找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>( C4 l& _  n4 Y; R" ^% I7 y7 D
<TBODY>$ g- U) C' @0 ~: J
<TR>
$ M; A4 ~! l- C, J. a1 E<TD><PRE>Method 01 ; ?/ F% c# p, f6 r. g
=========2 P/ v' Y8 \5 Z0 }2 _1 W( k
0 \$ v' S) G- {. ^  I: i
This method of detection of SoftICE (as well as the following one) is
3 ^  ]. H$ _2 `7 d& gused by the majority of packers/encryptors found on Internet., r6 u$ i9 Y" V# q. d* }4 @
It seeks the signature of BoundsChecker in SoftICE
  a3 t* G# _& v0 E
9 Q! ~# H! S; {1 N    mov     ebp, 04243484Bh        ; 'BCHK'& z0 o6 c" g; _2 @+ R3 O
    mov     ax, 04h
# p7 |- g& J: a$ H8 \! E    int     3      
6 l& ?4 C+ R# n1 C6 p    cmp     al,40 t, A' G- U# J0 b, W/ F; u
    jnz     SoftICE_Detected) I  K, l- O4 n0 {; ?

" a) J) [! t  A/ n' I6 s___________________________________________________________________________
0 t. \1 f, W  v% X; ]: {% y
, L2 w. k; _* K8 [6 |, ?5 OMethod 029 f; _$ h8 ]4 O9 Y& p6 c& O* z
=========4 R& D: C, {  w9 N
1 b( ^+ d6 g6 W
Still a method very much used (perhaps the most frequent one).  It is used
/ T$ k2 B( G  r1 v3 n: yto get SoftICE 'Back Door commands' which gives infos on Breakpoints,. m& T4 S, A  h( E
or execute SoftICE commands...& s* u& T& r: f' O5 E, M- w
It is also used to crash SoftICE and to force it to execute any commands* H! Z3 ~  |5 g: e5 [4 u/ M
(HBOOT...) :-((  2 L+ j* A$ X0 ?/ A- \
6 d5 {0 H2 N8 V5 p! U
Here is a quick description:* P' R! b+ m+ S4 ^2 Y
-AX = 0910h   (Display string in SIce windows)4 r: R- X  g- E( K5 R- Z/ x
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
/ p+ G  _* g! [-AX = 0912h   (Get breakpoint infos)
& ?' L: ^$ g3 s  s6 @  m' D; e* a$ B-AX = 0913h   (Set Sice breakpoints)- a- v4 h+ m; y3 l9 _
-AX = 0914h   (Remove SIce breakoints)9 O  ~/ t/ l" m: w$ a2 Q+ u6 D
1 x' w4 I3 e* Z" u: d1 ^- s( M/ b
Each time you'll meet this trick, you'll see:
) ?, v+ G* q. ?) H/ m+ ?-SI = 4647h+ D& C2 X6 P& x) m* b
-DI = 4A4Dh
& |7 i" O" [/ _4 D" v3 aWhich are the 'magic values' used by SoftIce.
  ^6 v5 e3 b3 k7 q; K- H7 {7 e- ^For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- [' I( M- F/ C7 m! t8 r
  C3 K! B$ t5 @Here is one example from the file "Haspinst.exe" which is the dongle HASP
0 J% _% ^. I$ b1 A; k# IEnvelope utility use to protect DOS applications:+ z/ g6 o0 w8 e

* g) ?+ p! x9 j) ^% c3 \2 u9 b; D: c6 f
4C19:0095   MOV    AX,0911  ; execute command.
3 L5 ?  m; C$ v' x; e7 |4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).8 r( X* E; y- w# s0 K# ?# ]" g! ^
4C19:009A   MOV    SI,4647  ; 1st magic value.5 K- W, x( n0 l
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
, _" p7 F) l8 _$ ^- Y! S" }4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)1 c4 Y5 Y( i5 y. Q' N' l* r& B! F* G# \
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
1 \+ E( @1 U9 l" x1 _8 [) _4C19:00A4   INC    CX7 S. [& I; d2 Y! B# L9 B
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
, o/ u# \! j) c4C19:00A8   JB     0095     ; 6 different commands.
6 f9 I3 L: I- E  r4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
, h, o) w. ?. R4 i9 x' `5 F( B1 ]) e4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)2 Y+ N. W" o9 W) L

