About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
" |2 `) k) m( {- r# W5 P5 w& V$ Y8 F
Method 027 F4 D" V2 X+ E
=========
8 o$ O% b* l: j$ C' @* @# _: v- }( ^1 R- q  \3 b& s* l: p% p2 i
Still a method very much used (perhaps the most frequent one).  It is used
) J1 j" o8 t" ^/ O( \. {to get SoftICE 'Back Door commands' which gives infos on Breakpoints,: v3 I, V' \+ C" O9 p7 L! i
or execute SoftICE commands...
9 c5 c0 v) u3 W; eIt is also used to crash SoftICE and to force it to execute any commands& d6 |/ i6 ]. j' ^+ u* g
(HBOOT...) :-((  & Y7 @* Y! a4 F8 F8 [' l

5 H* o6 W1 X; z3 M1 }2 ~7 qHere is a quick description:  k, b% R5 y6 q) Z
-AX = 0910h   (Display string in SIce windows)
/ @3 F1 j  [( ~-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
  Y9 Q8 y8 ?! T* D% c- v. v-AX = 0912h   (Get breakpoint infos)
2 m, x4 p! l4 i8 |0 ]9 a) S* u-AX = 0913h   (Set Sice breakpoints)# ?$ U! s: ^% M% |0 E; C
-AX = 0914h   (Remove SIce breakoints): O( B" ?# P' e# O
; O9 ]8 S% H6 \' Z
Each time you'll meet this trick, you'll see:' X' `' q# z- p. k: C
-SI = 4647h9 J( X3 K) |; E* u8 K
-DI = 4A4Dh- D2 Q$ F, K1 _$ t5 q" Q7 Q! n
Which are the 'magic values' used by SoftIce.
' \! S4 V$ V% G! @4 k9 SFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
' b9 ~3 P% l8 Y
. s6 f2 f  A5 ~: \, v9 T3 oHere is one example from the file "Haspinst.exe" which is the dongle HASP* V0 I' n0 P) U, A! T; g; M. t
Envelope utility use to protect DOS applications:
5 ?* L  r) o' g; {$ P) q- N8 o* m& R, s' g/ d
! F0 Q$ U4 |( Y; L2 u! T. v
4C19:0095   MOV    AX,0911  ; execute command.
; y9 ^; {2 ?, ?" B! M) b1 u* |4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).) ?' K' [/ Z  q. \# W
4C19:009A   MOV    SI,4647  ; 1st magic value.* Y* ]& g2 a! F1 S0 g4 g1 J9 j* p
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
/ @. y2 o; |0 t! _; L4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*); ]+ i) W; M$ }- g4 B% O# x* f$ ~0 N
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
$ I+ ]$ N) V3 @. J  Q4C19:00A4   INC    CX
7 n, O! b2 L/ ~+ K- B4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute' W" D7 j. g( A- B/ |7 r
4C19:00A8   JB     0095     ; 6 different commands.
3 `- A; Y- F0 `8 T4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
6 R* K+ I1 m% ]3 y1 n4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
0 I# }/ x% @3 a" I! W  b- M) s, \( F# h7 C  y% w+ Y; `
The program will execute 6 different SIce commands located at ds:dx, which( ]. m* Y7 G7 M1 O0 i
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
( K5 b. J3 S  d- a% l4 }& f1 W9 c8 |
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
1 _: k. M0 J: O6 V1 x___________________________________________________________________________( E' G( @: Q% m6 k/ N2 n6 d- S

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0: es:[41h*4] is the int 41h vector in the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler records al; it only runs if nobody else caught int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = a varying byte (PIT counter port)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

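To make the two DR7 values quoted above concrete, here is a decoder for the DR7 bit layout, an example added here and not code from the original post: 0x400 is the idle value (bit 10 is reserved and reads as 1), 0x700 adds the LE and GE exact-breakpoint bits, and 0x000D0401 is a constructed sample with a 4-byte write breakpoint armed on DR0, as a BPM on a dword write would set. The struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* One hardware breakpoint slot (DRn, n = 0..3) as described by DR7. */
struct dr_slot {
    int local_enable;   /* Ln: bit 2n   */
    int global_enable;  /* Gn: bit 2n+1 */
    int rw;             /* R/Wn: 0 = exec, 1 = write, 2 = I/O, 3 = read/write */
    int len;            /* LENn decoded to bytes: 1, 2, 4 (8 only in 64-bit mode) */
};

struct dr7_view {
    struct dr_slot slot[4];
    int le, ge;         /* bits 8, 9: local/global exact breakpoint enable */
    int gd;             /* bit 13: general detect, traps MOV to/from DRn */
    int any_bp_enabled; /* some Ln or Gn bit is set */
};

static int len_field_to_bytes(int len_field)
{
    switch (len_field) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;  /* 10b: 8 bytes in long mode, undefined on 32-bit CPUs */
    }
}

/* Split a raw DR7 value into its fields (Intel SDM bit layout). */
struct dr7_view decode_dr7(uint32_t dr7)
{
    struct dr7_view v = {0};
    for (int n = 0; n < 4; n++) {
        v.slot[n].local_enable  = (dr7 >> (2 * n)) & 1;
        v.slot[n].global_enable = (dr7 >> (2 * n + 1)) & 1;
        v.slot[n].rw  = (dr7 >> (16 + 4 * n)) & 3;
        v.slot[n].len = len_field_to_bytes((dr7 >> (18 + 4 * n)) & 3);
        if (v.slot[n].local_enable || v.slot[n].global_enable)
            v.any_bp_enabled = 1;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* The Method 10 test as a predicate: 0x400 is the idle value (bit 10 is
 * reserved and reads as 1); 0x700 means LE and GE are set on top of it. */
int dr7_matches_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

int main(void)
{
    /* constructed samples: the two values from the text, plus a dword write BPM on DR0 */
    const uint32_t samples[] = { 0x400u, 0x700u, 0x000D0401u };
    for (int i = 0; i < 3; i++) {
        struct dr7_view v = decode_dr7(samples[i]);
        printf("dr7=%#010x LE=%d GE=%d GD=%d loader=%d", (unsigned)samples[i],
               v.le, v.ge, v.gd, dr7_matches_softice_loader(samples[i]));
        for (int n = 0; n < 4; n++)
            if (v.slot[n].local_enable || v.slot[n].global_enable)
                printf(" DR%d:rw=%d len=%d", n, v.slot[n].rw, v.slot[n].len);
        printf("\n");
    }
    return 0;
}
```
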
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
7 R" g, G0 r; v  u6 n! J
Method 13
0 Q% X; k& T9 \: i=========4 c, s! o' `$ a: Y" b

5 M+ D8 S* `4 l6 INot a real method of detection, but a good way to know if SoftICE is
' q9 F+ k& F9 e% Yinstalled on a computer and to locate its installation directory.4 @- }  N1 t3 l' T- ]& w
It is used by few softs which access the following registry keys (usually #2) :
/ D6 s  B* F, e1 g# a( a  h) T  _" P$ Q( J
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion( Q) w5 x: R3 d' D3 t' k
\Uninstall\SoftICE6 u: e2 R2 n, u$ N% y
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE1 \6 L- u, C7 _8 }3 D; ]; p
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: p1 ^6 @( i' I9 Z) Z+ C\App Paths\Loader32.Exe! }7 p" ^% z. b7 q& B

, B3 l. w- k& ]5 O( o6 g. R8 g/ w" y7 i8 b2 j6 P! G
Note that some nasty apps could then erase all files from SoftICE directory
5 m. }' K  E+ M+ k5 x" ~+ @8 O* [  f(I faced that once :-(
' i8 H9 L5 F) D3 c
" p) U; c" H7 R; @8 ~  W; y- BUseful breakpoint to detect it:$ L& p0 {8 E; M* A
4 P( T9 S- @1 {: z% r0 [
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'5 Y3 v" n* n7 w' g* a' S$ a( l
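The +4 in the CreateFileA breakpoint of Method 11 and the +0x13 / +0x37 in the _regopenkey breakpoint above are byte offsets into the argument strings. This added example (not code from the original post; function names are mine) recomputes those offsets from the device name and registry keys quoted in the text, and rewrites the two breakpoint conditions as plain C predicates over the string argument, the way a monitoring hook would evaluate them.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read 4 raw bytes at `off` as a little-endian dword, the way the SoftICE
 * expression *(ptr+off) reads the argument string in memory. */
static uint32_t dword_at(const char *s, size_t off)
{
    const unsigned char *p = (const unsigned char *)s + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Byte offset of the first occurrence of a 4-char tag in s, or -1: this is
 * how the +4, +0x13 and +0x37 constants in the breakpoints were derived. */
long tag_offset(const char *s, const char *tag)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(s + i, tag, 4) == 0)
            return (long)i;
    return -1;
}

/* BPX CreateFileA / _lopen condition as a predicate on the file name argument:
 * skip the 4-byte "\\.\" prefix and compare the next dword against the tags
 * (case-sensitive, exactly like the breakpoint expression). */
int is_softice_device_open(const char *name)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (strlen(name) < 8 || strncmp(name, "\\\\.\\", 4) != 0)
        return 0;
    for (int i = 0; i < 3; i++)
        if (dword_at(name, 4) == dword_at(tags[i], 0))
            return 1;
    return 0;
}

/* BPX _regopenkey condition on the lpSubKey argument: 'tICE' at +0x13 (key #2)
 * or at +0x37 (key #1), the offsets where "SoftICE" ends in those two paths. */
int is_softice_registry_key(const char *subkey)
{
    size_t n = strlen(subkey);
    return (n >= 0x13 + 4 && dword_at(subkey, 0x13) == dword_at("tICE", 0)) ||
           (n >= 0x37 + 4 && dword_at(subkey, 0x37) == dword_at("tICE", 0));
}

int main(void)
{
    /* constructed inputs: the device name and the registry keys quoted in the text */
    const char *dev  = "\\\\.\\SICE";
    const char *key1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE";
    const char *key2 = "Software\\NuMega\\SoftICE";
    const char *key3 = "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe";
    printf("%s: 'SICE' at +%ld, device predicate=%d\n",
           dev, tag_offset(dev, "SICE"), is_softice_device_open(dev));
    printf("key #1: 'tICE' at +0x%lx, key #2: 'tICE' at +0x%lx\n",
           (unsigned long)tag_offset(key1, "tICE"), (unsigned long)tag_offset(key2, "tICE"));
    printf("registry predicate: #1=%d #2=%d #3=%d\n", is_softice_registry_key(key1),
           is_softice_registry_key(key2), is_softice_registry_key(key3));
    return 0;
}
```
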

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
5 i; @  Y( R. Y& |+ k! f</PRE></TD></TR></TBODY></TABLE>