找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
4 U3 S8 [/ y/ L7 j<TBODY>
2 |2 o* M; _5 y, U<TR>. k4 K6 x8 ]/ E1 q( D6 J
<TD><PRE>Method 01 ' u7 A" B6 j9 x7 k
=========# R/ i' y% z; U

5 Y7 r$ R& y) C. f+ b4 `+ iThis method of detection of SoftICE (as well as the following one) is) p: x$ P5 _# x3 s/ w5 ?
used by the majority of packers/encryptors found on Internet.
6 F/ q/ {' H  M( R7 D$ I  n0 v7 tIt seeks the signature of BoundsChecker in SoftICE; e0 T& E' N2 n

  y5 j0 ]! v& y" z' `( i    mov     ebp, 04243484Bh        ; 'BCHK'7 M% D/ I' `$ U
    mov     ax, 04h% k6 z3 d$ S8 |' z: n" R/ m3 n
    int     3      
7 [3 l, W2 w5 j    cmp     al,4
" S; z4 t2 P$ Z9 B3 {1 U* k    jnz     SoftICE_Detected
$ [9 P) m) l, @" @: |- `& l' k" b8 G. v
___________________________________________________________________________; O( W- U! j; b7 J; |$ o! D( V1 S
' @0 V4 \& l/ z( g3 B. Z! _
Method 02. x: c* S* Z/ K6 L* o
=========
# U0 y# b, {% p4 @
* x, Z( _  p8 o# h# u/ a& y& j$ xStill a method very much used (perhaps the most frequent one).  It is used1 d0 c2 M- B3 j, U, V) J
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,/ p5 M4 Y5 S8 v' S' s
or execute SoftICE commands...
( W5 q2 W2 w: w& i- a5 w  sIt is also used to crash SoftICE and to force it to execute any commands
* T6 M4 `; v" B5 ?* w) O! m(HBOOT...) :-((  
7 T6 I; \& y) d1 a
' d5 Y% M2 U  W0 ^Here is a quick description:
- T! \' W' Y' c% I6 l-AX = 0910h   (Display string in SIce windows)
; E! Y6 ?0 H) r$ F-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
) r5 x# l& i/ Z% N; [6 G-AX = 0912h   (Get breakpoint infos)
$ \% u# u. j4 p9 s* Q" X5 F-AX = 0913h   (Set Sice breakpoints)
* A$ Y2 M$ G8 I" w-AX = 0914h   (Remove SIce breakoints): l' \8 j. d% f6 U7 Q

( q( u! d0 w$ G4 Z" I8 ^7 `" GEach time you'll meet this trick, you'll see:. x) a/ ~6 L; K9 s% G8 X
-SI = 4647h( P8 f# [3 }; l
-DI = 4A4Dh8 e1 k% H1 S- ^, D( d1 N
Which are the 'magic values' used by SoftIce.
' Z) B0 y5 G/ {* m1 ZFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.; Y. z( w6 q/ D& t
! k8 z. o  k' C) m( d
Here is one example from the file "Haspinst.exe" which is the dongle HASP
( r# |/ c6 u% j# d# Z! p  qEnvelope utility use to protect DOS applications:; n; c  x3 U# X4 X( ~8 ~8 |. R

