找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500># k& B" z* t5 k9 k
<TBODY>
) R  K; @* ?4 B: `! `# a4 ?9 V<TR>+ t9 ], w0 [0 ?/ M
<TD><PRE>Method 01 : a! f& u( K7 m  [
=========: z& s! y, m. g; z

9 T8 Q& G8 ?9 L  ~1 D" k  @6 m4 n- ?This method of detection of SoftICE (as well as the following one) is% O* I9 M4 M4 ~; |1 h$ \. {
used by the majority of packers/encryptors found on Internet.1 c$ ]6 ~0 R" F" E
It seeks the signature of BoundsChecker in SoftICE
0 X$ L1 l& q, d# g* X9 |8 X9 y/ e7 i( f: V
    mov     ebp, 04243484Bh        ; 'BCHK'
$ R' s( X! J& Y+ z7 i+ x    mov     ax, 04h
4 n1 _1 T3 s3 i3 N: O/ Y& n+ O    int     3       7 r( r0 e" T: f8 k1 B
    cmp     al,47 `7 S7 j# q0 A4 q8 [" j
    jnz     SoftICE_Detected
5 n$ F1 @% _  ?
& M6 ~% ]( g6 N. r. z: Q___________________________________________________________________________$ p7 B% }( L8 T* \5 I( y
1 j* T, A/ r. F
Method 02
$ n4 _3 Q& D  q/ Z=========
8 L7 k. t* L( h, p9 X- a/ w1 F4 B2 J7 k1 M* h
Still a method very much used (perhaps the most frequent one).  It is used9 H; Z  _" G4 e1 G8 J
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,) Y& l& k( _/ K! g0 h  |/ |# I
or execute SoftICE commands...
9 x- N/ u( Q+ g& I" T6 WIt is also used to crash SoftICE and to force it to execute any commands
& I. S5 m" u& `4 K(HBOOT...) :-((  ( R( h0 ~$ x9 _+ }- C  x
7 q  Y" L1 [2 ]+ K4 N& h. C- ]
Here is a quick description:
4 B; J  |3 }6 x$ v/ V1 {" x' G-AX = 0910h   (Display string in SIce windows)* r- y  r! Z% i8 K5 _
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)$ v" ^. U8 s4 W2 K
-AX = 0912h   (Get breakpoint infos)
) o  G1 N# T0 M% H/ f6 V+ S4 h5 W-AX = 0913h   (Set Sice breakpoints)
' W& z  e" C% i! A4 J/ l-AX = 0914h   (Remove SIce breakoints)# x* Z# {" B: q7 {$ L6 b

. P* x' t9 |' e/ @* o1 sEach time you'll meet this trick, you'll see:
! \) `0 t* o/ D$ I-SI = 4647h( J: N: Y5 u% |7 \( Y5 L+ s
-DI = 4A4Dh) D& P" ^3 C* B# ^, u/ e6 G# k
Which are the 'magic values' used by SoftIce.
- @5 D6 z; {8 p. R" Q7 wFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.  Q) }" i& ^9 u& `5 w2 L3 {

' o6 b* p& J$ z' ~! Z+ WHere is one example from the file "Haspinst.exe" which is the dongle HASP* u$ d- Z7 N; l4 ?3 U- `0 H
Envelope utility use to protect DOS applications:5 m! o" y( L" i3 Z3 z4 I# [1 R
: {2 N( D! \5 @% J7 ^8 n
6 M/ K! [: i( W0 [7 W! d
4C19:0095   MOV    AX,0911  ; execute command.1 Y/ x# M3 A) |) x3 {8 M8 g- u- c1 g
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
5 O% l" r) z0 I% E4C19:009A   MOV    SI,4647  ; 1st magic value.
) V5 {( N/ b: l, X- H4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4 L" m) N4 `) _. G% H4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)6 Y3 S  ]$ y6 [+ O
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute* ^& A( ~. D) ]- _9 w
4C19:00A4   INC    CX
& a$ u# H9 j0 X4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute7 Q$ I# Z; `# h: k/ ^
4C19:00A8   JB     0095     ; 6 different commands.
# x7 y' t  h2 ]8 Q! I2 N) h8 ?8 d( |4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
, h; J9 s) j8 D; \+ J+ j4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)& ~2 ]# v# e0 [4 I1 a3 j5 m
  i1 c. Z' B" b7 r
The program will execute 6 different SIce commands located at ds:dx, which
2 `8 b* i' R2 u& V7 Z, Iare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.$ p% I2 u5 h0 {# X, J* z4 n

