找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>4 u, y7 i+ q3 B! U4 F! |$ q4 Y
<TBODY>% v3 M4 M0 O6 ~
<TR>
4 T& p- n- `5 O( u" k0 u<TD><PRE>Method 01
" ^$ @" w: s3 j9 t# {=========# i1 X% G8 v! L) G
! w8 B2 W3 }% J- o
This method of detection of SoftICE (as well as the following one) is
) T# u3 L! \) E& ]7 Eused by the majority of packers/encryptors found on Internet.* F6 B" X/ g( U% e- v
It seeks the signature of BoundsChecker in SoftICE
  k6 A$ A) K" T% o5 \
" |" J& I& e) ~4 T    mov     ebp, 04243484Bh        ; 'BCHK'
3 A: c- [+ X/ p$ p    mov     ax, 04h
/ m# g" g* `1 b$ h  n+ G4 X: N# i    int     3       ' K+ P9 Q' D2 a0 A1 }" Y- Y
    cmp     al,4
) M' S4 T9 P6 Q# ?+ d    jnz     SoftICE_Detected
% l  M& [6 D& A% C5 L9 I, t
! _; B" i9 f( u; o& @9 B___________________________________________________________________________
$ @" f1 Z9 v; R5 y4 y  X4 {# ?, _. V
Method 02
* H; D: w: p, X4 e=========) V- d3 A# w- p. S2 Q; w- a' l6 U& [
3 ?# m* g/ h" h# J" Q# G' \; G" ^
Still a method very much used (perhaps the most frequent one).  It is used
: p/ n' j* A8 T+ ~" j& ^to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
# L* |) z- c- z0 I! |2 z1 Uor execute SoftICE commands...
( y5 o& `1 r2 j' l1 aIt is also used to crash SoftICE and to force it to execute any commands
4 ^/ G5 l( Z/ }2 w+ ~% b(HBOOT...) :-((  
1 \2 Z; a! `) p* s1 I0 }; H6 m3 n; G
Here is a quick description:
4 r1 y0 z' r! w0 W-AX = 0910h   (Display string in SIce windows)
: N6 k* _# Y: @% ^+ y: E. d-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
8 L- J0 f! l" q1 g$ o-AX = 0912h   (Get breakpoint infos)" C: B$ {+ Z- s+ F0 Y% y& e
-AX = 0913h   (Set Sice breakpoints)
! c4 x+ ~1 V/ u/ |: J( i-AX = 0914h   (Remove SIce breakoints)# o# V2 k. h8 u) C1 ?

: i5 j* D" J2 L0 E3 B2 {Each time you'll meet this trick, you'll see:2 }" K4 T! N0 r# u5 g. y# V
-SI = 4647h1 t* h" d# _- d- h# n
-DI = 4A4Dh
3 u, a; m4 q! y; HWhich are the 'magic values' used by SoftIce.
* o4 x' l+ ^' EFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
9 Y6 W! V4 {& m" l& s! S
) e7 _/ e" S; b0 e2 x2 tHere is one example from the file "Haspinst.exe" which is the dongle HASP7 E5 ~! a0 s$ \* a' g) R( t1 F
Envelope utility use to protect DOS applications:- n. B4 o3 s( ~# i% G

6 _( Z. u+ |; h0 C  U4 {0 Y+ O0 X' b. W$ m! f( i+ m
4C19:0095   MOV    AX,0911  ; execute command.
9 P+ e- n% X& |0 x5 m8 P- D, Q4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
, d% J! Z7 m  g2 j* b* F4C19:009A   MOV    SI,4647  ; 1st magic value.
; X0 c, |, \/ Y9 F% D4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
# o; m; o5 |& J4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*), o+ _2 L1 K# d$ f$ ]# ]' t; ?
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute1 _' B% \' }. |: s& I
4C19:00A4   INC    CX
/ n4 H& p4 n3 G" \: q! Y4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
  X9 D0 s/ y: Z" U# k4C19:00A8   JB     0095     ; 6 different commands.
4 x5 L8 a/ q; B4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
$ q9 w8 J4 u  b8 b1 d; I4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)& O% E: n% s3 `$ V
/ [  Q$ |' Z( t& v. d
The program will execute 6 different SIce commands located at ds:dx, which; ^5 F. f$ d  ?- c5 C
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
7 z. E+ ^: w( C* V: @6 E& Q7 U
& U3 U: J4 v* q; d# n* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.* u1 u! f* F7 I% f' Y
___________________________________________________________________________6 g2 P/ c9 `. e- ~

