找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
# [1 {2 A! ~# Y4 Y<TBODY>
( F* ^5 f7 z0 m' ~: J<TR>
! |# O( L+ r8 v1 W  b5 Q<TD><PRE>Method 01
. c' C& b9 i/ u5 H* C=========1 V. U9 p( s( [2 y9 j2 W. c0 t
" ^  b, f3 J, ?6 N0 R9 }
This method of detection of SoftICE (as well as the following one) is
6 l% I* Q( L" Q. l: \' D( sused by the majority of packers/encryptors found on Internet.; m6 e% I* m# E5 ]
It seeks the signature of BoundsChecker in SoftICE
) j7 C& i8 [) d( h. s6 c/ C
2 C/ F8 N* k1 |( K  f1 ^/ r' l2 @7 a    mov     ebp, 04243484Bh        ; 'BCHK'
  v2 u5 q5 [3 a    mov     ax, 04h
3 ~/ g7 j4 H2 R8 u1 Y: R    int     3       ! i7 h: X% z8 w
    cmp     al,4
# e. H1 A4 y/ c" M" E& Y+ R    jnz     SoftICE_Detected3 c  V- e, P- Y, R. ?% B
* ?/ }1 G8 P' M9 L' T# T( C& N
___________________________________________________________________________$ F9 T/ i1 F) M# s0 @# j) f
0 a/ r  R& O3 B/ A
Method 02
# G& g2 P' l0 M2 X* V/ Y+ L9 @=========8 ]- u4 d: d% h; ?+ k
; }. r. i( V, y# ~+ m
Still a method very much used (perhaps the most frequent one).  It is used3 `, q, t4 e$ w3 u
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! g$ N$ U" z  ^8 J& yor execute SoftICE commands...
+ {1 I8 f) P& F9 Z9 U$ w. z& n1 {* }It is also used to crash SoftICE and to force it to execute any commands1 l( w( D% Y+ q0 t5 @, F
(HBOOT...) :-((  
1 v* o, }: H1 f7 ^% [+ }% ^. H  r/ ?: r8 |9 d7 S; t0 [
Here is a quick description:9 M$ y2 H8 V6 S( [  X
-AX = 0910h   (Display string in SIce windows)
0 b( p$ b; l1 @-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
: K$ v4 ~7 [9 Y* [, J-AX = 0912h   (Get breakpoint infos): h- Z; \7 ~% G" F& d
-AX = 0913h   (Set Sice breakpoints)  b, c2 T1 n& B! G4 L0 W% n
-AX = 0914h   (Remove SIce breakoints)
1 [; W3 A0 z3 q# S" w' n" S7 j3 d0 a  V. j8 C& h! p7 z: t
Each time you'll meet this trick, you'll see:" [, ~/ H( w/ |) |7 E2 E
-SI = 4647h1 J8 Z) U  H; |+ z
-DI = 4A4Dh
, [) O9 {7 B& A& i8 k- N5 @! AWhich are the 'magic values' used by SoftIce.
( M) Q' c8 B8 R9 r1 eFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- |5 i$ Z  s7 E
4 ?$ H4 P  E% Y1 uHere is one example from the file "Haspinst.exe" which is the dongle HASP
/ {& v' E: \3 F: ]/ {" e$ n& jEnvelope utility use to protect DOS applications:' d# }8 V% U1 ^, W; O0 H& `2 ^' a

+ ~8 Y/ z" U, x, z
6 i/ q& E; z/ K% i0 O4 I* H4C19:0095   MOV    AX,0911  ; execute command., z3 q+ w( _: y: I2 r
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below)." B4 e5 m  W: g. o8 ?
4C19:009A   MOV    SI,4647  ; 1st magic value.4 Z$ R" ^3 v( e. s# N6 r6 Z
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
) w: K3 u/ B9 t/ G6 \4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)9 U$ b# o3 A5 w- Q1 r
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
$ I  o$ I9 B# N" S! \. r4C19:00A4   INC    CX
% ?; A7 x5 u( v; R4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute1 C6 ~1 H. |3 o% O5 E
4C19:00A8   JB     0095     ; 6 different commands.: Y' R- U- z9 A
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
( s* m3 r3 r- T2 h- z1 S& f* ?4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)2 |% P' V3 M0 @$ R2 U  N
. a* g% n  l+ b) K
The program will execute 6 different SIce commands located at ds:dx, which5 ?6 S" H0 Y5 D5 Y
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT./ r* T7 Q: l# R% x+ D

