找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
7 k, |5 [# l3 i* M( ^: h<TBODY>
  s/ h* l8 j3 c& h; X- q<TR>4 J: ~% @! y1 Z3 m+ k9 K/ h
<TD><PRE>Method 01 4 g" F% w  Q" ]) ?2 L( v% i9 y
=========
9 n2 n/ f$ M& A! ~' X/ I6 V* m! X% r/ g' |
This method of detection of SoftICE (as well as the following one) is/ S$ w0 m/ S: l+ z6 q6 E' J
used by the majority of packers/encryptors found on Internet.
' x: r2 u  D5 T3 g' d9 z0 OIt seeks the signature of BoundsChecker in SoftICE( ~) H4 R0 ^& J

" U5 r  X7 t$ c! J    mov     ebp, 04243484Bh        ; 'BCHK'
1 s% x0 E1 f" V2 X$ z- X2 j    mov     ax, 04h8 R7 z' g8 x! r; S5 @# Z& ^4 I  N
    int     3       $ Q8 @* m. \6 t
    cmp     al,4
! E% K* F; i( ]6 c* A9 h4 ^1 E    jnz     SoftICE_Detected
7 x9 W1 J% l; k% ]" e0 `( w5 O3 p2 W6 {* g2 |1 h3 z
___________________________________________________________________________+ _! g; x1 y# V% e( t$ T$ ^' o2 @
7 t( L' H- e% ]: U5 |
Method 02
% p. a' l+ Z, u4 r2 b=========6 e% \0 d9 z  P  F* {6 K
" J( {+ |7 Z9 p! n1 b- w% G! A
Still a method very much used (perhaps the most frequent one).  It is used
( N& u# [7 D# R- I" }( f" l2 @, Vto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
8 ]5 S  [% J; u! x( N* por execute SoftICE commands...
! g2 ^5 U1 ?5 o8 _" sIt is also used to crash SoftICE and to force it to execute any commands* x1 B2 y: d* n' a# u9 ~4 W$ X
(HBOOT...) :-((  
1 W4 v$ M! g6 C. |, O. r( i  c( g1 {# H) y9 r$ |" `! ^
Here is a quick description:$ J/ u$ d4 ~; M4 T$ d
-AX = 0910h   (Display string in SIce windows)
' x2 Q4 [- I4 V" h) T5 v-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
% U# N- R; v4 t! X-AX = 0912h   (Get breakpoint infos)
; i7 H, B6 \, u6 r-AX = 0913h   (Set Sice breakpoints)' D/ Q7 b- e. O: z, L) q- n
-AX = 0914h   (Remove SIce breakoints)
  X" S: F5 [* g
  r: X+ Z* |3 |# pEach time you'll meet this trick, you'll see:
& _, Q8 b* ^3 M8 y# I-SI = 4647h0 A. p$ h  o( c$ Q
-DI = 4A4Dh
4 A6 M. [* w/ J% x! K5 v1 NWhich are the 'magic values' used by SoftIce.
) z' `5 Z( l" F% A5 P1 ~For more informations, see "Ralf Brown Interrupt list" chapter int 03h.) H: ~4 h/ x1 c8 s4 m4 ~
" o: W1 l) u( A! a; M/ o+ f
Here is one example from the file "Haspinst.exe" which is the dongle HASP
5 o' _. d3 G5 V, B  @Envelope utility use to protect DOS applications:4 e8 F  h9 o/ O- L5 ^