8 b+ F5 e6 ~! ^& \% CThe program will execute 6 different SIce commands located at ds:dx, which" W- p% B7 S; K( C: {2 {) n
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.! p- l$ e7 `+ g  t- p9 T

/ y- U! ^$ s. b# b$ M+ W! i7 K* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
0 B9 K# G1 U- B# n9 f! y: v___________________________________________________________________________+ |: \% V, J; Y6 V6 {* t

$ z* F7 c4 x& m5 f2 w5 W
! H3 K3 _0 ^5 `( }Method 03
% `4 M8 ^6 U3 N! |& ^' C8 J=========
* @2 z; T0 e2 z- y3 \( ?- i/ a$ }8 Q# l* B
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' b0 G* T- _% t! c7 L(API Get entry point)/ R. c0 W$ D" f2 w4 F, M5 N
        
4 V8 E9 u/ q+ p) S- I4 e8 G
$ a" ]# @( C! Y. v+ V    xor     di,di0 T9 d* C. \7 n& f
    mov     es,di
2 K0 [" A% ^! v    mov     ax, 1684h      
: U' f; I9 E4 t0 c0 q9 s: t7 _    mov     bx, 0202h       ; VxD ID of winice0 K+ q7 A9 f6 E0 u' x7 G
    int     2Fh
# F0 o  H2 m; \# A    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 E7 F' s" U9 H    add     ax, di
% j' w4 m# G7 P0 A# g    test    ax,ax1 \* j& r1 j* a+ v- f' w6 s
    jnz     SoftICE_Detected, N( X4 I# G. P- V! z
" j0 M7 v! D- ]
___________________________________________________________________________
4 X4 q( _9 s9 ?0 _2 E8 r& W9 D0 L5 p) M3 [: b4 m/ C
Method 04
# V: \9 H. Y: t9 I. D5 _/ C=========
5 T. O: t  m$ L  t5 C6 N" `( s' \4 J* c) l) c' M/ F5 }7 n
Method identical to the preceding one except that it seeks the ID of SoftICE0 n) K" L  x7 ]2 J3 i$ c/ v: f6 U! ?
GFX VxD.
  I6 {. n: q, [: f; p2 L
  U9 }7 K3 F" [    xor     di,di
7 }$ i- i1 v8 U+ @' m! E3 A5 ~    mov     es,di, [; C: W2 |1 i( d# v& m* ^. i
    mov     ax, 1684h      
: m2 |  B$ f$ P& V, N( n  k    mov     bx, 7a5Fh       ; VxD ID of SIWVID9 a% I8 f4 f( f- i: |) Q5 {
    int     2fh) g# ^, T  V6 U7 L1 A$ W( s
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 L6 Z* ^$ o$ [: c( v( b1 o- |    add     ax, di: I: `& ?/ q  K4 p# ]+ M$ z) H
    test    ax,ax6 \! K0 Z. Y! H2 W+ z* E* U2 g
    jnz     SoftICE_Detected
! h" {3 M+ Q# R: X/ W% ?
0 i1 h1 q; j4 r3 H6 ?2 ]__________________________________________________________________________
* U& F' Z- H' r$ Y; }* B$ x2 F
; r! u; U: S7 e! W% S2 I) v9 E6 l) ?- r) k* m$ Z
Method 05
  H: Z5 a: Z; r=========
6 ^: }: H4 ^6 v$ q8 \
7 p- O9 r/ n4 f9 `) KMethod seeking the 'magic number' 0F386h returned (in ax) by all system/ ^& y3 p0 q( w9 T
debugger. It calls the int 41h, function 4Fh.0 D  q: o7 |/ M- @
There are several alternatives.  + o5 k& y/ N6 p% Z! h+ g
6 G' n9 z) S5 K1 t) e6 {; E
The following one is the simplest:
0 z  v+ l7 {, u* H8 ?. J6 u3 n, P! r5 [: {. C8 r
    mov     ax,4fh
- Q7 N5 b# c$ {    int     41h
- j, \& R' t/ g$ ?$ |    cmp     ax, 0F3869 s4 k$ c/ F& s$ }, `- w5 l
    jz      SoftICE_detected
% Z5 W$ n3 o! [% Y. i2 U1 M3 e+ q$ a( @  n- X' a) v

