找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>0 C( p  D9 H; s4 t) K* M
<TBODY>
$ U0 t, z( k( b: ~7 h/ Z3 c0 D<TR>5 y: ]; J5 B& w8 C; V: |
<TD><PRE>Method 01
6 t7 o; d5 J0 D- C4 F=========
. o# s* T9 M- h! d
: v$ @! J  V0 b, X; kThis method of detection of SoftICE (as well as the following one) is
2 M7 U8 f9 F0 J5 ^9 [; mused by the majority of packers/encryptors found on Internet./ S' r8 C+ v' I$ X
It seeks the signature of BoundsChecker in SoftICE
" A0 b" |+ N- [
7 ?( ~# t% I+ G  f    mov     ebp, 04243484Bh        ; 'BCHK'
' U- S/ @8 N. w: I. v7 ^    mov     ax, 04h; k; x5 x8 a1 i# w& O4 A
    int     3       4 b# u! {8 ~& c* k, J
    cmp     al,4
' }* |5 z; c  D0 B5 L9 s$ l    jnz     SoftICE_Detected
. _, l) z: M7 V" Y* N; S# V. z. S% m2 `1 o" z1 S" @- G
___________________________________________________________________________
3 k9 j2 h& h. g- c' W0 u: _' G. w. ~2 K. W% N, E
Method 02$ d" x$ p4 Q* D
=========5 P" w  a- w. r2 Z7 s9 L8 t8 H# S: g

- g2 F* D) V7 s  x, D! M4 y4 kStill a method very much used (perhaps the most frequent one).  It is used* R# K! k% S: p9 z' V( _; P2 @
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,; N+ O/ a1 D- w1 s" Y1 Y5 c" k
or execute SoftICE commands...
  Y: e$ F/ Z! S& a* W8 w, xIt is also used to crash SoftICE and to force it to execute any commands: F: C$ }, E! R4 R
(HBOOT...) :-((  & {. G( i+ I' o2 b% z% O

% p7 U3 I: @) Q7 ]Here is a quick description:
. F! p+ ^; f0 _( h6 A% L-AX = 0910h   (Display string in SIce windows)
2 K3 E+ w, x* P" U$ v-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
2 T, `2 h! A8 Y" [$ G1 I-AX = 0912h   (Get breakpoint infos)0 y5 f3 B  j" R: j
-AX = 0913h   (Set Sice breakpoints)
! K; L& Y+ [9 }  y/ M6 g( o-AX = 0914h   (Remove SIce breakoints)! z+ G  n! W- h. ~! S
8 d. B$ N+ l7 J
Each time you'll meet this trick, you'll see:2 Z0 O! A% U2 J. z/ \; @& v
-SI = 4647h
% ^, ~+ f  w% D& U! d9 `" s7 s5 O# E-DI = 4A4Dh: G6 P" O# O$ B" a6 g2 f! G' [7 I
Which are the 'magic values' used by SoftIce.- F5 D& Q' N9 b' p9 k. u
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.$ ^6 {5 t3 e9 Q9 K
; F- A7 D# u; U+ R3 X/ O/ {
Here is one example from the file "Haspinst.exe" which is the dongle HASP- s+ k: a- ?, O5 E+ L9 ?& S
Envelope utility use to protect DOS applications:
, h! c' R- L- L; c, T( L7 U8 F$ S  \/ @% `

