About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 if nobody answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install a dummy int 41h handler: without a
    xchg    bx, es:[41h*4+2]    ; debugger it just returns and ax stays 4fh
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
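As an added example (not part of the original text), here is a small Python decoder for DR7 that shows what the two values quoted above mean when an analyst reads them from a dump or a hypervisor: 0x400 carries only the always-set reserved bit 10, while 0x700 additionally has the LE and GE (exact local/global breakpoint) bits. The bit layout is the architectural one from the Intel manual; the debugger_footprint() heuristic and the sample values are mine, not the author's.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"). These positions are
# architectural constants, not values taken from the page.
LE_BIT, GE_BIT, RESERVED_BIT10, GD_BIT = 8, 9, 10, 13

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
# LEN=10b means 8 bytes only in 64-bit mode; undefined in 32-bit mode.
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7):
    """Describe which of the four hardware breakpoints DR7 enables and how."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3 at even bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3 at odd bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: condition
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: width
        bps.append({"index": i, "scope": "global" if glob else "local",
                    "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "breakpoints": bps,
        "exact_local": bool((dr7 >> LE_BIT) & 1),
        "exact_global": bool((dr7 >> GE_BIT) & 1),
        "general_detect": bool((dr7 >> GD_BIT) & 1),
        "reserved_bit10": bool((dr7 >> RESERVED_BIT10) & 1),
    }


def debugger_footprint(dr7, dr0_3=(0, 0, 0, 0)):
    """Heuristic mirroring the Method 10 observation: 0x400 is the reset
    value (only the reserved bit set); LE/GE set or an armed breakpoint means
    a debugger touched the registers. Returns a list of reasons, [] if clean."""
    info = decode_dr7(dr7)
    reasons = []
    if info["exact_local"] or info["exact_global"]:
        reasons.append("LE/GE exact-breakpoint bits set")
    if info["breakpoints"]:
        reasons.append(f"{len(info['breakpoints'])} hardware breakpoint(s) armed")
    if any(dr0_3) and not info["breakpoints"]:
        reasons.append("DR0-DR3 hold addresses but are not enabled")
    return reasons


if __name__ == "__main__":
    # Constructed sample values: the two DR7 values quoted in the text and a
    # hypothetical 4-byte read/write BPM on DR0 (L0=1, R/W0=11b, LEN0=11b).
    for value, dr0 in ((0x400, 0), (0x700, 0), (0xF0401, 0x401000)):
        print(hex(value), decode_dr7(value), debugger_footprint(value, (dr0, 0, 0, 0)))
```

The decoder is the piece worth keeping: a SoftICE BPM on a 4-byte variable shows up as a single enabled slot with type read/write and length 4, which is exactly what a program checking dr0-dr3 would be looking for.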

__________________________________________________________________________
9 z4 j% S& Z; z% k0 E' A
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
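The SoftICE breakpoint conditions given for methods 02 through 13 are, in effect, detection rules for anti-debugger probes. The following Python script, added here and not part of the original text, applies the same rules to an interrupt/API trace so that an analyst can flag these probes offline (for instance over a trace exported from an emulator). The trace record format and the SAMPLE_TRACE are assumptions constructed for this example; the magic values ('BCHK', 4647h/4A4Dh, 0202h/7A5Fh, int 41h/4Fh, int 68h/43h, 002A002Ah, the driver names and the registry keys) come from the text above.

```python
"""Rule set for the SoftICE-detection idioms described on this page, applied
to a list of trace events. Each event is a dict with 'kind' ('int' or 'api'),
a 'vector' or 'api' name, and optional 'regs' (register values) / 'args'."""

BCHK_SIGNATURE = 0x4243484B                 # 'BCHK' in ebp, method 01
BACKDOOR_SI, BACKDOOR_DI = 0x4647, 0x4A4D   # magic values, method 02
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoints",
                  0x0914: "remove breakpoints"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}            # methods 03/04/09
DRIVER_NAMES = {r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"}  # method 11
VWIN32_INT41_DISPATCH = 0x002A002A                      # method 12


def classify(ev):
    """Return a label naming the trick the event matches, or None."""
    r = ev.get("regs", {})
    if ev["kind"] == "int":
        v = ev["vector"]
        if v == 0x03:
            if r.get("ebp") == BCHK_SIGNATURE and (r.get("ax", 0) & 0xFF) == 0x04:
                return "method 01: BoundsChecker 'BCHK' signature probe"
            if r.get("si") == BACKDOOR_SI and r.get("di") == BACKDOOR_DI:
                fn = BACKDOOR_FUNCS.get(r.get("ax"), "unknown function")
                return f"method 02: SoftICE back door ({fn})"
        if v == 0x2F and r.get("ax") == 0x1684 and r.get("bx") in VXD_IDS:
            return f"method 03/04: int 2Fh/1684h entry-point probe for {VXD_IDS[r['bx']]}"
        if v == 0x41 and r.get("ax") == 0x4F:
            return "method 05/06: int 41h/4Fh debugger-installed check"
        if v == 0x68 and (r.get("ax", 0) >> 8) == 0x43:
            return "method 07: int 68h/43h WinICE handler check"
        if v == 0x21 and (r.get("ax", 0) >> 8) == 0x25 and (r["ax"] & 0xFF) in (0x01, 0x03):
            return f"method 08: rehooking int {r['ax'] & 0xFF:02X}h via int 21h/25h"
    elif ev["kind"] == "api":
        api, args = ev["api"], ev.get("args", [])
        if api in ("CreateFileA", "_lopen") and args and args[0] in DRIVER_NAMES:
            return f"method 11: {api} on {args[0]} (MeltICE style)"
        if api == "VxDCall" and args[:2] == [VWIN32_INT41_DISPATCH, 0x4F]:
            return "method 12: VWIN32_Int41Dispatch(4Fh) via VxDCall"
        if api.startswith("RegOpenKey") and args and \
                ("SoftICE" in args[0] or args[0].endswith("Loader32.Exe")):
            return f"method 13: registry probe {args[0]}"
        if api == "VMMCall":
            if args[:1] == ["Get_DDB"] and r.get("eax") in VXD_IDS:
                return f"method 09: Get_DDB for {VXD_IDS[r['eax']]}"
            if args[:1] == ["Test_Debug_Installed"]:
                return "method 14: Test_Debug_Installed"
    return None


def scan(trace):
    """Return [(index, label), ...] for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(trace):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


# Constructed trace (not captured from any real program): one Haspinst.exe-style
# back-door call, a MeltICE-style CreateFileA, an int 41h/4Fh check, and two
# benign events that must not fire.
SAMPLE_TRACE = [
    {"kind": "int", "vector": 0x21, "regs": {"ax": 0x4C00}},                 # benign DOS exit
    {"kind": "int", "vector": 0x03, "regs": {"ax": 0x0911, "si": 0x4647, "di": 0x4A4D}},
    {"kind": "api", "api": "CreateFileA", "args": [r"\\.\SICE"]},
    {"kind": "api", "api": "CreateFileA", "args": [r"C:\readme.txt"]},       # benign
    {"kind": "int", "vector": 0x41, "regs": {"ax": 0x004F}},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_TRACE):
        print(f"event {idx}: {label}")
```

The rules deliberately key on the same register values the BPX/BPINT conditions above use, so a hit in the trace corresponds one-to-one with a breakpoint that would have fired in SoftICE.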

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.