& H# D/ ~$ C( M, V
8 V: W: T, u) s4C19:0095   MOV    AX,0911  ; execute command.
* A- C  a8 c- y3 B/ ^9 f2 _4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
6 ]# S. q! s3 X( H7 y) h+ e4C19:009A   MOV    SI,4647  ; 1st magic value.* E- d7 ~1 a2 d; v% G7 E' \) Z
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
  U3 m2 h! }/ \- o; H4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)3 B9 p+ B% Q" K
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute0 ]- n( u: w0 w3 o: T& K3 T
4C19:00A4   INC    CX
- l, y" l, G7 p. z4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
" y3 L) G. W7 M8 ?- [( C! h7 R1 \4C19:00A8   JB     0095     ; 6 different commands.
! n" c- Y3 \6 m7 \" L" N1 _4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
3 P- H. L1 X% I% |. [" l4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)8 j' Z$ p. x7 G# {: \
; S, g: m8 q. Y; ?' q4 A( {& }% z. f) k
The program will execute 6 different SIce commands located at ds:dx, which9 A3 Q( a1 N# c" t
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.6 c; n; r4 Q4 K: l
5 y9 Y3 M2 ^6 \- G; L1 z
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.; A* M2 |* i' U5 k# K5 d- a
___________________________________________________________________________
. @* o8 M8 T2 ?, J5 z4 H0 Z: J3 r- O# X5 [1 ?

- X0 W9 ]/ D5 AMethod 03* J7 K$ z+ P8 k- J! Y
=========
; V$ g( Y( E: [
! u, Z- ^3 K) @7 `8 d1 xLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h+ @8 y/ k" X9 ]( b
(API Get entry point)8 b6 _: V8 Z: x, B0 \4 Z  j' P5 c( z
        4 B  k, i/ |( t8 v5 D

9 N( H9 w; w& N    xor     di,di: t6 _  l, ]5 Y2 `, k4 f
    mov     es,di
4 {7 k9 ?% Y& \, e" j8 d# [    mov     ax, 1684h      
3 O* |6 B1 _  U5 q- z8 z3 J& O    mov     bx, 0202h       ; VxD ID of winice7 D$ s0 f: N( x7 ~4 Z# y; {
    int     2Fh
4 o- W  \1 H4 `6 Q4 H) x    mov     ax, es          ; ES:DI -&gt; VxD API entry point
3 I$ R- c; [, P/ F7 q    add     ax, di
1 A: @4 \* a2 }& K% X6 R! j    test    ax,ax( ?' w; ]$ J$ P( i
    jnz     SoftICE_Detected# n0 i  W1 y( F3 R

6 m: L! ?$ O, T+ u: W, ?6 Q& j___________________________________________________________________________: `8 |* F4 B* M3 @5 y& z
- X4 b8 v/ v1 [6 E- h
Method 04
" Q, q+ c, E% t$ Q+ R. V=========
; L! ?+ I# B3 o- V: l& |& h
* R, P; r, f+ M  \8 u0 X5 |Method identical to the preceding one except that it seeks the ID of SoftICE
7 B1 R! P  j# c( o5 bGFX VxD.
  G7 Y1 Z: Q9 N# h& _
6 Y+ C( U5 ]. @* g    xor     di,di
3 V- n. \& k2 `) Y    mov     es,di
& h1 t' u/ v- P$ R    mov     ax, 1684h      
/ g4 C- I  B  t) y& Z$ Z5 ]9 r: ]    mov     bx, 7a5Fh       ; VxD ID of SIWVID
1 R" H* o" ^6 ]1 L' X    int     2fh; {$ j3 A& F6 _
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
8 l; K2 E. A& c2 z8 Z& U    add     ax, di
$ a% q& F2 d" f/ s! \& Z) H    test    ax,ax6 o  G" q) _6 Y
    jnz     SoftICE_Detected. {- l) @( `6 m1 O

. u  m* b7 P/ Q: c__________________________________________________________________________
* T. [, R- n/ ]2 _2 P1 E/ p$ }9 n5 G2 {% j
1 m* G# b2 t6 U4 C$ N) r
Method 05/ S4 |$ f+ I  ?5 |
=========
5 p* l6 e! n2 }& V# O, O+ M/ \: `1 n; G" @- J
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 d* b$ \* x& x, B) H6 e
debugger. It calls the int 41h, function 4Fh.
4 d* f/ p" x, w7 o; \7 o0 YThere are several alternatives.  
( ^( I% B/ M4 M
3 p: E* w* P" Z+ r9 x6 h1 SThe following one is the simplest:1 m, H2 p. M4 B! R$ _

