找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>$ I5 b6 j" y9 J7 l1 o3 s
<TBODY>" y1 Z9 q) ?0 [4 s3 \
<TR>
0 L3 B1 u- O, f) P' c+ w# \<TD><PRE>Method 01 . }) `$ b* U; R, z& T& V
=========7 @6 S6 t0 F  ~) G+ K2 T

$ m7 K; z. w: X0 x; ]: xThis method of detection of SoftICE (as well as the following one) is
7 W7 Y9 h0 s0 o5 v& xused by the majority of packers/encryptors found on Internet.
* j4 [' D& t5 z9 r' {) L/ _2 y; W* rIt seeks the signature of BoundsChecker in SoftICE
" C! G0 W$ W7 z" l
% L* e2 r1 \# U- F$ D    mov     ebp, 04243484Bh        ; 'BCHK'9 ~* Y, Q6 i- G2 p' a6 ^
    mov     ax, 04h" \( @& Y8 e$ P" A$ [) s0 P8 Z
    int     3       / y( A' ^! d# l3 y) |$ H# c
    cmp     al,47 C7 p7 c$ ^. ^
    jnz     SoftICE_Detected5 e7 w4 y& F9 {9 C% {$ O0 f

, C8 N! G9 T/ D+ w___________________________________________________________________________- c. Z  r2 r" F0 L7 Z" Y& P
; c1 f2 W. O0 t, k4 j
Method 02
- M  Y2 G& J! }0 H: d' T- L=========
* f  b  b1 k' W0 s  S' v
, ~3 |/ a% ?( G% UStill a method very much used (perhaps the most frequent one).  It is used4 S: b1 T% F6 Q& ?; y; r$ `
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ _! o4 X1 `" ]+ n4 O6 z. h) vor execute SoftICE commands...5 v, ]7 E# j/ B- l& `- e! `3 D
It is also used to crash SoftICE and to force it to execute any commands4 ?! i/ i: r0 N& |
(HBOOT...) :-((  
: ?' I3 d9 R0 y& l7 X4 v' D, n/ u' b4 ~& {
Here is a quick description:
0 J8 }8 T# |0 _# P' ]-AX = 0910h   (Display string in SIce windows)
7 Z& e% Y1 I9 A5 X-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx); P# i4 @, \3 ?
-AX = 0912h   (Get breakpoint infos), e% o6 }* e0 x* K6 b# ]. E3 y
-AX = 0913h   (Set Sice breakpoints)
$ W& Z9 q" p, o# x5 `8 k9 F-AX = 0914h   (Remove SIce breakoints)4 p; D- j; P3 e! p
6 Y  F  z6 _  D% Y8 u
Each time you'll meet this trick, you'll see:
7 e4 J8 r; n5 m3 N-SI = 4647h  Q( }8 q' R% p9 z( G
-DI = 4A4Dh
. A- Z2 ]9 Y: |# J+ i1 b7 NWhich are the 'magic values' used by SoftIce.  j4 i1 Q) }* `) Z) w
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
- L3 z+ e4 Z# x7 q  {" W8 m4 M' W
* S6 \* _5 B1 {0 H& q: LHere is one example from the file "Haspinst.exe" which is the dongle HASP
. S$ D" q. `9 R: PEnvelope utility use to protect DOS applications:& Q# s2 I& z8 T0 K
+ y  |6 a) C- Y0 N

1 u! f- o) s* s4C19:0095   MOV    AX,0911  ; execute command.# \2 j2 ^% H# m& b& ^
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).' n4 d/ @5 l5 w  c' A+ f
4C19:009A   MOV    SI,4647  ; 1st magic value.0 e& Y6 I+ s5 j- C/ M- l
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.+ g6 ^" T% D' s, ?
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
# c; v* |  k. r+ f; E5 w4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
& R8 j( g" l1 U; {4C19:00A4   INC    CX
+ p% R& F/ @7 L5 k, G4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
% k2 r  s9 X2 J8 J% O4C19:00A8   JB     0095     ; 6 different commands.6 [, X5 v; B, Q& R$ ]
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
6 D( _5 r' j/ D4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 p6 K% o" r) l& h# X* c# X4 p
: {! f  f$ d. ^0 w) V, nThe program will execute 6 different SIce commands located at ds:dx, which
$ G. H; i* w' Rare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.& J- h/ B( n/ r  h0 M