4 W( O) a+ @6 u4C19:0095   MOV    AX,0911  ; execute command.2 x# ^6 Q. g9 X$ I% Z# T7 n! N
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
6 T0 G1 a: o( ^) i& V1 T4C19:009A   MOV    SI,4647  ; 1st magic value.1 Y) U' I# o3 D; @0 O2 ~. n/ H
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
+ d. @$ A. }8 [! I; N4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)  L& k3 o( |, q( d, s- q
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute9 c& C- X6 L5 E' Q* ~& q# ?, e
4C19:00A4   INC    CX
- S7 M. _5 B' J) Q4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
7 ]4 b7 Z0 r1 J  _; f1 Z4C19:00A8   JB     0095     ; 6 different commands.
, P  k2 b. u* W! a  d# J, S# \4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
9 H4 l  f5 O" l3 D. e: B5 G/ {4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 G2 G6 O7 u; ~4 Q9 @) z' {  d) T! s
The program will execute 6 different SIce commands located at ds:dx, which
& t# c0 \2 ]- Q* g$ ]" hare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) ^$ z: L  X* H' g! s( K' Q/ ~  r" F1 A* C2 N* O5 u7 T
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.4 ?8 `- B  I8 K* n7 f7 ~: j9 v
___________________________________________________________________________
9 _1 G7 W) T! e% i$ q9 ^# t; U2 }( `1 ]6 L
. x) L! m# B! {5 z) r8 |# d
Method 03
/ g- H# `; _7 X3 F8 |=========
9 a/ N8 o9 s9 a3 X
6 Q5 q" f  C0 @, LLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h2 l" p4 G4 [' H: g- [, k4 H4 n* o
(API Get entry point)
- z! [+ f2 D' B2 a. b* g, _        ( ^' _8 s6 L9 f  l3 T: Y! b6 Q

) P2 n+ t% Q; f& O    xor     di,di
1 r2 ]' g4 Q4 S8 [' r# @    mov     es,di
' |( [* ^/ u6 V) j& y$ I    mov     ax, 1684h      
6 Q4 z$ g+ v" \6 f1 k9 b- O    mov     bx, 0202h       ; VxD ID of winice
) @' ?2 o2 y* q$ ]1 B3 O    int     2Fh
% O  H9 }& m4 K    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& O/ s5 H# ]: y- }2 z/ s    add     ax, di
# h, u% f9 f2 X( f    test    ax,ax# u8 N  N& a; l
    jnz     SoftICE_Detected
9 a4 `9 M7 P* x* U& B) c6 g' [4 B0 `( h, M& V
___________________________________________________________________________
! {! \5 D5 {! b9 u0 e. U0 X; C  m' o6 t, V- C; c
Method 045 ~% k8 R6 R. h# c, U% k
=========
5 B' [3 I4 k, _& r! [0 C( d, D# s$ z
Method identical to the preceding one except that it seeks the ID of SoftICE
3 \9 S. Q' K) g/ g9 J9 _GFX VxD.
! a4 f1 t% S. v
7 u/ f% ?. ]6 Q, f( i% C" o    xor     di,di# }3 x. K# e5 }, p& e$ N
    mov     es,di; C0 E8 {5 n, [$ ?7 l
    mov     ax, 1684h      
1 b" P' T. d& G    mov     bx, 7a5Fh       ; VxD ID of SIWVID; p) j( |: G" j# q, S1 P2 q
    int     2fh$ {9 R  |9 X# i
    mov     ax, es          ; ES:DI -&gt; VxD API entry point. M  e3 W. Q: t; f6 d4 }3 j& `
    add     ax, di4 j6 R4 p) L; W# X% J! b( {) {
    test    ax,ax
1 c* e7 j7 v+ `5 A3 r9 w  O( X# z    jnz     SoftICE_Detected
" d7 D) u$ K4 h! m# C6 i! G# G0 B0 D3 w; H
__________________________________________________________________________  V6 k* @7 m* s9 C- W+ J. r( Z2 Q
- ^$ |! p% D3 }( r: _( n
( @2 Q( s. Z1 ^' L# o3 D
Method 056 y3 q* D' T! x; ^& i; e1 g. U
=========4 \. H4 L! }; f9 o/ t

7 z$ K9 v5 D% f  Z4 P: d8 IMethod seeking the 'magic number' 0F386h returned (in ax) by all system
7 @1 N5 `& H, l4 D# Kdebugger. It calls the int 41h, function 4Fh.
1 W3 ]" G2 k6 g  oThere are several alternatives.  
0 Z% X( u' E- ]5 I- @
' Q. r  r; C% QThe following one is the simplest:& H! k" c2 k' {