  M# t: c8 L- f) _; I* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.4 M5 ?3 s$ ^+ A) A. M5 g# I
___________________________________________________________________________
: O3 F  X& {$ B0 ^8 k1 |9 x+ X( W) S, P  n1 h/ c
1 U6 B! F8 D# @) N
Method 03! d- |; p, \+ ^" M9 Z0 B+ O
=========
, e/ ~- \0 W; b1 e( v3 f
9 l3 c4 ], D3 \4 TLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
% |, Q3 J- M" y% }4 F7 @' @(API Get entry point)
; _  ]6 w( w4 W0 j6 E        
* `  ?2 Q. P( W( y4 Y- b
# J0 x2 ^; @$ X9 X7 ?6 X1 \* j    xor     di,di
) i4 L  M/ l6 Y' s" B( z    mov     es,di/ R, x: `# g1 f
    mov     ax, 1684h      
2 l5 W$ O! ^, t, \    mov     bx, 0202h       ; VxD ID of winice" m* S5 \! t3 l2 P
    int     2Fh3 V( R) J5 b! _% P3 }
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
1 C8 D( R$ L0 E$ @" t    add     ax, di
- H+ u* k/ `' r1 M6 M$ W2 i    test    ax,ax
0 [4 I) w/ C$ G$ H    jnz     SoftICE_Detected
5 {! P/ H# |' c. k4 ]  f8 `5 ]6 L3 |- |0 H1 G% n1 b( A! z) _
___________________________________________________________________________
- E' t% O4 c7 x: ]. d& n
  u& f* V' _; I# L9 RMethod 04
5 u8 C; n, {, o/ R=========& Y0 o% f6 L" J* k
# ^( e2 t" t' ~+ m+ o$ O
Method identical to the preceding one except that it seeks the ID of SoftICE7 p/ D. C' a3 r
GFX VxD.9 _( q$ H7 G3 Q- h
1 K% P8 m, Y) @9 X( ]/ d4 t
    xor     di,di* p# E" v( n! w& v: b
    mov     es,di
1 E" b: X4 ~; L# r$ r2 u! w% O# _$ U    mov     ax, 1684h      
% i, Y4 D" J8 ~$ R- |; [; D" a    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 ^5 s3 B" b# g  M
    int     2fh
: u2 i; Z; Q+ }- H    mov     ax, es          ; ES:DI -&gt; VxD API entry point* c( m& k  j0 z
    add     ax, di% I1 B! C& h8 {, l; i
    test    ax,ax* ?+ T& |4 |7 U! B4 l" u4 S
    jnz     SoftICE_Detected0 @1 z+ r* r0 o/ s0 i9 B+ L* k

- G; O# J% G2 z' I  U- C2 c__________________________________________________________________________0 R7 \8 S% e  r8 `
" P% x4 I- l. ~2 c; ?) ?

