About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes ES = 0 (IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one!

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
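As an added example (not part of the original post), here is a small static scanner that looks for the byte encodings of the instruction sequences quoted above (methods 01 to 05, 07, 11 and 12) in a raw binary, so an analyst can flag which anti-SoftICE tricks a sample carries before running it under a debugger. The opcode encodings and the sample buffer are hand-assembled here and are my assumptions, not material from the post.

```python
import re

# Each entry: (method number from the post, description, byte regex).
# The patterns are the hand-assembled x86 encodings of the quoted
# instruction sequences (assumed by this example, not given in the post).
SIGNATURES = [
    # Method 01 (32-bit code): mov ebp,4243484Bh ('BCHK') ... int 3
    ("01", "BoundsChecker 'BCHK' int 3 probe",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),
    # Method 02 (16-bit code): mov si,4647h ; mov di,4A4Dh ; ... ; int 3
    ("02", "SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h ; mov bx,VxD_ID ; int 2Fh
    ("03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"),
    ("04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("05", "int 41h/4Fh debugger installation check",
     rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("07", "int 68h/43h V86 handler check",
     rb"\xB4\x43\xCD\x68"),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11", "MeltICE driver name (SICE/SIWVID/NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch)
    ("12", "VxDCall VWIN32_Int41Dispatch function 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


def scan(data: bytes):
    """Return sorted (offset, method, description) hits found in data."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        # DOTALL so a 0x0A byte inside the allowed gap does not break a match.
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(data: bytes):
    """Distinct method numbers hit, in ascending order."""
    return sorted({method for _, method, _ in scan(data)})


# Constructed sample: the Haspinst.exe loop body from Method 02 assembled
# by hand, then the Method 05 probe, then a MeltICE-style device name.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"          # mov ax,0911h
    + b"\x8B\x17"              # mov dx,[bx]
    + b"\xBE\x47\x46"          # mov si,4647h
    + b"\xBF\x4D\x4A"          # mov di,4A4Dh
    + b"\xCC"                  # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"  # mov ax,4Fh ; int 41h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"       # '\\.\SICE',0
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"0x{offset:04X}  method {method}: {desc}")
```

Real binaries may encode the same instructions with operand-size prefixes or different register orderings, so treat a hit as a lead to confirm in a disassembler rather than as proof.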
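A second added example, also not from the post: a decoder for the DR7 values quoted in Method 10, using the documented DR7 bit layout from the Intel SDM, so the 0x700 / 0x400 observation and any dr0..dr3 memory breakpoints can be read off field by field. The input values are constructed; nothing here touches real debug registers.

```python
# DR7 field layout (Intel SDM vol. 3, "Debug Registers").
RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # LEN=10b means 8 bytes in 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Return the control flags plus one entry per enabled dr0..dr3 slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1     # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue                        # slot disabled: dr_i is unused
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/W_i: bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * i)) & 3      # LEN_i: bits 18-19, 22-23, ...
        slots.append({"slot": i,
                      "scope": "global" if glob else "local",
                      "kind": RW_KIND[rw],
                      "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),        # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),        # global exact breakpoint enable
        "bit10": bool(dr7 & (1 << 10)),    # reserved, always reads as 1
        "gd": bool(dr7 & (1 << 13)),       # general detect: trap any DRx access
        "slots": slots,
    }


def loaded_via_softice_loader(dr7: int) -> bool:
    """Method 10's observation: 0x700 (LE and GE set) versus the 0x400 default."""
    return (dr7 & 0x300) == 0x300


def bpm_count(dr7: int) -> int:
    """Number of hardware (BPM-style) breakpoints currently enabled."""
    return len(decode_dr7(dr7)["slots"])


# Constructed values: the two quoted in the post, plus one with a 4-byte
# global write breakpoint armed in slot 0 (G0=1, R/W0=01b, LEN0=11b).
EXAMPLES = {
    "softice_loader": 0x700,
    "plain": 0x400,
    "one_bpm": 0x400 | 0x2 | (0x1 << 16) | (0x3 << 18),
}

if __name__ == "__main__":
    for name, value in EXAMPLES.items():
        print(name, hex(value), decode_dr7(value))
```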