0 U- |7 n5 V# V6 d; x8 ?    mov     ax,4fh" b1 l! b1 q4 b# u, e
    int     41h9 Q! x' |" j- H; K, w
    cmp     ax, 0F386$ V3 i& c# K6 i8 Y+ N0 _4 y" c
    jz      SoftICE_detected
4 ^# f$ l. M1 g/ I- p1 T0 \! Z4 b- \

( ~/ @0 }6 y$ r. q; b$ ?* XNext method as well as the following one are 2 examples from Stone's
1 O; F+ y  R  `9 u* S/ L& Y"stn-wid.zip" (www.cracking.net):
& t8 \: ?* v2 G* a& Q$ ~3 u! l% w" s- w7 k6 P
    mov     bx, cs
* |% v$ p8 [' f2 N& f    lea     dx, int41handler2$ V- X7 E5 h& o' u- w1 R6 ]1 I
    xchg    dx, es:[41h*4]$ d0 j9 T: c7 S2 p, F7 w4 S+ k2 e
    xchg    bx, es:[41h*4+2]6 u( x8 t9 {7 g8 ^/ h8 S
    mov     ax,4fh8 ]* \2 @0 w7 Y1 a8 L
    int     41h" c* |3 D% @1 r$ z5 z, N; k  q/ N
    xchg    dx, es:[41h*4]
: ~' M4 e0 {9 l; x4 y* J    xchg    bx, es:[41h*4+2]
! W+ h( O. Z& Y( @: ]: a8 U    cmp     ax, 0f386h
4 o* s3 a; I$ Q    jz      SoftICE_detected
7 Z7 Z; R: t4 Z2 j; K& W
6 e% M* c4 Y0 m; Zint41handler2 PROC5 M1 J, {# O0 C; T& X8 ]( l* `6 r
    iret6 [2 V) v/ \3 N$ @8 S
int41handler2 ENDP9 I  |/ |+ A0 t' m  ?
2 g$ m; H2 M! v1 c% C
. e9 V7 ^- m' i6 Y1 b& B7 h
_________________________________________________________________________
, i" [; H6 o; t7 m' M: U
) I7 r  G+ d- i/ _5 p0 T" K
  B, ?$ g9 s2 X. N  j$ ^Method 06
" y1 i3 M$ V2 f' K: B=========
5 b3 a) a7 I( ~; D3 K  _5 I: c" e) g. f9 ~3 _/ i) j! U
9 ?8 D. r" x" A8 s/ b( {( k0 x
2nd method similar to the preceding one but more difficult to detect:
. m$ ^6 x8 Z! z" \, x6 e+ ]* x% I  B6 V0 W  Q( I; P' h+ F& F

7 ~; b' r+ R; j3 j/ G% ^) Tint41handler PROC
: \5 P  z2 V4 E: @& ~- W    mov     cl,al
8 k2 z6 g% b& ?7 u  B0 \    iret
; Y5 I4 l9 G7 [- z" M. Y# Nint41handler ENDP
9 v+ O: E8 j! C1 e$ p$ ^
3 r2 J, V$ c& ~) X) v6 L5 A5 \6 c: [" W  M4 {
    xor     ax,ax
: C. [: i! I  Y+ h& o1 Q    mov     es,ax" `6 G; T0 I- M9 O7 c8 L+ L! M1 @
    mov     bx, cs
/ p' q: q" W# e& k) c4 Y- o    lea     dx, int41handler, m: D+ P' H% [/ t7 j" t
    xchg    dx, es:[41h*4]
) v, e9 o  p/ I7 n# L& e+ V- V3 s    xchg    bx, es:[41h*4+2]0 a3 ^+ [- ~: Y$ O+ y; n5 ^
    in      al, 40h7 \, B" O4 K' F" M7 i, G  ?+ ?
    xor     cx,cx
* L5 X8 I: n: `- [$ M2 h' c    int     41h9 F; ^0 s" v+ D- `
    xchg    dx, es:[41h*4]. R( ?1 R3 ^: a2 @
    xchg    bx, es:[41h*4+2]1 f1 O+ U, I3 H+ L& p2 c
    cmp     cl,al& L6 A) k) N1 U1 }( q% o
    jnz     SoftICE_detected
9 C2 r# K" G6 ]0 h! `
9 e. A: r# n' Y  |" }_________________________________________________________________________
: u( R# K) l; L. S
! U  W+ G& @) X! f* q6 v5 b- FMethod 07
3 q+ f+ D. }2 z=========
' a/ d! F' t& q1 s0 a1 b/ Z) a
* r6 g: N0 o* D# mMethod of detection of the WinICE handler in the int68h (V86)
; H. U. C; N# Z  r0 r7 [9 }$ _' [" M2 |* L
    mov     ah,43h
4 r1 F5 l% ^' k+ v  K    int     68h- Z# M7 Z, \& J
    cmp     ax,0F386h% `/ h; u# q. r1 H
    jz      SoftICE_Detected
: k# z; T$ R  Q1 |% H7 g: ^1 t' m5 F0 T& X

