers5 ?6 s# [; u: ?% q
   jz    SoftICE_detected5 S" e' K5 i9 e, C
3 a  M& h- t0 v
Here again, several ways to detect it:
" z; k. R  c8 X4 L8 T
  ^/ m5 s5 l6 }/ C( A3 @% H5 w1 ~0 `    BPINT 41 if ax==4f
! A$ y5 i/ q6 g( m: l. X9 X% Q- |6 E( j. X
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one! G  d, W8 J- V8 L# p- y$ t% ]
! R9 M5 Y: `. b+ R
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
1 R6 v  Z# c% N1 R& k8 K
$ _3 y' C* G$ V    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
* v5 P3 F, [; ?7 t. D
3 v7 R/ {( v& C, ^3 H__________________________________________________________________________4 C& s  H2 Q0 Q5 ]" h2 R$ c- y
. l9 F( d# |, y8 Y+ B# k- E
Method 139 w3 S' t. L2 r8 `
=========
. Z0 t; P( S$ M4 j7 H# q% P6 d* k
1 M8 R* _* Z  d# rNot a real method of detection, but a good way to know if SoftICE is9 a/ r5 g: d; B- I2 x. R
installed on a computer and to locate its installation directory.
: s4 o/ e7 {! n( G$ r: rIt is used by few softs which access the following registry keys (usually #2) :6 K% y" m; E4 o7 _

- j5 Y; }% O9 @0 L9 S-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! |; k+ s  p  C5 ?\Uninstall\SoftICE8 V" Q+ ?& b- a1 h5 u2 ^6 x
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE; Y# H! L) S' @" F! o+ G7 s' O+ F
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; ^9 b' t3 B9 _, P  d1 V1 `9 Z7 W
\App Paths\Loader32.Exe$ B) ~6 m: U1 N

, i" l% h+ `; e* a9 D' C+ p; }, a% K/ y: {1 W' p
Note that some nasty apps could then erase all files from SoftICE directory  E. s3 q/ {/ S8 j/ e2 D
(I faced that once :-(
0 ^0 U3 u  k6 }- o3 M% G( I
' x0 w9 q( }7 C1 i3 e5 \Useful breakpoint to detect it:
. N, \6 ]2 h* r) C2 [( D6 ?; G
3 X- Q8 @1 a8 M5 ?+ X  W: ?     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
4 m2 \# q" b6 _5 r
2 K0 v) i( l4 \" O% @/ \' D__________________________________________________________________________) O; I6 G9 }8 _% U1 e% \1 P) P, _& ^
. f* m: q' y) |7 G1 j4 q9 e) N
& H0 I" |& P5 r# i- f! l, X
Method 14
8 S7 ~" H' ~) H! W- L$ B  w! m2 b=========
9 v  L& @1 ^! ]0 B: @4 M1 U$ C0 {( T! R
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* V* v3 @* g' `- Uis to determines whether a debugger is running on your system (ring0 only).! e$ \0 v! B% L2 d

- M, L! [- m3 o& L% i   VMMCall Test_Debug_Installed
% Y7 K2 [7 B  h" h4 a; }" D   je      not_installed& _! V& K: i; O( w( t; K

, Q& r! L, C: c# {This service just checks a flag.9 v2 }: {" t2 N3 V1 x; I
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 03:21

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表