& z& P( }# s: X" ~Method 054 {  u2 G1 j$ H" _$ a2 t1 q
=========
- [, `% ^2 v; \  s
/ x1 z0 r, y* zMethod seeking the 'magic number' 0F386h returned (in ax) by all system
9 S# F6 T) _' E6 M8 w$ F' b# wdebugger. It calls the int 41h, function 4Fh.  k0 q3 n$ @6 l8 c
There are several alternatives.  
" E. ~0 ]# ]1 E" l: z' S1 u2 w; w* s' w; I) [) \6 w: R4 K
The following one is the simplest:
3 I& V- t$ n0 y# [- J7 z6 f1 R* Y& m# \: ?- a  c) [
    mov     ax,4fh; I) F% k, e" X: m5 N1 _: f. C
    int     41h
* x, b& c" A% ?, N3 L/ p    cmp     ax, 0F386
- M9 k: r, G. `2 y5 Q  j    jz      SoftICE_detected
( O. Y+ V& S  j6 T3 b: I5 t- d4 q9 q/ C
0 T4 u1 n5 e' C5 U9 O
Next method as well as the following one are 2 examples from Stone's 2 @4 w: C3 }1 A5 o" \6 Y
"stn-wid.zip" (www.cracking.net):
( G' e7 a4 i. U' j' c: V
; r" b/ t- Z" R+ L; J# u! R/ Z/ v8 Y    mov     bx, cs( h3 k0 W" c# ~
    lea     dx, int41handler22 Y7 s( l1 \1 a) j+ ^1 z( O
    xchg    dx, es:[41h*4]
* ]0 W4 v5 z1 N3 W% {- N4 c) O    xchg    bx, es:[41h*4+2]$ t, |5 r5 Y7 O! B$ E! R  {9 Q
    mov     ax,4fh$ |& j5 T- g$ |5 O9 C4 _: x
    int     41h# ]! @" A( c' i
    xchg    dx, es:[41h*4]* |. {/ B/ M. G. g# Q$ X
    xchg    bx, es:[41h*4+2]) ?' F: Z8 a2 [/ [. w
    cmp     ax, 0f386h
! R- K" _" ~. J/ @    jz      SoftICE_detected: F% o* M* V1 A/ V' k! z

- ], }6 `# b( p; R) f5 Z5 B3 aint41handler2 PROC
+ [8 A; i. b9 w3 o, r    iret
8 u- z; W% r2 h2 Y2 jint41handler2 ENDP
/ y5 Y: k* C2 A+ \! X% o5 O/ E4 F$ N0 @
1 t, H' @! h% }* I) t
_________________________________________________________________________
: o; F3 h7 j" L$ k2 `: \, o6 n6 ^
2 ?' K! c  V$ S6 z6 [, A
9 V. w' W7 @1 OMethod 06
6 c. E; E' l' |8 V( X& S=========  ]& v. b8 n( b5 K" ?+ b+ F
" ]- S3 ]: ^) ]5 F3 v9 R5 `7 b
" ^' d' n8 ?1 \6 X& e2 Q; b
2nd method similar to the preceding one but more difficult to detect:
  ]  C; \- M6 q0 _6 n' n4 B9 R& q7 j0 H5 J% Z

9 M" `3 Q. `1 a8 N0 J1 n1 a* jint41handler PROC
. s8 y) n6 R; U    mov     cl,al
: F, V' G! u1 L) W# E    iret
2 h7 r1 G5 d# j2 b  h& B6 B4 }' Fint41handler ENDP
$ Q% B8 _* X7 g
9 \0 z9 n3 {* D2 F
  }/ X1 e& V" J/ w! {    xor     ax,ax
& H" u! r6 Y$ x    mov     es,ax
* ~% v  o; p/ P. p. k. ]& ?: k    mov     bx, cs0 N4 ^0 K- s- M
    lea     dx, int41handler
) ]9 [* ]$ Y) l; Q& B    xchg    dx, es:[41h*4]
! o* e# j( a% g, ^) r    xchg    bx, es:[41h*4+2]0 i+ u, r) H# v# V! _
    in      al, 40h% u2 g4 I& g# i1 E
    xor     cx,cx* _1 o- @7 Q$ B9 ]3 F: `* `2 k. u- i
    int     41h( j+ T' W* y0 L' s
    xchg    dx, es:[41h*4]: a; R" h1 f) D
    xchg    bx, es:[41h*4+2]# ~" q8 o/ e' m" B7 R/ n, N1 n
    cmp     cl,al. f6 G7 R: H0 C, _7 Y; C* V
    jnz     SoftICE_detected
, u+ S8 V- P) H' ^  y, }
3 R! i" H" ^% o/ J( ]_________________________________________________________________________
9 f/ H) r$ p8 r7 t- a* k8 [) u3 [# j* A
Method 07
7 A0 a' U9 {. r=========6 x% A) v7 k# D6 l0 Y: u$ k
7 t3 b& u6 k& Q  U
Method of detection of the WinICE handler in the int68h (V86)
: L3 f( P1 Q, y4 z. A; q* F3 G
, h4 x  l$ ]( z/ x+ a( \- f2 R    mov     ah,43h) \* w/ W, w  n( e- @7 n
    int     68h8 Y$ b& E+ ], D/ M9 B9 i0 ?8 R
    cmp     ax,0F386h& C5 u' q9 H' s* }  ?0 ^
    jz      SoftICE_Detected
2 k7 r1 K: Y* t0 J# l& c
# B' l" A3 o* q3 t) e* N9 X
# }8 ?/ v8 H/ m=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 z) U. ~8 H/ J& X$ e
   app like this:( _1 a% ?" b; a