. }! Y' i6 V" t3 C# U/ e( wNext method as well as the following one are 2 examples from Stone's
0 |4 ]3 O- C* ?/ p3 q* F6 t5 x"stn-wid.zip" (www.cracking.net):1 Z2 A6 X' ?+ p2 D% q, K! C6 ^

8 M' A$ G, O5 D# u    mov     bx, cs
- I- k, w* f/ V  O, P3 d    lea     dx, int41handler2
1 Z( R8 r- b3 t    xchg    dx, es:[41h*4]
# E" u! C! K2 v, H3 L0 s/ U4 S    xchg    bx, es:[41h*4+2]; I" D  |% L: W6 B& p9 H+ Q
    mov     ax,4fh
% s9 s$ u) y) l1 _# T4 i. J3 f    int     41h
, p9 Q  e' T; @" C9 G    xchg    dx, es:[41h*4], S8 w' F6 I( y7 F& w6 i3 c
    xchg    bx, es:[41h*4+2]
2 ^0 N- b$ Y2 S$ N# z" ^    cmp     ax, 0f386h
5 C4 [. L8 V: l; S1 a    jz      SoftICE_detected
* s! ?2 \& R' k. h5 G+ w+ [5 p7 ?( X8 E2 `
int41handler2 PROC
+ R1 p. K" q1 t3 ~! E! F: p: _    iret1 a' A1 n3 _  O: Y* T
int41handler2 ENDP7 p! J. s. [% w4 r2 j; ^  q& ?
& ?; E0 {0 U, C/ ^
0 p3 b5 F0 `+ c: C; h' N+ y* ]
_________________________________________________________________________
' g4 F0 A) j2 [. o! P
' j! z& G. x4 ?& A* e7 T  a( z# b/ y6 u! U
Method 06/ |$ Z" F3 C! g+ A* v  y
=========4 l  g" }# \0 |$ c& N
( X- w- }$ q; _; P

/ x3 t  S% n" A2nd method similar to the preceding one but more difficult to detect:) Q( W7 B- S# ^1 {0 z. x! I; S

. o/ x2 U# i2 E: A2 B6 v9 h
3 }( K2 s, I- xint41handler PROC7 G" j% `2 U! r. c+ r
    mov     cl,al
+ F5 z  [9 T% c" D    iret
* e! M, J- g  q0 M! Zint41handler ENDP& F# v' \+ X9 E7 ?6 w) ?6 c
% P1 Z  B9 A% U

9 U5 D  a" T6 e    xor     ax,ax* Z' O1 Q4 j5 N0 O( [8 y4 U
    mov     es,ax
+ Z4 \) L, @- v( j& @    mov     bx, cs+ o6 k/ E! K0 r  t* a
    lea     dx, int41handler) i( _4 `5 f& }9 I  X( s6 V
    xchg    dx, es:[41h*4]) H# ^( `$ J* v, X) M" s* v. l0 s
    xchg    bx, es:[41h*4+2]
; F3 Y! E$ z& b! H% \0 ~& u    in      al, 40h( B) q( E  e7 j% j
    xor     cx,cx. ^# c8 L. B: O" E/ I/ Q/ k# a: l
    int     41h6 ~& R1 Y9 R0 @; T& c+ ^  A
    xchg    dx, es:[41h*4]
. O' `- ?: p( p6 a/ y; k    xchg    bx, es:[41h*4+2]
) s; Z7 O! C# a& W% x/ [/ G    cmp     cl,al0 v" U% U% Z% v) j  j1 A
    jnz     SoftICE_detected8 X# p6 [: q8 p, v4 o) W; z" _

