找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
* Q: {0 m8 n5 K6 A) Y* Q/ u<TBODY>, C" [7 }2 P, O, `/ L8 X
<TR>
. o3 z" {. J  b  Y( x& e<TD><PRE>Method 01 2 _, O; E4 a; d0 n% c: B
=========
" ^- B8 Z6 L9 n+ `3 E. g! P5 V. B3 ?: Z" ^6 s3 h8 ?" U
This method of detection of SoftICE (as well as the following one) is
2 l0 o+ ?* J* y6 [3 }' X& Qused by the majority of packers/encryptors found on Internet.% k1 e4 c& Y; J3 P# s
It seeks the signature of BoundsChecker in SoftICE
* y3 r: {& ~7 U* H: @) F' ?+ H
4 ?$ D) L. S; H- p& T: y5 [    mov     ebp, 04243484Bh        ; 'BCHK'/ M, j, ^, E- V9 U7 v4 }
    mov     ax, 04h
" Y" j$ H9 C# Y# X" L) g    int     3      
- t, z# A6 K( g. C    cmp     al,4
  |2 E( w: c- W/ U- Q( Z1 D    jnz     SoftICE_Detected) i3 V/ Y" E& j0 D' K" B6 g
8 \9 k+ Y0 v& l$ S* ^
___________________________________________________________________________) R6 G9 P3 ~1 H8 e8 f) ?- e0 H# W
0 J6 u1 ]9 B2 w
Method 020 H$ W0 J6 {5 j( _) K, ?
=========
& b6 W& ?" ?/ X( {; w1 G2 Z9 X# N5 q# t- P8 B
Still a method very much used (perhaps the most frequent one).  It is used! n- ?* {# Q% Y
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,# A! ~1 J; U. W1 C
or execute SoftICE commands...
8 N' U0 j& ~+ iIt is also used to crash SoftICE and to force it to execute any commands+ b9 A, l" K" M% Y4 p
(HBOOT...) :-((  
; R+ u3 m1 `* O" d/ p' Z3 A$ q
3 k1 A% T; R% t4 o8 L# jHere is a quick description:: U+ ]2 n$ Y" K- K- D; s
-AX = 0910h   (Display string in SIce windows)6 }9 O  e# ?5 d% q3 M) n8 Y7 M# c
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)4 P# b1 L% E: P/ B
-AX = 0912h   (Get breakpoint infos)
9 g7 S9 X, n* M- b-AX = 0913h   (Set Sice breakpoints)9 H& C3 \6 D4 `& Q
-AX = 0914h   (Remove SIce breakoints)
, B2 F/ D- s% |& H; C- A) [; P9 P# c; D
Each time you'll meet this trick, you'll see:
2 `" a- R% n$ n. j' a/ z5 x$ n1 V-SI = 4647h; i2 Z/ `- k8 {3 z. h
-DI = 4A4Dh* I. r6 p: x( M& k" O* m& {
Which are the 'magic values' used by SoftIce.
( T* P; j: T: W: V" LFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
3 W$ B8 m* l* i4 s
" ^( c' V. u+ l. r; f) `7 i9 VHere is one example from the file "Haspinst.exe" which is the dongle HASP% `8 m% u0 c' w: ?9 j  V. q$ m: T
Envelope utility use to protect DOS applications:
3 A* q2 e9 w5 ~# ~; @  O1 ~4 p- d/ e& c* L! D. F& M" h! J3 ?
+ g% z: S3 N- C8 t# t# b/ R
4C19:0095   MOV    AX,0911  ; execute command.! d1 s  V- b/ [& @( B% Y8 o: z
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
3 {$ m+ |7 |" J5 ?# j3 U3 Q3 X9 B5 w4C19:009A   MOV    SI,4647  ; 1st magic value.7 i( G! r9 v, t
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.9 L" f, P3 [" r9 F
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
; |& B& c  n  U4 D: P" y) Z* T4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute7 ?8 V8 {7 W8 C- ^  K6 `) n0 f# |
4C19:00A4   INC    CX- M7 D% u1 |: l
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute+ C/ S2 A* v0 T# V' x( I
4C19:00A8   JB     0095     ; 6 different commands.* {9 r. H# b1 U& T7 O& L0 n& M
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
9 J: A# J. V- k9 H' b  L8 N4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :); L* z% d) a. ~; [* N
) X: z2 @- v$ ]& ~, X1 Z
The program will execute 6 different SIce commands located at ds:dx, which
* @* z$ s8 ^( ^+ D1 X, _are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
+ z% u$ p- \( s+ p  |2 ^% _6 G( v2 m" _& S! [6 R
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.% j. \* ^  Q. m0 i/ {
___________________________________________________________________________6 M4 I$ @( ~8 b  {
% k/ m! v& }3 `3 R7 a# b