! b8 S% A% q1 x" l4 B) r& Q- d1 c   BPX exec_int if ax==68: A8 E* a7 P0 j; ?
   (function called is located at byte ptr [ebp+1Dh] and client eip is$ m% O: v2 A) x% v
   located at [ebp+48h] for 32Bit apps)1 G* `/ y$ c3 Q, s6 B* ]
__________________________________________________________________________
# S6 ^: y+ i5 e* `6 ~- ]$ L
' r+ q5 R- {+ d! j: G; \4 s8 J
5 M% d5 _  V+ W9 gMethod 08
9 ?* d8 h& I' I( l5 e( O=========
: [6 c: I  e! D
- H. k1 W( u. `  x/ MIt is not a method of detection of SoftICE but a possibility to crash the
. e& g$ X/ ~  S( @$ isystem by intercepting int 01h and int 03h and redirecting them to another
3 U0 Z6 O) r; R# _8 Sroutine.( V2 Y3 @7 U9 \( h8 r
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points' [6 K; I  F; w; [
to the new routine to execute (hangs computer...)( C' p* J/ Y, D/ p) T# U& K; y' X6 h
- V$ v2 A7 s) M( y" {4 x( c
    mov     ah, 25h
0 W$ v' B! X* [9 {6 \    mov     al, Int_Number (01h or 03h)
1 }) o  z( Z- Q; P0 R, F    mov     dx, offset New_Int_Routine
+ @$ }( @3 V- O9 z. E    int     21h$ _! R$ z. u) j, ]

2 g3 U9 T/ L$ a6 T( o$ d; @__________________________________________________________________________
: i# b$ a, Z6 ~+ [0 i" N( Q0 ?4 s5 Q( n- p5 G
Method 09
; x- x) A9 [: }+ L3 T4 A=========
2 m: ^3 y! m5 J5 i% o, s. ~0 I' S8 b* x; D% f
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only, L1 s1 _8 N( {! E
performed in ring0 (VxD or a ring3 app using the VxdCall).
4 j8 e: N/ c0 Z) }) f0 CThe Get_DDB service is used to determine whether or not a VxD is installed5 Q& M$ e* h4 U+ U3 w
for the specified device and returns a Device Description Block (in ecx) for
% \9 E& n0 M7 Y  zthat device if it is installed.
9 r- [" o/ `. l& s; ]
4 j. ^$ W) @9 K7 p9 R& R8 w   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
8 m* I+ q9 b$ a* @   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( c3 f0 O7 N( {, T$ c8 _! k4 x   VMMCall Get_DDB3 b" G+ U- p1 p$ ~
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
1 W9 n# E! k8 R
+ Y" Q, \* D& g9 V; sNote as well that you can easily detect this method with SoftICE:
' ]- {8 A# S8 V% `* l, [! `+ \% n   bpx Get_DDB if ax==0202 || ax==7a5fh7 ?+ O  ^" j& g4 M) ?