1 B' B, M5 w9 D  x# C( `* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.. g' _2 F  L4 W8 m6 v- ^! Y
___________________________________________________________________________4 ~& t5 i" H- v/ a

" @* \, I0 K: u9 n$ U5 [% t3 Y5 P% N- @# b' I  X
Method 03( N) T; K  ~$ m6 ?  k: r
=========8 W& j" ^2 d+ q6 P0 U
8 Z4 M# h6 |* v" R3 [7 T. J7 K
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 l* p+ x  ~# G: W( ~/ p+ i5 @(API Get entry point)
$ C# U6 ?5 t0 B& n; i5 C3 s% [        
/ E* ~, D+ K  U# E/ {) t# c+ C6 D+ w: K" ?" p6 d8 o6 A8 c
    xor     di,di
' k2 k+ S/ d1 N3 t9 U( y    mov     es,di
4 V; G* g0 [( T    mov     ax, 1684h      
1 s' T2 q5 w$ o    mov     bx, 0202h       ; VxD ID of winice
# q7 C4 G2 U# D3 p- {, M, X    int     2Fh
4 d: B, i+ `, _3 |    mov     ax, es          ; ES:DI -&gt; VxD API entry point+ W/ C# r$ W7 @1 s, R8 H5 T
    add     ax, di
) @+ J& y1 \9 v/ L8 v$ u( W; Z* @    test    ax,ax7 a' \* z6 ~* o0 @+ M/ C
    jnz     SoftICE_Detected
' L3 F" ~/ t. n! B7 Q1 G$ c
! G6 ~. n7 n0 \/ k; Q___________________________________________________________________________; q; w" s: Q  |$ ^

, p0 @8 l+ s' b; x# N# `- I, mMethod 04
& M; ]% I7 i5 D: G7 o=========
# ]/ f- J+ u: V" G' c, V1 S8 U6 X' s% K6 ~: q3 ~! w* V2 B
Method identical to the preceding one except that it seeks the ID of SoftICE. o) e1 i3 b! W+ K
GFX VxD.1 J/ o1 E: I( r: U

( b- ~6 R) h5 D) m# q# s    xor     di,di
9 }- r. a; H" _% I5 I    mov     es,di, C$ [9 f% i7 g8 Z" L2 [* H
    mov     ax, 1684h      
6 e  V9 D& P$ T, k6 E    mov     bx, 7a5Fh       ; VxD ID of SIWVID/ X, C0 v- h6 y. W; w- f4 ~* D
    int     2fh" p4 y! O$ n% U4 c$ G
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
8 f8 D5 _9 i8 b4 {    add     ax, di' L! E' A$ X2 g. W1 h+ v
    test    ax,ax: a. R% k" D" k. d/ f1 ^5 O7 m
    jnz     SoftICE_Detected0 n' X% R  F% A. H; D/ }6 B

2 N" k  h6 u0 e$ W0 p__________________________________________________________________________
. w8 }# ^' C3 j* p5 y# x8 R
; B% X! l" }- L% W6 o; \2 S* d) q" p/ J
Method 05
8 i# v* ~5 h  {' d  J/ N=========
& \6 I2 P- v7 c2 ]2 j. p  l) L$ \
Method seeking the 'magic number' 0F386h returned (in ax) by all system4 s% C& e. H4 ~! d; s; g+ e
debugger. It calls the int 41h, function 4Fh.: m+ c0 X1 M" D
There are several alternatives.  
6 ~) D( R% `) a) L0 K) x2 L2 c5 Y3 @" A/ J2 J3 Y* j/ ]9 r
The following one is the simplest:
) s6 o# M8 b0 z- r- r  K' [/ e( @( I) |3 D
    mov     ax,4fh
' S6 T7 p+ T" X/ f9 Z- ~0 K    int     41h, |# B% j9 Y2 o7 e7 p( }
    cmp     ax, 0F386
3 B0 m9 K& c% z3 I& H3 O    jz      SoftICE_detected- m) O1 _4 Z$ V) `3 p
9 d4 I8 B* x4 g

