找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>( g1 O6 z" y; u! M
<TBODY>0 z; [0 Y- w* R9 T
<TR>0 G0 I# P8 {# O# L
<TD><PRE>Method 01
5 B* p/ W: u, `. w9 O. j2 s=========" _3 L1 X8 e" G% e0 }! Q

& H- U; i# N) @0 ^' V6 |! cThis method of detection of SoftICE (as well as the following one) is
9 b" d% r0 x' }8 Z0 }used by the majority of packers/encryptors found on Internet.
! c& i! m& F  ~+ h* JIt seeks the signature of BoundsChecker in SoftICE
0 |0 J3 e$ P5 g2 p9 g
% m) ]! n/ `+ ?) K) ]    mov     ebp, 04243484Bh        ; 'BCHK'. p$ C7 [; S& n( t- @6 a
    mov     ax, 04h
9 y1 s, V. U% o    int     3      
! h4 n; @6 j% Z. b; B    cmp     al,4
- J" N+ o7 c# n* [    jnz     SoftICE_Detected" b# e/ ]8 `2 [- i% z' _
/ h* W; g9 j+ C$ M- j3 k
___________________________________________________________________________: h5 K( S: [. n5 G
- ^: ~4 C2 F/ a) m2 S' g
Method 02
4 l0 i" i+ p) ~* T; Z9 a=========
! A6 H7 E4 X, Z7 T, X; p+ `5 g! ?8 c' q: `1 W
Still a method very much used (perhaps the most frequent one).  It is used, L: N6 b1 a. ?+ ^4 A( T, E0 F5 v
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
9 q3 j7 b3 z, A) s4 Eor execute SoftICE commands...
9 \6 p5 a# X! |" KIt is also used to crash SoftICE and to force it to execute any commands6 [$ W! x) S. S) f$ Y/ K  ]" h" _
(HBOOT...) :-((  
% V" L$ {0 Z+ D2 ]' c: V, N$ b& J
' \1 v; T0 S9 C$ X+ CHere is a quick description:
( K  F7 ~* j2 u% y) L-AX = 0910h   (Display string in SIce windows)
8 y0 A6 _: |8 }& H8 z, i-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
. _& N% a: E- {. w- ^" V# ~' z-AX = 0912h   (Get breakpoint infos)
7 O9 M1 k4 F3 P! d, k-AX = 0913h   (Set Sice breakpoints)$ x! Z  x9 k4 C" J
-AX = 0914h   (Remove SIce breakoints); ?! e( p% O9 R
) G# u) ^' W6 E
Each time you'll meet this trick, you'll see:8 q4 M$ }- G7 j! Z3 E
-SI = 4647h) g3 Q. e/ ]$ {  w4 j
-DI = 4A4Dh2 |* m' v8 _) G  o1 ^, W% S$ Z
Which are the 'magic values' used by SoftIce.
# ?' \& q2 U' ]; _: S% i1 T8 UFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 f. p5 Z6 g" x- p3 [$ i( t
/ y: |. L0 K' X" m) ?1 W
Here is one example from the file "Haspinst.exe" which is the dongle HASP
. K0 P2 _! t" V  n2 l3 d" \Envelope utility use to protect DOS applications:  `6 Q6 |% y8 y2 W: U5 f; T
: S; {1 k  D6 m
' \* J1 ~9 b/ U' _: ]  Z. C- j# M
4C19:0095   MOV    AX,0911  ; execute command.; u/ }$ d  v4 X" U  Q
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
' r+ c4 g+ F( c# v' j  w% h7 @4C19:009A   MOV    SI,4647  ; 1st magic value.1 ~6 l: r; Y) v( @  {
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
7 y2 E2 r# q; O) @4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
9 y7 B& v+ B$ l4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute' l( |3 A" A. n, d
4C19:00A4   INC    CX
7 T3 J# x( i6 n6 }4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute3 B, R! L# B% b  _
4C19:00A8   JB     0095     ; 6 different commands.
8 k% {5 r( J; Y0 |1 Z1 u1 R8 U) k4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
$ z; I! a: s2 U1 c4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
% A" J& ]% s  u/ \$ W' j- A3 |. f0 C
The program will execute 6 different SIce commands located at ds:dx, which
9 v. M6 {. P3 k: Sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT./ U, |5 n* u" _2 M, b) f
) @, ^& a5 m- Y4 p' f  u, c; r
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
% {- H5 c6 Q+ o$ j$ t$ q___________________________________________________________________________, o9 I; U' I; {$ b4 y# G5 s