6 I2 e3 p1 ], GMethod 03+ i5 c! E0 m1 U% C' `' e; \3 z
=========
6 z( O9 b  I+ {/ i) _* F
: L. B* k: ~- W/ L- w9 }Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
7 a" {) E" X/ `0 S3 v; x+ \; m(API Get entry point)
) |9 K0 F, }- t( ?$ _        
. _. @/ T. P- M0 x3 L! y3 D: H* X$ T7 W2 n0 J
    xor     di,di/ J  I1 M8 X$ P$ x2 j( h& M# f
    mov     es,di: v- C4 U- @& [* F8 d
    mov     ax, 1684h      
6 T; u! \6 s; \, c: p, a6 f    mov     bx, 0202h       ; VxD ID of winice
# _0 Z* Z$ }+ E1 S  a    int     2Fh% `" f. n9 z% ]: o8 m- k
    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ x7 \. G4 U: p) w! x
    add     ax, di
: T, q/ o" i: a9 Y! u" E" t  S& X4 ~    test    ax,ax/ `- `  K% u7 r' @' B. A0 {( O
    jnz     SoftICE_Detected; C5 {9 p2 J1 \9 x- x; ^" e4 `

' A; @  }) C$ H5 F+ _" y___________________________________________________________________________% r$ A/ \2 D1 o3 P: J; T

. }' c/ G/ i1 t) n# X7 ]Method 04
7 }5 L- {) F) W% F! t: L3 I/ P=========
! r: \8 x% X& @2 g3 @# Z5 R! P6 }! y5 ]$ {: _0 {- ~/ a' m
Method identical to the preceding one except that it seeks the ID of SoftICE4 n' w1 y& ?$ Q4 [+ P5 ]. x. e* L, V
GFX VxD.9 G9 `  |2 Y% t* [$ c, S! m8 S7 w

