找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
$ Z4 W& y3 W) B- d! Q$ _" J- h* O<TBODY>. [* b/ O4 m+ v$ }% X
<TR>
6 j5 L# G' U0 X. u, s! D<TD><PRE>Method 01 % B$ t% W% o, q( v4 L
=========7 |  S. N! A$ s8 |$ [
9 }5 d5 Z( T0 [" J* j0 f" A: N
This method of detection of SoftICE (as well as the following one) is
' S& [# i; N# x( @% \used by the majority of packers/encryptors found on Internet.9 ~5 d$ `3 r, C4 ?
It seeks the signature of BoundsChecker in SoftICE
# D% [6 g; Z; [9 w3 [# \6 V5 `! Q  a. z
    mov     ebp, 04243484Bh        ; 'BCHK'7 v( H5 b3 u$ i2 e6 u$ W
    mov     ax, 04h
, g- @0 v- B* a! g. S- I2 e1 |    int     3      
. {( r, ~- r3 z    cmp     al,4
2 X! |3 M  ^" ?    jnz     SoftICE_Detected$ m4 d$ q7 N1 n
5 K" S" C0 Y2 B: s
___________________________________________________________________________9 Q8 Q, `% K! P0 |6 c, ]

/ }0 R$ u) @3 R. S) jMethod 022 P& n1 P( `# j8 A' @
=========
0 d# v3 O7 M! V# ~
6 |7 ^# G' d6 e$ D0 m3 VStill a method very much used (perhaps the most frequent one).  It is used
8 j5 {# y6 t+ G* @* i) cto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
- ~3 g2 W; k/ a. r2 eor execute SoftICE commands...2 ?; R$ E" v. b9 h) ^
It is also used to crash SoftICE and to force it to execute any commands
0 o% C) C/ B/ ?& g5 M/ \4 [+ z* b7 x; n(HBOOT...) :-((  
5 a5 y. P6 b: X& J+ R: q" t
2 _6 ~' K. b* |7 g- A5 MHere is a quick description:
9 q  ^! r5 \5 u0 X% Q-AX = 0910h   (Display string in SIce windows)
9 G% t8 o; T+ T- C6 Z1 [. a-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)' I) R( q3 d9 _8 v# x8 _2 l+ I# P
-AX = 0912h   (Get breakpoint infos)
! F! }5 V8 L& O8 S& S2 j. _8 j-AX = 0913h   (Set Sice breakpoints)" ?- L0 y( M$ J  x1 @$ U
-AX = 0914h   (Remove SIce breakoints)4 W' D# L6 [. b* y( s: b! x
& N( s8 r3 O* ]2 K
Each time you'll meet this trick, you'll see:# N2 c4 ]$ y$ {, ?
-SI = 4647h
2 d, Y3 t" {0 z3 l. w9 s-DI = 4A4Dh
4 {7 e9 U+ h5 `( D7 b1 `Which are the 'magic values' used by SoftIce.
/ [) l5 q- k. v0 u% gFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
8 S+ K( z5 {- e$ \  y8 ^; k. t1 z: N% M" d+ `( F( }
Here is one example from the file "Haspinst.exe" which is the dongle HASP
& ~1 |# ]/ a( w' e! S) j3 R$ LEnvelope utility use to protect DOS applications:
9 z1 o& a1 M1 e& e8 Q2 i7 o0 b7 d0 p$ ~0 N; q4 R& d2 _9 Y
% g# [. l( u5 @! Z" V3 w
4C19:0095   MOV    AX,0911  ; execute command.: E3 g: b( N  R5 K$ Y
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).0 ]; I# X8 @6 `$ S1 l
4C19:009A   MOV    SI,4647  ; 1st magic value.
; f- H1 ^1 r8 S) D4 |4 w! L4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
0 |, S  X( }4 O# }1 u. a% v4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)% @6 g; q$ p' J$ A, T4 z% [: G
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute, Q% d; P% r) k/ w0 o3 S* D( e1 ]
4C19:00A4   INC    CX
! v8 |( e0 ~$ {/ A" u& z: O- O4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
  y% z4 N$ }4 Y6 r8 m5 a6 }, i4C19:00A8   JB     0095     ; 6 different commands.% ^6 G6 j' x5 H( H1 x
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
2 I7 k8 z; Z9 t6 @- b( n6 h4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)( V2 T. n# i2 l& j' p% r! E
3 e+ v1 I) E4 F: }, B3 O
The program will execute 6 different SIce commands located at ds:dx, which$ i3 R. V8 y0 K
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
1 i. B- q6 n6 |' z/ [9 l0 l9 N( g1 @3 g6 f( r! q$ a; B
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& b. H' d6 E2 D___________________________________________________________________________* \9 Q: R( s1 ~$ c/ r0 {7 C& f% e9 _