' X% ~- S# L' n6 }0 m) ]$ t& I  ^  z( V
Method 03
1 D. \+ Q, G5 G( {- O8 B=========9 X! K" L; I; G4 ?9 b: ~* v  ~3 t

+ |$ ^) d, ^% `' g& ^6 Z( `Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
! Z6 ^6 X$ D3 r. i: x+ v9 o(API Get entry point)
- X* m3 k6 g5 ]% L1 ]6 d. T" }        0 ~2 o$ b& R: H9 E
6 v; m9 T" Q* r) \9 T
    xor     di,di& s8 T) t( [0 m- c% J- y) _+ Y
    mov     es,di' e" C8 b- q3 [" z. q
    mov     ax, 1684h      
! t7 b9 w5 [) F  K! [    mov     bx, 0202h       ; VxD ID of winice2 C, r8 X9 ]: u4 ~* H
    int     2Fh
# X( K& i" n: |, |  q: u5 L    mov     ax, es          ; ES:DI -&gt; VxD API entry point
6 X* T2 K. }& G+ ^( q    add     ax, di
+ m# {( |* v5 b( w  G3 Q    test    ax,ax
% Q4 m$ d5 J0 Y    jnz     SoftICE_Detected1 X5 g; J* [: f

/ n+ ?- Y- T, j4 ?  H2 E: V___________________________________________________________________________" W2 Q. ^+ C9 s5 a7 ^# U4 d; I. Y
9 P- {& K# q( r7 {3 b$ t
Method 046 n+ r' `% B  i" ~# e
=========
$ E1 z) y2 c9 P" C9 f
. J! `2 e. {0 q2 m' XMethod identical to the preceding one except that it seeks the ID of SoftICE& p/ t( p2 t; h" U9 s
GFX VxD.. q2 T/ I8 W: s. @" `$ e" r

7 Q/ {3 `; m# J  c0 w    xor     di,di
& y; Y1 E# C+ s, T    mov     es,di
% o( I- H, n$ X    mov     ax, 1684h       . g9 n+ T, _/ V
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
8 {# Z& E* g9 Z3 Q' A    int     2fh) V) {* Z- ^4 g2 |% ]- ]; D6 t% K
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 k) Q4 D$ a2 j; w$ X" \6 W    add     ax, di
8 e7 m. ]8 `, [    test    ax,ax0 r0 \5 `4 e' ~6 ~% X6 n
    jnz     SoftICE_Detected5 ~* Q  X+ U9 s# Z8 a

7 j, Q; f2 C: e( w" \$ x  L5 S__________________________________________________________________________
9 }; m+ ~' Y$ ?2 W+ Q" k! r, s, e% ?
0 W1 p0 {  Q% w7 i+ u8 B/ {! ?! X3 f5 W! t1 C
Method 05
: `6 Q$ [! t& o: L=========4 D3 ?- q# w, X& U* V' q
. z5 n* a$ L- u  M$ Y; c
Method seeking the 'magic number' 0F386h returned (in ax) by all system
9 ~* O2 t4 ?" @debugger. It calls the int 41h, function 4Fh.
2 i; c$ k& z# K7 a& ~) }: _There are several alternatives.  8 m: j' U, a! R. \
2 K3 X# q0 b1 u% D
The following one is the simplest:6 r, ^1 F0 o- p* N& B9 f