) S8 f% V4 \  ^% O* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded." A3 g% ]5 ]  j0 T' p( t% P
___________________________________________________________________________
8 k5 O! k0 }/ a9 G2 w5 Y/ ?0 E- {2 Q9 H5 _  X
/ E4 p) T+ a: x5 t  R. P9 L1 R" E
Method 03
' v& \+ Z% z. s4 ?=========  F' `0 G2 I7 L8 J, [, M& O
* N6 q# t8 t7 l8 P9 g- w
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 P9 q6 n" w# J+ C1 k(API Get entry point)0 v+ o" r- L2 |( X5 K- T
        " M3 `5 g' a3 A+ Z- \1 K# E4 P# F

# k/ E) M5 d! B2 e9 q    xor     di,di
3 k' N& }; s- g    mov     es,di
/ F5 \4 x$ n5 Q: n    mov     ax, 1684h       $ V6 \% P7 k, r: U: \1 T: u: X
    mov     bx, 0202h       ; VxD ID of winice
9 M. |+ H$ G6 k! F    int     2Fh
- e- l' ]0 N- k% m7 C    mov     ax, es          ; ES:DI -&gt; VxD API entry point% h) s8 _# ~& _8 V) g- R' k+ k0 x
    add     ax, di2 B) c- U! p# [2 b: C1 {
    test    ax,ax' c: r0 N3 i, B" k$ T: z
    jnz     SoftICE_Detected" I+ O- j& |  h6 q( h! s0 y
' U: l5 j# O% `
___________________________________________________________________________
3 r+ X2 [4 r6 [2 @1 s2 Q3 j$ v
: h0 R  n, ~0 |. ZMethod 04
. O4 S# z- f% k* L=========
/ ?# u. s$ b, Z6 Z# H* o
' D3 p% k/ z  R! nMethod identical to the preceding one except that it seeks the ID of SoftICE
: j  ~( y+ n7 E6 K6 VGFX VxD.# v( ]% a0 }8 [! ~4 F  H
( J3 t  E5 e, n# c5 r* p9 J
    xor     di,di
& O, j7 G  a* c  b3 e    mov     es,di
+ L+ u$ l$ \2 X2 b8 b8 t    mov     ax, 1684h      
6 v, l/ ~9 S% U' {. J- j! ?' D3 |    mov     bx, 7a5Fh       ; VxD ID of SIWVID+ D; a: r+ X, _& Q
    int     2fh& U" @, K/ c+ g: P' J
    mov     ax, es          ; ES:DI -&gt; VxD API entry point' d# ]% y1 ?6 Y- @
    add     ax, di& r1 s) n# j# }& @( K. {
    test    ax,ax2 ^6 ~8 g9 ^; \2 a7 Y" A& y
    jnz     SoftICE_Detected
% I3 ]; R. R! [4 L/ u. y4 A# U6 M# ^
__________________________________________________________________________/ i2 G" C8 @$ u. o4 P

, t, a3 _6 j( y3 F) b" h
; C, _5 |+ N  L$ _& tMethod 05
' C3 H4 E, Z- ~; q- w" t=========
$ j8 V9 u6 r% B8 g" u4 G! _0 B8 j8 T9 i; H! v+ J4 d+ O/ K" v
Method seeking the 'magic number' 0F386h returned (in ax) by all system& x- s' y2 A  m6 {
debugger. It calls the int 41h, function 4Fh.
! j3 X" f' {8 _  e8 b2 T% NThere are several alternatives.  
; p  w* T9 S0 C7 }9 H+ S: {6 E/ `. b' g5 R
The following one is the simplest:
0 H$ h7 p, Z) i
9 K+ u. H  E$ G+ t    mov     ax,4fh
* a# X0 v8 g0 `    int     41h
+ G+ H/ L" P, w- w' ^- a    cmp     ax, 0F386; U6 J2 ^2 _/ k
    jz      SoftICE_detected( S* D9 @/ `' Y. h
) ]0 A5 J1 p1 m+ J& D# a! H
$ i* n; i+ }9 ?6 g4 M
Next method as well as the following one are 2 examples from Stone's
$ E8 f7 K9 J# L8 J"stn-wid.zip" (www.cracking.net):: O- j, l9 _; @& Y$ }