. N+ Z5 I) Y! [& C5 F: T=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
& [5 `' c+ H, C8 l% C, e   app like this:* J$ U$ `) Q1 e7 J/ v" U. S
/ y) F$ y& T  [
   BPX exec_int if ax==68
" a2 p! Z! R# E2 m. u   (function called is located at byte ptr [ebp+1Dh] and client eip is1 g7 N  v' k9 y+ U7 g" C4 s# _
   located at [ebp+48h] for 32Bit apps)
) E! v9 o! U2 ^( G, M$ {2 A__________________________________________________________________________3 u: s+ i  {( s
+ _, m0 f8 `, ?/ v
2 N3 r" h# @- H! x5 L% A# W& R  U
Method 08
4 v1 i% D# C: I" t0 ^=========
* I  m6 c% {% L3 d' G
# i" G- L+ i' ^2 B; ~1 bIt is not a method of detection of SoftICE but a possibility to crash the' `2 p  l4 @7 b  X) @$ ~, y3 L8 Z
system by intercepting int 01h and int 03h and redirecting them to another( Y. W! |+ G& `
routine.$ D% ?1 R2 {0 L6 @# t6 [& V: K$ _
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) t1 }4 H  J; T2 o' U% P6 F
to the new routine to execute (hangs computer...); _8 R+ W5 s8 z$ e
! G6 _9 U8 Z( W
    mov     ah, 25h( _& _2 W9 }# V, x# W
    mov     al, Int_Number (01h or 03h)
% \$ D8 g8 E2 @. k1 }& o8 m4 ]( K    mov     dx, offset New_Int_Routine% G" A( i) f' Y
    int     21h( s0 G& g0 M, b% c1 n
( L1 e0 J7 i; O% B) z! U2 ^
__________________________________________________________________________+ `& N5 \% M. `- ~

# N% @+ \0 V  P$ ~# t* S& VMethod 09
3 e& U7 Y+ d0 l=========) O, Y2 {" q% {7 Z. g* K
% X; Z- i/ V, P% w2 T& N
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
/ M' t# I. S, Dperformed in ring0 (VxD or a ring3 app using the VxdCall).
' m& R2 z/ Z) q! Z: aThe Get_DDB service is used to determine whether or not a VxD is installed: q* c5 n9 w+ T4 W
for the specified device and returns a Device Description Block (in ecx) for. R) y3 Q4 P+ j2 u
that device if it is installed.& i2 r, |8 [' S& {( P

- P6 W- u6 ^) ~9 b+ ?' M* B   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
6 G% [# U0 ?0 v8 ~: ?# }   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)0 A2 e6 B+ }+ T& i( |  i4 B! g1 G
   VMMCall Get_DDB+ F+ f# _9 ~" ?2 u+ f
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed5 V4 R, }7 h+ g) x
) |' a3 h5 X, Q' ^
Note as well that you can easily detect this method with SoftICE:
! C; z/ l/ X+ ~" C! `   bpx Get_DDB if ax==0202 || ax==7a5fh" J  ~/ A/ f% x# }5 z

. k/ @& P5 _9 X8 c0 j__________________________________________________________________________2 v; ^1 E% c) O/ A3 d