3 ?) n8 h1 q( b    xor     di,di
" D5 \2 R! e9 ^% \    mov     es,di
$ p! k( \" G4 M+ Z: C    mov     ax, 1684h      
/ C% J1 U+ ]" Y9 v    mov     bx, 7a5Fh       ; VxD ID of SIWVID5 u4 a  w4 d* h8 Z2 @, }1 H
    int     2fh
/ n9 g. N. F: ~1 z& ~    mov     ax, es          ; ES:DI -&gt; VxD API entry point# P( l% J& V, `3 X; r" @& A
    add     ax, di
# o) k) `/ M4 a( N( Z    test    ax,ax
# s" e5 T$ G+ L    jnz     SoftICE_Detected
8 s( c; s+ J  Y! Z2 N
) C0 {! h6 o) Y; ]2 H__________________________________________________________________________
2 H6 P7 W2 V& b* t+ ~5 y) ^' N, }+ Y
4 Y! d; y0 C% J/ O+ |/ h: f$ b1 C! I& ^
Method 05
3 z5 C8 x: v0 G1 l=========4 N6 A8 X8 g' T1 y
, `: z# E$ Z* |; ~  [6 {* x/ i
Method seeking the 'magic number' 0F386h returned (in ax) by all system
: i# _4 z. Z- ^debugger. It calls the int 41h, function 4Fh.
; a. }# _9 w+ @There are several alternatives.  
+ C! \" r5 P  p  q+ U
6 \& n. Y/ Q9 M% e. y  F, Q* lThe following one is the simplest:
$ c  k5 P2 H) I0 b, R" g: b) l1 a6 Y! n6 s% s8 `5 T8 r5 {
    mov     ax,4fh5 N. e) R9 d& o- K
    int     41h
3 O( _5 n+ p/ V  o# Z    cmp     ax, 0F3861 B& ?; H2 C& H
    jz      SoftICE_detected
7 v& U3 h! L9 |4 d7 R
# u3 Z- d# ~; g3 A  T4 r) M$ r1 ^' d- A+ f/ a+ p/ m
Next method as well as the following one are 2 examples from Stone's
! N8 p( o! g5 n5 }5 f- L"stn-wid.zip" (www.cracking.net):
' g5 @( T' {6 w8 W, B% k& t8 S
" `' u/ [& y9 c* g* r    mov     bx, cs
) g  f& {/ i) h8 s    lea     dx, int41handler22 O. R/ _1 `' B. A
    xchg    dx, es:[41h*4]" x* `/ ~) V# U/ c, f* ^( ?" e& C
    xchg    bx, es:[41h*4+2]
0 p( h/ ~6 [1 P& s, u/ }4 D    mov     ax,4fh$ e, l& S( A- f# S3 c/ a* h
    int     41h
/ T! J- |; J8 E& p    xchg    dx, es:[41h*4]) T8 ?- Y+ S) H
    xchg    bx, es:[41h*4+2]& V8 m& j4 I( ]$ U, X
    cmp     ax, 0f386h
, E) |6 ^8 C0 w2 E* K/ @" ?% c1 ^  }    jz      SoftICE_detected  q/ ~* X, w8 }0 ]3 E
, X" K9 I. s0 E+ _
int41handler2 PROC: V0 M: |0 W; U6 h, M
    iret) M' E$ q% g) u& P
int41handler2 ENDP
$ Y- y4 i# \' r5 v6 A1 Y& I1 ?( J# v- b2 h& V/ A$ S' _' ?
7 Z: I# v3 ^' O' u: E
_________________________________________________________________________! v1 G. U" G2 \( l
3 w0 V5 x1 O2 m; ?$ y3 V8 ?* D

! X. ?* [8 G4 Z5 ]1 o: OMethod 06- \, d& q3 [: \2 ?
=========
5 Z' ?4 Q8 _! y2 V: J& ~$ l+ P9 _/ ~& N- [( b% r% e

9 K+ B& Y* T/ G+ f3 q2nd method similar to the preceding one but more difficult to detect:
& z% u& x( o2 V) H0 O; O4 I" Y; O; E( p

/ B9 U6 \3 `: z+ i. pint41handler PROC
/ x$ N+ ^6 ]# l4 [, ^% {    mov     cl,al
7 v1 g& n5 G! T7 \. i    iret# u' M2 M2 T$ T* T$ \" R
int41handler ENDP' f' ^2 R7 j! Z. P) e

) a# t3 D0 r7 X  ?5 p9 L) `6 l1 w; o, E
    xor     ax,ax6 {3 m7 g) g, n$ l8 R5 P
    mov     es,ax
0 _' M6 g7 O3 B/ X& [    mov     bx, cs
: Q3 w6 ~" F4 c. ]3 ^    lea     dx, int41handler4 f# P8 T' G- ~' F
    xchg    dx, es:[41h*4]# w5 d/ o/ v# w2 O3 U# [* h
    xchg    bx, es:[41h*4+2]
! B4 A4 y; j$ K0 g5 \) {" v    in      al, 40h, Q" @0 f% O9 M% V7 y$ Z
    xor     cx,cx
5 Y4 D% J) L  U) x' G    int     41h
+ |% K# f% ]! z0 \3 t    xchg    dx, es:[41h*4]. K& o, ^- E* l2 r4 z, O+ O
    xchg    bx, es:[41h*4+2]% W! K* H( h* }$ ^9 ]; K  }
    cmp     cl,al9 i& Y7 g* \9 l% h, u+ y) o
    jnz     SoftICE_detected. \, G# I+ n" ?% Q# y
; {$ |& t4 ]. l( q0 V9 l2 }
_________________________________________________________________________/ z% ]1 P/ |7 J/ p3 Z/ m/ _& E

