About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES must point to the IVT (segment 0), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keeping the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al           ; our handler copies al to cl; a debugger's handler won't
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the PIT counter: an arbitrary, hard-to-predict value
    xor     cx,cx           ; cl stays 0 if our handler never ran
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                  ; set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance)
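
The two DR7 values quoted above become clearer when the register is decoded bit by bit. The following C decoder is an added example, not code from the original post; the bit layout is the one documented in the Intel SDM, while the function names (decode_dr7, classify_dr7) and the sample values are constructed for this example:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DR7 layout (Intel SDM): bits 0-7 are L0/G0..L3/G3, 8=LE, 9=GE, 10 reserved (1),
   bits 16-31 hold R/Wn and LENn for the four breakpoint slots. */
#define DR7_LE (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE (1u << 9)   /* global exact breakpoint enable */

struct hwbp { int local, global, rw, len; };
struct dr7_state {
    int le, ge;
    unsigned enabled_mask;  /* bit i set when DR(i) is armed locally or globally */
    struct hwbp bp[4];      /* rw: 0=exec 1=write 2=I/O 3=read/write; len in bytes */
};

/* LEN encoding: 00=1 byte, 01=2 bytes, 11=4 bytes; 10 is undefined in 32-bit mode */
static int decode_len(unsigned enc) {
    switch (enc) { case 0: return 1; case 1: return 2; case 3: return 4; default: return 0; }
}

int dr7_bp_rw(uint32_t dr7, int i)  { return (int)((dr7 >> (16 + 4 * i)) & 3); }
int dr7_bp_len(uint32_t dr7, int i) { return decode_len((dr7 >> (18 + 4 * i)) & 3); }

struct dr7_state decode_dr7(uint32_t dr7) {
    struct dr7_state s;
    memset(&s, 0, sizeof s);
    s.le = !!(dr7 & DR7_LE);
    s.ge = !!(dr7 & DR7_GE);
    for (int i = 0; i < 4; i++) {
        s.bp[i].local  = (int)((dr7 >> (2 * i)) & 1);
        s.bp[i].global = (int)((dr7 >> (2 * i + 1)) & 1);
        s.bp[i].rw     = dr7_bp_rw(dr7, i);
        s.bp[i].len    = dr7_bp_len(dr7, i);
        if (s.bp[i].local || s.bp[i].global)
            s.enabled_mask |= 1u << i;
    }
    return s;
}

/* Classify a value the way Method 10 reads it: 0x400 is only the reserved
   bit 10 (idle), 0x700 adds LE/GE, and any armed slot means a memory
   breakpoint (a SoftICE BPM) is set in DR0-DR3. */
const char *classify_dr7(uint32_t dr7) {
    struct dr7_state s = decode_dr7(dr7);
    if (s.enabled_mask) return "hardware breakpoint armed";
    if (s.le || s.ge)   return "exact-breakpoint enables set (0x700 pattern)";
    return "idle (0x400 pattern)";
}

int main(void) {
    /* Constructed sample values: the two quoted in the text, plus one with
       DR0 armed as a 4-byte read/write breakpoint (L0 | RW0=11 | LEN0=11). */
    uint32_t samples[] = { 0x400, 0x700, 0x000F0401 };
    for (int i = 0; i < 3; i++) {
        struct dr7_state s = decode_dr7(samples[i]);
        printf("DR7=%#010x: %s", (unsigned)samples[i], classify_dr7(samples[i]));
        for (int j = 0; j < 4; j++)
            if (s.enabled_mask & (1u << j))
                printf(" [DR%d rw=%d len=%d]", j, s.bp[j].rw, s.bp[j].len);
        printf("\n");
    }
    return 0;
}
```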

__________________________________________________________________________

Method 11
=========


This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>