" [" e/ Y  ?6 x* l1 ^* u6 N    mov     bx, cs
) q3 J; K$ r+ ]5 I0 e    lea     dx, int41handler2
  q5 _5 D3 W$ m) _    xchg    dx, es:[41h*4]
0 D! s) b& x) G0 {" M# r    xchg    bx, es:[41h*4+2]
. S6 a6 O1 E- D% p    mov     ax,4fh
6 ^8 p8 Y$ L. R7 r: k    int     41h. F8 ]( Y0 b  N- d- `" f! o3 r
    xchg    dx, es:[41h*4]: B5 C0 s& g3 D- g; k8 L1 X% s
    xchg    bx, es:[41h*4+2]
2 E5 c" b0 B9 V6 M* }9 c    cmp     ax, 0f386h
7 p( I- j. q( z* ~    jz      SoftICE_detected
  q0 J$ i( _! ?, ?. e# d
5 P* ]1 I8 B9 J5 [8 @# cint41handler2 PROC8 q3 ~5 d/ ^, ?1 h5 K
    iret
! B5 O* ?( N* Dint41handler2 ENDP7 c, l4 y# m/ |) ~* I, e" K8 a
$ W% v5 s2 }1 z' U+ v' a4 c
5 r( X3 M2 @. S' F: Z$ z, p! i: R
_________________________________________________________________________
% ]! O1 R, T: I7 J
, o- W2 \, L* ?
: i$ Q( \. ?- i$ PMethod 068 h" E0 t( s, J* W- y  f
=========: X: Y+ E& a) r3 c

% l2 g2 L9 S! r2 J9 r5 u  u) t1 @4 |  o1 y
; P/ s/ L$ {" W9 b8 d% s% \2nd method similar to the preceding one but more difficult to detect:) P6 R& f' Q0 X

) v) t$ p7 }; I6 a# n) D5 z: e! B1 o7 _- X
int41handler PROC7 N9 I' j* Z* U: e2 e0 P6 q0 h) j
    mov     cl,al$ v; ]3 i/ [* |
    iret
: {" y3 A+ R& ~0 Wint41handler ENDP2 D% C0 _' P) }1 g% P  A$ F