, q: M7 c8 a- |    mov     ax,4fh
) ]5 e  t9 }; p. i3 E  G  U    int     41h2 c% r8 g7 P  e# B) d
    cmp     ax, 0F386
  s6 @( x5 A+ {6 l4 W    jz      SoftICE_detected3 x0 K. L! H3 k* Y- [# v) G

8 J1 f# G8 |1 R) y2 w2 a8 V* @; s8 H* i4 H; N4 R
Next method as well as the following one are 2 examples from Stone's
+ v: p, Y  s+ j; `. i"stn-wid.zip" (www.cracking.net):7 d  {4 c; j2 v5 I5 ~* x; w

, _8 N) n3 x" z6 P9 G1 G  ?6 A    mov     bx, cs
- R9 P3 [) P& _; c& A" g* Y    lea     dx, int41handler23 Z4 z  @* d- a* v" k9 m* G
    xchg    dx, es:[41h*4]
4 i& v8 G  t& ~- S: s+ R    xchg    bx, es:[41h*4+2]( m* k8 g. o6 C1 M# u' l
    mov     ax,4fh
! E! ^7 C" G' b4 Y- x# ]& O1 H) p    int     41h
  ?( C5 h" [  }: q) Z    xchg    dx, es:[41h*4], D9 u7 y! p8 c: J
    xchg    bx, es:[41h*4+2]
; J& d) {/ X2 I: q6 s7 {6 Q( `    cmp     ax, 0f386h0 r0 y" y  R! q; G+ G
    jz      SoftICE_detected; T  Z9 B' j$ z4 m
& i: r" b% x! L
int41handler2 PROC
* P( _$ e7 `0 s( y    iret  \5 W5 n, E( r1 m. v
int41handler2 ENDP. i  i, z  ^7 q
- V7 K, Z6 J0 X. B
7 i) [$ B' Q$ h: w
_________________________________________________________________________
# ?4 e5 @) m9 r. R" y  h' v' r7 R
  X$ p, I% p1 E+ A/ Q0 K$ Z, K2 B  h# ]# a
Method 062 c$ R/ ?* }0 M$ E: L" @) ~, \& [
=========+ r# W9 X6 ?8 ?
& ?& L& J7 `5 P6 j* c
" f, s& l/ @, i3 b
2nd method similar to the preceding one but more difficult to detect:) e# }5 L9 ?; V
. `: J; m. [  Z! G1 D& ^  Q; K
" J! K# M8 \* J! g
int41handler PROC
6 q6 f7 ?1 y0 R, s* N1 }- v/ N    mov     cl,al( X: S: S* v4 m  i' _
    iret
( b) ~9 C4 [. y. c. i" {int41handler ENDP- i3 x! m$ `0 O% P
2 n; T. B: ^+ ?5 E' |2 N8 S0 n
' v$ \1 J; z2 h( F- T
    xor     ax,ax
" h% I$ Q0 T  E2 m& B9 G    mov     es,ax7 s5 N8 M7 T# b& a8 `9 V
    mov     bx, cs! q" y5 n/ u# Z2 q
    lea     dx, int41handler5 m. ]9 H9 H% S2 n. C( d# i6 A4 [
    xchg    dx, es:[41h*4]$ z% ?% I* L4 E  o3 ~& c
    xchg    bx, es:[41h*4+2]- u; b7 g2 \0 [( q6 ^$ m
    in      al, 40h
0 a( M9 V  V7 J    xor     cx,cx* B- Z1 Z; i- S7 r6 v+ y
    int     41h
$ i6 g3 f8 b* p" K3 ~% I* s9 O    xchg    dx, es:[41h*4]) P1 r8 M" N! o( Q0 l3 \
    xchg    bx, es:[41h*4+2]; g; }) M0 H, o. [  q; m+ V7 N
    cmp     cl,al" \& m/ U3 A. ^) \
    jnz     SoftICE_detected
5 a0 T+ O: N5 P+ j! @$ y5 t5 [
% P8 q, I3 l  l/ j_________________________________________________________________________7 ^0 u$ ]( a4 N7 V* F