& n' _" ?1 ]5 T1 z( U0 _# U' w8 R. V# h; P& f" y4 B' T
Method 03$ c8 E0 t$ V2 g  f. D' g
=========
  J) \' \- {  B+ T& H5 M7 h( V  [- E/ F+ K
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h. t. Q1 J7 v' P: R# G( T
(API Get entry point)
% F8 O* x+ a, b1 Q( M0 [+ T) |        
# T! g# t# X; M* }  C& I4 W, U
    xor     di,di: z. S: v4 o* z' i
    mov     es,di
  S" m! M: I8 d    mov     ax, 1684h       8 n; X/ j6 g; k% c
    mov     bx, 0202h       ; VxD ID of winice) i/ n9 ^: F; w
    int     2Fh, e- D8 x6 B+ B% G: ^0 g
    mov     ax, es          ; ES:DI -&gt; VxD API entry point- q8 |% L2 s2 r5 g9 {/ T
    add     ax, di4 Z: D* ?) @' z  t7 `
    test    ax,ax' n0 \4 |7 Q+ x+ }' H5 v
    jnz     SoftICE_Detected
1 `2 m; A$ ^) ]9 ^0 \
# I5 T3 j5 k' y* V; i. C# Q; w. m___________________________________________________________________________3 R1 j& j  J( ?# r# A
. |# [: a& Z; J! A2 @; V
Method 04" K$ g" _) X% k
=========
9 b. d. F! E: a9 c9 Q- r1 u# S0 r& }; ?
Method identical to the preceding one except that it seeks the ID of SoftICE
& M4 X6 I) y( E, S; R$ `9 Z! HGFX VxD.
. j7 z4 l7 C' T6 P
: b$ e: o  D; F0 l7 ~. u/ \    xor     di,di
4 V2 M  R4 _; [" X6 K1 n& x    mov     es,di
: v, H, A, D# E" C    mov     ax, 1684h      
3 S' n" p" m% ~8 c1 s, y2 k  ~    mov     bx, 7a5Fh       ; VxD ID of SIWVID8 Z6 n" T( f: T/ c
    int     2fh( i$ ^+ Y; m) I; E, o
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
* _- ]! _+ e7 Y$ ?* L( e1 H) N( A  _$ y    add     ax, di0 S& d3 n' t6 @6 ?( C+ Y
    test    ax,ax
4 a* l( Q5 V+ ?$ r9 n    jnz     SoftICE_Detected
% ?) J4 b* I+ F" L+ }) g& ^2 d3 c6 ?  i5 g9 O
__________________________________________________________________________
! M2 ^3 T' D+ d- E+ Z1 x8 o/ \1 f3 d6 t8 l% x9 z$ H3 s

1 Z2 T2 G9 `1 r" Y# N; TMethod 05  h/ V6 K/ a( U  `
=========
3 {  S" h! j( s/ ^8 N$ q
; o( p6 ]5 }2 _Method seeking the 'magic number' 0F386h returned (in ax) by all system
3 C2 r" }! N) Tdebugger. It calls the int 41h, function 4Fh.
# o$ O# ~& K/ bThere are several alternatives.  9 D9 q6 A/ C8 ]* c6 u" T# Y