, i2 |$ N! C. f# E+ R# h6 p/ @7 K9 G  B
    xor     ax,ax! ~% ]* i1 Y+ x- o* l* v
    mov     es,ax- e6 R! P; w2 w# F! B/ G% `% U' Z1 @/ ?
    mov     bx, cs
3 j3 G$ a+ c% P# ?( T, B2 b    lea     dx, int41handler
. {4 ]9 Y: D, a    xchg    dx, es:[41h*4]
: f+ M$ E) z3 Z( G! [    xchg    bx, es:[41h*4+2]
9 |5 ^% ^7 v! h7 o$ q) M    in      al, 40h
% Q  ^% V) T6 F8 \# }' M    xor     cx,cx  E# k! p: Y" A% C- _; K
    int     41h
) Y* P+ b, n6 v0 b) u; l    xchg    dx, es:[41h*4]
( `- Y. F' _' W7 I    xchg    bx, es:[41h*4+2]5 o1 T3 o, r5 L2 A5 k
    cmp     cl,al
$ n; c3 c9 `- \& d% c" O    jnz     SoftICE_detected
* M  g; B5 s1 ~4 `& j8 v  s6 u, u" h& s/ y' N1 ?1 m1 Y: G% V- ~
_________________________________________________________________________
" Y4 A* o6 L8 ]4 u* l: F7 L
0 r! ]" K4 ?. g  N8 u- G6 lMethod 07& z: I" A/ j+ Z! D+ g. L# |3 }, B% X
=========
+ d. N# l* q6 l* }" S
, B) O5 Y: \" G) OMethod of detection of the WinICE handler in the int68h (V86)5 v: r! M+ A2 k! E; R
$ \1 W4 j; r: c2 F; z
    mov     ah,43h
, I1 u' B- s; s" t4 v    int     68h
/ N- g$ |, `! l5 H    cmp     ax,0F386h) p- e3 }: h- {. h6 X' D0 R
    jz      SoftICE_Detected
' R4 r1 m# ?* g1 |& i% C
5 H4 y6 a" F+ n+ f) m5 T1 }2 ~& O- `9 Q& _8 a1 b) n) _5 B# I
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 _5 H6 x8 f9 c$ a; X5 U   app like this:
$ m; F% Y1 O5 h2 K3 W7 g8 T% r9 |9 ]8 C* ^
   BPX exec_int if ax==68
( d; t5 T# o3 m1 Z) p% q   (function called is located at byte ptr [ebp+1Dh] and client eip is6 s4 ~% I/ {8 l- L- b4 A* s2 P! w
   located at [ebp+48h] for 32Bit apps). m9 x( z) a; k2 h: d0 ]7 w- r
__________________________________________________________________________
7 x; v# A' h" d
3 D0 U2 H' o. Q; g& o2 _6 a# N7 R. S4 L5 Y1 i
Method 08
+ Z  w2 o) o( W/ q1 T=========) ~' M" {! P. t
% |& @4 R- T/ `- Z& F
It is not a method of detection of SoftICE but a possibility to crash the
8 s1 w, o9 i3 e$ p( ssystem by intercepting int 01h and int 03h and redirecting them to another
" {  N, p9 e# C5 s7 Y0 _- e7 [routine.1 ^# Q% y& K: a. [" \/ E
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points6 |; P( `  R0 i: I( t' K3 P
to the new routine to execute (hangs computer...)/ R/ [3 p' b& Y; B$ U5 K
( B- R! n' R/ O& J" x7 U$ [
    mov     ah, 25h
- k) n9 n% B. I6 C    mov     al, Int_Number (01h or 03h)+ f8 G+ ^6 k  c+ ~% }6 n
    mov     dx, offset New_Int_Routine' G' |8 y9 F: e5 c5 ?3 }
    int     21h
  g  _( m) S: U' h( h; p
% q3 H3 Y" O& u% g3 X! o__________________________________________________________________________; N0 d+ p! z2 q4 G

  ~2 u( M4 C0 l4 I: {- XMethod 09
2 i4 T9 B& P# H=========
( o  o# A: K, |, Y0 E7 U1 G& B, d) {* j& M$ \/ ~0 E
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
$ \& d/ I2 `  h9 N2 {performed in ring0 (VxD or a ring3 app using the VxdCall).
: P$ p6 H2 d( }3 GThe Get_DDB service is used to determine whether or not a VxD is installed
0 o7 F% U5 N4 _5 r3 \  n6 Sfor the specified device and returns a Device Description Block (in ecx) for
1 t/ S. y# t3 [that device if it is installed.
( L5 k3 M2 q8 L1 h9 W- ^, k) _  t# f, [2 X# l, `' D1 o  s
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
2 `. F/ I! K' {/ \7 \7 Y$ m   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)! P. T9 `# o- E! @, i$ o
   VMMCall Get_DDB. v! \, f" |$ a* u& W( \  ~
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed$ T2 ]4 |1 \' G! `  @" S

5 F  ^- ~+ Q: o# wNote as well that you can easily detect this method with SoftICE:8 k# A2 r' L! L, j! f+ Y* |
   bpx Get_DDB if ax==0202 || ax==7a5fh* z5 A8 c6 N" |* ~( y
) K. g5 v; H4 n
__________________________________________________________________________
) p  u7 w3 k6 S- K& R% k
: A8 _) @# A$ h; lMethod 10$ z0 j5 H) P( O! [
=========" C. X' m7 t# y- Y$ |( Q0 q2 u# [