: t# j! F- T: _( m2 R5 U5 E  B, g, C. ]; k! K- e
Method 03
: I  D. O9 ?& s. P=========
4 B/ H- m' O) ^$ v: }, E8 `
7 G( A4 N4 V, U, ZLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h; t# q# t: h+ d) v9 f: i1 z" z4 `
(API Get entry point)) J' ?3 L/ X0 E$ {% k
        
/ T; |  N7 ]+ a/ F9 w
" e2 \3 y$ f( s  z    xor     di,di
6 n% h; X  L$ p$ w9 r# i: f/ [    mov     es,di
. c1 j$ f3 F2 {! o& _    mov     ax, 1684h      
: }" i3 ?7 v4 u! U! J8 |- R    mov     bx, 0202h       ; VxD ID of winice
# ^) j: E+ I: m& i. L2 H    int     2Fh' T% l# }- F# m) u( T5 @: v
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: t" I) b1 T+ t    add     ax, di
5 G! M% O! p9 H+ z+ T& l    test    ax,ax
# g- [  D) W. c8 Z! }    jnz     SoftICE_Detected
+ V+ _8 m6 S, ?/ x2 H
. c* h. ]/ h; i$ [6 G___________________________________________________________________________
! H) j0 |8 @% ^2 l
3 d1 e1 F" ?0 T8 h! C' {Method 04
5 _; L, x) Z" F) ]=========- {4 I. ]. G; D' c

$ A( Y) T) D' D: y& n" wMethod identical to the preceding one except that it seeks the ID of SoftICE2 O2 H; ?2 w: A2 e' L
GFX VxD.. r+ E: ?5 P. ~
7 n0 u" {) C. M  {, ~4 `$ O+ S
    xor     di,di
' x5 e6 r; _+ D( l) x5 E    mov     es,di
0 a2 x  m* A: R+ v    mov     ax, 1684h      
$ f3 C: S6 W5 f4 e7 {    mov     bx, 7a5Fh       ; VxD ID of SIWVID8 g: X/ S5 L6 r4 G/ D( Q
    int     2fh
. f) i$ x# z% G    mov     ax, es          ; ES:DI -&gt; VxD API entry point, \4 V4 f: j  ]3 H, Y% i
    add     ax, di
" u- X5 O3 I: D    test    ax,ax6 {& j0 n1 [+ F; ~" y" E' S
    jnz     SoftICE_Detected% m$ w1 L: Z( R) S1 a
4 O  b/ g1 e% w. e/ f
__________________________________________________________________________
7 W# `, f$ e' k% l2 f% E+ _5 O- ^7 d
9 j, _0 m% F! t. D2 Y% T! h( u
Method 05
/ v. a! {# a# ]. y5 W=========
0 Y2 m6 p! g8 j6 B' ?' N/ x2 ~* Z0 C4 X2 z$ A% n  P2 @
Method seeking the 'magic number' 0F386h returned (in ax) by all system
' d# I& x5 ]9 ~) ^2 l$ [debugger. It calls the int 41h, function 4Fh.7 u. H$ U4 `) u1 D9 h2 ?
There are several alternatives.  7 s  U% n  y  ?1 n" t5 p: R  C( a

$ h4 t  d) u! W$ J- D6 i0 iThe following one is the simplest:* w, h$ k' f, U8 V

+ R" v0 Y6 D6 H( I) t! n    mov     ax,4fh
5 Z6 Q& J1 [! E$ p    int     41h$ b+ R: w  `" x/ T$ O: O: E4 L) J8 B; j
    cmp     ax, 0F386- y# h% J% W( o7 }
    jz      SoftICE_detected. e6 ?- W2 f/ |% H; m5 w