0 v: L8 n& [9 c- fMethod 07
3 Y2 ^  D0 p/ q* F9 z8 {& `- b=========, [- M, g3 \$ v# C
, t& L) u' Z) Z
Method of detection of the WinICE handler in the int68h (V86)
4 c3 k2 D% _0 T0 C! i7 N* ~0 q8 m1 u8 o! i, j1 `
    mov     ah,43h
+ x7 N1 P& E& s& L& f: ]    int     68h0 n: [# ]7 @- d4 @) X
    cmp     ax,0F386h# Z" X5 M+ W6 C& K( E+ g
    jz      SoftICE_Detected
# c' j5 R7 R& a2 |% D% ]
+ F. u! {; h/ G( _7 i- F4 r* G+ e) d& \# u
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit; R( l1 y4 P: [( s* g
   app like this:
* v1 z+ Z3 P0 x: e) X
% }; ]; E9 l/ v+ B   BPX exec_int if ax==68: b" s+ C* X1 v) t( \: Q
   (function called is located at byte ptr [ebp+1Dh] and client eip is! v3 v- A5 D- T# o
   located at [ebp+48h] for 32Bit apps)) z# M' v8 R: Y/ R' U) w
__________________________________________________________________________
" h# g- T$ ~0 K) v6 U$ {" Z) E; s& G2 b* v( ?  U% M" e
- N# |! ~5 k8 C% |1 Y3 m1 U2 ^
Method 08( H' u( H8 Z0 y0 `
=========
" F$ Y! u* x5 x
/ ^1 [2 e( |; rIt is not a method of detection of SoftICE but a possibility to crash the
  v+ }# Z: n, Bsystem by intercepting int 01h and int 03h and redirecting them to another
0 I  H" X- {. w3 jroutine.0 b9 L' f( h5 d6 @0 i6 k
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points( }6 i/ `0 B7 Q9 z6 y% r( W
to the new routine to execute (hangs computer...)
2 u% _& X: p$ ]9 a4 p
3 Y) O& r' J+ p: Y    mov     ah, 25h+ o, v& y3 o$ L. Y- e% ^. F
    mov     al, Int_Number (01h or 03h)# j" l6 Y0 W& b2 [4 F
    mov     dx, offset New_Int_Routine
1 B  f6 x3 X* ?    int     21h! V1 Y, z6 ~. t( L: v- ]
* ^( W+ R) ?* W# O: c
__________________________________________________________________________
/ a) p7 i* D  m- X& b! A) ~+ N, a5 e3 V+ [. n
Method 09) w# R% R0 x4 n+ e6 r" m# X
=========) d5 }/ U9 I* p2 W7 w, U

' y4 I8 f% M5 \5 qThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
9 m+ D, c% T8 Z* G5 r( eperformed in ring0 (VxD or a ring3 app using the VxdCall).' u( y$ Z5 X' Q" V# e0 E6 x  v, C  @
The Get_DDB service is used to determine whether or not a VxD is installed
' Y2 p, W: p' @3 k- i: zfor the specified device and returns a Device Description Block (in ecx) for
! `) v1 e; L9 ^that device if it is installed.
0 F, Q' g# h; B* E" r. W1 N( y' m5 ^2 C( ~  K
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
5 k6 X* S: F7 O9 {3 g/ f   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 @$ R% k% ]8 @& K2 k6 u
   VMMCall Get_DDB
% A" s9 e3 i3 P6 _+ w4 t2 A   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
8 B3 ^, A4 H2 s  x5 K# I7 C7 V$ a8 R7 Y. l9 Q
Note as well that you can easily detect this method with SoftICE:
/ [8 }3 d* k# L. Y$ l/ P   bpx Get_DDB if ax==0202 || ax==7a5fh
2 |+ R6 n! H& b& \" R$ {
+ o; \3 b0 \7 S7 q__________________________________________________________________________7 H2 M: a6 Y3 R& T0 R
* l" l" [$ m& d
Method 10& ~- n' c6 w0 X3 W: c+ D" d
=========# \+ x* O' m3 T+ ]9 }; y