) d' O5 h4 y) T3 s# O( r5 h=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with( d3 @: a- L7 z0 M; ^
  SoftICE while the option is enable!!/ @2 x; [/ ^3 h
/ M4 U0 d: D2 x, m+ W
This trick is very efficient:3 e$ r1 Q* ?# x! J" @
by checking the Debug Registers, you can detect if SoftICE is loaded( ]7 {/ m7 y( f8 n- U: `( o% R) E
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if4 F8 I& C  D. z( f4 ?
there are some memory breakpoints set (dr0 to dr3) simply by reading their  i4 ?( b: ?, N5 q
value (in ring0 only). Values can be manipulated and or changed as well9 }9 l+ I3 V$ w" D
(clearing BPMs for instance), l7 h4 G) Q. ?

- }0 ~% p6 U$ m, q  L3 a8 u__________________________________________________________________________
) s! w% A, i' t2 t0 i. I, m* Z8 u9 X5 }' \
Method 11
" X$ B+ B& S: `( }=========
' c* F5 ?: g' d6 T3 h" w0 h3 v; r
3 n3 b. V4 ^+ Y+ f2 X3 B! ]This method is most known as 'MeltICE' because it has been freely distributed
( ~4 r4 Q- K; D% X) c+ M2 h9 rvia www.winfiles.com. However it was first used by NuMega people to allow
" I. a6 E) s% P) ?' ~- R8 @Symbol Loader to check if SoftICE was active or not (the code is located
5 B( _7 G2 H( I3 p- {( minside nmtrans.dll).
5 o! n% s/ E! ]8 Y5 T# B* l* z- `* @
The way it works is very simple:
, j( B0 Z; E1 n' [7 p4 z6 R/ PIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
  U% ]( N" x! J$ ^7 D; |WinNT) with the CreateFileA API.
5 |/ m) `$ w/ i. N! Q2 J. Z! E+ {  U0 d9 i9 `
Here is a sample (checking for 'SICE'):4 l  o; n% _# G: u* g

: h# G6 x. d7 u# w: d0 ~7 VBOOL IsSoftIce95Loaded(), I  V7 O' @; G
{
8 e% x9 V; R1 N# s9 ^   HANDLE hFile;  ( }4 Q) Q1 X/ y+ z
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
- @% y. h! D$ z                      FILE_SHARE_READ | FILE_SHARE_WRITE,1 E0 h. L% N+ N( D. j
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);9 i# ?& l! q% i/ `7 s' J
   if( hFile != INVALID_HANDLE_VALUE ). l# M: z8 U9 G0 H3 `9 W3 x
   {- E1 V/ r* h; {1 N1 q% Z# e4 l; E
      CloseHandle(hFile);
- _* U/ u( z3 l. B9 D, y      return TRUE;* i8 r& O6 \! [+ S
   }7 u- {/ E) I% e  Y6 s" f
   return FALSE;
, w* R* V9 L$ Z0 m% \6 E% G}
6 P/ K5 |# u7 v
5 C; j' \' |, `' h3 E/ D1 nAlthough this trick calls the CreateFileA function, don't even expect to be
8 z9 C0 j" F- v$ l: M) W7 u4 z+ }able to intercept it by installing a IFS hook: it will not work, no way!% y8 `* }; w: V
In fact, after the call to CreateFileA it will get through VWIN32 0x001F, L: f9 j7 h0 B- `, Q+ e+ |4 P3 K4 I
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function); K4 d( x- X# w/ j, a: B
and then browse the DDB list until it find the VxD and its DDB_Control_Proc! j/ v& K  L% ^. c7 J
field." d# r1 _" p" k  Q/ D. E9 P6 {
In fact, its purpose is not to load/unload VxDs but only to send a ! z/ s- ~8 j0 ^8 G; \
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)3 ]) d% p5 @8 Y/ ]; c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
8 \  g$ A; n4 O, ?! J" p# ?to load/unload a non-dynamically loadable driver such as SoftICE ;-).7 j: P; L* f8 m$ x
If the VxD is loaded, it will always clear eax and the Carry flag to allow7 g0 g4 ~% G4 ~5 r# f8 Z& E5 ^) j
its handle to be opened and then, will be detected.
0 X. C  }: d* c6 @You can check that simply by hooking Winice.exe control proc entry point9 G3 [+ C6 m: _3 F& p3 C7 P
while running MeltICE.
& i% k' O6 |- o( P! R- _" K% [9 r; L5 _: N8 u" \
  g1 x( _; |8 }: n$ [0 R' E
  00401067:  push      00402025    ; \\.\SICE5 n' a4 C# L4 ]
  0040106C:  call      CreateFileA7 t% O% E$ |( R! D
  00401071:  cmp       eax,-001& e" k$ \/ H0 p. _
  00401074:  je        00401091
8 @2 k4 l" X! b# P6 H2 L" A8 ~  r+ T8 m& d  z& t