7 p+ O3 O. f% }& J7 [1 Z' A3 t    mov     ax,4fh
7 Y. I1 X" F! S! M/ m, x    int     41h& G. j$ }' {/ }( F2 O3 H
    cmp     ax, 0F386
4 _, @* V- c$ u3 U) T    jz      SoftICE_detected5 D* W2 @4 r. x5 X9 Q
2 j' q0 a( P" E

9 q& c/ D! A( C0 C, J" p# INext method as well as the following one are 2 examples from Stone's
0 h8 g" v8 h2 B' t- Y, E/ w: u"stn-wid.zip" (www.cracking.net):
9 P+ a' _% [- U$ T: |* h& v7 }  i9 _& @6 |3 z( [! `
    mov     bx, cs, K; z0 W- r$ t# A% e
    lea     dx, int41handler2, `/ u1 [" b9 a. T) y- ?. d; p
    xchg    dx, es:[41h*4]3 H# o% M. k. x% q2 G- y
    xchg    bx, es:[41h*4+2]# S; C9 C) v5 y
    mov     ax,4fh
0 ]% b: W) U9 ~    int     41h
& g1 P( r9 p) O! N    xchg    dx, es:[41h*4]
' I; f/ Q6 c* A) c! a    xchg    bx, es:[41h*4+2]
# x% H3 |$ W( x    cmp     ax, 0f386h2 b, B. `- ^. m/ |1 X, ~
    jz      SoftICE_detected
0 L& ^/ Z3 e: y1 @( R5 @7 v/ X* g; F! S. W. T- x2 E2 M0 {& P
int41handler2 PROC
% Y) N0 p0 J: A3 }( P" F2 S6 w' z  x    iret2 t: V1 d+ m, ]
int41handler2 ENDP
1 ], t% K& p) \. P2 O0 Y
  O! \% T( D8 U8 Q% b4 k$ _" I0 `
/ l- }$ z$ D  I- B+ M_________________________________________________________________________
7 ~8 l1 L/ h# y( U' r, Z$ M. ~$ I7 l9 b/ W2 }% ~. s# ~

* |  H/ X7 O- wMethod 06# Q& {% q$ t  V: W# y
=========" V1 y2 y' R. A. H- d

1 [! a# q) J8 H: R" ^
7 n9 {/ g: j7 `9 o. q" b9 m2nd method similar to the preceding one but more difficult to detect:  K1 [. X2 X" R
5 ^: u" v$ b7 G* p4 {; f3 T
: {: ?. h6 }1 W* S
int41handler PROC0 N+ [3 z5 ]) q$ ]; x- }
    mov     cl,al) L9 \+ a/ ]6 @: o, X+ g
    iret, W, w% Z" o; g6 `- k
int41handler ENDP
( ^7 s9 k# o/ L( G7 i- A4 U7 E% _; G1 ^1 S. \4 ~, E9 [: ^; v9 d

( ~: t* R& n1 \. |. E    xor     ax,ax
( q* [9 _" t- p1 H, c    mov     es,ax
6 F' Q, v8 q  Q+ M* U5 u. r) `9 x: _    mov     bx, cs3 `# M8 C# ^/ U7 n( |3 A
    lea     dx, int41handler6 ~' n6 u) E) p7 u7 x; X3 z
    xchg    dx, es:[41h*4]
* j4 f5 n4 n6 s: T  Z+ W) P    xchg    bx, es:[41h*4+2]
' _  ^+ w* g  |: @0 V    in      al, 40h
6 u. Z9 Z5 ]/ ~1 X1 o    xor     cx,cx6 l; B# E- k) D2 j) i
    int     41h
, c8 e8 Z- X$ S    xchg    dx, es:[41h*4]
' g! O2 h4 {8 l8 z    xchg    bx, es:[41h*4+2]
0 v7 X$ m8 T  V( m    cmp     cl,al: p+ s0 _5 l3 p: ]5 S/ Z* a
    jnz     SoftICE_detected% f2 L3 H) i: _3 ]  o. E( T$ |
7 p( {2 L+ M8 Z* O2 n* ^4 F
_________________________________________________________________________  G3 d+ R7 @4 H* T