4 I4 I+ [0 @  \2 ?! H=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
- O* s  a  H+ H) O0 i  SoftICE while the option is enable!!6 a; X" `2 x' x. V
- V) v* p6 n: W9 X- O5 F$ d, ^
This trick is very efficient:
4 P1 B* Z: s+ Z( q- rby checking the Debug Registers, you can detect if SoftICE is loaded
/ `" n, m/ E9 ?9 v  ?(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, f1 O0 T2 R8 h: }# m; S
there are some memory breakpoints set (dr0 to dr3) simply by reading their
' I0 T- s0 }9 ivalue (in ring0 only). Values can be manipulated and or changed as well
2 e9 @- F" x& }(clearing BPMs for instance)
- e1 w, r/ H2 \4 w9 P/ A1 B5 b
# {& f6 ]; F: x( M9 S__________________________________________________________________________  `7 g9 g! u: z5 d8 k* ^- q. i  X4 j

! ^( {) }- {7 ~) Z2 B  sMethod 11
* R* g+ {" [5 t=========
6 t3 N; F: ^% t9 |8 _- \# x: j. K" k# _
This method is most known as 'MeltICE' because it has been freely distributed
! [# V2 ]+ E: W: R; `9 W/ b8 Ivia www.winfiles.com. However it was first used by NuMega people to allow8 w# B: {' @# S
Symbol Loader to check if SoftICE was active or not (the code is located
" D+ ?4 F/ b% M% \3 A4 ginside nmtrans.dll).' ^$ {+ r2 V! H0 m8 N# p% ?$ W

; L! X/ B$ Z9 [2 OThe way it works is very simple:% b1 a" o1 Q# q; e9 ]. Q, E
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for: b; w5 w/ d& C9 Z0 ~0 Q  u0 [
WinNT) with the CreateFileA API.( w- s: k2 G. _, j0 o

6 N7 ?& v+ U& ~Here is a sample (checking for 'SICE'):
& M8 F# t- l: v% N  H$ f
$ w1 E: \+ h3 S7 H! U. B8 c- \- p  lBOOL IsSoftIce95Loaded(); n# g' ^% t/ P7 X# ~) E! M
{
7 F1 s; l2 q! X8 o: S   HANDLE hFile;  - {) R; R. @2 _! o. g
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,+ n% J5 e: B4 L" |+ J
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
4 V( _, ~2 Z4 a( Z6 H; p; W) i                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);8 o+ e1 S+ `: t3 T' _' L
   if( hFile != INVALID_HANDLE_VALUE )
% ?, E# d! i* z" y   {+ C& p, f( }' }6 \% S% M: Z6 M
      CloseHandle(hFile);( U3 Y( F- B3 j- O2 a  N3 T$ P
      return TRUE;
( ^1 G0 T) b* v) k   }8 f* K/ ]# r: G5 X+ l1 Q, e8 Y1 e
   return FALSE;. g4 W: g, S# y# f$ `
}
" V" [/ O6 y0 K
) a' i0 {& l& A2 XAlthough this trick calls the CreateFileA function, don't even expect to be8 \( w1 V/ e% n5 v* s3 e! f
able to intercept it by installing a IFS hook: it will not work, no way!
, F# H6 J7 ?$ H) [4 K! yIn fact, after the call to CreateFileA it will get through VWIN32 0x001F  s$ [) K; P  ~9 c. k; @. |6 E
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)! R& g9 d! a$ Z
and then browse the DDB list until it find the VxD and its DDB_Control_Proc7 S9 o3 z1 `- n) o% D  T
field.' A+ x4 Y9 m9 }9 G- L; d
In fact, its purpose is not to load/unload VxDs but only to send a 1 C' e2 @' U3 [
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)# O2 Y2 ?9 ?) N6 S" l# E
to the VxD Control_Dispatch proc (how the hell a shareware soft could try, c! K$ ]& C9 y4 x5 D
to load/unload a non-dynamically loadable driver such as SoftICE ;-).( J( B. e# B, q+ ~  W- U9 N
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 N4 I4 B: n9 F0 U- }5 V( S. i. j
its handle to be opened and then, will be detected.
9 @; @% R: G, x- S8 Q: BYou can check that simply by hooking Winice.exe control proc entry point
* @" `1 W) I- O( |while running MeltICE.0 d6 R! {# i- O3 ?
8 W# E' n) \/ `( y3 B  T  X