. ^' Q$ N6 x* [The following one is the simplest:! n# y  n' v4 S

( @: c) f6 v& J2 h5 j" P6 ]3 Z. ]' T    mov     ax,4fh4 v0 L% ~' J( `& b% o- S3 I
    int     41h2 s0 Y! @& q) Q
    cmp     ax, 0F386
. w$ y  ~: M6 Y" _' t5 ]* v. E    jz      SoftICE_detected
& O( A; V7 n' y
7 V; b+ ?' o, s6 S7 ?1 `8 m
* N! K  T- X, b' ^0 T' gNext method as well as the following one are 2 examples from Stone's
9 w/ N* k3 j8 b"stn-wid.zip" (www.cracking.net):# h/ \( y( F( j/ N! y4 h5 z

; a% ^) F6 c5 V" S, S+ \5 G8 w    mov     bx, cs
) a9 K' F3 a8 {5 `8 |    lea     dx, int41handler2
7 F4 H) d6 |, t3 o; w    xchg    dx, es:[41h*4], I( }7 W6 r& {) c! ^
    xchg    bx, es:[41h*4+2]9 s8 x* ]; V; B% o7 j
    mov     ax,4fh( S2 g! Z  J6 y+ g. ?: Y/ Y. _) J  @
    int     41h
0 s% F: X8 B" Z% f+ H    xchg    dx, es:[41h*4]- {( x( o% {; i1 D& v
    xchg    bx, es:[41h*4+2]  B$ `- @1 X" _+ q
    cmp     ax, 0f386h
% w# I6 ?4 U1 u8 f$ m6 ]: a    jz      SoftICE_detected
9 I2 X* O. d( R
  t) S% v! u) D. \4 _int41handler2 PROC8 O. |+ X6 ~" z' U) w! k
    iret% V. ?' N- U$ d" o9 q1 N+ f5 b
int41handler2 ENDP$ k) W! k' _5 O; X& J

7 E" W( `( U$ L) Z. H! N
% g/ K. l7 W* Y0 u" r_________________________________________________________________________
$ J: R  c7 A/ S5 |8 G* d! H$ e+ v, L# U! A3 c

" _  R# N/ ^0 s( |: \: E& m9 OMethod 06
) {4 T9 o5 d9 W+ S5 Y=========
) C/ o, \6 G4 D! f  b- T2 X5 b+ Y0 {5 n& f" B- W; c

0 W) u% e6 q# {2 c2nd method similar to the preceding one but more difficult to detect:/ o3 D2 C& v, V2 p
5 T6 l  H1 w- G- R

9 E6 A0 N0 u. [; nint41handler PROC1 f9 h- [$ C0 b( l
    mov     cl,al
0 @. e# e! o! i4 I: b' _3 j7 a    iret
& a4 T9 `: p; dint41handler ENDP
8 s( U3 u  s  I
" ~; R( G9 B6 I: v
2 p- h; O2 @' E4 D9 `/ C) S    xor     ax,ax/ M- Q. |: j8 ]9 T9 \: M
    mov     es,ax
: g# S0 W+ R0 L! P6 r! ^3 _7 V7 j    mov     bx, cs& N8 I4 x  \  v
    lea     dx, int41handler
: ^% m. Z" X- t    xchg    dx, es:[41h*4]5 m0 |6 V( _8 L% g- X
    xchg    bx, es:[41h*4+2]  a5 }! B2 F: Q" K) H8 y/ O
    in      al, 40h" Y/ k  l) j1 C: Q2 C" b
    xor     cx,cx
3 S. L) n1 y2 \6 y3 p* h8 Z    int     41h6 N, g9 B; f! P6 E2 \$ g
    xchg    dx, es:[41h*4]
4 u. l2 w6 l, q5 x0 V) L    xchg    bx, es:[41h*4+2]
% S2 N$ A. y& L1 C* C0 v! W    cmp     cl,al- W, \1 t6 p9 Q
    jnz     SoftICE_detected+ `) f( n- @% e" g' F