. b4 g6 n; A8 H3 F5 c) `6 PMethod 07
0 E  K3 f) [; U5 U" j5 r=========
% o8 N: z4 \' U3 m+ Q, T4 W# X. j3 K- q; w
Method of detection of the WinICE handler in the int68h (V86)1 z+ w$ D0 S; V6 {  F# b$ O

! I4 I# R4 V2 f( p/ y% ]    mov     ah,43h2 i! N: X* z' z& o  a
    int     68h% S: z1 S) |7 o
    cmp     ax,0F386h
6 a% s- G1 k4 G0 w) a    jz      SoftICE_Detected- H( T1 h0 Z1 W/ X1 }" }
0 K! @* F- ?8 O7 S: V
# T" K6 s$ y5 b  n: V5 F. P
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit2 S& G& Y. P6 k
   app like this:: I1 }. W+ r5 a! h7 {: u
* r2 W8 |( B  i+ a5 ]
   BPX exec_int if ax==68- G8 P7 }: J5 w
   (function called is located at byte ptr [ebp+1Dh] and client eip is
6 P  y' |, Q# m$ w5 E   located at [ebp+48h] for 32Bit apps)
# {" y3 i3 X9 V- b3 g: d; i: l__________________________________________________________________________! D; I1 ]0 a& ?3 Z
! g/ _' T! `  g# W( K! Y2 N

. B/ s, o* {  R3 ~3 pMethod 08
- O3 y* G* E  t=========
3 R& R' x4 `0 L6 m3 S8 i4 i7 s3 _) A  V# `$ {
It is not a method of detection of SoftICE but a possibility to crash the0 T  V8 S& Q5 M# m" T
system by intercepting int 01h and int 03h and redirecting them to another
( U7 |$ @8 L" t; F, {0 T+ Oroutine.3 g# X/ X4 S8 |. I
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: p- s  m- D" s' C- o0 [  N
to the new routine to execute (hangs computer...), j/ U  z! X% b2 q. N. \2 G; B
3 c& I# }' {* s3 z0 f- R
    mov     ah, 25h
, t  h8 x0 P4 @0 u' W" x    mov     al, Int_Number (01h or 03h)" C% t9 A  H* |
    mov     dx, offset New_Int_Routine
. W+ M' w% ?$ J    int     21h
5 ~6 f' ~: A4 b  C& Y, _( `7 F
  E* [# A; B: c' T/ h- b& ~__________________________________________________________________________
; G9 n  t( M1 T  \( G- p' V" }' C+ n3 B! c
Method 09& G; Y* Y& t7 w8 {7 s
=========
4 X! w! z7 z- R5 Z  W3 n, ]9 Y, G$ X" y" g0 |
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only; s2 V9 ]% H1 H  x% [% }
performed in ring0 (VxD or a ring3 app using the VxdCall).
& x/ a8 w7 L' k4 B7 L2 e" `The Get_DDB service is used to determine whether or not a VxD is installed
  E9 L1 W- j1 ]for the specified device and returns a Device Description Block (in ecx) for0 [( a; e/ h0 Z- d( @
that device if it is installed.
( Y9 M, l  Y3 ]- n3 L& b/ e3 t, b" G5 A/ |
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 q' N5 F9 Z+ |& v" b% @   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)+ k+ k' v; f0 G) Q( Q) Q; d
   VMMCall Get_DDB
* F+ U1 X6 o9 V: A# l! W   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed; E# d# D! T/ d

1 |$ b' r1 v7 N4 }3 R# q8 y2 f. \Note as well that you can easily detect this method with SoftICE:
" Q% {5 S% |0 F& D/ A; q! f   bpx Get_DDB if ax==0202 || ax==7a5fh: y; {6 }- R" `4 J

4 O/ R" i/ \9 P2 W# l  V: N__________________________________________________________________________; }- [- I- Y" u, O8 o0 [- D