& M. {# _0 T/ h- c( U7 hMethod 104 X$ b( R5 E3 S; w
=========
6 B& ^; [. }9 V: x) r  J. G+ W( k3 R2 G* r" {3 x' S! a( w. J. M# k- n- [! T
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with1 f, a, S8 \5 p0 I$ c1 g
  SoftICE while the option is enable!!4 s) y- g' J3 j
* L* T4 v6 _, a0 w/ v# V
This trick is very efficient:
& T8 n6 q6 E0 E$ @/ u6 {by checking the Debug Registers, you can detect if SoftICE is loaded
0 X! y( X# m" S; [% r(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if% o3 O7 r( O1 S8 i$ U0 x
there are some memory breakpoints set (dr0 to dr3) simply by reading their0 d1 r, R  {: a/ b
value (in ring0 only). Values can be manipulated and or changed as well
  e" b1 A- m3 I6 {* P- f(clearing BPMs for instance)  f* S2 T9 j4 }) L( g2 t

3 [3 Z. t3 l8 l__________________________________________________________________________. u1 z! _' ]2 S0 ]! J; q
4 d2 p) \! `; W3 y- ]4 ^
Method 110 _, S: ^6 @3 m: \8 N
=========" D* n+ I0 [& B& [5 t# y( e

6 W0 D2 _8 P( W  DThis method is most known as 'MeltICE' because it has been freely distributed
& A; S) ?2 s% a# dvia www.winfiles.com. However it was first used by NuMega people to allow
5 d: X( B$ T1 Z, eSymbol Loader to check if SoftICE was active or not (the code is located! m/ t) U1 h- @( |  l4 g
inside nmtrans.dll)." C  |( ^2 J+ y3 q# m4 A

1 D5 p. Y6 }5 @* l, tThe way it works is very simple:
6 J% e1 r8 q6 n4 T7 Y. L  aIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# V1 v" l6 C' N# D. rWinNT) with the CreateFileA API.
2 j; Y/ {  L3 N$ ^" E# h6 j  S/ I3 k' j
Here is a sample (checking for 'SICE'):
  k1 q5 I: r( X5 `/ R
- x' K: f8 O% L- ?( eBOOL IsSoftIce95Loaded()9 ]  E# S5 `- V0 Q& z* A) y8 h2 D
{
( L) d4 R& a4 P! l) o# ]7 y& x   HANDLE hFile;  
9 l! |& K9 X8 ]) W   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& D/ y" O8 k8 `' v/ c0 W6 {
                      FILE_SHARE_READ | FILE_SHARE_WRITE,7 n! u( t# M1 [5 l2 R9 s% g
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);- V, d; R' f: l9 E( J- u+ ^) j' [% }
   if( hFile != INVALID_HANDLE_VALUE )) V, K( G8 R9 o
   {0 j+ M" [  \+ g, N' Q9 C. z, l6 }
      CloseHandle(hFile);
) L2 n5 \9 ]: g. A7 f. a      return TRUE;) c. Z8 [# \. c& L, X
   }3 ~4 }+ V0 x( \: x: C' N% t" m
   return FALSE;. U* H! T: g1 I; ?2 z: e
}
7 s1 D$ x  w# V% a! t+ Y' k' H
4 w  a0 R* Y9 m" m1 [Although this trick calls the CreateFileA function, don't even expect to be8 X. K. e# a' {6 \2 {
able to intercept it by installing a IFS hook: it will not work, no way!
% x, Q; \- T( H* q* a( q+ ]0 YIn fact, after the call to CreateFileA it will get through VWIN32 0x001F4 l5 w# I& g) x; N$ H. f: \
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' P8 H9 c- x' @+ P
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
/ ^% i6 X, n3 Z; a5 q/ vfield.3 w3 x( }$ ?+ k) l+ c
In fact, its purpose is not to load/unload VxDs but only to send a
* Q2 t9 F9 I, T. c6 e: IW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
( e4 U- X3 k# j. \  [4 lto the VxD Control_Dispatch proc (how the hell a shareware soft could try
2 S3 y$ k# j3 m! w; S6 @( |to load/unload a non-dynamically loadable driver such as SoftICE ;-).; e/ s: q9 M, ], ^  T) Y* ~
If the VxD is loaded, it will always clear eax and the Carry flag to allow% H6 q) I" ^; H
its handle to be opened and then, will be detected.% A* ?; L" X& Q) W5 X$ \$ L
You can check that simply by hooking Winice.exe control proc entry point1 l" z# V7 Y& u, T
while running MeltICE.
# e- R- C  T+ P$ W' b+ |
0 A8 e" T0 o* S# R$ M" t! Y7 f+ U7 U& O7 r6 G
  00401067:  push      00402025    ; \\.\SICE
" d/ Q6 L6 @" Z9 B1 A  0040106C:  call      CreateFileA
! X* g$ o; w" |& `# K5 D  00401071:  cmp       eax,-001
7 v: W& t2 P2 x  00401074:  je        00401091
! S; k& ?- A+ R8 g9 \* ?/ d) Z' o$ Q; @; Z2 R8 G* [
1 l* l- c+ z# e) h3 q' \
There could be hundreds of BPX you could use to detect this trick.( k, T) V2 W& f
-The most classical one is:
; u6 T* W. a' c; s  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
7 m0 s- }9 e3 f    *(esp-&gt;4+4)=='NTIC'
+ R9 C0 p) F* C- k" K- E, V0 u4 R0 n! a" E( ^. y3 Z
-The most exotic ones (could be very slooooow :-(7 ~: E1 b' W! W7 v$ U$ y- m' ^* S
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
$ h6 R0 J- q* C" N7 Q1 u     ;will break 3 times :-(  _9 c( m& q, \& P( }