: I/ `/ q" q; V5 d_________________________________________________________________________% z2 Y* g/ H# R2 s" m
, N, Y* \) D6 k4 v
Method 07) [$ N* D: I% C
=========
- I& n: U. P$ f( o& H+ H7 Z9 ~! ]( b. T
Method of detection of the WinICE handler in the int68h (V86)
! `8 C. o$ c* f' A# F
- H  M4 Z8 y5 [- v    mov     ah,43h
/ `4 j$ B( a( \6 o2 K    int     68h
3 {; o# s; p+ h    cmp     ax,0F386h
9 I- U  p, [, T7 c8 A    jz      SoftICE_Detected; K1 Y7 Z' ^4 B

/ v8 z+ a3 H0 [- V! S4 h6 H  a
/ {8 E( G  f. B1 O) m: K=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit- j, C5 i8 ^# F7 ]. |3 v# Z7 a' D
   app like this:3 h1 E2 g# _' Y0 I2 t

  |; a) Y. g8 H& W  w- \   BPX exec_int if ax==688 c" Y7 A% f6 z5 w  V
   (function called is located at byte ptr [ebp+1Dh] and client eip is1 i. c/ ]8 V; Y3 S( H5 e
   located at [ebp+48h] for 32Bit apps)
! [+ q3 y. d( \* B__________________________________________________________________________
' \6 I" h. {+ m% z5 C% H
/ _* T5 e/ s9 f5 Q0 a
% w. y2 C# n/ p4 K" l5 GMethod 08
5 K4 f/ P4 I) t% b) W+ \=========" f' M( b- d. U. X) z/ x" }

- \1 {2 G% o1 y$ S/ KIt is not a method of detection of SoftICE but a possibility to crash the6 h6 P/ X$ e/ x' P) P& D1 R
system by intercepting int 01h and int 03h and redirecting them to another! l5 H- i( M. w: I' a8 Z) l
routine.
4 {2 }' A! o  P0 U( w3 t! g5 GIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
5 z) q1 Z. J% p" cto the new routine to execute (hangs computer...)
2 t( A- r- g3 `+ p
$ i+ {* d3 L1 Y# W. o: T" u% n: E, R    mov     ah, 25h
4 g2 E, L  Q# w5 L5 e    mov     al, Int_Number (01h or 03h)
! w" s+ e! Q$ |- Q+ H# w    mov     dx, offset New_Int_Routine
; R6 I6 a( y, {    int     21h
1 Y% s* a+ x% _; T% |$ w9 O/ p0 _  W9 J1 t
__________________________________________________________________________
- ]& P# A% N) e2 O1 J0 s2 ~/ B; y, Y+ h$ m- U
Method 09- T+ D' K! L( q$ d
=========
) A. H% N* N$ g2 a
, Q5 i9 x3 q! M2 [5 X# PThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only& z" U) @( G% s  k; a  K
performed in ring0 (VxD or a ring3 app using the VxdCall).
5 c+ X" r. L0 c, |2 ^The Get_DDB service is used to determine whether or not a VxD is installed
5 i2 Y# `6 u& I; J* v* A. O6 C4 hfor the specified device and returns a Device Description Block (in ecx) for7 x$ l/ [9 J9 j3 \
that device if it is installed.- h, }. c# ?3 C* y3 P0 w

# T$ u/ |! Y5 W+ }- f7 J6 H   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID  B  s8 p" m$ h7 t, C! ^  \) x8 f
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 Y" U0 }, F5 ~9 W
   VMMCall Get_DDB
3 @9 _( X9 \0 b" h& M   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
4 J' M. a8 g/ }% _
8 B! U2 x7 m6 s8 W3 j) Y  h+ [Note as well that you can easily detect this method with SoftICE:
& `' K% X1 T  @# M9 |" @$ G   bpx Get_DDB if ax==0202 || ax==7a5fh
, g! h6 u7 f& z& Z
% ?. e) e$ V0 c' k' h* ~__________________________________________________________________________
' O# e; |0 ~2 R
+ `( H2 K! m: Q% s  V$ _Method 10
: B# O& r: x( l$ L$ Y& f=========9 }% Q  n, Q$ d  e% X) ]
! B# S4 e$ M/ M* ^# B
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with' t; v  O! j9 W' X5 y4 x
  SoftICE while the option is enable!!& h, K- g) [% ]1 m: x0 M& n