+ u1 ^7 \, p  V( x4 }9 p# {Method 10) o% U. x0 \4 D
=========# t5 {$ w+ O# U: i

# d' N* ~. C, Q7 t=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with0 }6 B/ G; r6 Y: b
  SoftICE while the option is enable!!4 o) q! o8 h. p# _6 y9 ~; z* z
3 O2 V6 @) g9 ~5 d" r+ r) w
This trick is very efficient:
7 c5 V/ s; m  M: K! K" hby checking the Debug Registers, you can detect if SoftICE is loaded
$ C8 \$ _0 |, g9 A* o6 `7 n: }: z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. @8 @% u: B9 L( a/ j$ b8 i
there are some memory breakpoints set (dr0 to dr3) simply by reading their
6 }' w* _0 ]+ A9 P6 u/ k9 ?value (in ring0 only). Values can be manipulated and or changed as well1 q7 A, C! |" `, |  ?: d( Y
(clearing BPMs for instance)
: @& Z6 D+ H3 ?! q, S: I6 V. s
__________________________________________________________________________7 ~6 g2 ^# R) f4 G3 `7 [& P

  q& M0 {$ y% d) s2 d+ cMethod 11, L/ v! x0 I8 a
=========
- `0 _; r. l& C) q: h
  j0 v# P% c* K* ^& F4 MThis method is most known as 'MeltICE' because it has been freely distributed- o' Z  ?) b8 L2 \) T3 x3 `
via www.winfiles.com. However it was first used by NuMega people to allow' _! a; r( q, G2 X6 T- V. n* X0 y
Symbol Loader to check if SoftICE was active or not (the code is located
4 F) [6 _6 O* S$ j- S0 t4 Qinside nmtrans.dll).- p0 @* x) w$ a+ p

3 T7 A  q- g' g3 z* OThe way it works is very simple:: k) p; Z: k9 r! A0 _
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
  \# u* g  q: @WinNT) with the CreateFileA API.
; l: }+ l; E7 {4 }: x' @" R
2 b) e) @0 t4 c8 _Here is a sample (checking for 'SICE'):
  ~  l( v/ S* A' S8 ^
  a1 ~* e& M9 [/ qBOOL IsSoftIce95Loaded()% i3 l9 V& O. Z  n: [2 J
{
, X, B0 p" `7 f" g; K   HANDLE hFile;  % A) w$ |' L8 @7 z. B
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 ]* B, i$ M. a
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
5 a3 Y6 i) x5 t- W9 j# ^. K% I% M; _; @                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);3 }2 {. C7 k# K4 I; f" a  D. C. q/ [
   if( hFile != INVALID_HANDLE_VALUE )
( O7 Q$ _, w9 Y1 Z$ k9 P  n! L   {0 i! V# q* K! q8 w4 F$ j5 ^6 ]+ K  b
      CloseHandle(hFile);' L* o9 L1 o0 r1 v. I; M
      return TRUE;* B4 N/ j; i. A
   }
- a7 R. M0 ^, {4 D   return FALSE;: s- i; T; |6 `/ p
}7 k5 b" K! h4 w/ \, ?; b7 t

! I% F3 R" h. u( r; L% @8 oAlthough this trick calls the CreateFileA function, don't even expect to be
# y: M3 a, Z( Rable to intercept it by installing a IFS hook: it will not work, no way!( Q" U: z) Q; n! A# B4 ?
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
' F" e+ `, D% @8 Z' Yservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 z( L; H2 O; W- C& ^
and then browse the DDB list until it find the VxD and its DDB_Control_Proc2 s8 O3 d8 _  Q- \2 G9 \  ?
field.  u( k- n$ k6 j6 W
In fact, its purpose is not to load/unload VxDs but only to send a
- ~) h  T3 t5 \6 s9 lW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). \. _% o, b! a
to the VxD Control_Dispatch proc (how the hell a shareware soft could try3 o9 V5 ^  Y) u, L& u3 f
to load/unload a non-dynamically loadable driver such as SoftICE ;-).4 \$ |* u; l' T/ _7 n% P
If the VxD is loaded, it will always clear eax and the Carry flag to allow
# Y' T, S: b# ]  E& ~$ h6 Tits handle to be opened and then, will be detected.
3 I% M7 B. W2 i1 YYou can check that simply by hooking Winice.exe control proc entry point
, l6 N" o  c/ Pwhile running MeltICE.
3 [, s3 Y1 W! ^* \# x4 \0 _6 O! o0 j* t5 \! x