6 A" M5 j* |" z* k% `. C3 o_________________________________________________________________________
: ~$ _7 ~6 _) Y" O5 ]% l9 C+ C; Q1 [( R8 T! Z; n6 D6 ]! h
Method 07+ w1 |7 i' n% l7 I
=========  u& x6 w8 z8 E1 B, v1 E
8 f7 k+ S7 ?3 x) @4 U9 j* N  y8 S" ?
Method of detection of the WinICE handler in the int68h (V86)
  x! ~  ]" e; {: T$ k: N- o+ ?, D% r6 l; t/ Y- E+ u9 s$ L8 c
    mov     ah,43h
4 O0 Z# Q* \$ V5 x2 g9 E    int     68h
, I: Y9 W5 U8 Q    cmp     ax,0F386h# y# C2 O. `! ?0 R6 z
    jz      SoftICE_Detected
! B+ R; J  F  u1 J8 @# N# U% u: [: s: w- f3 s! k+ H7 P
- F- S" S: l* ^: I. q: }
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit' B' J; t; I3 G/ o
   app like this:
# J0 X5 `. m* O1 Z1 N
/ n( c) d1 w' d- C  \3 _   BPX exec_int if ax==68
3 {% L9 V6 d6 s! v, T* r   (function called is located at byte ptr [ebp+1Dh] and client eip is) ~6 I8 m* \5 J6 x3 m
   located at [ebp+48h] for 32Bit apps)
0 |' M' @: P+ T: Z- Q__________________________________________________________________________; y" w5 _. n: H# b9 x6 F5 A( k

8 g4 U7 _; x2 d( z) g: I& q/ n5 @& T: C) T$ [' X# C4 Q
Method 08
$ V9 R( H' P. Y$ ~" l=========# B) D9 K! H; I" S9 ~; ~6 _

$ w+ N2 d# Y) H( c. }It is not a method of detection of SoftICE but a possibility to crash the
8 P3 W$ F% ], z2 M1 e4 h" asystem by intercepting int 01h and int 03h and redirecting them to another
9 t! R/ b2 R7 L+ ?5 ]& zroutine.. J/ ^. A# I- M" W" T( }
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ B7 ^5 b6 I+ r! ~6 r: ~
to the new routine to execute (hangs computer...)
; B9 C5 E5 K/ d4 y) b& o
4 D! O# `  G4 ~& o# Q2 {    mov     ah, 25h8 s$ }( ?, I3 k3 g1 x/ m" X
    mov     al, Int_Number (01h or 03h)( i6 r* ]  u4 i6 ]3 v
    mov     dx, offset New_Int_Routine1 m/ ~& |1 B0 O) o0 B7 L# R
    int     21h# _# l9 [: E' a: H0 {
0 C7 [0 {# a1 q' ?7 O
__________________________________________________________________________% R8 n, P" H7 k, W1 O  M2 g+ N/ u1 F$ _
5 z6 e% D! i: ?9 y- U
Method 09  H$ l! _5 R6 T" @" ^5 [
=========# x2 ?5 g8 O/ D

2 h  Q* m8 l6 ]+ qThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only, K( |' i7 @/ `
performed in ring0 (VxD or a ring3 app using the VxdCall)., l$ N) N: ~4 U7 }
The Get_DDB service is used to determine whether or not a VxD is installed
2 ^1 V7 ]9 U6 j7 cfor the specified device and returns a Device Description Block (in ecx) for/ P$ ]  I& }3 D) b6 z
that device if it is installed.4 x5 V7 l6 ]2 t6 Z
. j9 I/ T0 e& K' R# X0 }
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID' `! Q7 W. k  G; c5 n
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% q; i* H7 x4 A+ L; F3 n. c" ?   VMMCall Get_DDB
4 w$ p* _- n( U9 ]6 r' _1 L   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
/ ^& n( u* q& G+ G
, W" g0 ], @. `* N: [  q- ENote as well that you can easily detect this method with SoftICE:! Y* G7 R# w+ H- Z0 K
   bpx Get_DDB if ax==0202 || ax==7a5fh
! @2 c0 G2 i/ C, l9 X. L+ \9 z+ t
4 o* U* l. o1 N4 w  w__________________________________________________________________________
6 G* p2 I0 P6 w$ A
! [7 F) |; C" BMethod 10
$ U$ s* `+ ~' y" [, |7 X=========- q, j% @# }6 `  w1 w
5 @* n* R7 n& s+ K, b! H
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
0 F  j) x/ t# w* z" ~  SoftICE while the option is enable!!. F* M0 B# l5 D; d$ q5 z8 u. ]
* }7 L4 D3 r! V5 n" P8 y
This trick is very efficient:
7 M: _1 A+ {+ ?: @; h1 iby checking the Debug Registers, you can detect if SoftICE is loaded& G) N; |8 V# E9 G& C4 {2 T4 F
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if) p# K! \- }9 D) Q( r3 H. v' A
there are some memory breakpoints set (dr0 to dr3) simply by reading their
0 k: d* q' o5 Q" C2 }value (in ring0 only). Values can be manipulated and or changed as well2 F' C9 @" b/ R+ d9 @. }$ _; f" L4 R
(clearing BPMs for instance)! U5 R, {# G3 J% W  l

