About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: if SoftICE is loaded it
answers the int 3 and al no longer holds the 4 that was put there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point). ES:DI comes back as 0:0 when no VxD with that
ID is loaded, so the segment and offset are just added together as a cheap
non-zero test:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is swapped for a
do-nothing handler first, so that without a system debugger the call returns
with ax untouched (es must already be 0, the IVT segment, as method 06 sets
up explicitly):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The installed handler only copies al into cl; if the int 41h never reaches it
(a system debugger has taken the vector for itself), cl stays 0 and differs
from al. Note that this check silently misses whenever the byte read from
port 40h happens to be 0.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

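Every check in methods 01 to 07 hard-codes a constant: the 'BCHK' signature, the 4647h/4A4Dh back-door values, the 0202h/7A5Fh VxD IDs and the 0F386h reply. A first pass over a packed binary can therefore just look for those immediates. The C scanner below is an added example, not code from the original text or from any of the protectors named above. The byte patterns are the 16-bit encodings of the instructions listed (32-bit for the BCHK sequence, which is how method 01 writes it); the buffer it scans is a constructed sample that reassembles the method 02 loop followed by a method 05 check.

```c
/* sice_sigscan.c: static scan of a code blob for the constants the
 * anti-SoftICE checks above hard-code.  Added example, not from the
 * original text.  Byte encodings assume the stated operand size. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *what;   /* which trick the constant belongs to */
    const uint8_t *bytes;  /* opcode followed by little-endian immediate */
    size_t         len;
} signature;

/* Method 01: mov ebp,4243484Bh ('BCHK'), 32-bit encoding */
static const uint8_t s_bchk[]       = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };
/* Method 02: mov si,4647h and mov di,4A4Dh, 16-bit encoding.  32-bit code
 * puts a 66h prefix in front of each, so they are two patterns, not one. */
static const uint8_t s_si_fg[]      = { 0xBE, 0x47, 0x46 };
static const uint8_t s_di_jm[]      = { 0xBF, 0x4D, 0x4A };
/* Methods 03/04: mov bx,0202h (SICE) and mov bx,7A5Fh (SIWVID) */
static const uint8_t s_vxd_sice[]   = { 0xBB, 0x02, 0x02 };
static const uint8_t s_vxd_siwvid[] = { 0xBB, 0x5F, 0x7A };
/* Methods 05/06/07: cmp ax,0F386h (a 66h prefix precedes it in 32-bit code) */
static const uint8_t s_f386[]       = { 0x3D, 0x86, 0xF3 };

static const signature sigs[] = {
    { "mov ebp,'BCHK' (method 01)",        s_bchk,       sizeof s_bchk },
    { "mov si,4647h back door (method 02)", s_si_fg,      sizeof s_si_fg },
    { "mov di,4A4Dh back door (method 02)", s_di_jm,      sizeof s_di_jm },
    { "int 2F/1684 SICE id (method 03)",    s_vxd_sice,   sizeof s_vxd_sice },
    { "int 2F/1684 SIWVID id (method 04)",  s_vxd_siwvid, sizeof s_vxd_siwvid },
    { "cmp ax,0F386h (methods 05-07)",      s_f386,       sizeof s_f386 },
};

typedef struct { size_t offset; const char *what; } hit;

/* Naive byte-string search over the whole buffer.  Returns the total number
 * of hits; at most 'max' of them are written to 'out'. */
size_t scan_signatures(const uint8_t *buf, size_t len, hit *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
            if (sigs[s].len <= len - i &&
                memcmp(buf + i, sigs[s].bytes, sigs[s].len) == 0) {
                if (n < max) { out[n].offset = i; out[n].what = sigs[s].what; }
                n++;
            }
        }
    }
    return n;
}

/* Constructed sample (16-bit code): the method 02 loop body from the HASP
 * envelope, then the simplest method 05 check. */
static const uint8_t sample[] = {
    0xB8, 0x11, 0x09,        /* mov ax,0911h  */
    0x8B, 0x17,              /* mov dx,[bx]   */
    0xBE, 0x47, 0x46,        /* mov si,4647h  */
    0xBF, 0x4D, 0x4A,        /* mov di,4A4Dh  */
    0xCC,                    /* int 3         */
    0xB8, 0x4F, 0x00,        /* mov ax,4Fh    */
    0xCD, 0x41,              /* int 41h       */
    0x3D, 0x86, 0xF3,        /* cmp ax,0F386h */
    0x74, 0x00,              /* jz $+2        */
};

size_t sample_hit_count(void)
{
    hit tmp[16];
    return scan_signatures(sample, sizeof sample, tmp, 16);
}

/* Offset of the idx-th hit in the constructed sample, or (size_t)-1. */
size_t sample_hit_offset(size_t idx)
{
    hit tmp[16];
    size_t n = scan_signatures(sample, sizeof sample, tmp, 16);
    return (idx < n && idx < 16) ? tmp[idx].offset : (size_t)-1;
}

int main(void)
{
    hit hits[16];
    size_t n = scan_signatures(sample, sizeof sample, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("%04zx  %s\n", hits[i].offset, hits[i].what);
    return 0;
}
```

A hit is a lead, not proof: the scanner finds immediates, not the surrounding instruction sequence, and a protector that builds 4647h or 0F386h at run time (xor, add, table lookup) will not show up. Treat a miss as a reason to fall back on the BPINT/BPX conditions given with each method.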
" ^3 R/ ^. v1 @Method 08
  r% d9 q5 Q2 b=========1 X: _1 j. s5 d! f
" a$ u# }6 a$ [
It is not a method of detection of SoftICE but a possibility to crash the+ W. w) z" F; ^
system by intercepting int 01h and int 03h and redirecting them to another
. \5 ?* V9 ~8 \7 _" P/ oroutine.
& H* d: ?9 }  c3 D" P2 M0 `- ^+ lIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: D: N, R, E' W) M2 o+ z8 l- _
to the new routine to execute (hangs computer...)4 a% k9 A  ]9 p& g

3 o5 H3 b. z1 m  O. G$ h7 J5 t    mov     ah, 25h
! L4 [1 {7 Y* \    mov     al, Int_Number (01h or 03h)
' j2 V% \& d5 Y8 U  `    mov     dx, offset New_Int_Routine
: y/ ?5 x" o0 i  {% g    int     21h
( Q8 C( a# {& P- v* \$ |1 X0 j- |- B
__________________________________________________________________________
; {7 w  H: X+ V  H
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
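To make the two DR7 values above concrete: bit 10 of DR7 always reads as 1 (that is the 0x400), and the 0x700 seen after the SoftICE loader adds the LE and GE bits (8 and 9). The per-slot enable bits L0/G0 to L3/G3 sit in bits 0-7 and each slot's R/W and LEN fields in bits 16-31, which is where a set BPM shows up. The decoder below is an added example, not from the original text: it interprets a DR7/DR0-DR3 snapshot that a ring0 component has already read (the code does not touch the real registers, which a ring3 program cannot do anyway), and the register values it is fed are constructed samples.

```c
/* dr7_decode.c: interpret a Debug Register snapshot the way a ring0
 * anti-debug check would.  Added example, not from the original text.
 * Bit layout (Intel SDM vol. 3, DR7): L0/G0..L3/G3 in bits 0-7, LE bit 8,
 * GE bit 9, bit 10 reserved and always 1, GD bit 13, R/Wn in bits 16+4n,
 * LENn in bits 18+4n. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int enabled;    /* local or global enable bit set for this slot */
    int rw;         /* 0 execute, 1 write, 2 I/O (needs CR4.DE), 3 read/write */
    int len;        /* 0 = 1 byte, 1 = 2 bytes, 3 = 4 bytes (2 = 8 bytes, long mode only) */
    uint32_t addr;  /* linear address from DRn */
} hwbp;

typedef struct {
    int loader_bits;    /* LE|GE set: the 0x700 the text reports under the SoftICE loader */
    int count;          /* enabled slots, i.e. live hardware breakpoints (BPMs) */
    hwbp bp[4];
} dr_state;

dr_state decode_debug_regs(uint32_t dr7, const uint32_t dr[4])
{
    dr_state st = {0};
    st.loader_bits = (dr7 & 0x300u) != 0;
    for (int n = 0; n < 4; n++) {
        st.bp[n].enabled = ((dr7 >> (2 * n)) & 3u) != 0;
        st.bp[n].rw      = (int)((dr7 >> (16 + 4 * n)) & 3u);
        st.bp[n].len     = (int)((dr7 >> (18 + 4 * n)) & 3u);
        st.bp[n].addr    = dr[n];
        if (st.bp[n].enabled) st.count++;
    }
    return st;
}

/* What "clearing BPMs" amounts to: drop every enable bit and every R/W-LEN
 * field, keep LE/GE/GD and the always-set bit 10.  A protector that writes
 * this back to DR7 in ring0 silently disarms the debugger's BPMs. */
uint32_t clear_hw_breakpoints(uint32_t dr7)
{
    return dr7 & 0x0000FF00u;
}

/* Constructed sample: program started through the SoftICE loader (LE|GE
 * set) with one 4-byte write breakpoint armed in slot 0 at 00401000h. */
static const uint32_t sample_dr7   = 0x000D0701u;
static const uint32_t sample_dr[4] = { 0x00401000u, 0, 0, 0 };

int loader_bits_of(uint32_t dr7)   { return decode_debug_regs(dr7, sample_dr).loader_bits; }
int sample_bpm_count(void)         { return decode_debug_regs(sample_dr7, sample_dr).count; }
int sample_slot0_rw(void)          { return decode_debug_regs(sample_dr7, sample_dr).bp[0].rw; }
int sample_slot0_len(void)         { return decode_debug_regs(sample_dr7, sample_dr).bp[0].len; }

int main(void)
{
    dr_state st = decode_debug_regs(sample_dr7, sample_dr);
    printf("dr7=%08x loader bits=%d enabled slots=%d\n",
           (unsigned)sample_dr7, st.loader_bits, st.count);
    for (int n = 0; n < 4; n++)
        if (st.bp[n].enabled)
            printf("  dr%d=%08x rw=%d len=%d\n", n, (unsigned)st.bp[n].addr,
                   st.bp[n].rw, st.bp[n].len);
    printf("after clearing: dr7=%08x\n", (unsigned)clear_hw_breakpoints(sample_dr7));
    return 0;
}
```

The 0x400/0x700 distinction only tells the protector how the program was started; a SoftICE that is resident but was not used to load the program leaves LE/GE clear, which is why the enable bits and the DR0-DR3 addresses are the part worth reading.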

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE VxD answers an open of its device name.
   The same call with "\\\\.\\SIWVID" (Win9x) or "\\\\.\\NTICE" (WinNT)
   covers the other two drivers. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns -1 on failure, hence the inc/jnz):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
falls inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>