+ r; z2 j& C  w- k2 T% F: G7 E  00401067:  push      00402025    ; \\.\SICE
- e1 E. B- v9 e* F0 K  0040106C:  call      CreateFileA0 U4 \3 }, T% |0 D. k, F4 m" x& D
  00401071:  cmp       eax,-001; k* S- V- r7 A7 g1 B
  00401074:  je        00401091
& n3 f7 w, r- c
. r/ T1 y4 y5 H$ j$ W. w. ^$ o, F& n! |* e& e/ m) J0 N( K! s6 W
There could be hundreds of BPX you could use to detect this trick.
: E- D/ w( y( w2 z5 b- \" D; t-The most classical one is:9 d9 P3 N8 v/ x) T9 B2 u
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
! D7 a, E7 i- C* T  u    *(esp-&gt;4+4)=='NTIC'& M( J4 i6 V, S" t: p% P
0 l4 ?" N) j+ k/ V0 e
-The most exotic ones (could be very slooooow :-(
/ k. x8 o* k& Z   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ' u& D4 x) j: K  h/ q# D
     ;will break 3 times :-(( t: }3 J. F: m: B
. z6 j/ z' f3 w- b8 u8 n- W
-or (a bit) faster:   u6 ^4 p2 V. u8 f9 \$ s
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. Q. S5 N4 A! I! |8 F# P& z) Z; l, M8 x& K
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
4 R2 w; I6 p! \$ l7 ^! z     ;will break 3 times :-(
9 W" I& r' I# j1 F% A1 L# @! T, _( l, f5 ?- u$ p
-Much faster:
4 o: x8 L" J+ c& z+ }   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'8 {$ D) T# b9 J/ B/ l
% C7 S6 W- E. _
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen; a, n, W  c9 P
function to do the same job:
& R' R7 j) S" D
" _3 W5 i& n3 ?. Q! _' O   push    00                        ; OF_READ/ O4 d% q3 r" c/ @$ K
   mov     eax,[00656634]            ; '\\.\SICE',0/ k% q" {/ w; P, f/ z: P  j
   push    eax+ n8 m. j0 w" b) S8 v& r9 \
   call    KERNEL32!_lopen
5 f2 t" O" F7 n2 P- M   inc     eax4 w# K5 ~$ F$ `8 S9 V6 Q+ A; L  C; b
   jnz     00650589                  ; detected0 S7 O4 q; O6 Z
   push    00                        ; OF_READ+ }3 ^  a! ~, ~3 y2 {1 H
   mov     eax,[00656638]            ; '\\.\SICE'# Y7 q! ?& N% V% L
   push    eax
( `; ?4 c$ k6 H$ r* v: x   call    KERNEL32!_lopen
6 G! I/ y( ~7 i4 ?2 N( U   inc     eax8 j' k* x. Z: |) R
   jz      006505ae                  ; not detected. u7 i0 v& c7 F  v& Y, ?

