About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of the packers/encryptors found on the Internet.
It looks for the BoundsChecker signature: SoftICE answers an INT 3 issued
with EBP = 'BCHK' and AX = 4 (the BoundsChecker interface), so AL does not
come back as 4 when SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back-door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point): if the VxD is loaded, ES:DI receives its API entry
point, otherwise ES:DI stays 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES and DI both zero -> not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES and DI both zero -> not loaded
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh (debugger installation check)
is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the real-mode IVT is
first replaced by a dummy handler (a plain IRET): if our own handler serves
the interrupt, AX comes back unchanged (4Fh); if SoftICE intercepts int 41h
before the vector is reached, AX comes back as 0F386h anyway.

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect: there
is no ax==4Fh to set a breakpoint on. The dummy handler copies AL into CL,
and AL is loaded from the timer port so its value is not predictable. If our
handler ran, CL == AL afterwards; if SoftICE handled the interrupt instead,
the copy never happened and CL != AL.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in DX:BX
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86): AH=43h is the
debugger installation check, answered with AX=0F386h.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system:
int 01h and int 03h are intercepted and redirected to another routine, so
the single-step and breakpoint traps no longer reach the debugger.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
of that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers (in ring 0 only), you can detect whether
SoftICE is loaded (DR7=0x700 if you loaded the soft with the SoftICE loader,
0x400 otherwise: bit 10 of DR7 always reads as 1, so 0x400 is the idle value,
and 0x700 means the LE/GE exact-breakpoint bits 8 and 9 are set as well) and
whether memory breakpoints are set (DR0 to DR3 hold their linear addresses)
simply by reading their values. The values can be manipulated or changed as
well (clearing BPMs, for instance).
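The DR7 values quoted above (0x400 idle, 0x700 with the SoftICE loader) follow directly from the register's bit layout. The Python below is an added example and not part of the original text: it decodes a DR7 value the way a ring-0 check would, lists the enabled hardware breakpoints with their DR0..DR3 addresses, and shows what "clearing a BPM" amounts to at the bit level. Debug registers cannot be read from ring 3, so the register values fed to it here are constructed.

```python
# Added example: decode DR7 as a ring-0 anti-debug check (Method 10) would.
# Bit layout (Intel SDM, vol. 3, "Debug Registers"):
#   bits 0..7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per breakpoint
#   bit  8       LE (local exact)        bit 9   GE (global exact)
#   bit  10      reserved, always reads as 1  -> why an idle DR7 is 0x400
#   bit  13      GD (general detect: trap on any MOV to/from a DRx)
#   bits 16..31  R/W0,LEN0 .. R/W3,LEN3  (2 bits each)
from dataclasses import dataclass, field
from typing import List, Sequence

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 is only defined in 64-bit mode


@dataclass
class HwBreakpoint:
    index: int
    addr: int        # linear address from DR0..DR3
    scope: str       # "local", "global" or "local+global"
    kind: str        # exec / write / io / rw
    length: int


@dataclass
class Dr7Info:
    exact: bool                      # LE or GE set (SoftICE loader -> 0x700)
    general_detect: bool
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int, dr0_3: Sequence[int] = (0, 0, 0, 0)) -> Dr7Info:
    """List the hardware breakpoints DR7 enables, using DR0..DR3 as addresses."""
    info = Dr7Info(exact=bool(dr7 & (DR7_LE | DR7_GE)),
                   general_detect=bool(dr7 & DR7_GD))
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        scope = "local+global" if local and glob else ("local" if local else "global")
        info.breakpoints.append(
            HwBreakpoint(i, dr0_3[i], scope, RW_NAMES[rw], LEN_BYTES[ln]))
    return info


def looks_like_softice_loader(dr7: int) -> bool:
    """Method 10's heuristic: 0x400 is the idle value, 0x700 adds LE|GE."""
    return bool(dr7 & (DR7_LE | DR7_GE))


def clear_bpm(dr7: int, index: int) -> int:
    """Disable breakpoint `index`: what 'clearing a BPM' from ring 0 amounts to."""
    mask = (3 << (2 * index)) | (0xF << (16 + 4 * index))
    return (dr7 & ~mask) | DR7_RESERVED_ONE


if __name__ == "__main__":
    # Constructed values: an idle DR7, a SoftICE-loader DR7, and a 4-byte BPM RW on DR0.
    for value in (0x400, 0x700, 0x400 | 0x1 | (3 << 16) | (3 << 18)):
        print(hex(value), looks_like_softice_loader(value),
              decode_dr7(value, (0x00401000, 0, 0, 0)).breakpoints)
```

A protector reading DR7 from ring 0 sees nothing but these bits, which is why the text warns to clear breakpoints before running under SoftICE: any LE/GE or Ln/Gn bit set is enough to give the game away, and the same code path can overwrite them.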

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-1      ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (002Ah = VWIN32),
                           ; low word specifies which service
                           ; (002Ah = VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in key #2 and key #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>