- J4 Q6 ]/ E% O9 sNext method as well as the following one are 2 examples from Stone's
) q( i# A4 f9 |4 p+ t"stn-wid.zip" (www.cracking.net):
, D8 D+ z& n1 l! Z9 \2 O* _/ I+ c2 K$ L! j$ ?- ^( g
    mov     bx, cs9 Z& W% W+ i6 E" F+ b/ v0 o
    lea     dx, int41handler2
" j0 R+ r& C8 }  _' K    xchg    dx, es:[41h*4]" s5 n' C% o7 L) P( m- _0 i
    xchg    bx, es:[41h*4+2]
. |7 \) A9 [& y* F0 Z! W    mov     ax,4fh; x+ O6 o% n" H+ i' B
    int     41h% F3 D8 e% @, ^, N; m; c
    xchg    dx, es:[41h*4]
/ m" s% i' q& g5 h* H6 W7 J    xchg    bx, es:[41h*4+2]% O5 P  X9 c4 Y" [8 O0 J
    cmp     ax, 0f386h' V( k7 K* R: C  h
    jz      SoftICE_detected
  k7 G, [  a: ]6 q  P2 u4 C7 X5 y! o
int41handler2 PROC
0 o) j" C: r4 |  W) {# S    iret
1 f* ?5 w( ]" H* j/ L4 I3 h1 Cint41handler2 ENDP) ^7 @, M0 s5 X, z. g0 |
( n6 g% l. d) f7 u5 j
! T6 [0 a" q1 R$ H& f7 E
_________________________________________________________________________
0 W( A8 [1 a6 ~8 Y1 W( n
" y1 ~2 e$ {# O3 u/ M2 K4 m+ `6 f
& H! t! S: ~5 o% q; JMethod 06+ g* X3 f7 c8 H8 {1 g
=========
2 r! f4 R7 L0 X$ s/ O. h3 v0 {
+ ]. ~4 c% _5 m! L
' F' t6 Q% J) w3 v2 Z. o. X3 _0 G2nd method similar to the preceding one but more difficult to detect:
; [1 I) H; w; [" l
8 Y* f* p. r% w2 N6 |0 L- s) d+ Q, Y; |+ b; Q# d8 f
int41handler PROC- g3 L" _/ t3 N0 Q) ?: h7 ^
    mov     cl,al6 c9 d, {3 X; t! g' ~: P# A
    iret
- ?3 t/ P. X' a/ Xint41handler ENDP* q/ {# g" j4 k9 ~' x1 }& K- T

& y/ z& g) s  I& a, l; D7 T( ^& l& B: q( x1 `# J8 `5 P5 x5 ~# W
    xor     ax,ax
* g$ n/ [+ k8 V# g3 j: s3 v    mov     es,ax0 I5 |, q2 @' `( T
    mov     bx, cs2 i4 w; @" f' N% H( D/ a! g  @
    lea     dx, int41handler' R6 Q7 q" l6 L) E% n2 Y) {
    xchg    dx, es:[41h*4]
( |2 H# E+ B$ C) Y! F    xchg    bx, es:[41h*4+2]  h. V8 F' [, L# ^) j0 \
    in      al, 40h
1 k7 A9 A. q1 W    xor     cx,cx3 K0 q% ^, V! q/ L1 g
    int     41h
2 z7 C+ i! _3 ]* H% j, g( W) Q# P    xchg    dx, es:[41h*4]  v! W6 l9 f+ L
    xchg    bx, es:[41h*4+2]
) _* [/ [% q, k' v, `    cmp     cl,al
. A( f. u+ Q4 M    jnz     SoftICE_detected
0 {( M$ R# ^6 u9 l
; D2 p% {  d* s) q$ t$ E. I_________________________________________________________________________9 R" w8 Q2 j0 n$ h% {- e; m