; s" U) A9 ~; {5 @* q4 ~9 T8 C. H% T% `7 i  j
4C19:0095   MOV    AX,0911  ; execute command.7 e, y/ B- X3 X# E$ x8 [5 F3 ^
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).5 C  Q' V! Q# u  s" O
4C19:009A   MOV    SI,4647  ; 1st magic value.
, T# Y% S7 O) K& k3 y. k! X4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
. D& I  {4 x  {* h2 R$ o4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)$ j( Q( P- F7 L# K# h
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute. I3 x8 O% O6 L6 w: {
4C19:00A4   INC    CX$ _8 N' y5 _2 P4 l( U. `. f
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute" a6 P# T' m$ o( u, N9 h
4C19:00A8   JB     0095     ; 6 different commands.( [' L$ ^  o5 L$ W- J3 g. z# G
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.8 i# W2 A' v" Y2 S* h( c: @' j
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :), T- V9 k; s6 \6 b) R, V1 i
; u- ]6 }- t8 M( Q6 V9 i- W  W
The program will execute 6 different SIce commands located at ds:dx, which2 E! `/ `* _, m
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
! O6 o  R# U& Z3 q  h7 g
2 H2 ]" }+ |9 x* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.0 Q# L5 D; `6 q9 t4 e
___________________________________________________________________________
3 A. A/ r1 o  I6 i' f
$ w3 h8 }. X6 H% U8 j, J0 |8 Y2 A$ M9 [$ y9 h
Method 03
! d4 n+ H# Q. g=========0 i$ n- f0 V7 Y" h8 z* i' ]
0 c( I2 e2 U) \
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h- w$ D( |! P! d" p: t- u: D2 r' A
(API Get entry point)
* v/ V: s$ T% o2 J1 `        5 b5 i2 r% ?) F5 a5 {
$ h9 m9 F9 [2 \* G/ Y9 R
    xor     di,di
4 {, E2 S) U7 v# z0 K6 f    mov     es,di8 ]: p: @$ f# q3 \
    mov     ax, 1684h      
! z4 a: ?2 O9 {" T+ \% ~% S    mov     bx, 0202h       ; VxD ID of winice
3 |; R9 W  n  ]2 Q    int     2Fh7 N: P# I# j; a5 H" x1 D
    mov     ax, es          ; ES:DI -&gt; VxD API entry point* u) q% y. x* P
    add     ax, di
, F: N8 p. Q' K7 n! f    test    ax,ax
) e2 ~, K$ }9 O6 |3 Y$ v    jnz     SoftICE_Detected
; m! k8 I) i' E; e. z/ Q' s9 w- k2 Y& W, b, x! h. Q
___________________________________________________________________________" E0 y* e; a+ g; G2 J& R' j% y

1 Q) o  T0 M1 Z5 w9 s* EMethod 04) A( h: X! [, h7 J
=========! a& o1 Z' `# L; W. f
* Q) V0 i9 }) k- m/ q
Method identical to the preceding one except that it seeks the ID of SoftICE1 F5 a5 d8 W' N' o- |
GFX VxD.7 @- d! i8 P( J3 U) Y9 w( U  O

. F3 k' m& j9 F3 K5 @2 L    xor     di,di- d  I8 X) |) S) }$ O) [, r
    mov     es,di
. @' s" D" r$ e2 Y0 G" X    mov     ax, 1684h      
0 W+ z0 v. N2 e" Y+ b    mov     bx, 7a5Fh       ; VxD ID of SIWVID
) m, D* {' @2 @- `9 j    int     2fh5 N9 i, K# w  |6 c- B7 h! f
    mov     ax, es          ; ES:DI -&gt; VxD API entry point. J/ d* _  ~/ }: H7 y3 f
    add     ax, di
% g4 p8 v: t/ D( R+ y& g7 t    test    ax,ax/ w0 v$ W6 a& Z2 m
    jnz     SoftICE_Detected0 M0 l- [, I, z1 Y, z0 \
1 V) @/ b- ]( l
__________________________________________________________________________
/ t& \4 I9 N4 y& v. U. M1 {) N7 t9 ?/ {, c
, `$ f/ q0 ^, h0 h. Z( p: s; C8 a
Method 05
3 I( o* ?8 n  t( P, u=========7 f+ T( m0 D2 n2 D3 K