! {* d5 q0 z- A  QMethod 07
# }+ y/ s# l' Y% H=========
; R: R# b; R2 W$ a& l
+ X3 e  c  ~7 n! Y& f: M: H4 }Method of detection of the WinICE handler in the int68h (V86)# c5 \: T) ?$ X8 v

9 Z7 C+ v" C! m: t    mov     ah,43h5 T& L4 S. ?; @0 ~; P
    int     68h0 z: Z, |+ T" F3 j. A, u* C  u$ t
    cmp     ax,0F386h* }  X6 c/ J& [3 Q. T
    jz      SoftICE_Detected
% B$ r& n$ }5 {2 \) v% p' a" K( ~- v& u. u

+ S; {# V+ Q2 X3 Z" e) O" y=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: z  A& O2 ~. h! Q6 ~
   app like this:+ K3 z  O$ k( Q% J6 w
2 b% l. o& N8 i
   BPX exec_int if ax==68
* ~# X' j$ u9 T6 f   (function called is located at byte ptr [ebp+1Dh] and client eip is# @+ O7 X* E6 E: I
   located at [ebp+48h] for 32Bit apps)
) B* E0 w0 c' `__________________________________________________________________________. E/ X( W' z( O9 O4 Z! z
& u$ q& {" P& h6 k5 K% i; ~: L0 y
% }& j# `8 M3 @3 V# L' Q0 b, Z
Method 08
) C8 ^  C. G9 j* R, Q=========
% Y1 X* u( K0 r$ R
9 V( l" q" B! ^1 T2 X2 VIt is not a method of detection of SoftICE but a possibility to crash the
3 f9 Z& b; @1 s+ r" ^5 o9 B# ]; Fsystem by intercepting int 01h and int 03h and redirecting them to another" Y4 O0 e! R4 q9 s9 H) y! U. O
routine." F5 B( v- N. Y
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points3 o. m4 |6 i* @8 l# O
to the new routine to execute (hangs computer...)
1 f$ a+ v; A4 f( Y4 a: P4 G; I& p7 J# s2 {8 v7 U2 C
    mov     ah, 25h- r, y2 Q$ @! H# O
    mov     al, Int_Number (01h or 03h)
7 X# k! v, i( J! k% R! _2 a    mov     dx, offset New_Int_Routine" i7 D$ ]# p, y: r& T
    int     21h$ U5 H. L5 s& E
) F" u4 L9 l, b( }  W
__________________________________________________________________________: A% z9 j  A+ i4 e

, M4 o: k2 C* ]( }Method 09. x! \, n6 Y* O, w( b  ~' I% B& i! u
=========
' S- y/ ]# ~5 a9 U" N8 S* _
1 V& F: q2 J$ m9 q- eThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* M. Y9 O8 `5 N' w2 D0 q+ wperformed in ring0 (VxD or a ring3 app using the VxdCall).
6 q: M1 T, q7 C# E$ }3 xThe Get_DDB service is used to determine whether or not a VxD is installed  \) A5 y. h9 z" k& T
for the specified device and returns a Device Description Block (in ecx) for0 W! y+ s1 U; F! w% e$ a* Z
that device if it is installed.
' P- \+ V" X) u, u! T: z  Z1 F4 a' x5 t. V" v5 x
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID* `6 p9 _1 f- l1 x5 B( T" J- w# q
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
" M9 c+ P, R' u   VMMCall Get_DDB
4 |4 n% {, z4 [: R   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed0 f; \6 X# v9 o* i( t& L
" o5 w; z. h0 [2 I  u# [$ I
Note as well that you can easily detect this method with SoftICE:: @7 c0 y! g4 W5 J, C
   bpx Get_DDB if ax==0202 || ax==7a5fh$ t- w3 p5 V5 ~1 \- b. p, ?
! c1 K, S8 A# i
__________________________________________________________________________
' T, w# U9 F8 O$ T+ d: Z  O! g' a3 Z# V& ~2 s
Method 10
: L5 Y2 [; j8 _+ B=========
# X& T8 y% w9 k. u! L5 V. T+ B% I; C; S0 h5 Z" G; n! N
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with5 b' N0 ^/ x2 E- N' y7 C/ V
  SoftICE while the option is enable!!4 Q  p! ~' N+ x/ Z- X5 p* R