" r4 C, w3 W3 k5 \- e- F1 a/ z. l0 _& D, |
Next method as well as the following one are 2 examples from Stone's
; w3 j; a6 `3 j' ~" u! J"stn-wid.zip" (www.cracking.net):- N( f0 M) M9 {. F( O
% s7 |7 Y: e, w) j# G6 g: y1 @
    mov     bx, cs! }; }7 _9 E$ ?9 a# ~3 ?$ m0 O
    lea     dx, int41handler26 g$ w" q* w% ~6 o$ R8 H' n2 A
    xchg    dx, es:[41h*4]
# l( l6 N! B( S' e  E/ i    xchg    bx, es:[41h*4+2]
8 x- N, n; M- j% X" i    mov     ax,4fh
* p4 X5 e: D; W    int     41h: O0 x2 |2 z4 P  d& Y$ t% |( I7 l
    xchg    dx, es:[41h*4]$ j; o' W( ~1 O) A
    xchg    bx, es:[41h*4+2]
6 Q8 d% _1 S% f' d% t    cmp     ax, 0f386h/ C: B2 H6 L! [" M% L: Q8 O
    jz      SoftICE_detected, d9 r7 ^% T) A5 Y. p: L8 G
& ^9 _' C) z/ Z4 K) v# N" }0 L* ~
int41handler2 PROC' i* d- F$ x2 E( s" q1 |+ I  K
    iret
: ^$ G: c9 y8 Tint41handler2 ENDP- s! ^! q9 N  R

  }0 L& i5 Q! C: B2 L2 m5 x7 V1 ]+ I  V( t; j& m& `
_________________________________________________________________________, [, O  \9 ?' W2 p$ ~2 F/ `

( G  `1 [5 M) U( O0 j; |# ^  ?8 J6 O6 R* {0 x/ k8 {
Method 06( s- E/ [$ G6 M; t. S& E  I
=========
- s2 w$ c# f* x7 I4 T8 `
2 m/ P  }5 Z4 t/ V/ x1 T3 I: p- \! g+ \% G- j: Z* n8 m
2nd method similar to the preceding one but more difficult to detect:
7 b& c5 o3 a" r' J3 _9 p+ ]" P" Y5 g* |' y. C4 x
, W, E. B# \, {3 u5 f
int41handler PROC
3 ?) O: J6 y4 g% D# P5 s& r# m    mov     cl,al
4 B6 w$ [0 e1 w: L/ I# h6 u    iret, h) P1 Y) C0 F( q
int41handler ENDP/ J; U4 _0 t4 n* Z& b* r
* z% z! T, u7 G; H  R/ h
$ o/ C$ e3 N1 z5 g: U& e% g$ W* Y2 T1 ^
    xor     ax,ax
7 K: o; q1 U& ?# _    mov     es,ax
/ a1 @0 N& x0 }5 U0 U    mov     bx, cs
# Z  }; k- u8 F    lea     dx, int41handler, F  c6 n! O: B0 E" D& b# F/ H  i
    xchg    dx, es:[41h*4]2 v3 B( @' p  j
    xchg    bx, es:[41h*4+2]- Y: E. @/ }( y( [. x9 p2 B- L
    in      al, 40h: c$ u* j* @% ~
    xor     cx,cx+ p' N! T' h, l6 B  b3 `6 C
    int     41h2 S" X' _& k1 P7 V
    xchg    dx, es:[41h*4]5 L5 o7 A. M9 W. E0 {
    xchg    bx, es:[41h*4+2]3 a/ m3 c$ l. I7 E
    cmp     cl,al4 a  b0 E. T- I8 L+ N  D) \4 F
    jnz     SoftICE_detected: i6 H' z1 J' Z9 w- N: {& O

  a( w- T5 m' c' E_________________________________________________________________________
6 I% [8 b' _% f% L& w: ]: O
, l7 }% G( R) N& w  n, I6 B4 @6 PMethod 07
# H; t. E: Z3 O2 A7 J5 _1 b=========
( e( w* h" ~/ H% f% K6 S2 a4 d% z  g$ \
Method of detection of the WinICE handler in the int68h (V86). I. u. i# H1 l8 _& v
9 H/ x3 Y' R' W: u( l
    mov     ah,43h# H+ J) ^( g2 W6 f- [
    int     68h
: l: n2 v6 T# x& z5 V, s( s# ?    cmp     ax,0F386h
; Y" I, O' w, {: \: n. Y2 w    jz      SoftICE_Detected
+ \- j8 P  \9 x( d$ A6 B/ ~' P' {$ `; f$ |. y! h. [' }' Z6 l' J