9 [8 v" Z! v* A' cThis trick is very efficient:
4 o2 M, P* O0 ~9 T: Y4 yby checking the Debug Registers, you can detect if SoftICE is loaded
2 V  E- I# r, }: G* |* u(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if( w* \8 t7 x; ~5 B8 a
there are some memory breakpoints set (dr0 to dr3) simply by reading their; \$ _7 F! I& T) z: @/ U
value (in ring0 only). Values can be manipulated and or changed as well4 Z+ B: I  N1 O& q% Q
(clearing BPMs for instance)
0 y. U1 I9 J% H% j
3 A3 x; J4 z" G, C6 }__________________________________________________________________________
" P9 _) }3 ?$ h+ t  t9 M/ a" H8 ?# `
+ c8 T! ]+ b  @! l/ ^2 qMethod 11
9 y( P$ t9 k- d3 e0 k# B1 p# T/ J; y* N) W- ?=========' G8 a3 |% O' l/ _
8 E" X/ ?( I( O6 x  p
This method is most known as 'MeltICE' because it has been freely distributed
* i+ S9 b8 p: S' vvia www.winfiles.com. However it was first used by NuMega people to allow+ V3 K2 Q' G! M3 ~" w: E
Symbol Loader to check if SoftICE was active or not (the code is located& k  W" h( Q* Y0 b# ~& z" Q) ^
inside nmtrans.dll).
+ X: R* o  x- [; k8 H, s6 o5 X1 b. Z  C" d
The way it works is very simple:
' A# n4 y' _8 ~% @It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 H. w  h" _& p/ q+ {WinNT) with the CreateFileA API.& M  {& r5 e7 y
( j# w9 c* C: N% X- S* Y% Z
Here is a sample (checking for 'SICE'):
' ^- o! r2 U- Y) O5 |
1 W4 }) }- A2 hBOOL IsSoftIce95Loaded()
# _1 ^* @0 t/ _0 W3 T( \{+ k3 i' m; f+ {# l
   HANDLE hFile;  
& j& z4 K9 d! C+ W" t- A2 d   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
+ _) Z; A( t+ E( X3 E) B                      FILE_SHARE_READ | FILE_SHARE_WRITE,
( s' ~2 }3 a5 W                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" f2 I( g3 q# M   if( hFile != INVALID_HANDLE_VALUE )
' b1 P7 I% D5 c( F7 \3 ~   {$ P! }! ~& {+ }) g
      CloseHandle(hFile);( f" K# `1 h8 ~4 o0 z2 Q
      return TRUE;2 d( }5 d0 W2 i9 ~
   }
- M/ t4 Y! ?) z" Q   return FALSE;, J1 {  d# f" f6 I- W6 o
}3 q3 W: a9 d3 j" H: d

0 Q) t. G4 H& s* ~4 x/ [Although this trick calls the CreateFileA function, don't even expect to be
2 h, P% `3 Z3 B$ _able to intercept it by installing a IFS hook: it will not work, no way!
/ O$ x9 J1 p9 ~8 `In fact, after the call to CreateFileA it will get through VWIN32 0x001F
, r8 w' k8 w  s6 Q! w% D" Aservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# [5 x: {" B8 F2 ^
and then browse the DDB list until it find the VxD and its DDB_Control_Proc. n+ U6 t' [( i' _$ m
field.
0 p8 u3 e1 ~. l1 \  M. pIn fact, its purpose is not to load/unload VxDs but only to send a
, w3 f9 M+ }; ]7 h2 r4 v! mW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)6 v' q5 Z' _: D" ?: V6 P
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
3 L/ r5 \: f6 p+ H( x% ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).
2 z" `9 K+ I# {% K7 p0 {If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 y0 y' W. T' F# E3 d1 i; y9 bits handle to be opened and then, will be detected.+ u- \6 f/ G3 e2 h" h
You can check that simply by hooking Winice.exe control proc entry point
* l; I+ x' ]1 D5 K3 }& @6 awhile running MeltICE.
3 Q, Y; H5 u8 m& e2 |# D- z2 f; Y9 }3 @' s
+ l/ U. d- @! i& B5 r4 h3 a+ f
  00401067:  push      00402025    ; \\.\SICE
2 \' b; r0 X% J, ]( a8 |  0040106C:  call      CreateFileA
# o- h; A+ I6 N# o( @, t  00401071:  cmp       eax,-0015 e- @/ O: F  k8 Y( u4 E+ w
  00401074:  je        00401091
+ b$ V7 U' m1 v3 O5 s: ]/ C4 T. w( r+ E: S- `6 m