! [0 p& x% j$ _) uMethod seeking the 'magic number' 0F386h returned (in ax) by all system. T# f) `$ Y  ]) K
debugger. It calls the int 41h, function 4Fh.
- Y- Q& r6 ~7 y- c& d# s  b( lThere are several alternatives.  
! W4 m/ W. }6 D% L2 y
* U4 Q/ v0 Y, h. S" iThe following one is the simplest:( }+ r3 M9 z" c5 i$ q" ~, S  G6 L
/ Y% y, S& y4 y/ m& r  b
    mov     ax,4fh9 b" {8 ]& q6 k, x$ a2 w
    int     41h
# V: l; B: ^4 c% ~4 a    cmp     ax, 0F386
* H  V4 _, I; J; v+ r# `    jz      SoftICE_detected
  b* k6 `- i$ T% [& ]( B
3 B, t  m6 M6 F, c  c
& G( `0 B) p( g. |; wNext method as well as the following one are 2 examples from Stone's
; m) u4 [1 y- P9 `  w) Q: R"stn-wid.zip" (www.cracking.net):: D& n/ P/ h' p! u5 O! E, M9 A' x

# s9 e4 y# S# u    mov     bx, cs
! W  k. I- i' {    lea     dx, int41handler20 X. f  X: }8 Z, g$ p( A9 @# I* B+ A
    xchg    dx, es:[41h*4], k& u+ C4 [9 n4 U! c3 m* h
    xchg    bx, es:[41h*4+2]6 Y( s" ?2 M& l; m3 g
    mov     ax,4fh$ x+ u: e; h, Z2 m" h( \' e7 z" A
    int     41h
6 h: _1 G+ B* u7 p& [    xchg    dx, es:[41h*4]
+ \3 L6 G  Y/ B6 W- j2 M3 l3 V. V    xchg    bx, es:[41h*4+2]7 E* Z. y: C1 w3 R6 x
    cmp     ax, 0f386h
8 B4 s$ A& j  L9 A1 ]5 |    jz      SoftICE_detected
; ~5 t4 H# T  S2 j( W
  t) K; u$ |) lint41handler2 PROC
1 r  S, _1 l& Q7 c- o1 F. z( [. C    iret
7 A) s5 C7 C1 m4 G& H1 q- Mint41handler2 ENDP5 C+ E% R  e/ }. Q* h+ r% m" ?
* V2 }3 R. K  J& ]" _

4 k8 Y6 I9 W! H- n_________________________________________________________________________: v" Z) Y! J/ @! f; ?6 m
+ e0 H4 P% X* h/ B
( r8 B( J0 Q# e; c5 r5 f
Method 06+ K" }* J8 \. n3 ^; f
=========- m: k" D; s! p+ y$ D: |
$ {  {4 T# m6 \0 _

% |: W+ y. R6 s; |0 M2nd method similar to the preceding one but more difficult to detect:/ e$ n" Z$ m9 S5 L: p

8 g8 p5 k- R' h) z' k7 T0 n2 ]. _6 H8 [) P  W! [. d9 }
int41handler PROC
5 o  X" l  o0 ?, m    mov     cl,al
' c& b9 z+ l/ F3 p    iret
/ v+ \- K! g( x  V3 }) V. Vint41handler ENDP" Q) S; E4 Q) C- W2 R  m- o

& i# o, E( O- `4 {/ s4 @0 ^, `
- i! F1 k6 L) d! N/ s    xor     ax,ax6 A6 [4 o. I+ {" H) K
    mov     es,ax
# K. a$ U0 x& R* b    mov     bx, cs
2 b9 }* Z: S2 C. [1 Y- B    lea     dx, int41handler+ U5 i) y, F; G' O1 T7 q
    xchg    dx, es:[41h*4]
. f' B" E: d  |- p+ ]0 F    xchg    bx, es:[41h*4+2]# t9 X* K# p  V, `( |- g
    in      al, 40h7 O4 O- u( ^5 h9 J) L: a2 y6 `
    xor     cx,cx- V8 S& u: J1 k) q5 `7 i! u
    int     41h! }/ L& |2 f5 M$ \  o! p
    xchg    dx, es:[41h*4]
' J5 ?/ I5 W1 U1 |    xchg    bx, es:[41h*4+2]
% V# P/ @8 Q$ \, l0 N* U: r    cmp     cl,al
- _0 K+ e8 j5 S$ d$ }    jnz     SoftICE_detected  a0 R* D2 B2 j