3 B0 ?& k; P3 J' ^=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 A5 V2 x2 [# C- N* i5 P( W1 m   app like this:
9 z4 A2 m1 a7 @) m4 g& f
7 d5 y( X% E  Z. `) o6 H   BPX exec_int if ax==680 E5 K( E4 d& j; t  a- r
   (function called is located at byte ptr [ebp+1Dh] and client eip is$ h6 L1 H  t9 Y$ T, r
   located at [ebp+48h] for 32Bit apps)9 y7 r) y+ i2 d6 k1 N+ ?
__________________________________________________________________________
& J6 W$ E. f# N: s% i. T0 H) i- `* K8 d6 s0 z" V( g  t

% R" H* Q% {7 |* V& E( WMethod 08
& C6 j* |/ u, c; i  z+ K, p  w=========
6 j) W+ r1 L6 y! |6 Z7 x0 ~
* m' \/ q3 L/ _/ E. C7 `It is not a method of detection of SoftICE but a possibility to crash the1 e. ]2 X' \" \6 v* b, E
system by intercepting int 01h and int 03h and redirecting them to another
7 W" p- Z, l9 _( h5 n2 d( xroutine.
7 A) B( y6 E3 c  eIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
/ B& A: s. |0 F% Uto the new routine to execute (hangs computer...)/ |% _2 e. j6 \# _
: `, m9 y; h( }* {
    mov     ah, 25h" c6 w* q7 Y' I; y$ d. ^9 d) E' x
    mov     al, Int_Number (01h or 03h)3 s+ h/ A$ E8 b# \
    mov     dx, offset New_Int_Routine
: I: ^- E% I5 |4 O" D    int     21h) X7 [3 J9 s3 C9 b( Q8 I! ?; M
1 V5 f( x% j9 ^: @( I& D
__________________________________________________________________________
# C2 M5 e  f% c% c+ r$ f& i' P4 }; ^' P
Method 09
" y$ T. F, R3 S2 F4 K=========
+ @+ E$ {! g9 a  U
( g5 [$ h% z; C6 o. BThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only5 x6 C  q/ k+ k# k, q0 y" g
performed in ring0 (VxD or a ring3 app using the VxdCall).
. `0 s% I3 R3 [The Get_DDB service is used to determine whether or not a VxD is installed" v6 t5 l) i4 a5 X: S/ t
for the specified device and returns a Device Description Block (in ecx) for
  K$ [' U; o: M4 w& P6 K& b2 f2 a* [that device if it is installed.0 q5 O3 u# j) H7 E