% v9 ?' s$ E0 P: JMethod 07
! e, n, k: p* {=========
  V. ]. I$ D+ H; @2 ~" X7 U9 S% [3 Q% n& w1 I) O6 l2 }! w+ l% a4 o( L
Method of detection of the WinICE handler in the int68h (V86)
% g9 ~' R8 D( \) n) F
  ?  c; [; @" |- k6 J* h/ K: g    mov     ah,43h2 w* I1 x* c% i' }8 o, C
    int     68h
$ S! q9 T# l6 l    cmp     ax,0F386h- S, `! h) Q, W1 ~$ s1 |- R
    jz      SoftICE_Detected: K9 d2 S2 O) M

7 _* d# a& F  x# B5 u- U' @5 r5 z, b; _
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: _6 M) n! v4 F7 _   app like this:
6 L0 `" m- d+ k7 U
, }" i" G5 H0 f   BPX exec_int if ax==68
& E. ]0 @/ L0 h, h   (function called is located at byte ptr [ebp+1Dh] and client eip is
: p8 Z% ~% s! [8 N' L   located at [ebp+48h] for 32Bit apps)
" H# }* c3 M3 D: O  B5 g__________________________________________________________________________5 z( _9 J3 O+ P  i* W3 E8 f% F

/ Q& N5 x4 A3 L
0 k4 J7 M  a9 }: _5 Q/ D) RMethod 08
- T9 C# W, \5 b$ L2 J0 x=========' b8 y- @/ d3 ^7 n$ \# ]

1 p! F4 S$ a) \$ I' K2 t6 UIt is not a method of detection of SoftICE but a possibility to crash the9 i( h4 T; O' D( N! ?# H) {8 u$ T
system by intercepting int 01h and int 03h and redirecting them to another
) {. ^- k/ n6 x+ vroutine.
, q3 C1 Q& G) \2 h( PIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# z1 Z/ I! H7 x7 }2 ]& s
to the new routine to execute (hangs computer...)
0 j, Q9 E, l6 D4 K' a# M' w8 ]9 X+ p- t2 r, H6 h, C  Z
    mov     ah, 25h9 G+ ?3 Q, q# p8 I8 R7 S$ i
    mov     al, Int_Number (01h or 03h)% D( h) P5 L* U% Y  k
    mov     dx, offset New_Int_Routine
( G/ Z- G7 \  v" y1 r/ p$ M$ Q' v    int     21h
2 W% o4 B5 X" r8 ?8 N6 S6 q
% S$ K. U% A) B( t! S% _4 Q__________________________________________________________________________" y. g% I, l3 J
' _% O, W" ]: X. H/ Z
Method 09* x3 @3 A8 v! G" {- s: b: W  p
=========
0 O- n1 D( Z, W. {+ h2 @+ M0 k
8 y. _) \" P+ |3 U9 H) zThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only) o2 N3 P5 l4 h1 z2 {+ p, D
performed in ring0 (VxD or a ring3 app using the VxdCall).
! _9 @% U: Q4 wThe Get_DDB service is used to determine whether or not a VxD is installed
1 _- u% F6 l7 Q# qfor the specified device and returns a Device Description Block (in ecx) for5 N, X. x+ C. n6 ?# @) K- O
that device if it is installed.
+ j3 n+ V6 f6 Q$ z6 z
7 e) E# w6 |& Z1 V) F( v1 i   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
9 W" _5 z4 Q7 s- g# K+ ~" ?   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-), X  n1 m2 F9 m& L) U
   VMMCall Get_DDB
8 j' G) X7 G$ H8 O# N9 j   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed. L: L2 q- ]# k' S8 y. \