2 o4 S6 R5 r0 o6 ^0 M" O5 I+ G/ h_________________________________________________________________________, ^' g5 C# [! n+ a3 ^2 R

6 G" _: X- _  ^Method 07
& c! z. f; N: Y% _( S=========
- y" Q6 I2 _4 V6 d2 }! s4 P' k! k4 |5 j
Method of detection of the WinICE handler in the int68h (V86)+ r/ ?* Q$ i; W) G

4 z0 N' |& L+ r& ~% q    mov     ah,43h
3 U9 ?; y4 O( H    int     68h  W3 o; l$ ~2 E  ]
    cmp     ax,0F386h
8 O/ p. C; e6 e$ T8 Q, P4 r& A# g6 j    jz      SoftICE_Detected
/ t. t7 i4 n& }  P) ^
! g+ l& }; B: v4 Q; b) {
, _6 {1 g# R6 S8 Q7 W=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 J. J2 Q3 ]1 }9 i; w  g   app like this:
+ K0 d+ `# x4 y, `: P
) Z5 v* S9 s  P& P5 S   BPX exec_int if ax==68
& e, {- B. o; `& [, j   (function called is located at byte ptr [ebp+1Dh] and client eip is
! ^! g6 }$ Y* |   located at [ebp+48h] for 32Bit apps)9 L7 X: _  N8 A( Q. X8 o
__________________________________________________________________________
! f7 n6 D& {5 \7 U! h3 F) e  a% |# d
9 F+ Q$ o! J3 C0 S! i5 i* s
Method 08
- x" u& u- H* Y* \& k; Z=========
, t0 I1 E+ n/ l- _' D& S: F! f/ l$ z( X+ C, `
It is not a method of detection of SoftICE but a possibility to crash the
- T: ^. ]4 _( [, p. x2 vsystem by intercepting int 01h and int 03h and redirecting them to another3 ^9 o+ q- U; d# w) ^
routine.# X5 i# v0 n  Z7 ^  s. c
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
* E. R6 t* A$ P0 z3 {0 V+ xto the new routine to execute (hangs computer...)
& I. G1 D8 k9 a" O7 R! l; E* |6 ]) h! R! D+ l+ |( O9 Y; v
    mov     ah, 25h
  O" {$ L2 x( u. m5 S    mov     al, Int_Number (01h or 03h)
$ `1 m2 ]$ B3 |    mov     dx, offset New_Int_Routine% A+ B/ i% c- N% [/ p8 Y/ L9 ?
    int     21h0 U! l, \, o' P* J2 u1 {8 B8 B
# i& A9 p2 H+ M) O: N: k, T
__________________________________________________________________________
' p8 g$ [. @) s% E& Z& q4 P( Y" y3 e0 N( Q+ B: ?2 v
Method 09% M! }/ t' a. `- O/ v
=========
4 r3 U+ }. L2 d! u; _8 T7 U) r  Y, ?: @9 K; W' u/ ^
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only1 G6 {! `: [' w0 q/ U; w% m
performed in ring0 (VxD or a ring3 app using the VxdCall).
9 N! d+ r4 W( v, e+ sThe Get_DDB service is used to determine whether or not a VxD is installed1 D( G% c/ \5 \) {' _5 F
for the specified device and returns a Device Description Block (in ecx) for
  ?9 p7 L2 d- t3 w; E' wthat device if it is installed.
1 {) C2 I; w: ]" m. t# K% O+ B4 j% r5 y: h" e/ Q
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
1 D' n2 i' |" q3 p* C   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-); \$ m5 [6 ?8 V
   VMMCall Get_DDB' N% o7 q9 u5 r& l
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed( |* z% `7 X5 H
- D# p- z# }( a5 d
Note as well that you can easily detect this method with SoftICE:& S& h2 y6 p1 m; R" U
   bpx Get_DDB if ax==0202 || ax==7a5fh
; j# K% \/ d, d& e5 K4 x( U+ }3 V# J5 D# E
__________________________________________________________________________
) e! f* u( y$ ]2 T2 @; t, {. Y) \* ^: I# k, \5 R" R
Method 103 M, v. J2 j; n# ~
=========% }) \4 w2 W$ c# U6 e' N+ Z
: `; Z0 b2 ^' J& j1 Q, [- p  r- W
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with5 n3 K) F" M% o/ M- P
  SoftICE while the option is enable!!- g, v# V  X; R. ^  O# E# \/ x