' H2 R" U/ V$ y" b7 |" N  00401067:  push      00402025    ; \\.\SICE& |1 F& ~3 m2 p8 z4 Q) I
  0040106C:  call      CreateFileA
. F' A. F) C" N  00401071:  cmp       eax,-001
8 x) e) I( I: C* N! Y  00401074:  je        00401091. `3 @; ]# A7 {( l

  N5 _! @  o* i6 N  h
! T# ~9 k( ~+ w0 R$ y/ NThere could be hundreds of BPX you could use to detect this trick.; B& T/ T8 Z# \5 f" M/ {
-The most classical one is:! O  K( J* \" T+ r; D& W
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
! j: g) D1 z" J8 E3 z: X: h    *(esp-&gt;4+4)=='NTIC'
( h5 j5 v3 i7 @" {
9 g8 \7 f& w! b& I, B-The most exotic ones (could be very slooooow :-(
2 H' q$ O1 ?+ E3 @7 m   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
/ ~$ `. A0 V3 W7 F     ;will break 3 times :-(6 A- x4 [0 H6 O$ i7 v: T+ k
9 S: o* |* V5 k3 @1 \5 u& z
-or (a bit) faster:
" f! I& P: p4 m; B   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')& X. D  A  K6 T; K1 x3 O
: Y1 y% h( J$ W- d9 k2 }& p; _
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  4 e( V. H. v+ f9 ]3 A
     ;will break 3 times :-(
- v6 z% H9 t( S5 L( g! @2 U: u! U' r
-Much faster:( y5 B$ i3 ~' H1 @
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
7 Z9 N* p3 q6 x4 W& V5 F( e% U
& D6 N; u7 V+ M% m! M6 uNote also that some programs (like AZPR3.00) use de old 16-bit _lopen: Q! A, A- M# S' j5 C" @
function to do the same job:
- m. ^/ b5 x" g& k: w
% ]3 I# i. t) q8 N   push    00                        ; OF_READ5 K+ [( `' R8 N1 Q" j& V
   mov     eax,[00656634]            ; '\\.\SICE',0
# h- N. a- R7 n9 U- R   push    eax
) u+ @/ P2 h8 L2 @# B3 {# n; F   call    KERNEL32!_lopen
+ ]  x/ b% a$ ~  J; B5 f   inc     eax
3 `2 t3 G9 h7 Z% G) X, M# b. n   jnz     00650589                  ; detected, ?, |) z, V2 O3 u" b2 X
   push    00                        ; OF_READ
6 ]3 u3 a3 K  L- l; E   mov     eax,[00656638]            ; '\\.\SICE'# m) G* T- h0 a6 w0 B
   push    eax1 J% i# I' ~0 F4 V
   call    KERNEL32!_lopen
. v2 T9 X! Z% d. g. @( ~0 ]) ?   inc     eax
7 }$ L# \' v3 y. N5 H   jz      006505ae                  ; not detected
+ X3 _" i; Z+ r; p! q) t5 i
) ?' l6 L1 I# Z6 D7 w- n) D) H
5 [$ a0 J- }6 d. C/ Y! _% i! g__________________________________________________________________________
4 S# H0 J& f5 A$ p( b5 O: d% p
" @  m6 u+ `6 t6 u/ F1 \7 UMethod 12
- r6 X" C: B/ o! q% `=========
9 V6 h# l8 W6 {, L4 r& K6 I5 T1 s! ~4 W6 T$ n  x) U1 ^. ~/ u
This trick is similar to int41h/4fh Debugger installation check (code 055 D% x; B: |% B2 m7 f
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
# Y1 M# b, D% I* `+ _2 s3 G1 i" [9 Vas it uses the VxDCall backdoor. This detection was found in Bleem Demo.- `; O$ g0 R1 E1 n7 R& K0 r