- E) E5 m& @, _) l& h0 {Note as well that you can easily detect this method with SoftICE:: x) E5 K! c( G$ h& t8 [
   bpx Get_DDB if ax==0202 || ax==7a5fh  Q. g8 J" ~- P/ x
6 `/ ?* P/ {- u6 ~  X6 ~
__________________________________________________________________________6 N! h8 \& q& c
: ^, B+ Z: F) D2 b8 e# t
Method 10
& E) K1 S; D# J  {2 ?=========
4 R6 e7 C4 I+ d6 u! R
9 y% m5 E: U" \' f" G8 X=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
" q% W/ @' q( C  Q5 g2 g) O; k  Q  SoftICE while the option is enable!!
" W4 \4 w8 V: {% T, j' C% d& R2 i6 N3 \3 k  d( o
This trick is very efficient:
) _  N" S- m5 Q" ?4 |  Bby checking the Debug Registers, you can detect if SoftICE is loaded3 L# n' q' Q! F* R0 }
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if6 I+ Q' W7 f) H1 D1 c1 z
there are some memory breakpoints set (dr0 to dr3) simply by reading their5 O0 v" R/ L" b4 u8 U: g4 m1 c7 y* Y
value (in ring0 only). Values can be manipulated and or changed as well9 I2 @" ~' ^& P1 h' S
(clearing BPMs for instance)) A( K- G/ o/ |/ J8 _2 V

  y, _8 b" R# W& w__________________________________________________________________________" \+ h. }* B- c" b- ?# n# _, S
; i# l$ G. ]- q7 L9 D0 L* q& K( B0 O
Method 11
0 A, I/ C  U/ j! {  e=========- G! J! v( F) A: z

5 B0 X% t& I, x4 G% b) R" Q1 vThis method is most known as 'MeltICE' because it has been freely distributed2 ^/ W/ F6 r. e
via www.winfiles.com. However it was first used by NuMega people to allow2 V3 C- d/ X9 C# f" h' [
Symbol Loader to check if SoftICE was active or not (the code is located& d; @3 N! V: G) V( _) L
inside nmtrans.dll).2 z8 a9 F2 T8 J1 G( s
6 s% K( ^' w+ x
The way it works is very simple:0 Y" i* p# I( Y* `/ o
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for6 s  t+ G- O& p' W3 k
WinNT) with the CreateFileA API.
& m) @2 {7 d: U( G
5 r2 O4 [" z! z6 b/ sHere is a sample (checking for 'SICE'):
4 a, t' c9 D5 R
1 B3 L% X2 A8 OBOOL IsSoftIce95Loaded()
( I, O# Z) Z" Z1 U8 J4 s% l% r{
0 a! T7 x& I# Q. M$ a1 v  W/ A! O   HANDLE hFile;  0 D6 R! L0 r" \* [, g4 |
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 Q6 w7 l' \) C$ g
                      FILE_SHARE_READ | FILE_SHARE_WRITE,7 E% n, i1 K! s) O, l  U
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ j- V% c: r0 k* v3 \. i& k9 r. N   if( hFile != INVALID_HANDLE_VALUE )
, e7 f6 b1 v; b   {3 Y; b" T) P, A0 {! L. V- W' b
      CloseHandle(hFile);
6 h, @$ F6 G" ~$ i      return TRUE;
7 `4 x& v# h# W+ q   }3 @% H0 X. d& F1 v0 R, V8 l
   return FALSE;
! F# M  `3 Y! S6 u% S}
! Z& k9 d* T* Y0 ^0 k3 p# L: v- r5 W
Although this trick calls the CreateFileA function, don't even expect to be3 [, o, r' Y, S
able to intercept it by installing a IFS hook: it will not work, no way!
1 Z3 `" v( L; D' [+ F, ~& fIn fact, after the call to CreateFileA it will get through VWIN32 0x001F2 K% ?8 i, j4 {  j1 A
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' S; s$ p, Y: ~  s& O: |' h3 v
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
! Y, a3 o# @4 }" n5 {, Ofield.
8 {$ B: A. C: `0 rIn fact, its purpose is not to load/unload VxDs but only to send a
) E+ t5 Y% m" dW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)7 q& s3 r% U& |" s6 q; O0 X
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
4 U4 f: F6 `7 {3 Wto load/unload a non-dynamically loadable driver such as SoftICE ;-).
( O9 c& @! i7 k5 j) m1 LIf the VxD is loaded, it will always clear eax and the Carry flag to allow7 Z1 \2 a  S$ z' ~* d4 v% e& R
its handle to be opened and then, will be detected.7 _; |: G  R4 A
You can check that simply by hooking Winice.exe control proc entry point
* `2 s7 }6 R; R9 ?while running MeltICE.
& c" R' ]6 i0 H; v+ Y! c4 i, m* d7 i# f! ]4 B7 {
! X8 z3 _- r* \2 |7 ]6 B, {
  00401067:  push      00402025    ; \\.\SICE
  l5 ?$ i4 W7 _2 A/ b  0040106C:  call      CreateFileA
# {9 N7 B- E3 A  00401071:  cmp       eax,-001
& R3 X( C/ y5 F4 p+ k1 d& X  00401074:  je        00401091- M' j' B* g- V% c* G
, G8 a& r& y# B