5 b. r+ J  E9 _. U$ \There could be hundreds of BPX you could use to detect this trick.
3 n9 s" U$ a; E" z, O-The most classical one is:' o2 W1 c5 n: ^8 N$ _: Z
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
7 q* u# @! X3 n; o: W    *(esp-&gt;4+4)=='NTIC'- l' q0 i0 q* X6 b# E3 ^
7 d$ Y  [. r# S
-The most exotic ones (could be very slooooow :-(  u: \+ @3 w5 F6 m2 z
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ' S# ^! `& V( M7 l+ T& U, D, T
     ;will break 3 times :-(6 Z; `# v4 Y' D; W
& ~) H/ F: F" q5 u0 k
-or (a bit) faster: 5 L: K2 d7 J; h  J
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  {; |$ C1 X& D" u
5 ^! w1 E6 [) T: T: I5 b1 M   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  2 O6 z$ q4 c) R) f: q' [4 F
     ;will break 3 times :-(
9 V8 k" C; E* G) |4 I  K5 b+ V- I, T$ F6 ]/ f; _& b
-Much faster:7 d2 A0 \+ K$ w: ~. W
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'. ]- o2 A# C' e

9 l% y' `& W# N1 h" J3 r, Z+ RNote also that some programs (like AZPR3.00) use de old 16-bit _lopen' v& y7 o, D" W5 K9 q7 S! s6 N( y  L
function to do the same job:" e6 z# p7 p0 }+ \. W! w
! p* _, M0 w$ x  c4 w: R
   push    00                        ; OF_READ7 |$ Q9 ~' L3 x+ g, L9 Y
   mov     eax,[00656634]            ; '\\.\SICE',0
* c& Z# U+ c. c& ?   push    eax
) ^; A% l' ^) A+ s0 ?% w   call    KERNEL32!_lopen! M; n) P3 t6 C0 z& c# y1 f
   inc     eax
( |8 T1 M( ^$ }' O   jnz     00650589                  ; detected  @/ P) h, f* Q4 r8 s* F3 \
   push    00                        ; OF_READ- v* Y; U! M# o. U: ~$ _; l  b6 a
   mov     eax,[00656638]            ; '\\.\SICE'
% p# U+ r( \* A5 T; {9 K   push    eax* X' |9 ^6 c5 b# [% y4 j" C
   call    KERNEL32!_lopen
  x4 O0 B$ a& Y7 ^   inc     eax! r6 f8 g. {0 V2 ^2 S* w8 b% L4 j
   jz      006505ae                  ; not detected
2 |  b6 l6 N( O& U2 R
# S' x) p1 ?6 J3 V, P( C: r) g/ d- K" Q; m
__________________________________________________________________________. `1 `. A: N/ N+ F; ?& @
5 Z* a/ i& e, A6 c' X) C& E+ k
Method 12
. H8 O9 w: H- p' p) t! V=========
" h$ N% W, L. O  _2 j$ H
) G- I  y  U3 v; @/ D4 F' DThis trick is similar to int41h/4fh Debugger installation check (code 05) |: Z* x% _& {( n; [4 K& I
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
$ [/ g7 g' h" n1 I1 Nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.' R5 v; @9 D  b$ s8 A