' e6 z. D& O6 d! ?- O9 kThis trick is very efficient:7 k2 B; D2 q& {6 A0 `3 W# o7 X# B
by checking the Debug Registers, you can detect if SoftICE is loaded
4 r; O% ?( e* }' S3 B! A0 M# B(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if% ]8 u& L5 j: D. [3 H7 w' A
there are some memory breakpoints set (dr0 to dr3) simply by reading their; w5 B* `% Q, _
value (in ring0 only). Values can be manipulated and or changed as well+ y: b9 j5 a* }* {* g
(clearing BPMs for instance)
$ ~- x- M: R+ Y7 G. l  t+ Z# @& p4 ^  g
__________________________________________________________________________0 r; V7 U7 i/ A$ [+ B  N

9 x" j) j! D! E* X. lMethod 11
6 ?0 @3 \9 X& }( w8 S=========! a' t9 ~. X' ]
9 K& I' O) I( n# y# W+ N$ Z3 `- |
This method is most known as 'MeltICE' because it has been freely distributed0 ]: n. b7 l: q4 Y
via www.winfiles.com. However it was first used by NuMega people to allow! o/ `$ R7 ]+ Q8 X
Symbol Loader to check if SoftICE was active or not (the code is located
! i# |6 d) m3 h$ E1 q% [inside nmtrans.dll).
, w( M: D9 A8 c' P7 T
9 u  A5 X$ m# V: O' \& [; LThe way it works is very simple:
5 X$ O$ \! I, |It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for. D3 [/ Q, ?8 j$ n* d! \7 i
WinNT) with the CreateFileA API.! W0 f9 `3 L: T5 o+ d% g5 e2 Q

. k+ A# \, \2 X. w/ ?' |, XHere is a sample (checking for 'SICE'):0 M- |2 O$ N8 F5 v
: }9 J# U" F' m- G7 X: r& I( p
BOOL IsSoftIce95Loaded()
" g) N, X& F" N1 ]" c, k$ H: j{
% ]$ j2 m5 X* H" I; U$ J, c& O! x   HANDLE hFile;  
* J, {$ c( m' j9 J4 b2 Q7 T   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,% n9 g$ a, d8 v" w6 S+ O
                      FILE_SHARE_READ | FILE_SHARE_WRITE,( G+ B# C/ ~# v2 E
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);6 J# s. T7 P: L4 ~& T6 i$ Y
   if( hFile != INVALID_HANDLE_VALUE )
4 Z8 Z" U" h3 M5 X1 h& e   {) l: Y# n3 s- T/ N& W
      CloseHandle(hFile);
( b' b# k" {+ f4 r3 }! P" K      return TRUE;: [" z5 V& k, I
   }8 Q, }4 R! P: ^# h
   return FALSE;
' _8 Q: k- N0 Q, K: S) \# y}" L  A# s% J- W: ]