/ i2 [( ^: h4 k* b) F- c7 z-or (a bit) faster: & C! L+ ]. X2 [9 e' ?* {* o
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
8 S2 h5 _% p* V* x5 e: d8 l5 e% ^7 v
! h& e4 g9 C$ i8 M. P   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
7 v2 b3 u2 M5 h, h* _# {/ z     ;will break 3 times :-(' Y) X4 W: ~8 v( |7 m

7 k  t! A, x; \+ x# r- B: A-Much faster:1 M8 b$ S/ x. k* Q" f
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'+ d& P4 D9 ~1 N) x
8 A4 m" \4 k) ~0 y( z& |
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen" H4 i7 |% P. O  R
function to do the same job:6 ~; t2 |0 p2 Z" B" M. ]- @! \- h
, s/ E& g" {4 h5 G; y  h
   push    00                        ; OF_READ9 ^/ C) E' ~8 D3 C2 l
   mov     eax,[00656634]            ; '\\.\SICE',04 {9 R8 r! P* w
   push    eax
/ x6 |' m7 `" r- A' Z! j! S4 D   call    KERNEL32!_lopen
* k! S5 y5 V* H) U0 I/ m+ o2 f/ [   inc     eax
$ q  q  [+ M( n6 v6 \   jnz     00650589                  ; detected- `; w" v) C4 V0 H( [1 Y
   push    00                        ; OF_READ
2 K" F( s- i# R0 ~* A! b1 P   mov     eax,[00656638]            ; '\\.\SICE'
8 ~* ^( S7 j& Q  z. C: f8 z   push    eax1 N, N5 T- y% |6 h% ]
   call    KERNEL32!_lopen
7 y5 q. T/ z, X0 w( b( ]   inc     eax9 p1 [% Y5 u2 S5 P
   jz      006505ae                  ; not detected
" M. i+ Z3 Y6 t# C; `* b, O% @. q9 ]
& w- ]9 p+ T5 ~, d1 {
__________________________________________________________________________1 D0 ^7 P6 x6 L2 ]! v4 O
  ]2 d# N7 f5 w. z3 J- w/ H
Method 12
  e5 m+ c' Q5 [9 |3 A3 q=========
$ g# h- B- C, ?6 l! g3 ^4 a5 n
( X% T- n; r0 p: f( q7 BThis trick is similar to int41h/4fh Debugger installation check (code 05
6 p$ }0 F8 F3 I- [) y1 l$ D&amp; 06) but very limited because it's only available for Win95/98 (not NT)8 e# G/ l- r9 M6 Q
as it uses the VxDCall backdoor. This detection was found in Bleem Demo./ j9 h- K$ V1 T/ ~3 u, O- m# l! |1 f
/ c/ H- [9 e( \
   push  0000004fh         ; function 4fh
5 s4 B. L% E5 r   push  002a002ah         ; high word specifies which VxD (VWIN32)
* B: H) t) q7 [- U/ S+ t                           ; low word specifies which service% h2 A: A* C* u8 c  ^
                             (VWIN32_Int41Dispatch)2 i6 h) j8 k' J3 L  \! r
   call  Kernel32!ORD_001  ; VxdCall
7 i2 `( I1 J% u   cmp   ax, 0f386h        ; magic number returned by system debuggers5 ?7 I! ]1 r. {# ~. `8 M  m9 d
   jz    SoftICE_detected8 G1 `! ^/ W/ n% W, _