6 G) ~: Q. S+ m3 X2 ?& Y' \__________________________________________________________________________
) x3 r& J& T) A% o) M  M' k2 i: I9 v  j3 [
Method 11
9 S* d! F9 i6 ~1 R6 d=========& E3 g' g% ]. r* T" A
2 J/ B: d4 B4 l4 W( Z7 D
This method is most known as 'MeltICE' because it has been freely distributed6 N1 N) V7 Y: |( R- B
via www.winfiles.com. However it was first used by NuMega people to allow
2 P0 M% i% W9 s7 _) B6 BSymbol Loader to check if SoftICE was active or not (the code is located
& ?+ P3 H( R7 M$ yinside nmtrans.dll).0 C  K6 a% U( v6 z+ q
) T. f7 Z& O; v* ^. T5 v  z
The way it works is very simple:
% A' o( o/ [( B, D$ P8 h" {It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for! D7 r! k8 d$ g% g
WinNT) with the CreateFileA API.# H4 P# M# m. k5 w; \* l

  ]( j: r: X! k; W- hHere is a sample (checking for 'SICE'):
, B+ b* B6 Q! |1 I# \1 S0 n
, R* l8 o7 E  ^" h2 U" u- \BOOL IsSoftIce95Loaded()
" l* R' M# K3 j5 L# v. Q0 p{2 ~- ^1 D6 J5 W& d
   HANDLE hFile;  
; L% W2 Q% T+ Y, j& k! d( p   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
4 H/ i1 q  q$ `5 W" S7 d( K                      FILE_SHARE_READ | FILE_SHARE_WRITE,
) z3 p$ K) R, Z* N0 m                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
* p" g5 q" F# X- a( ^* z6 A" m& H/ [   if( hFile != INVALID_HANDLE_VALUE )
% g& P$ ~5 A/ O: L   {5 k  m4 N% _$ [+ p6 X7 I) j. J
      CloseHandle(hFile);. f4 K* L) O2 {! n8 M. U- A
      return TRUE;4 J7 }2 k* {4 R2 W
   }
5 y4 z/ W6 q, f$ B2 B   return FALSE;8 h+ l) G: m" J. m
}, P+ F! `2 y3 G6 F
" ~5 B" [: x! \( O& v0 _8 K" V
Although this trick calls the CreateFileA function, don't even expect to be
) ~$ }+ `! @* Z- S9 cable to intercept it by installing a IFS hook: it will not work, no way!2 t2 x, v+ Q! B
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
( P+ k$ A& }4 j1 c3 Y/ Tservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
2 q, m8 B1 B6 \: E: Sand then browse the DDB list until it find the VxD and its DDB_Control_Proc, g3 S6 t% ^0 l) Z7 M8 c
field.! v+ i& V$ ]4 q; I4 x8 [% {9 a4 E
In fact, its purpose is not to load/unload VxDs but only to send a
6 E1 T4 |6 Y6 zW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)% W: k7 k, R3 {3 q% X9 z  Z. ~
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
# I) C! |. i! @! m+ f! O; sto load/unload a non-dynamically loadable driver such as SoftICE ;-).
* ~) ]  i) d1 g# E/ M: N( R9 @* TIf the VxD is loaded, it will always clear eax and the Carry flag to allow
  e! _9 y/ \) s+ P3 d" \) d0 ?its handle to be opened and then, will be detected.# e9 z9 D$ a0 Y
You can check that simply by hooking Winice.exe control proc entry point
  e1 s! o) O/ o0 Vwhile running MeltICE.
% {  w* a' n0 @5 G
0 @4 d- ?9 M9 C9 [: N1 c- S; ~; M7 H1 L, }, P7 J. `; {
  00401067:  push      00402025    ; \\.\SICE
1 Y) |+ X! o5 F; H9 e8 q  0040106C:  call      CreateFileA9 l9 X5 @  v3 m' S7 P7 J! j6 M
  00401071:  cmp       eax,-001
% }: w5 _5 }" P  00401074:  je        004010910 C5 e& j# @# c