1 j3 I/ J% n5 P# _7 WAlthough this trick calls the CreateFileA function, don't even expect to be8 u0 L. ~' L# X3 J5 O) G* T; a
able to intercept it by installing a IFS hook: it will not work, no way!
9 A- ]6 b- ?7 e) N; [( X. oIn fact, after the call to CreateFileA it will get through VWIN32 0x001F( V6 O+ v# u+ D
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)* y1 f) ?( J: m3 C% e, T/ N
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! t8 H+ P! p  {# ?& Y) X
field.$ D! p2 D' s- k: o3 M% `
In fact, its purpose is not to load/unload VxDs but only to send a . F3 T1 T1 [/ ^( ]8 x
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
1 m0 i7 x$ N' r5 Z  k6 a- }7 B# I9 Dto the VxD Control_Dispatch proc (how the hell a shareware soft could try
  K4 @* I" r% ]5 E+ s' [7 g. E- s4 n% Tto load/unload a non-dynamically loadable driver such as SoftICE ;-).2 C9 W' A. _! |+ S) o
If the VxD is loaded, it will always clear eax and the Carry flag to allow
6 A- F3 b( x1 m9 Y( `its handle to be opened and then, will be detected.' a% `7 i: D" S& e9 ~
You can check that simply by hooking Winice.exe control proc entry point, a, X$ W* r# }% K. w
while running MeltICE.
/ p% G2 F1 f. l1 x
6 n: R; G5 T# r$ W! G5 l1 v0 d/ O# {! j# T8 _
  00401067:  push      00402025    ; \\.\SICE
$ [) P( u% c) j7 p) @  V+ E! h" P  0040106C:  call      CreateFileA
, V& p7 {$ m( z0 U1 e  00401071:  cmp       eax,-001
5 i9 u; T1 W7 d+ \, I  00401074:  je        00401091
4 ]: j- F" ^) _6 M8 H
0 c+ ]  d' i: ~* `& t
$ Q" ]! y6 ]! K! yThere could be hundreds of BPX you could use to detect this trick.
+ t8 e& ^, p  N! e7 G-The most classical one is:9 O. F6 X; c2 c+ ]" n5 R/ F
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
8 ~. M; F" {0 @$ R: V$ s( j3 k# m    *(esp-&gt;4+4)=='NTIC'5 p" j$ ]9 [- H4 C

  W' f3 b, ?  h+ y) ~. |7 g  Z-The most exotic ones (could be very slooooow :-(; W- [) Z  K5 M/ _9 x2 Q* U
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  + z: t* q$ c6 o# b, ]  h7 e$ D
     ;will break 3 times :-(5 E6 D" q# @: @  b" E# ^
  D& a/ G1 x" a& i- B3 V
-or (a bit) faster: , B/ K( M  f; N9 i' R% C
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): C  W% J* J6 ~/ S' M7 [: F& v5 T

7 i' K& s$ ]8 I( Y   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  7 i: M: p: m" f' |0 b! Y
     ;will break 3 times :-(
4 ^; }$ M4 e, r& V3 B1 y5 b/ e2 k0 h# \+ L
-Much faster:. A" H8 h) e7 c: u
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'  i$ C1 v: A! `6 X5 P; w1 J; n( @0 e
1 Z; o+ G8 w- r/ R
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen7 Z2 g; ~1 P( [
function to do the same job:  {8 Y# J/ ]/ g% ]4 o7 g3 n' d+ j# Z

$ o% D# _( {  u7 e   push    00                        ; OF_READ
! n* Y5 P1 f+ k- @   mov     eax,[00656634]            ; '\\.\SICE',0( ~( Q2 C+ H3 v) l7 m
   push    eax
4 I1 L. s9 @# n7 s   call    KERNEL32!_lopen# [- h5 ]) e+ S4 {( K5 U! O
   inc     eax
' f+ x) S$ c( N5 H' U9 D   jnz     00650589                  ; detected: F( z3 y" Q, ~/ v
   push    00                        ; OF_READ
6 @& G9 _* P6 ^2 u% H8 F) L   mov     eax,[00656638]            ; '\\.\SICE'
; f8 T; D- o: v  `# e' n( `   push    eax% y; s! O5 j* L
   call    KERNEL32!_lopen3 v% m7 k1 \1 X+ J6 J0 v; e# E
   inc     eax' r+ q4 Z7 H4 H/ d
   jz      006505ae                  ; not detected- |# l% l6 G) Y, u# R/ G  g1 b

