About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
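Added example, not part of the original post: a small Python scanner that looks in a raw binary image for the byte patterns the methods above leave behind (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs before int 2Fh, cmp ax,0F386h after int 41h, the mov ah,43h/int 68h pair, the 002A002Ah VxDCall, the \\.\SICE device names and the NuMega registry key), so an analyst can tell which anti-SoftICE tricks a sample carries before stepping through it. The opcode encodings are the standard 16-bit ones and the sample bytes are hand-assembled and constructed for this example only.

```python
import re
from dataclasses import dataclass
from typing import List, Set

@dataclass(frozen=True)
class Finding:
    method: int   # method number as used in the text above
    offset: int   # byte offset of the match in the scanned data
    note: str

# Byte-level fingerprints of the tricks described above (16-bit encodings:
# mov r16,imm16 = B8+r iw; mov ebp,imm32 = BD id; int n = CD ib;
# cmp ax,imm16 = 3D iw; push imm32 = 68 id). `.{0,n}?` tolerates a few
# bytes of unrelated code between the instructions of one trick.
RULES = [
    (1, re.compile(rb"\xBD\x4B\x48\x43\x42", re.DOTALL),
     "mov ebp,4243484Bh ('BCHK'): BoundsChecker signature before int 3"),
    (2, re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.DOTALL),
     "SI=4647h / DI=4A4Dh: magic values of the SoftICE int 3 back door"),
    (3, re.compile(rb"\xBB\x02\x02.{0,6}?\xCD\x2F", re.DOTALL),
     "mov bx,0202h (SICE VxD ID) followed by int 2Fh (1684h get entry point)"),
    (4, re.compile(rb"\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.DOTALL),
     "mov bx,7A5Fh (SIWVID VxD ID) followed by int 2Fh"),
    (5, re.compile(rb"\xCD\x41.{0,12}?\x66?\x3D\x86\xF3", re.DOTALL),
     "int 41h followed by cmp ax,0F386h (system debugger magic number)"),
    (7, re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL),
     "mov ah,43h / int 68h (V86 WinICE handler check)"),
    (11, re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
     "device name used by the MeltICE CreateFileA / _lopen check"),
    (12, re.compile(rb"\x68\x2A\x00\x2A\x00", re.DOTALL),
     "push 002A002Ah: VxDCall VWIN32_Int41Dispatch (int 41h/4Fh via back door)"),
    (13, re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE),
     "registry key read to locate the SoftICE installation directory"),
]

def scan(data: bytes) -> List[Finding]:
    """Return every fingerprint hit in `data`, ordered by offset."""
    hits = [Finding(method, m.start(), note)
            for method, pat, note in RULES
            for m in pat.finditer(data)]
    return sorted(hits, key=lambda f: (f.offset, f.method))

def methods_found(data: bytes) -> Set[int]:
    return {f.method for f in scan(data)}

# Constructed sample (not a real file): the page's snippets hand-assembled
# into 16-bit opcode bytes, plus the strings the MeltICE and registry checks use.
SAMPLE = (
    b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # method 02
    b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # method 03
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"                  # method 05
    b"\xB4\x43\xCD\x68\x3D\x86\xF3"                              # method 07
    b"\x6A\x4F\x68\x2A\x00\x2A\x00"                              # method 12
    b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                            # method 11
    b"Software\\NuMega\\SoftICE\x00"                             # method 13
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:06x}  method {f.method:02d}  {f.note}")
```

Running it against a real sample is `scan(open(path, "rb").read())`; a hit is a lead to confirm in the disassembly, not proof by itself, since short byte patterns can occur in unrelated code or data.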