, m2 |/ ]& H) c* @* [8 ~There could be hundreds of BPX you could use to detect this trick.
6 g2 ^4 \7 K* s. B* m& B& _8 ?, n-The most classical one is:$ p; y* K' d9 ], a1 C3 w
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||2 G+ L8 J4 }3 s8 m
    *(esp-&gt;4+4)=='NTIC'/ d, D+ L7 q; ^! h% a) z
4 o$ E5 s) L) g# [5 y3 `1 A0 A
-The most exotic ones (could be very slooooow :-(
5 T, Y5 H# B1 ?# H   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
  f; G7 g1 Z) C! x  B4 v+ w: n4 i! \     ;will break 3 times :-(
* z- X- F$ B1 B/ m* c! u8 `0 Z2 }( S4 g7 r: k+ A0 y
-or (a bit) faster:
+ @! l, N& s  E' Q6 o$ N   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'). o( C5 I* }4 [

2 ^5 G( f$ S; b& n) u& M; K   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
" ?$ Z0 A4 L+ K! S% L# T9 G2 ?* c9 y" G     ;will break 3 times :-(
; `1 ^1 ~) k3 v* Z
% g8 @" j; R6 N9 |* f-Much faster:( b( s, j( M  ~" z# {% a' a
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'/ q8 V0 d4 G( B/ R. d0 B" J$ {

* x3 ~& b, F. s" _2 s- MNote also that some programs (like AZPR3.00) use de old 16-bit _lopen5 t6 i7 \4 A% N* V; B
function to do the same job:
6 ]; Y( J- c; ]  h: G2 s; Y& c. f
+ S/ U) |4 I( D* M3 [; q: J   push    00                        ; OF_READ
9 E0 e) ?- g. F2 }8 |* l$ _   mov     eax,[00656634]            ; '\\.\SICE',0
  T/ ]; n* T7 K; s2 J, H   push    eax- H$ G! _7 w( k
   call    KERNEL32!_lopen
5 C1 \& s6 b  h" N' }! n   inc     eax
1 k. S5 i- n9 s$ R7 K2 |   jnz     00650589                  ; detected
5 Q( U% u! q6 k# D. V( S3 \   push    00                        ; OF_READ" E% v& a- X9 p, E# s
   mov     eax,[00656638]            ; '\\.\SICE'! X9 {( U! F3 j
   push    eax) V6 g# }. s4 `5 O3 B: |
   call    KERNEL32!_lopen
' i; Z8 t) u2 G/ |- N   inc     eax0 m* X' t+ i' n; t5 G
   jz      006505ae                  ; not detected2 z3 Q5 c* J/ k5 ]# O- I2 y8 z

! \# o, g4 ]( G' c: J! f: P$ O& S9 `2 D. ^& T; [
__________________________________________________________________________
6 o! i7 y$ S3 Y- g7 q4 q4 B! ]1 O: A  M& t& m9 F/ Q
Method 12* n3 _; B# A6 c1 N
=========! b2 W. J- p" D9 m, V! [
$ [3 J/ I1 v% E  a2 V5 e  A5 y
This trick is similar to int41h/4fh Debugger installation check (code 05
% R% z. ]" Q( e9 c" V4 ?&amp; 06) but very limited because it's only available for Win95/98 (not NT)- b8 a: U% C$ B! u" q/ Z9 E1 Y
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.: c0 a/ T" G. u7 i