$ F- `1 |% Z3 jThis trick is very efficient:
7 J: H; v' Z8 Sby checking the Debug Registers, you can detect if SoftICE is loaded0 o6 N* N% _) P- X( [
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
7 L4 c% U  L! q9 Y" E" Qthere are some memory breakpoints set (dr0 to dr3) simply by reading their
3 F5 _8 f7 M& u0 U) bvalue (in ring0 only). Values can be manipulated and or changed as well
6 ^0 |6 }8 y9 h(clearing BPMs for instance)
; }' T) y) Y+ m& z/ j7 q% x7 k$ d1 M
( B# r3 G/ |( i! c$ P__________________________________________________________________________9 b% v5 w, ~& s( [9 P) n* V

% M& x5 A3 _8 b$ ZMethod 11
' u" v( u: y' X5 f# o  A( h" k=========/ ~! a% i( Z. |

5 ~3 h- N: V/ cThis method is most known as 'MeltICE' because it has been freely distributed1 N* S6 i" p5 d
via www.winfiles.com. However it was first used by NuMega people to allow* T3 v+ W6 P6 O4 |0 k! Z2 V) {
Symbol Loader to check if SoftICE was active or not (the code is located  d2 e( ~6 ^+ _. t. @9 C1 P
inside nmtrans.dll).% V# ?  \7 \. c+ J: x& ~

+ j: r" P, P* L1 DThe way it works is very simple:
2 ~1 t; O) S* E9 @# q) @It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
9 m% {0 R3 i* V5 M$ EWinNT) with the CreateFileA API.
) j, Q0 l3 j9 o1 o  I2 y1 N1 X7 t, k$ {; U
Here is a sample (checking for 'SICE'):/ }  A: T) S" U6 M% c
/ j; |& y; [7 @# E6 Y. p
BOOL IsSoftIce95Loaded()
( _( Y- D4 ]' W6 m% H0 Q{
1 [0 f, X9 ~) C' D   HANDLE hFile;  
# Y: _, K$ t9 P: q   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
& R5 Y4 r  O* K9 D& o                      FILE_SHARE_READ | FILE_SHARE_WRITE,' p: a4 z: e# X$ W
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; }( @3 ^5 |" |) ?; R
   if( hFile != INVALID_HANDLE_VALUE ); m& J( T' b7 H% |: Y- z
   {' m( `' V1 H; j- y. |/ M9 Q
      CloseHandle(hFile);, X) g: |# O5 E- x! r7 `/ N1 i
      return TRUE;
# q; W. [) M! \0 X* j" A   }
) G$ t# A# D# k) B/ l   return FALSE;1 P+ r' X) Q8 `% Z# z
}
0 i* j, g6 t/ z7 T% l5 k
1 W! [5 O; Z  X" G1 jAlthough this trick calls the CreateFileA function, don't even expect to be' V, A+ w. N7 m* Z. X+ z
able to intercept it by installing a IFS hook: it will not work, no way!
" E' Y( O+ k8 I' q* b1 P2 S6 VIn fact, after the call to CreateFileA it will get through VWIN32 0x001F1 p3 @! U9 K. W$ N6 d
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 u& Q! y6 u5 n
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
) V8 v# S' f  f+ sfield.
' `0 V8 Z6 m+ U$ nIn fact, its purpose is not to load/unload VxDs but only to send a " D8 t1 J, B  U% S* ~/ u: ^3 f
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)& _. W8 `( Y8 ~
to the VxD Control_Dispatch proc (how the hell a shareware soft could try8 a  Z, n6 |/ ?7 I% t
to load/unload a non-dynamically loadable driver such as SoftICE ;-).# ]& c8 p, }, D1 R  r( p% Z2 n
If the VxD is loaded, it will always clear eax and the Carry flag to allow
/ M) |3 k% S2 L& n8 _; j+ i% k  Mits handle to be opened and then, will be detected.( Z1 g4 h7 N6 y  G% O/ q5 F8 G: H
You can check that simply by hooking Winice.exe control proc entry point" _7 ]8 r" K2 v+ O
while running MeltICE.
) k) ^* F2 L3 C* h5 M4 B( _5 @+ W1 K6 F4 h0 J. O% u

