About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

# h( c$ R" h6 s. T, y8 YMethod 09
$ l$ Q5 Z" M- {5 X# _# X=========' e" [$ L' K8 T' M7 }3 q

- T0 _. N7 l6 H; dThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only4 R  m% y! ~9 e9 {
performed in ring0 (VxD or a ring3 app using the VxdCall).5 t* p: A3 h' k, e1 n0 Z
The Get_DDB service is used to determine whether or not a VxD is installed
5 d0 Q; k1 ?+ E2 w; X6 Qfor the specified device and returns a Device Description Block (in ecx) for( j! _7 }  c2 C. f9 W" x7 Y/ w+ y6 H
that device if it is installed.
% t. f$ R$ X, N2 p; N( g: ^
# D& C/ P4 k% j5 _; W4 z1 I2 M   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
, \8 p* E+ r/ w" `- x   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
/ Z, ^( Q: O; k2 \5 V" K6 X   VMMCall Get_DDB( p" Y" h2 p: Z" l
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
' ~' z+ `9 Y! w- o6 @3 |, g; q5 v( Z9 F" R* Z. w4 n7 ^
Note as well that you can easily detect this method with SoftICE:3 D: z% |. u9 K$ O/ ]
   bpx Get_DDB if ax==0202 || ax==7a5fh
, ]. \$ s3 E' n! E% M
6 I2 F& z: U- H( j__________________________________________________________________________
  ?2 U" E  h( G% P- i5 ?9 T  A
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* try to open the SoftICE Win9x driver by its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

0 B1 n9 S  X" t3 ^2 X( J3 RMethod 12
' r1 r- q4 }. a! y# ^=========
) Y3 H- C/ q9 d) b
8 I4 m# d1 L4 zThis trick is similar to int41h/4fh Debugger installation check (code 05% o/ A# b) f& K3 Y% h/ V
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
  ]! o& e2 I- g. U& n  G9 qas it uses the VxDCall backdoor. This detection was found in Bleem Demo.# w  p; n) I. F

5 v& I0 w) D$ @  u" T6 ^   push  0000004fh         ; function 4fh
- ?, v6 W, x8 r% B, \, h. Q' j   push  002a002ah         ; high word specifies which VxD (VWIN32)8 l# E+ ~6 n" A, i: J0 R* d# e
                           ; low word specifies which service
% o7 E& Z$ y% V$ W  z6 o                             (VWIN32_Int41Dispatch)8 N' w$ g1 U' n
   call  Kernel32!ORD_001  ; VxdCall; F; ~& n/ c3 Q$ f3 Y- j
   cmp   ax, 0f386h        ; magic number returned by system debuggers& d" Y# T8 F# d, T- c' r& f
   jz    SoftICE_detected- J) x: \: D* T
. ?% o+ m6 C- o
Here again, several ways to detect it:
% _# X, l# M" K5 t6 A* }# H5 q( r; F. e' e1 J$ Z) w& ~% L
    BPINT 41 if ax==4f
, u0 v" [' _' q( l% ~
5 B7 X; U. \9 f    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one5 x; |6 |5 N4 S* v" h3 g

. e1 ~+ c5 o1 w% V/ z* r    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A, `4 O. T1 ]/ w
1 e1 k% g4 T+ U5 _' e
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!7 i7 ~' G: U' l2 z( H3 L+ ^
, U& q! ?/ m$ h5 h0 x8 }* e, u
__________________________________________________________________________
* B; t  m* @& j/ ~( s' N" U: a# f8 W+ U2 l, B! s
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
' w' Z+ r8 P+ y</PRE></TD></TR></TBODY></TABLE>