) I" J1 h7 w+ [  L/ \3 ?   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% p) I4 P% {0 F( N* O   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
' Y  {. o- V5 y   VMMCall Get_DDB
! {; a3 E- V. W% D$ U4 |. B$ i   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
& q+ f4 x9 b. U( u. @; b' f$ R! j* `. G+ q  p1 U: n
Note as well that you can easily detect this method with SoftICE:
. M5 x8 A+ v; Y' u8 t* Q   bpx Get_DDB if ax==0202 || ax==7a5fh
( b/ ]! A2 k2 P
" T' r; I! R7 L+ V__________________________________________________________________________1 |' ]5 Z9 L0 x* P
  W; H7 f5 G. I5 H: _) A
Method 10
/ `" r- v! \2 u3 t=========
8 m, J* t' v7 S# R% k. V
) D  E; U+ y' P+ U2 [. c=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' e+ E) r  P4 J  SoftICE while the option is enable!!: F: B3 `3 g2 [5 I: ?
# o6 Z9 u, o3 h1 S' D- h
This trick is very efficient:, m+ m* h% n* v  a7 s4 F
by checking the Debug Registers, you can detect if SoftICE is loaded& Q) t8 p+ t5 i& v
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
! w" D. {3 y0 u8 Bthere are some memory breakpoints set (dr0 to dr3) simply by reading their/ e% A' ~1 m& W* v$ E4 g
value (in ring0 only). Values can be manipulated and or changed as well
+ F/ C/ V+ U& d6 V! V/ s- L$ Y(clearing BPMs for instance)& r0 [6 b' N* @; A- C. a( o
) {2 E2 e# @5 U$ e9 I
__________________________________________________________________________' m- o: ^8 O- `7 G0 s! f" a2 s
5 k8 U3 [; T4 f( |+ z8 r& o
Method 11
% P2 }" `! a* ]! w/ `# M=========
- F! q" L" a: I8 Q; A' E- q. o7 h
1 `; ~0 i, s. @- s" I( Q/ CThis method is most known as 'MeltICE' because it has been freely distributed0 H; v' b8 I0 Y1 u  K6 K  T
via www.winfiles.com. However it was first used by NuMega people to allow
8 z1 D6 k8 d) A$ q+ J/ I! o) H" gSymbol Loader to check if SoftICE was active or not (the code is located
- m! r- ?/ ?# W$ F$ s) {9 Tinside nmtrans.dll).0 ~# B& Y- S; w9 k7 D1 B; L4 N( n/ b& z

: ?& O" p' u* a. L* Z( L8 p" rThe way it works is very simple:! o9 E5 h3 ~# Y) f
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
& o- }$ v( ~! j6 I# kWinNT) with the CreateFileA API.
* n. }0 ^+ @0 y. M3 g
8 q2 g- _1 ]* tHere is a sample (checking for 'SICE'):
& q9 i* B- W& C1 {& p. e5 C& W1 Z! I- L
BOOL IsSoftIce95Loaded()3 B% Z( I% t6 v: V
{
/ }/ N+ g1 N: T9 N; A7 f5 a% ?   HANDLE hFile;  & r+ U1 A+ s% p! _3 P
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& [+ x- c, k  `; R# a( J
                      FILE_SHARE_READ | FILE_SHARE_WRITE,1 h5 O4 A- m" b' X  U
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
% i0 ]6 ^6 c1 B! J$ M) Z& T   if( hFile != INVALID_HANDLE_VALUE )
& A. O5 {$ ], y# v  P8 l  V   {
/ r) F2 n- A! W; `" Y' \- Q: z7 T      CloseHandle(hFile);
) [0 x5 f' e3 u0 Y9 R      return TRUE;
! U5 j6 W7 U) Y( G   }
9 C8 Z- G0 B7 r: E. D   return FALSE;
$ i7 U4 \, M9 B' J4 G& q( x) c}$ y# C) G) K* ~* a# N& m' ^1 t