& x3 q4 }# @) p  w( N
" |2 P9 C3 L; ?+ K  Z2 c" R__________________________________________________________________________
: r2 b9 M0 a$ c. S" v# q; x) R7 f. k9 m3 h" v  k
Method 12; j+ m. O5 ~4 D
=========+ K/ I6 w8 R+ e# m

  X  [% \1 L& |/ mThis trick is similar to int41h/4fh Debugger installation check (code 05
: P& c  s& [  Y& b% \" I3 M&amp; 06) but very limited because it's only available for Win95/98 (not NT)
" B$ ?) h$ V! ]0 `0 Gas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
& \2 g4 e. L0 q0 s: J4 E2 c- ^8 _# v, p( J- }0 \
   push  0000004fh         ; function 4fh  `6 R0 U; Z( g- C
   push  002a002ah         ; high word specifies which VxD (VWIN32)" l0 i! t, H) }; ^
                           ; low word specifies which service
& {+ {& y+ S. B/ x; Y                             (VWIN32_Int41Dispatch): f* P! V) |* P$ V6 B$ }# q5 l
   call  Kernel32!ORD_001  ; VxdCall
9 ~7 S5 A- b6 m$ u0 M   cmp   ax, 0f386h        ; magic number returned by system debuggers8 I& g' y, D$ G( U
   jz    SoftICE_detected3 K7 w2 w8 M  `3 ]- a, b
( C: n; d/ s, C* _0 g' p
Here again, several ways to detect it:' _3 z5 d) }( L$ a5 o! _% s
/ I) F# x) b0 Y" \
    BPINT 41 if ax==4f( V" \* {5 Z' h2 ^
- \) K5 `: e9 L1 h- Y# L
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
# p( R4 T- ?' g
3 W* G- ~3 e8 C% d) T3 H    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A' ?& B! v( u  a% g
6 q6 j- }- p7 s- s7 f6 i2 u
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
: s& v+ k3 z- C' w, p4 t+ w4 b( c8 s4 V& _% d; P8 \0 ~
__________________________________________________________________________
' K1 I9 x7 E0 u  W! _1 T3 {( d5 I8 G+ V0 ?+ V4 s  z
Method 13
8 v1 ^$ v( t! N=========! M2 N9 b  `  b) V6 ?) x
/ B" q9 K" d$ y
Not a real method of detection, but a good way to know if SoftICE is
7 c: q' n+ X% Yinstalled on a computer and to locate its installation directory.
. y9 C6 z6 N/ t- fIt is used by few softs which access the following registry keys (usually #2) :6 c+ E* f0 p3 v/ B8 O
9 q4 k6 n( }/ o6 f4 N; S1 V
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 p6 s" p0 |3 P2 Y: N\Uninstall\SoftICE2 O, j0 X/ G8 r% \
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
$ n( f* A( C) Z" _3 v" O-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ y$ W3 W( c+ r/ Q, Y2 B\App Paths\Loader32.Exe
% s% z5 o& y5 V* I9 w; G  Z, j+ |' E- E9 S* n
2 r% }* K. q2 w
Note that some nasty apps could then erase all files from SoftICE directory
' o5 \1 {& o9 V# t3 H0 V5 _(I faced that once :-(
) \! K: m* m  m% W5 L# [3 R+ `
Useful breakpoint to detect it:
) C/ W2 A. Q. Q3 ~. c' z2 y$ p6 f7 h! a7 A8 @
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'1 W% h( q+ [- n1 P% h) {6 g

: x# K6 r& M( M5 c: n  P__________________________________________________________________________
) H5 ?9 `8 e1 P' t, R( Y- H! N3 W# G2 |  y! _* F
3 P7 |3 P& K; o  {+ m. U5 R
Method 14
, ^, t! A% B. V; d/ \=========
8 ]/ b+ o; e/ z% M  U' O4 S% ?
) ?" U  G* K; V3 O0 t! u. QA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
% M( {; X( F5 l( d+ u6 H0 e: k2 _( Uis to determines whether a debugger is running on your system (ring0 only).7 T6 `+ b2 z+ v1 p# U
/ c' D  ]" T  \+ q: `
   VMMCall Test_Debug_Installed, w" h# s7 \% A; p
   je      not_installed# ^7 p* Q! n9 z2 `
4 w  D, X) a" y7 Z0 q4 u6 h( ]
This service just checks a flag.
9 B5 q+ p4 {2 j( j0 F3 _% O4 z2 n7 Z</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-10 01:02

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表