: W4 G. ~1 I6 e5 I5 `# I
) r& e9 U6 {6 IThere could be hundreds of BPX you could use to detect this trick.
3 A5 v, C/ J! J, s-The most classical one is:9 h6 V1 h  f2 J. q3 Y
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||' C( h: y2 i$ o& H
    *(esp-&gt;4+4)=='NTIC'
" J3 k9 a+ j2 F7 o1 J* O$ y4 G8 m. }
-The most exotic ones (could be very slooooow :-(2 B# i! v. |$ w/ J+ I1 P* t9 L
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
- {0 g! V0 k2 k$ F     ;will break 3 times :-(- s; k# K& A2 s5 L. k( w

6 |4 J7 X/ r( I6 ?8 i/ v/ z; z-or (a bit) faster: & Z% ^% R$ l- D; a8 [  I
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
& h. V6 w* v# i( A" n
4 I# s3 E% R9 c1 \7 ]$ K   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
8 O) j0 _6 k& R; w6 D; N     ;will break 3 times :-(
8 D4 U$ I, U, s
  Q) P% X3 t  f3 |. p4 k* u-Much faster:
  ^  H0 }6 \" q; v0 h   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'2 K# e/ \9 t  u8 `6 s

- P+ S' I2 w6 [9 |Note also that some programs (like AZPR3.00) use de old 16-bit _lopen4 m$ t# E) O8 P: Q
function to do the same job:
/ i7 ^+ n, ?* \! r7 j; ~) y- |8 p5 X; C
   push    00                        ; OF_READ
# w8 y. s4 s$ p/ Q7 }# j7 ?, `   mov     eax,[00656634]            ; '\\.\SICE',0
4 V( C' f/ Y" ^3 a# }   push    eax: g( e, g3 Z/ B% v) y/ f
   call    KERNEL32!_lopen
) P- |( g: E1 X! c9 X9 \- s   inc     eax
2 a' `! \5 B8 u; K   jnz     00650589                  ; detected
1 O1 s* c% g- q: K  x   push    00                        ; OF_READ
4 k3 @9 {5 G  e2 ~: f   mov     eax,[00656638]            ; '\\.\SICE'
5 N& |8 L' T/ l) J; {' X   push    eax1 F+ N- B4 A& v! G" f2 ^+ ~4 G* H0 L
   call    KERNEL32!_lopen7 o5 z& ~2 ~9 o
   inc     eax
( K4 u( p0 ?2 L   jz      006505ae                  ; not detected
- s5 j. ^9 A+ L7 `, s' V
2 y" {+ @, x8 p; i' \. f+ f$ L, I' U9 ^- j0 i! _8 ]: i4 f
__________________________________________________________________________3 U& f1 e" G8 N8 b% |" v+ @/ b. t
$ A$ a, q: S6 [
Method 12& R' `$ h$ V4 w# Z5 N+ p
=========
! i# [' L  f2 R, G/ t+ S, `- }& b7 ^5 A' C- K9 Z
This trick is similar to int41h/4fh Debugger installation check (code 05
% h6 Q( M0 C* m&amp; 06) but very limited because it's only available for Win95/98 (not NT)
  @5 M1 w+ n- p0 Z0 V& j7 w" o) Xas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# g4 m  S9 C4 x, ?: Y/ s( m) R8 D. {! \* p7 H4 M
   push  0000004fh         ; function 4fh
; b+ ?  x7 i3 u0 A   push  002a002ah         ; high word specifies which VxD (VWIN32)
. J5 K- F* b" E2 K0 `$ M) r                           ; low word specifies which service
2 p8 f/ L( M* B/ ^                             (VWIN32_Int41Dispatch)
3 b" Z6 K& q0 |8 R   call  Kernel32!ORD_001  ; VxdCall
$ K: N) o: b% @   cmp   ax, 0f386h        ; magic number returned by system debuggers
3 x* \- }' U1 f5 j: a   jz    SoftICE_detected
# |. K3 s, a- {$ ^$ K, ?( B0 o0 Q) B4 E1 d7 f8 T4 L5 ?# p3 P
Here again, several ways to detect it:
: h9 t& v' p  W5 V. U# a' a# J; T, [) k9 q5 h0 y) Y' I- P
    BPINT 41 if ax==4f5 K' i, l2 f6 a- c/ M! i
  B+ Z; |5 v" @3 @2 H0 a" j& f
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
, H& y" A3 P3 Q0 r  m: U! u
* G, R8 R  Y. ?7 }& M    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
+ w7 e; \5 Y% g8 V% x/ X, H9 \7 h- O
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!0 L$ b/ P) H7 v, G
( w/ Q2 n! I6 y8 ~7 V
__________________________________________________________________________
) C8 \3 v3 |0 l, c8 T' b
0 m1 F1 |' S- e* MMethod 13% |. R8 s3 v- Z3 T- Y, ^
=========) r& `/ P0 t- {& O7 V+ u; U