8 C( y  _% o' C# k) ?There could be hundreds of BPX you could use to detect this trick.
( {; p$ n' r  J-The most classical one is:7 C9 n) \+ C  Q' d9 {% t- H
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||) {' s( J+ a0 N8 V  ?9 [
    *(esp-&gt;4+4)=='NTIC'
, q' K3 F) @3 _/ E8 W/ A
5 s8 b* I  u, \% r' ~-The most exotic ones (could be very slooooow :-(8 r7 E. |- ?8 C& C4 ^* \
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  1 o6 q8 Q+ @% _7 M# t6 F0 W
     ;will break 3 times :-(: r/ \! O0 o+ o3 r4 a' X

4 O: n* t6 t& a4 G7 O" t-or (a bit) faster: 1 F4 m  j8 P5 q; @
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
; @0 O0 O( F2 z- X
' S0 J, Y8 D  t# p5 A& M- j( ^   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  4 L4 f# e1 D' U! [: |
     ;will break 3 times :-(' ?6 F  o. }& h) T
: ~2 u) H1 y0 \+ c! ]
-Much faster:
2 p, q; T( \4 ?$ X6 S: V7 F* e2 _   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV': f. k" }0 z& j& G7 r4 @* k
! `7 O) w; v. k, n( |7 B, Q
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen" i. n9 q. j$ k; J: l9 \& U
function to do the same job:
5 J: v! P+ ]# I- i0 h- x/ z
. o5 ~' Z4 q9 b7 q   push    00                        ; OF_READ9 ^9 y4 \8 p, ]
   mov     eax,[00656634]            ; '\\.\SICE',0
/ A- B& J) a! E9 ^4 p2 q  q   push    eax
+ [3 j; q. N# b" W, r   call    KERNEL32!_lopen
1 W: V6 |+ i% Q, c   inc     eax/ x& E# Y" A1 \$ S, R, n
   jnz     00650589                  ; detected' m: f6 _' I& f4 L. |4 Y
   push    00                        ; OF_READ" S3 U1 q4 h1 B; M3 z$ O6 h
   mov     eax,[00656638]            ; '\\.\SICE'
' M: U# f9 b2 p* w; S   push    eax% I% S' G7 Q( r5 U
   call    KERNEL32!_lopen" n+ f- r9 J7 ~5 j6 l4 X- v
   inc     eax
+ P+ G( e# i' Q. k0 c& A5 X   jz      006505ae                  ; not detected2 P, H' _2 t2 x  m( _7 O
' C; j$ M8 U8 P9 e! ~' v