- _  g5 V) W0 o__________________________________________________________________________, U+ Z/ y8 z7 r- A8 Y! K
4 d0 L0 Y) E8 m
Method 10% s8 X6 y& I) ~( P
=========  A5 u% e) r# {" C

1 p9 b* ^/ H6 {) @$ h" r) l: V: x& n' \=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
% t7 ~- g9 X( R3 K; O  SoftICE while the option is enable!!; o( o8 Z/ S6 U* o
, D/ ]# n  Z/ _  C8 R7 J: A
This trick is very efficient:# n/ E( Y& t6 L" ^* d4 p1 W/ }
by checking the Debug Registers, you can detect if SoftICE is loaded. P, u% P) l# w
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if" j9 t: Z" D; E4 y" C! v
there are some memory breakpoints set (dr0 to dr3) simply by reading their
* g$ h: k- [2 v2 pvalue (in ring0 only). Values can be manipulated and or changed as well
# y- N1 F& q# t' J(clearing BPMs for instance)
& u) `' ]' ]% R' z5 l4 B6 j2 \# u
__________________________________________________________________________
* h8 Z( n' x" Q
6 Z- H7 |" {& f8 Z  u$ X& F# k; uMethod 11; l; u; X) z7 h: m: @2 p
=========
) l6 J1 W% c: t% Q3 n* K3 J9 U2 m: H" C
This method is most known as 'MeltICE' because it has been freely distributed
  W% ?: O+ c; V$ Fvia www.winfiles.com. However it was first used by NuMega people to allow
/ s' @  ~. Q  d9 s/ f2 h! h2 B* gSymbol Loader to check if SoftICE was active or not (the code is located
' a8 |, q2 ]' M5 l; U( L+ Winside nmtrans.dll).( p" A. D  l+ R6 m# h( B3 G( T7 U; U
9 k' g8 T2 J1 l8 i4 S* v
The way it works is very simple:! |7 C5 G5 `: s8 m- G- S
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
, q" e: d5 Z0 s* p: e2 LWinNT) with the CreateFileA API.5 G# _) D. H. S) m; Z6 x
  s0 g' y" y" D5 [
Here is a sample (checking for 'SICE'):+ J6 m% w% I( o7 x: A* Y