: b6 y: G6 q* G' A3 oNot a real method of detection, but a good way to know if SoftICE is1 j- a9 i% }8 n7 B7 D
installed on a computer and to locate its installation directory." {. [4 [9 L/ ?2 D
It is used by few softs which access the following registry keys (usually #2) :' v( A5 t7 W5 V! P
$ H( V# n0 t1 b, _' x, @, u
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
; q) W% h( V# {  A& S\Uninstall\SoftICE. ^! _2 p3 j* Y6 ]. R& b5 W
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE" i" ]+ h3 a3 F# j
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion2 r5 @, B- E: s
\App Paths\Loader32.Exe$ Q8 I: C8 d; `: r2 ]
: u5 Z4 g' ?1 x" y/ Y0 I% F

& ?9 U+ t) h  H& [3 M( C$ FNote that some nasty apps could then erase all files from SoftICE directory. f4 [; C& l8 m, o
(I faced that once :-(+ F: R5 i" z8 b' t' ?1 L
2 v; A- J2 D4 Q% l
Useful breakpoint to detect it:
4 o; t, i, G5 g  Z! I- R. x$ }" }6 v* `& H4 A4 r6 N5 A
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE') x6 @8 R" B( F& L1 |7 T( ~  x
# x9 d/ J9 W4 H0 S3 j
__________________________________________________________________________
# @& d3 d# y  v. g2 |
# Q- N( e; g" F& o" w0 }' {0 A5 r) d
1 z& {  I! ~2 Y* x7 \+ dMethod 14
* ?. L! y! V1 D=========( `( h3 v# O# D! \  M& s/ T

2 V5 w% J7 p, H, K8 K3 C2 G" CA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 G/ U4 _% y; K; c# x! ?! Q" Nis to determines whether a debugger is running on your system (ring0 only).
9 Y' `$ ^" S  `. R1 {
2 P+ Y8 |$ |5 q0 d$ r3 `( M' w   VMMCall Test_Debug_Installed7 x4 R, n- ~: S3 [
   je      not_installed
3 x3 L, J5 k3 `' l8 M' R# K; f% c7 U$ o) q* c$ `2 Y
This service just checks a flag.$ s3 Q2 F5 V" I) @/ t
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 00:51

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表