, J% l" i5 C3 }/ N+ x9 h2 j# p__________________________________________________________________________
2 B& H4 J; g! a2 i) b" y( X6 _/ _) D1 F
Method 12
2 ]0 v3 X7 T$ |0 |! P5 }: f=========
1 e+ J% r  K+ O: O  D: ~! D! Y2 K- H7 P/ X
This trick is similar to int41h/4fh Debugger installation check (code 05
8 b! K, z8 N3 f5 G&amp; 06) but very limited because it's only available for Win95/98 (not NT)5 @0 h: L) _# h# b1 r& z
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.$ G" n  I, @6 f- W! d
0 k: d$ g$ d" m8 ^; H" s
   push  0000004fh         ; function 4fh
7 _; _5 p: A" g) }8 l   push  002a002ah         ; high word specifies which VxD (VWIN32)$ o; r& j; A$ P2 o0 @" i
                           ; low word specifies which service
5 f3 u4 i; Y6 K                             (VWIN32_Int41Dispatch)8 V3 M5 \( w9 v( R
   call  Kernel32!ORD_001  ; VxdCall
7 ]: k( ?4 S4 G2 ]: G) @$ C4 X   cmp   ax, 0f386h        ; magic number returned by system debuggers
5 H, ~; m: Z6 R   jz    SoftICE_detected
. j0 y: I6 i, K% B
  U5 c. a, c, UHere again, several ways to detect it:
( L4 R8 l0 o. n3 F7 u9 T9 k* G0 i* g" b4 V
    BPINT 41 if ax==4f7 ~; t5 k$ z/ W" m+ P0 a; z( S

( L5 |  h# Y3 O* p+ o    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
' W; P8 N- D4 L8 n/ F, \* `! O0 G. M+ O6 ~3 N7 y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
: W" h+ \/ E1 H; ?4 S
" Z# R. x, W; L" ]3 J# d    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
/ d3 [) e8 O6 `. H/ ^
/ ?  j4 n! J- k" I3 L6 ?, _  o! s__________________________________________________________________________
4 C( [4 E6 _# L9 @- }  p
% S9 \! C% b- J7 v% j2 b, `Method 13
/ M5 p) E) f3 S! K# m. W=========
1 d" v/ j- E, n2 S# x' l0 W6 C0 K, d
0 P8 S( F) E3 z$ _& sNot a real method of detection, but a good way to know if SoftICE is
! _, J: X! u: v" E( O. Einstalled on a computer and to locate its installation directory.
$ A3 t7 {* x% U$ l5 P7 ^; z( G4 zIt is used by few softs which access the following registry keys (usually #2) :" \0 [6 |( N/ Z* L% O/ B% {
+ E  f5 l% t" h( j/ ^  B
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# l4 A) k! a( Y2 {6 m1 L7 [8 `\Uninstall\SoftICE; W1 Y# E8 l$ X7 Z+ i
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
* E0 v, C: \' @! ~/ g+ \1 _* U5 l-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% C' |; d7 l0 u* ^# [3 t
\App Paths\Loader32.Exe" S) a2 b/ h! d5 i2 n; y1 }# b" q
3 ?' K4 t9 Q9 _7 k! U# D1 W

- a) x5 m5 t) q1 }! j2 J& B7 d! }Note that some nasty apps could then erase all files from SoftICE directory
4 D  \- v, |6 ~4 q4 V(I faced that once :-(
* f0 b5 L3 Q: e  D. I0 p" D+ J( w* a- H
Useful breakpoint to detect it:8 N  Z1 l4 P# N( H/ O

4 D. P$ l" @* x7 A$ K- i& Y) w6 i     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'6 ]" _& k, u- [5 H8 I7 r
6 i2 y$ ~& Y/ m3 ?# ?
__________________________________________________________________________  Z- C2 A/ i: p" I! T7 u

. p" M; I1 J4 P$ i$ y
. Y7 E3 I* [2 ~4 T% }- b6 s5 uMethod 14
, K( P; U4 a0 ~=========
( W" C8 ]0 c* ^# ~2 q1 m+ p6 A: O3 a
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
7 r. n2 _7 T) R; eis to determines whether a debugger is running on your system (ring0 only).* [7 d9 F5 [, s; Z" E# s0 q; X

# N/ m5 A- T) ]2 x' g$ X' {   VMMCall Test_Debug_Installed; p" l- w1 n9 r( x. m* s
   je      not_installed
3 p0 u1 q6 B4 C; m0 ~  u  b6 Z- d0 h9 w* v+ o# z9 ]
This service just checks a flag.
! L, Q2 J  m2 L! L$ O: K</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 12:05

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表