+ _5 r4 L  A+ e7 E; C! d- D
9 V4 y: T9 ~; i__________________________________________________________________________2 l% n) b9 F/ @4 A$ O8 \
' G8 }( V% z$ d8 J6 Y* g3 m
Method 12
' t, V1 y6 f4 F8 j( A, K=========% d5 H5 C9 ^/ y. }$ A2 I8 l* \" _/ J
+ a  ]) _; a2 A' R4 U( k" D
This trick is similar to int41h/4fh Debugger installation check (code 05: \* q1 Y' D' D, {( _1 U
&amp; 06) but very limited because it's only available for Win95/98 (not NT)6 F+ u4 f" O( f% d) I; @: `
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
4 Z/ f1 B- u: }6 ~, F8 u
6 B9 u. E3 V3 m   push  0000004fh         ; function 4fh& G3 o( F. X' Q2 k' C
   push  002a002ah         ; high word specifies which VxD (VWIN32)
/ a  f5 T+ s% K5 A' ]0 o0 v3 R                           ; low word specifies which service* h1 B- Q* m# p
                             (VWIN32_Int41Dispatch); q+ n8 J7 ]3 _8 @/ j+ E
   call  Kernel32!ORD_001  ; VxdCall
. G1 V, I7 ^7 q2 T( `6 _% M   cmp   ax, 0f386h        ; magic number returned by system debuggers
0 Z& t2 w0 c% `& S   jz    SoftICE_detected
+ U$ P) ~1 F5 H9 v6 L, D% p9 b( v% t$ b6 n  P" o' o) d  J
Here again, several ways to detect it:- M1 e/ L( J: i/ A+ w* Z

/ v$ P. H5 U, Q& G1 u+ A    BPINT 41 if ax==4f
" f) c4 d( I6 o1 R1 g: O0 B- @* P% A' b9 G0 R/ O
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
. r& O3 h- k# H
0 s- P4 ?1 v3 g+ B' m    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
! I7 E% U3 e7 E6 a- b, @
. X/ k+ k! W- N; U' h8 z3 N4 m    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!. y. x& `3 L1 `6 Y: A
/ t/ ~' i  \2 d4 L, X  j( n
__________________________________________________________________________+ k0 B4 S* u0 w9 H9 P  D/ q5 O

% x& O( U& O6 Z' V2 b9 E2 y. _Method 13; g, x, L- {* O6 e/ Z
=========
: `- N& ^  Q3 W( w. Q$ f7 L; G5 k! L
Not a real method of detection, but a good way to know if SoftICE is0 x. N3 V. b2 r# s( v" [
installed on a computer and to locate its installation directory.
  [$ f& Z( @8 L) g* C2 fIt is used by few softs which access the following registry keys (usually #2) :6 A/ i2 m$ p2 {6 z& }
+ J( s* n& l. R6 m, L
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion# @3 m2 O! s+ {0 x0 e0 M
\Uninstall\SoftICE+ _) M+ F" U. o+ C" M5 m- l6 S
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE: C" D, p+ C- A0 T: h0 ~) A8 \
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 k  o3 P3 \" t
\App Paths\Loader32.Exe
% m' Y: x. J) S9 @: D4 i
! c6 Q- S- e' K# b5 h. u+ u3 K' S# w: z: a% _% P* ]- x1 Q$ n
Note that some nasty apps could then erase all files from SoftICE directory6 P1 G; B/ w& j% L- d( `. ^# E* p; k  K
(I faced that once :-(
% o0 l# O' L* o4 z  p- Y8 L: M$ @$ I
Useful breakpoint to detect it:  }/ z. q2 ?, ~6 W6 H" {
; X( o, X0 w& z6 B
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'' b" n; F/ o: T# U2 a( o. G
4 @4 S1 q# y, v1 c' m5 i' w
__________________________________________________________________________/ ?. _8 v) d, {, K- L% X7 i, t$ x

! I+ ~* p/ d+ i0 p7 y; {* K2 c& x4 d$ p- U  K& D
Method 14
% m! d7 s. N* j2 W; }/ y/ a. N=========
/ d4 a/ g9 v# G" a5 M0 X/ s* |
; e0 J4 q" [7 ~A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose& v8 ^/ l: o5 h5 v
is to determines whether a debugger is running on your system (ring0 only).
" z, X$ k2 T% i  E+ r; X1 U, u: I% g5 @
   VMMCall Test_Debug_Installed$ N" w- U5 \" Z3 T- g8 E* h% Z
   je      not_installed: z) Q( H/ m& I* E: A& ~2 b( o
1 L/ T" o) j1 k5 d
This service just checks a flag.$ ^1 {$ I' s2 U. i, o( S
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 11:06

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表