About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands -command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.
. F1 x# V1 T+ F' A5 u0 D% [/ B
Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========
  n5 N3 W4 {6 u) x: w( n! k' v# z5 a/ \7 {/ x
Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
( t) f1 {1 ?8 Y6 f+ X- v+ Z0 P; b# F
___________________________________________________________________________

Method 04
=========
% @3 J5 j% r5 T! M
Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========
( c; C6 w8 I; e7 m7 y& m) x
Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES = 0 so es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if SICE is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
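As an added example (not part of the original post), a static triage scanner in Python that looks for the byte patterns of the checks described above (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) so an analyst can flag a sample that carries them before debugging it. The encodings are hand-assembled from the listings in the post, and the sample buffer is constructed here, not taken from Haspinst.exe or any real file.

```python
import re

# Byte signatures for the anti-SoftICE checks listed in the post. Encodings
# follow the instruction forms shown there: 16-bit operands for the DOS-era
# checks (an optional 66h prefix is tolerated where a 32-bit build adds one)
# and 32-bit code for the packer (method 01) and Win32 (method 12) checks.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK')
    "M01 BoundsChecker BCHK/int 3": rb"\xBD\x4B\x48\x43\x42",
    # mov si,4647h ... mov di,4A4Dh within a few instructions
    "M02 back-door magic SI/DI": rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A",
    # mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID": rb"\xB8\x84\x16\x66?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh": rb"\xB8\x4F\x00\xCD\x41",
    # mov ah,43h ; int 68h
    "M07 int 68h/43h": rb"\xB4\x43\xCD\x68",
    # push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    "M12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # \\.\SICE, \\.\SIWVID, \\.\NTICE device names (MeltICE and _lopen variant)
    "M11 MeltICE device name": b"|".join(
        re.escape(b"\\\\.\\" + n) for n in (b"SICE", b"SIWVID", b"NTICE")),
    # registry key #2 from method 13
    "M13 NuMega registry key": re.escape(b"Software\\NuMega\\SoftICE"),
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan_anti_softice(data):
    """Return [(signature name, offset), ...] for every hit, ordered by offset."""
    hits = [(name, m.start())
            for name, rx in COMPILED.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: h[1])


def has_anti_softice(data):
    """True if any of the signatures above is present in data."""
    return bool(scan_anti_softice(data))


# Constructed sample: hand-assembled fragments of the checks from the post,
# padded with NOPs. These bytes are not taken from Haspinst.exe or any real file.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01 (32-bit)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # method 02 (16-bit)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # method 05
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"           # method 12
    + b"\\\\.\\SICE\x00"                                            # method 11
    + b"Software\\NuMega\\SoftICE\x00"                             # method 13
)
# Constructed benign fragment (plain prologue/epilogue) that must not match.
CLEAN = b"\x55\x8B\xEC\x83\xEC\x10\x33\xC0\x5D\xC3"

if __name__ == "__main__":
    for name, off in scan_anti_softice(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Signature hits are a triage hint, not proof: the int 41h/4Fh and int 2Fh/1684h byte sequences can appear in legitimate DOS tools, so confirm each hit by looking at the surrounding code.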