3 B& l7 p$ J! n   push  0000004fh         ; function 4fh
/ x4 d9 G8 r5 s9 s8 @   push  002a002ah         ; high word specifies which VxD (VWIN32), B1 Y/ U2 Z! u6 G0 N, N
                           ; low word specifies which service
( {* |! e6 R2 _3 k1 N* r+ d3 X                             (VWIN32_Int41Dispatch)
, z5 x6 {. L- v1 A1 [& i  @   call  Kernel32!ORD_001  ; VxdCall- J( h4 N1 m1 A  O3 u
   cmp   ax, 0f386h        ; magic number returned by system debuggers  p- W7 t' V1 j" o; f  s7 X
   jz    SoftICE_detected, b' _# \# }2 Q8 f4 ~
% J8 D( H. U0 z! i' Y6 F
Here again, several ways to detect it:
* v3 t% I+ P) u7 x6 V
! l  \& K$ }) b6 S3 k* I: s1 D! Z. |    BPINT 41 if ax==4f
6 l5 d9 A9 ~4 G! _
$ W8 [. Y* x2 [" W    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
7 O0 y& x3 u  o% H. B9 s, N. I! P5 z- D$ _  b
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A+ o! L+ A5 p  {) T7 Z, x. D6 F

7 R; r6 c4 k" A! Z% z9 n    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!0 W: |" U8 ~8 T; Q3 c  T

3 K; y# T7 {1 s8 H1 f__________________________________________________________________________
* [+ v) \; V% H* J$ G9 z$ \  p; z% u" t0 l$ ]2 M0 K+ e: s) O
Method 13" D) e- `. Y3 `6 x9 U
=========. K1 K$ w8 K. }. w/ i* C
1 L" U4 a6 t1 E4 r: H
Not a real method of detection, but a good way to know if SoftICE is8 Y& K. D6 e2 }5 J- B
installed on a computer and to locate its installation directory.3 y( C( k; x. ?/ m* E
It is used by few softs which access the following registry keys (usually #2) :! d" r# V1 P. g; {

) c% q1 Z. w! l+ r9 ?% S+ B-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: G2 a3 [) L7 L\Uninstall\SoftICE$ M. S- a9 l5 }4 j* P3 h
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! e+ }9 I& J/ [! l8 V-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 c0 ]9 _* [$ }1 [/ s, F0 ^! F0 o
\App Paths\Loader32.Exe* y9 y+ @7 A8 g: S+ z

* A: N$ [& B, N' @8 W' V$ Y
# B4 j3 A; ?5 N% mNote that some nasty apps could then erase all files from SoftICE directory) X% G. ]9 k3 ]! T- \7 k% i, r
(I faced that once :-(0 U/ M# I7 U- s3 y" I7 [" t( g
1 W9 K3 m  k0 N
Useful breakpoint to detect it:
# G9 q4 }6 @, {+ w8 ]7 [4 k7 L4 n4 `0 W8 U* K2 p% S9 k
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
% P, O2 U$ J9 P' U7 m; ^4 T! e. j3 V) D' ]7 x0 @) m* ^% i2 M( L) o8 [
__________________________________________________________________________
+ ~( |' `2 M3 _) W3 d3 p! B% k' Y0 @, H# R( s

; g! j' w2 O: pMethod 14
' H. h  T3 k0 [6 A- ~! s=========
+ [6 r7 m- g& `9 q, x9 I# E0 D- m$ P; I' U+ r: u& D5 F0 V6 }
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
, s* q" E7 @5 d6 R# Uis to determines whether a debugger is running on your system (ring0 only).
% e% ^. I% {9 X  e3 R" L8 H( \+ @' B- F% Y6 h, V! ~
   VMMCall Test_Debug_Installed5 Z) g7 P4 P+ h8 V2 G) k% x
   je      not_installed
" I  K8 m% T9 ?# W% G! ^3 W1 o) m+ k, Z% \6 @
This service just checks a flag.' \2 z- t, K; X+ n$ k8 y7 i
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-15 18:30

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表