0 V$ U; b$ }6 ^' n/ B% t% V  W7 kHere again, several ways to detect it:
- g; |% R" {* z4 s2 Y/ p  {3 R2 P
    BPINT 41 if ax==4f
! Q- H/ |* Y5 l4 E' ]: i, {  ?* g+ l) \* U
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
8 H! D; X4 e- U5 |1 C, @7 K* i( {, c  S% y
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A1 m: z. I0 A, ^
7 Z* \, f6 B( g- y
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
" ~; r- Z$ _" I2 V1 `7 `+ c9 L5 p) j0 k6 Y6 x  q% y. u/ e' F
__________________________________________________________________________
$ w: [9 `8 O0 Q+ @/ i6 }; p( Q( e+ \# Y2 R
Method 13
) o2 v5 y6 A2 p/ P( Y=========, X6 M1 g) V* w: D* L

" W  t* Q; V1 _0 l# \Not a real method of detection, but a good way to know if SoftICE is
0 a0 V; d8 c9 Finstalled on a computer and to locate its installation directory.
4 B+ ^( Y( v, R  [% `! YIt is used by few softs which access the following registry keys (usually #2) :
9 r! K9 `; A; o6 v7 x! _! y: s( o
5 T: C8 S6 ]' X( k  D-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: I# K0 Z) k+ i+ ?  U5 X# i/ X2 z$ d\Uninstall\SoftICE. `" I5 w  N( }8 C1 q" S6 p
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
5 k' R+ s& J& v-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion4 w* n2 `- `$ ?6 ?( ?: b
\App Paths\Loader32.Exe
# n8 I% R4 R3 T
" J: R6 f1 j: H! K
2 `$ q8 M  s5 U  V( M" w; T9 ?- |Note that some nasty apps could then erase all files from SoftICE directory& ?/ M/ V$ e, N3 `8 @$ w2 L
(I faced that once :-(5 t5 i# M  @) @8 l* S9 y
7 o) m$ }9 Q+ g
Useful breakpoint to detect it:# [3 `) j6 ?0 D( [/ w' D" _

' v" s# T1 }/ X3 m7 z     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'3 k: E0 o  |5 ~) Z$ Z
8 |' Z. Q8 T/ D% y# i' t$ x! C2 v4 Y
__________________________________________________________________________
- D* Q: o$ P6 P  m
0 d: N/ d9 D; ?8 j; s2 q
0 |3 B3 I  \1 ?3 [/ i; xMethod 14 & _+ q' b7 I" y8 T# Z5 |
=========7 }$ [* Z: i/ b3 [; R* |( M

3 V, p5 {9 C5 B: y' z* L, c* SA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
& q: \2 M0 f* F7 U/ G3 n% eis to determines whether a debugger is running on your system (ring0 only).
/ p4 w) d5 z* e% ]4 U6 Z5 A$ \' d
   VMMCall Test_Debug_Installed5 N) J" s2 v& V" J+ N% X
   je      not_installed; ^/ ~. q9 G" o. I3 Q' [

4 K; J: g4 u' A5 E0 T4 k; FThis service just checks a flag.
* c' U. Z0 Y4 w) C, \7 Q. \5 K</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 07:09

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表