7 ~' h. q/ A9 E; C- w  Q; O  00401067:  push      00402025    ; \\.\SICE* t1 s7 r0 z4 f
  0040106C:  call      CreateFileA
4 |& L! W' X) d  00401071:  cmp       eax,-001* z: D9 Y  ?4 d8 e/ c  `$ }
  00401074:  je        00401091
- T7 x/ V1 F' E+ Q3 s" W; Q4 D* I7 t" M1 W; Y

" W) q2 u: G, }/ zThere could be hundreds of BPX you could use to detect this trick.2 {3 r+ \1 N8 j; x7 k; L
-The most classical one is:- h0 c" C" D- @/ p  I# _0 J3 @
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 c( }% c& c! T: {& B    *(esp-&gt;4+4)=='NTIC'
) A& V8 U8 |+ ]: }6 q" E# j+ `; A: C" i, J- r
-The most exotic ones (could be very slooooow :-() F' G' D, {0 O/ U4 R. C
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ) R5 j. z6 G! Q4 ?5 L& Y; R
     ;will break 3 times :-(
3 H( J" b( j$ B$ U( v* f- Z  w! d1 d$ d9 y. r1 _
-or (a bit) faster:   g$ N6 b9 L3 q: m
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 X/ k  t: B0 F2 F" U6 v" L, S& @8 g5 O1 J
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
; ]7 I! b( ?. I3 N     ;will break 3 times :-(
  @4 K$ ^, H& O- s9 b
7 K" E  h6 y/ c! e- x( J) [-Much faster:
9 [4 y3 R5 y  n; X+ z7 I& N: `/ a1 i   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'- ^; |5 w" d1 m7 j" Q( v

1 r6 E$ z8 G. J6 VNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
" f" d0 w+ t* Y2 i: L( pfunction to do the same job:
4 L1 g& ]1 C/ l; }9 t5 R3 P# k
3 E/ @% t- q1 M9 b   push    00                        ; OF_READ
& ~( q( v0 K, ?* U7 ?# n1 T8 s5 M   mov     eax,[00656634]            ; '\\.\SICE',0, M: G! h+ o) c  w9 b
   push    eax
5 i% k, y8 @+ T0 }( D   call    KERNEL32!_lopen
+ D; m7 \2 q1 G" w* a   inc     eax, C) @3 R7 E; q) ]1 Y+ [4 W
   jnz     00650589                  ; detected( t8 ~& x1 n* Z
   push    00                        ; OF_READ8 z4 x. A; b0 S, x
   mov     eax,[00656638]            ; '\\.\SICE'+ R6 [6 s/ |7 Y! ]
   push    eax
; o3 m: E: I% e/ G1 h   call    KERNEL32!_lopen
. B# D5 H4 q3 Z/ C   inc     eax/ }5 N2 [* F5 M! f( F- u5 R% _
   jz      006505ae                  ; not detected' p# n: B  X3 P7 F7 R

5 Y$ r+ s, I/ {5 R& ]# \* d# k$ D9 T& u( W5 H% q
__________________________________________________________________________
7 G) {1 F" U# m1 Y, c8 @) q+ D6 S
Method 12, ?+ p3 f$ U+ m! B2 V* u- c; H
=========
' F  ?/ A+ `1 ^8 m. G+ w+ V$ Q( n  \7 S2 G
This trick is similar to int41h/4fh Debugger installation check (code 05
9 [1 @1 o) K7 \4 [&amp; 06) but very limited because it's only available for Win95/98 (not NT)
  g9 c! h- Q( t; j' ~% _9 Zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.- Q6 `" t% `! p4 X, T: _