$ C) J8 ]6 Q2 M5 g5 f( C   push  0000004fh         ; function 4fh
+ Y9 Y2 e9 T/ h' a1 i! y   push  002a002ah         ; high word specifies which VxD (VWIN32); A9 e* H! T  M# n, p5 E) E. j/ o
                           ; low word specifies which service8 G9 \) K/ {8 n8 g) r, E; u
                             (VWIN32_Int41Dispatch)* H+ u1 `3 f5 v- ^+ Z1 ?( Y
   call  Kernel32!ORD_001  ; VxdCall1 L% a: r3 H/ s2 T) E
   cmp   ax, 0f386h        ; magic number returned by system debuggers
4 e( f# ?. M$ m, j' K* O/ M4 S   jz    SoftICE_detected
$ g- F) _% g7 [6 R8 V* P. M& F" n, d& D0 e* Z. n
Here again, several ways to detect it:
1 `. e+ r$ w5 `& W; |2 t' e% ?/ M9 m
    BPINT 41 if ax==4f
1 \* B: P' K$ x; v
3 g9 u: a3 F1 Z& J1 w    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one5 C$ d  \4 `% p, c( \3 u% Q, h
, k1 S! E, y5 K0 ]$ C, ^9 ^0 o7 B0 d7 e
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A" [0 _, r: O* d# j* ?$ Y6 i) e
+ B) w  ?6 I8 b+ f/ W& z8 U
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!: y" s2 f: W% g$ y/ ~" W
, I. _, x7 R# y/ o
__________________________________________________________________________6 M  w- M7 R! G) J2 o

" N- `% z. i2 @2 P7 N8 R8 O0 \5 ~/ EMethod 139 x8 f. b( `/ Y$ A9 F+ |
=========% t: L0 l+ J- P: x8 j
: G1 t+ {. g" I" k
Not a real method of detection, but a good way to know if SoftICE is
- j5 E  O2 E0 }- G% w0 L5 q) a+ cinstalled on a computer and to locate its installation directory.
. I3 [+ }8 T! b7 u$ j& K- n& @. sIt is used by few softs which access the following registry keys (usually #2) :
: x: x: E: w& e/ s7 X: T' ~
' S  L) K5 ~0 E6 m& z4 S4 `-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 M' |* R3 M6 H8 w  Q
\Uninstall\SoftICE. b- W: Y5 L+ [# k
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE5 x! N4 o8 G7 {$ ?' [# [
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion* u  ?% r& P6 a7 Q' _* Q* V
\App Paths\Loader32.Exe! V  b: {6 K2 K0 t7 l* H$ H

) H$ X4 E/ V. o: j; d: g! v% O4 G' R  N# J; t
Note that some nasty apps could then erase all files from SoftICE directory
  q4 G7 I; Z) ?! T5 ?6 l2 X(I faced that once :-(- Y! f  F5 i5 ^- Q* r
/ |& I2 [* T4 q+ i, X
Useful breakpoint to detect it:
' p$ K; g) Y7 v' G) A+ e3 b$ Z5 y
, R, h- Q  M5 L$ \     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'2 z1 @1 {, |' o
/ {/ M) R, b# i/ o/ t$ r
__________________________________________________________________________
, `3 Y1 T% e' S' ?) r; ~' X3 @8 _
( ]4 k; ^4 A0 F
: H+ d+ p/ B1 Z# yMethod 14
4 b4 \* K4 f. D. R6 J- j9 X$ Y! W=========8 ?+ @* D. N, c% n1 g0 ]1 A

! A- p2 Y  `+ H( ~* |2 J, L* AA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose) e6 M) [7 _8 h' S
is to determines whether a debugger is running on your system (ring0 only).
9 \9 {/ k6 \. U) s% b3 R2 x
) `  G8 n+ y* t" e3 |; F# ]% _3 r; X   VMMCall Test_Debug_Installed6 y3 W1 {* r) v: b4 |; X& U
   je      not_installed
# t. ~7 M" @0 ?# c5 W& j! y! J+ C' K* q* S6 z( r3 U
This service just checks a flag.
) [/ q3 S2 ?: h* n' o! p</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 11:42

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表