% ~! W. U. B. M+ U9 |# uBOOL IsSoftIce95Loaded()
7 I5 b' F' N  j' G7 X' X3 d1 Z6 z{
5 l( r- O- v# E   HANDLE hFile;  & ?  x9 G- Y' k. g1 S) H
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,% J2 W3 z3 ~$ u1 {! j! {8 p
                      FILE_SHARE_READ | FILE_SHARE_WRITE,0 P6 S$ E# q7 q6 Q
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);. t. O; V9 Q8 p' [  ^9 W
   if( hFile != INVALID_HANDLE_VALUE )
. ^1 a6 O; `( F. t. _7 g  g   {
/ N& o6 U- k* a6 A1 v" ?      CloseHandle(hFile);; R1 U, e  |% R( _/ ]4 @
      return TRUE;
6 F( k# W! h8 {   }) z7 @0 K/ U4 T2 z$ M0 h
   return FALSE;) C( Q6 O- U. l0 Q0 |) d; J- Z1 |
}6 N' f" ~4 p# I+ j
# Q3 y2 Z) @. N, B
Although this trick calls the CreateFileA function, don't even expect to be; [: O7 S( C2 M* i
able to intercept it by installing a IFS hook: it will not work, no way!2 P2 M" q; f3 K% G; @
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
3 E9 W! a9 v, r6 Cservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)4 |  m8 w4 g2 L7 x- c6 f
and then browse the DDB list until it find the VxD and its DDB_Control_Proc/ j( V3 }5 ]/ g
field.
. H( c5 `. f6 }" Q1 [! XIn fact, its purpose is not to load/unload VxDs but only to send a
' X, q) e8 |+ Y# kW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)0 ?" C! k. N9 ~( w6 s
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ y, r3 a5 \9 }0 Z) Fto load/unload a non-dynamically loadable driver such as SoftICE ;-).0 i9 A3 E! G" E
If the VxD is loaded, it will always clear eax and the Carry flag to allow+ l+ s; [- H, c+ z% x: s5 U
its handle to be opened and then, will be detected.+ V/ z$ T, H) \" A
You can check that simply by hooking Winice.exe control proc entry point5 q) E: l/ b4 q( |9 y
while running MeltICE.
% w# Z0 a) J" p1 \- K% y& @! [
5 u) ?5 G; g, \) @# ~" F6 T" U9 \4 B% m8 z  r3 C
  00401067:  push      00402025    ; \\.\SICE( e" v$ ?: I5 X4 ?) c
  0040106C:  call      CreateFileA
$ D# v' Q2 ^& q8 I6 g. ^3 X  00401071:  cmp       eax,-0014 _' Y/ f: Z$ ]+ b$ ], k. {9 s1 C
  00401074:  je        00401091& c" d) E4 Q: X* m; A! H! A
& h5 |$ S! e6 u7 @, Y: R
1 c1 A& d+ {1 Z, n
There could be hundreds of BPX you could use to detect this trick.
7 s: a* p. S; R' }$ R( i7 V2 L& \* P1 J-The most classical one is:6 \# F/ i8 W) B: m+ @$ q
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
/ I$ X1 \* z6 e+ R; f! A. X: u    *(esp-&gt;4+4)=='NTIC'
# X6 {, `1 P7 _* B) g% F' ~5 X. A. p0 j2 v
-The most exotic ones (could be very slooooow :-(0 \, P/ I9 F* E' l; V2 b
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  3 D5 [/ c( v+ A( [1 a& `
     ;will break 3 times :-(
5 m2 ?0 J4 q& m! T3 t+ R# m/ M3 i5 {! u
-or (a bit) faster:
3 [; u* a  ^0 N  _" V( V+ J; N, i' x   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
6 q+ }9 v* y; t9 w  r( a/ F2 ?8 z( O4 Y( R7 {  W+ O+ W0 x
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  1 i$ n3 _1 X4 q. |
     ;will break 3 times :-(- |5 ?5 K0 l  c9 n7 K) B
* `! d) R8 ^9 g1 w+ S4 y- k0 k
-Much faster:
6 E  z# \8 Q) b  r& x   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'+ N; ~; l6 P, V# O; g8 Z+ p1 W

4 n5 E9 R. w& k: \Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
) n- B& x- f3 d" Z! t! H3 l$ @" Wfunction to do the same job:( W- V. t4 u( z; Q
. K; y6 n3 |4 c
   push    00                        ; OF_READ
8 J6 t" \( N. h( Q# U6 O   mov     eax,[00656634]            ; '\\.\SICE',0
6 ]  d$ N  b8 o: d* a   push    eax
! L( t3 u0 i" M# u; k7 g5 U   call    KERNEL32!_lopen
* W9 d" _+ D( X( ^' V) P8 h0 @   inc     eax
8 l/ r+ Z* t+ b+ Y9 A   jnz     00650589                  ; detected
4 O' j9 V0 L" t- W/ p   push    00                        ; OF_READ
% j7 o6 x. }# c/ t# j9 [   mov     eax,[00656638]            ; '\\.\SICE') A1 _1 q6 N6 s1 N
   push    eax' o; O7 v8 t0 t$ m
   call    KERNEL32!_lopen
! n+ R' Q6 N6 a. t0 J" U   inc     eax
7 M& v* f  X6 W5 T9 T   jz      006505ae                  ; not detected" U1 z% K& D* K3 V