. T$ Q1 k1 q9 o2 [3 u9 V   push  0000004fh         ; function 4fh1 I1 O% L; s% D' B, X
   push  002a002ah         ; high word specifies which VxD (VWIN32)% m$ n8 B- @- v' J! t2 ?
                           ; low word specifies which service( r/ [  T. G8 E' z( C; o% p0 `
                             (VWIN32_Int41Dispatch)$ U# m$ t8 v7 H( g* Z
   call  Kernel32!ORD_001  ; VxdCall2 R/ [9 m! G* Y# `
   cmp   ax, 0f386h        ; magic number returned by system debuggers0 C. u4 e+ V$ I: A2 j. Z1 \$ U
   jz    SoftICE_detected" m% r9 V( _( y
- m1 p/ z% @2 [3 L, M. O9 y
Here again, several ways to detect it:0 H% I' U9 I( s! s; ~0 N
/ Y2 L0 e7 l- g1 F( D9 W
    BPINT 41 if ax==4f
; r( y& S7 i, ~5 Y2 C; L
% z) f. }0 k& r/ M    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one9 Y1 k/ m. ?) `9 t

1 H: V" |4 P; B& \    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A( q. U7 G) Z! v- S8 ^4 A

8 ^% H1 `4 W4 }* r5 q: @    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
% D0 s( E' K: ]: [6 n- X& ?% [2 F6 S+ N( _. k' F" A
__________________________________________________________________________
" M$ ?; l% Z/ r1 r: D
' r8 m& R; t' K7 r9 ?  mMethod 13- A- s' Z( C! @4 g7 l
=========
/ i& L3 O* S& J. z0 e
$ c# h* Z+ `9 ?3 }Not a real method of detection, but a good way to know if SoftICE is) {. [# V! K5 a, [% ]9 |
installed on a computer and to locate its installation directory.
* h7 ^6 ?" X  _- X6 f+ j, y9 z% |3 WIt is used by few softs which access the following registry keys (usually #2) :% C, H; _2 F: J

, c7 t9 Z) \$ E$ f4 Z-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( a$ I2 D7 ^& q\Uninstall\SoftICE8 v$ s& N" z# c7 J6 ^
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE$ [7 ]$ h# J5 a" I
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) s% a6 a. s  m. V( y
\App Paths\Loader32.Exe% R$ ^! v- H. C1 u/ S4 L, _" d# S
* f  Q2 K7 W( M+ m
8 j7 i* P- A) u7 N! @# J
Note that some nasty apps could then erase all files from SoftICE directory& V5 T+ z* H3 k: `* r
(I faced that once :-(
& a3 F  a3 K% I. d* s+ x5 b! W, t6 }5 ^3 {' O
Useful breakpoint to detect it:
6 r( a( D& ~' u/ g' [
  N: x8 _. S6 D     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'9 y* J8 P" W# [" G9 X: i

% Y& u) S5 z5 i- Z7 _4 p) k6 A__________________________________________________________________________
. y) u3 Y6 U) p( y( w% _0 h$ c% Q8 \0 o
; H" R/ T2 [: p$ j" e, [  y/ U- p( `& Q% b& G' U9 x" i6 c- \" X9 k
Method 14 - U- t* ]/ p( I5 a- ~2 f8 S) C
=========& l) y( |" L5 p0 N7 X' M6 M/ t
. w& y3 ?4 D$ ]
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
& X. l4 b4 r& F0 ~  ?9 b4 z/ v% bis to determines whether a debugger is running on your system (ring0 only).
; e0 q2 @( D) O$ N) j1 ~; U& I: m7 q4 `# A$ {/ D
   VMMCall Test_Debug_Installed
& U6 P; i' G, V" @7 y   je      not_installed
" G  p  p2 q/ o
- a8 L6 j  _, n8 \3 HThis service just checks a flag.% R- Y& q  i. m5 U. E
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-10 10:29

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表