! d3 Z+ P" z- B* D2 gAlthough this trick calls the CreateFileA function, don't even expect to be! L) U6 I) R; b2 u) ~
able to intercept it by installing a IFS hook: it will not work, no way!
* J; [4 N: b7 ]5 D. F% HIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
0 t* H" D2 Q: K/ t  T8 W# _service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 s+ V, h6 ]6 w2 m1 k
and then browse the DDB list until it find the VxD and its DDB_Control_Proc; I; L- H8 Z+ b2 h9 k
field.9 f0 A% e5 ^: j: w' l
In fact, its purpose is not to load/unload VxDs but only to send a 2 C' l: ?  v( Q* R
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
) E$ M7 F  _4 ?. X9 E9 x) ?. z: Lto the VxD Control_Dispatch proc (how the hell a shareware soft could try
( d7 k+ M9 w! s0 Uto load/unload a non-dynamically loadable driver such as SoftICE ;-).
, h5 [3 P2 K) _- k* lIf the VxD is loaded, it will always clear eax and the Carry flag to allow
- J1 L0 i& O- o, @, U2 Y4 Qits handle to be opened and then, will be detected.& q9 o" h( M, @4 C$ \4 V1 B
You can check that simply by hooking Winice.exe control proc entry point7 _+ X4 U* k& M% z9 y
while running MeltICE./ ?# V# y+ G4 ~" W+ b9 x( S& r4 X
9 Q) J  [% E1 X
, R* Y. A  \+ j" C' a- N* {3 v
  00401067:  push      00402025    ; \\.\SICE
  H, I, i2 s8 \6 t" b4 _9 z  0040106C:  call      CreateFileA' l, \( N$ d- q% p/ T
  00401071:  cmp       eax,-001) E2 r+ v* _0 W' w- u) \( J
  00401074:  je        00401091
: w0 o! q* d' H# B0 L- y8 z
6 k$ j: E5 j) W) G; Z3 V3 W6 @# J% f4 X$ r' C( G$ B* _3 K. l
There could be hundreds of BPX you could use to detect this trick.* [( o% ]- U, v9 }5 U
-The most classical one is:
  Y: t( \; w% M% a0 c. b$ f% U& @  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
; H% X/ K% U3 Z* }8 Q9 z$ z    *(esp-&gt;4+4)=='NTIC'7 u+ c5 E- U, ]7 S  d- ]3 _; F

. Y# v3 U  `8 i1 i" t5 a! L* D* J- W-The most exotic ones (could be very slooooow :-(' m8 x% S& S1 J1 J6 {
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
" z& v3 [: h8 L% Q3 ]" @) J( c4 @     ;will break 3 times :-(
7 m# {% K" V) j) J
* q4 p  U+ j! _& @, v. {! N-or (a bit) faster: 1 v0 m8 g5 G* {+ S$ Z' m
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')0 `3 X2 `# _' @$ i

. ~  ^4 f% j) d* Q) c9 G   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ! [' S5 m; d/ L, x5 B! j8 h9 ~
     ;will break 3 times :-(0 u& N, h1 O3 C& X& Q

: q0 K- }( e/ m-Much faster:
0 c, m- e( |( v  z   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
. H7 f, }6 n" x  ]; S9 A" R6 O4 l+ Y' S6 Y1 Q# k! n9 R
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
6 ?: Z) D8 B  F8 dfunction to do the same job:
  h. c8 u2 f3 i/ G6 Q
: e+ d+ A7 G/ b3 f! }" r   push    00                        ; OF_READ
3 Z5 S& x5 ^5 Q( |( G0 M   mov     eax,[00656634]            ; '\\.\SICE',0( f7 ~) r$ g% k" |8 Z# ]$ v
   push    eax
# A2 o6 w: Y4 `. {  N   call    KERNEL32!_lopen0 I( C" l% C+ i' y8 ?3 W
   inc     eax  Q3 o$ B; j+ _1 M1 V# @
   jnz     00650589                  ; detected
+ |" O( u" o& X   push    00                        ; OF_READ
  R) [* v* a6 m1 q1 z: w% T   mov     eax,[00656638]            ; '\\.\SICE'  m; X* U" W3 v5 z/ ~- I! A
   push    eax
( X+ g4 b7 j5 c& ~: p  k  ?   call    KERNEL32!_lopen
0 |6 V# @7 J# Q, n& B   inc     eax! b& a' N, n5 f
   jz      006505ae                  ; not detected* G7 s" `8 y& M# T- S! v  [, c
2 {3 @$ K. B, ^! Q' Q7 E
" _! L2 n3 A$ ~0 P2 q8 ~
__________________________________________________________________________
/ r6 Y" |+ s, z" D9 E  |+ }5 |5 b+ U9 ]/ `0 f
Method 12
5 Q+ w5 A+ n0 Q# H/ W0 g+ `# Z. _=========
+ G' m% A: \) I5 p/ k9 f$ g; y1 N+ H6 P1 T# d/ _' [
This trick is similar to int41h/4fh Debugger installation check (code 051 M' ~- Z6 R9 ~
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
% Z+ \- Y. W- [1 xas it uses the VxDCall backdoor. This detection was found in Bleem Demo.. O) R' e7 X" v" \