- p% ?; L( p) X7 Z8 [   push  0000004fh         ; function 4fh0 w" b- ~# p9 h/ J* `
   push  002a002ah         ; high word specifies which VxD (VWIN32)2 i5 K5 T: i7 T. b& T4 z
                           ; low word specifies which service& h7 ?+ J2 q' P) ]( g7 n" l9 h: _
                             (VWIN32_Int41Dispatch)# `. f3 k4 x) c) F; R
   call  Kernel32!ORD_001  ; VxdCall1 O2 u: n" R- m/ G- k9 I
   cmp   ax, 0f386h        ; magic number returned by system debuggers
/ X$ h# o' ~6 J6 c3 D   jz    SoftICE_detected. Q( }; d/ ^; @' e

7 V+ ~, L8 z! |Here again, several ways to detect it:* L9 K. e2 u- H0 ?' m1 B
& b/ u+ D  B, ^  e4 ^% f# K
    BPINT 41 if ax==4f/ T# s( x3 Y1 D1 T* O

- N, E$ Y+ ^" g) U9 w" \    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
) R0 t% e( V5 M7 {
) b" Y) `  H! P! x' o6 S! e    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
; p+ g) z' r, y% J7 c4 w6 A
; q- f0 h4 t% e# U  p* x    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
- K" S+ H) b( C. X2 {5 a( u( o) c4 `0 l5 y
__________________________________________________________________________
/ }) U8 m% Q+ K) i/ y% ?, W! h8 W( i% j7 l6 [! T8 f8 A
Method 13. X+ p  t  M) c8 V
=========# F9 Z7 ?5 @7 P5 }* k' U
) }. b: o! k" Y7 O" ?6 W6 s
Not a real method of detection, but a good way to know if SoftICE is
4 t2 X3 ?% `  ?8 _! qinstalled on a computer and to locate its installation directory.- S) F) h& `* v! ]: h! S' c
It is used by few softs which access the following registry keys (usually #2) :# j( j# Z1 R, Q6 i
1 {$ _* W  Y0 e. a1 X2 f- M
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ o8 [5 J& n$ i2 r
\Uninstall\SoftICE
9 |& V( x% k% F$ ~( g& M" b% c9 W4 J-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
3 k4 {$ F$ b' _; A0 D: O7 _2 k1 O6 e-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* p$ W8 o" n7 q. X. w- u\App Paths\Loader32.Exe
2 N3 G0 E; T  x5 N, F4 I( H5 N1 M! I
8 E( ]/ Q) a5 |- T8 {
Note that some nasty apps could then erase all files from SoftICE directory
% U8 g' p* G% m' Z( B" e* Y(I faced that once :-(9 K) {/ w- F9 a, u+ o* L
; H' _) V8 }; Y: t
Useful breakpoint to detect it:% }) n/ t. }3 g/ t0 M5 J3 F, ~

& I+ a6 v& e. A- s* U/ }  ?     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'0 N1 ^0 R' g5 B3 u
* ?7 m+ U5 I( Q0 t4 }
__________________________________________________________________________+ H& w* a7 u7 W2 p: e' b8 F
$ t; @: j! H; @/ {9 i
% {  H* ]" D; S; D; c  r5 @
Method 14 8 ^6 o( Y# Z9 u* d$ F+ {0 \& {- B4 r
=========- p+ g' m+ }7 f; ]  b. q! i
2 j" a9 I% i: Q  O
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose3 z1 ]1 \' `$ g# B/ t7 U5 P
is to determines whether a debugger is running on your system (ring0 only).8 _8 e, Y0 M" a) H  v1 D9 o& F

0 D$ m: k4 O2 P" y0 m+ l   VMMCall Test_Debug_Installed6 F* l$ ^  F  l5 v8 D; l
   je      not_installed! A* f3 s6 A+ h0 f

, }6 E# G( e0 E: q* T, KThis service just checks a flag.
# a% @& y8 _' p: _5 g. Y+ O</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 23:02

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表