0 ]: R, `0 g1 p  r/ d+ ]% E! X8 R, j! {; o
__________________________________________________________________________
% Q, Z/ N+ V+ w. x9 X2 b# e/ P' L
! T2 [( o) o: z4 h/ A/ PMethod 12
3 o. n/ T  Q* {=========
1 l- u9 w# j  g) W/ i6 W( V6 Q6 r: n; F1 X
This trick is similar to int41h/4fh Debugger installation check (code 05
; ?6 C# n1 \) T" b) ]% S! S&amp; 06) but very limited because it's only available for Win95/98 (not NT)
& b; K# S0 p8 H9 h6 f+ U: Qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
8 l& s- u* \+ p& Z3 M. z! y8 y0 c7 d1 p1 Y& a. u6 g
   push  0000004fh         ; function 4fh4 w5 m; B# M. r$ ]1 ?' p( s% p
   push  002a002ah         ; high word specifies which VxD (VWIN32)* l) C3 a1 r$ C+ x
                           ; low word specifies which service& _! v. u+ L+ ]( ~
                             (VWIN32_Int41Dispatch)  u* w& P% f# f2 T+ i7 Q: Z5 @$ X
   call  Kernel32!ORD_001  ; VxdCall  ^( E% F; I3 q3 {
   cmp   ax, 0f386h        ; magic number returned by system debuggers; ~: [& I* b" ]0 e" B; L" c
   jz    SoftICE_detected# f* m: e5 s5 z

5 k; Q, a8 h" }$ }8 U( UHere again, several ways to detect it:' e; [: c. p1 ?/ ?- f/ e6 N

2 Q: [1 |* I: i+ z. K+ n; d    BPINT 41 if ax==4f
5 H, b# {/ k: g7 ]6 D! ^  l- g' s2 |. r
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one/ f- |* z( U, Y/ z1 Q
" j: w7 a* t9 s( W1 ~
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
( i3 S' U% Q. N. ]. v$ @# k; K3 @9 f
4 t7 X2 R/ E+ V% Q    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
& q# h  j, L- Z
0 }$ `6 S$ G+ g. U3 a6 ]& v7 \' P__________________________________________________________________________0 d3 l0 Z, ~' i2 H+ ?$ y
, I& P* ]  c  Q( E7 j1 N( c) r" u
Method 13
2 f- z3 X6 v( @) a/ ?5 u( u=========
+ d7 D* |, ^+ v2 V! q) s. l
5 y2 t' Z" \+ i/ t9 xNot a real method of detection, but a good way to know if SoftICE is6 r4 I' b! x  q
installed on a computer and to locate its installation directory.5 |6 {* w9 _& U$ G1 H1 f/ [
It is used by few softs which access the following registry keys (usually #2) :
9 g+ ~! G4 D7 q
/ q, t4 K! g  h) E, o/ v5 p-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' U1 a# Q& [' a1 s5 e
\Uninstall\SoftICE
2 ^# N; i1 E9 M( N% K: |-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE  d# d, O, K9 o0 r$ R: X% H% M! T& W
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( J& {7 n# K0 `- d& r\App Paths\Loader32.Exe
0 r% b2 h' z$ K2 f2 L2 B0 ?2 Q5 o% n! Z( p! l% e8 P. j
- y& ?5 A" @6 d1 G* X
Note that some nasty apps could then erase all files from SoftICE directory& ~/ x+ O1 @1 X! a# \
(I faced that once :-(
4 s, S4 i* ^' M. r
# w; E" o* [+ |, q3 qUseful breakpoint to detect it:2 n3 q. o( J& O. R
! l( o# ]" K; A: [# R
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'0 c3 a5 a# I2 o: D; L
+ a7 k% O+ T1 @. c; B8 v
__________________________________________________________________________
- l3 c6 _) _: Y* X; n( A9 I, J: L: m$ C9 W+ f8 H

+ O; q+ V1 \& h' G1 ?Method 14 / U3 p/ \% N- J1 Y# O' J
=========1 }' T) [4 j& L# v( }
! m( ~6 ?6 D9 d7 j5 e
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose% U# }: ~% n- F; p# G  q) j
is to determines whether a debugger is running on your system (ring0 only).) \& ]! R; ]; ~! Z3 W4 I

8 E# Z' J) P2 r$ O2 F$ ?   VMMCall Test_Debug_Installed
  `) e' j; {9 ?+ @1 r# A   je      not_installed
, k9 Z+ `8 H' J% \8 g1 N; I" E# r
This service just checks a flag.0 }# d$ S% m. G& l
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 16:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表