6 t$ g/ v3 H. [5 c7 |   push  0000004fh         ; function 4fh
, x* r0 m6 ^3 q( W   push  002a002ah         ; high word specifies which VxD (VWIN32)
7 K9 O' s, Q3 \7 y8 M                           ; low word specifies which service
- c8 i! t4 x9 p                             (VWIN32_Int41Dispatch)6 j, @$ U4 d2 j. B: Z- A+ e+ m: m0 @
   call  Kernel32!ORD_001  ; VxdCall
% R" A% @3 p2 c   cmp   ax, 0f386h        ; magic number returned by system debuggers
9 ~7 j' E' O, o$ L3 O4 w" o; M   jz    SoftICE_detected  f/ Z$ m- C) f8 u* ]6 V! |
8 P% r+ \, {' M) N' J$ J) a+ l
Here again, several ways to detect it:7 {5 X/ Y  v  [% P6 @, x3 v. k, w

! T: n! Y1 a$ o) b0 y    BPINT 41 if ax==4f$ i; M' @+ Z  `* `8 F4 G8 Y

# t4 s' }4 `! `* F/ a    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one$ s0 j0 U) F+ K! C
- R7 p5 e$ L8 r& H( |7 o
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A, k8 @2 O4 I( \* m

0 `% A5 y7 I& w    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!$ L! p$ o  w& f' G$ `: O

: T: R+ B3 Y; r* K; C6 G. t) ~__________________________________________________________________________3 N  u% E, w' a! ^+ a+ h6 ~

+ m2 \& l" `' e3 L& A, h/ FMethod 13
, [* t  Y8 B! b! e/ m=========# G" u; U1 F7 t  m

7 t6 ~4 `! M; R( v6 c3 qNot a real method of detection, but a good way to know if SoftICE is! _- s3 k$ E4 h3 Q7 K2 f
installed on a computer and to locate its installation directory.9 a2 E) Q3 ?6 [' W2 R
It is used by few softs which access the following registry keys (usually #2) :
/ m* B8 S) q2 r& h' o7 C& W; ?' h7 A! A6 |2 G" U
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 l# F& p$ X5 P9 ~; F* y; T* T7 Y\Uninstall\SoftICE) R% c6 ]' F4 ]2 M! p( j- W$ V; ~
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 m1 T* l' H9 i7 x-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 `6 j5 P# H3 O4 |8 g\App Paths\Loader32.Exe
8 @! c$ l, p' y4 V9 w
6 ?  b9 D7 h& @  ^: I
% E. P# q6 h9 s9 H1 ]. p1 gNote that some nasty apps could then erase all files from SoftICE directory
; W% _7 S+ h4 s8 z; H4 \9 f(I faced that once :-(
# {) [2 q; ?6 s( g) H. h/ ]+ L1 {8 s
- P; l! \5 t9 R) [. p% yUseful breakpoint to detect it:: ^: i# j- O7 I% n9 E
, w7 N* j+ X4 |5 F& c3 a
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'( C! f- r9 E# K: t% {' H, r1 w' k

# V+ |& N& R* o__________________________________________________________________________+ T- A( u3 `' I7 N5 C. u
! [, v- D1 j! Q& k" D/ D0 b
: M4 F& Y* n( T6 m. ?: K: V" P) |
Method 14 & P  m7 a5 @) i" W: v! P& s' M+ u5 `9 K
=========
. i8 \  Z% o8 g3 }: n8 ~
" l- X. {2 P! @2 OA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose, @' O* Z* J$ }
is to determines whether a debugger is running on your system (ring0 only).
0 @+ \% C  O, c2 W* a1 t2 y
+ i7 X2 T' ]6 e4 _; o! t# l/ A' \# a   VMMCall Test_Debug_Installed. n# f' z. d) a/ r( `+ Y
   je      not_installed) E, u$ }( ?1 `$ b

! J" p2 I3 M) o- d$ \# \) V4 `( iThis service just checks a flag.0 d  o! v% z  L
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 20:06

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表