找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
' U3 j6 F0 M4 b  w) q. S$ @<TBODY>
# ^( k1 @! ?$ [# j( L0 b9 ?<TR>
' _* }2 z9 n) f; S( G7 O; V5 i<TD><PRE>Method 01
9 ^1 O& u- Y. n# ?9 g9 T! \=========
2 ^2 s; F. F- V+ s6 H( A( Y9 d
This method of detection of SoftICE (as well as the following one) is+ N' F0 d2 M8 s& x% l' E
used by the majority of packers/encryptors found on Internet.
: R' N# ?/ B% G) _" b: i" QIt seeks the signature of BoundsChecker in SoftICE
$ ]5 Q8 {0 |/ o! ~( \6 c3 V+ r3 p* o0 |
    mov     ebp, 04243484Bh        ; 'BCHK'6 M: p. z& _  p) U6 f/ c# |
    mov     ax, 04h
9 O- P) M, Y  j# W    int     3       0 h7 ~9 X0 X( }# E7 E9 v1 x+ c4 ~
    cmp     al,4  o3 W0 z$ B+ T9 J8 u
    jnz     SoftICE_Detected
- I& _! J, H9 M$ A$ y5 N1 j6 X) y% M5 {+ t4 I  [+ j
___________________________________________________________________________8 ]7 M3 a0 G8 w4 B" y

0 K" h" w% ~! R' Q8 AMethod 02
. s% h7 i; _- U* v  c1 l# ^& `. n=========
: n/ X! U- M0 \/ d4 K) a, O
3 Q1 R9 Y. x1 E5 j6 ]2 gStill a method very much used (perhaps the most frequent one).  It is used  U& w. S: |( \' w
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,8 F" v1 t* e, i) v- v9 z& Y) [
or execute SoftICE commands...
8 C: X' U9 k5 |' M! G/ `, R9 l, rIt is also used to crash SoftICE and to force it to execute any commands' _# {2 q5 n' y9 e. W* ~- h
(HBOOT...) :-((  ) C+ e  ^) [5 L) N& R  }7 n  @

$ S* x( \8 W2 o: W) pHere is a quick description:9 w5 u4 o/ i+ g9 u7 V
-AX = 0910h   (Display string in SIce windows)5 g! q* \3 m7 F
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)% \* l7 R, b) g) W% K( i
-AX = 0912h   (Get breakpoint infos)
4 e5 W+ J& H, r  g-AX = 0913h   (Set Sice breakpoints)/ j4 d2 A; o  {+ j: ^
-AX = 0914h   (Remove SIce breakoints)7 u" ]7 `( p: \, e  }4 s: G& G/ Y7 b

: ~* t% G: w. U5 K3 L) |4 U  ?Each time you'll meet this trick, you'll see:  O5 M# {( y; k/ k& e6 K$ }
-SI = 4647h: `+ n0 K3 a" P7 A0 B
-DI = 4A4Dh
7 c0 J/ O, n) s/ G  \/ rWhich are the 'magic values' used by SoftIce.
% i" J( A( v) w& vFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
$ t" q0 m3 \. n7 `4 \
; }" m) w3 q! p3 h" a1 i, q4 w, i: yHere is one example from the file "Haspinst.exe" which is the dongle HASP
! }/ z/ q  l& c$ ~4 \& W( i) TEnvelope utility use to protect DOS applications:4 g/ H+ u+ Q( L( J  k  l9 U

) T, x. F( Y4 p3 o0 v% S9 I+ z
  g; k) [! U4 P% @4C19:0095   MOV    AX,0911  ; execute command.
7 M) g  N9 J7 s& F& t* l4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).& M2 j* F% t" Q% ?
4C19:009A   MOV    SI,4647  ; 1st magic value.! k& s$ I$ R4 {9 ?& u
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
# A! ?- I. v, ?/ C$ }, y! I4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
% L2 J8 \: q& _9 p- J9 H+ j- K, X5 W4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
7 I. s; W+ U" R# X  [3 z4C19:00A4   INC    CX
& Q; ]1 i* s6 P9 V4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute: S8 E3 ?2 h( O1 ~* D0 J
4C19:00A8   JB     0095     ; 6 different commands.
! i. h: i* P9 ~' Y" u% e3 Q4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
# R6 p' p3 w' o+ S. I/ S, @4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)8 j# N  f; [& z
& o: t) j/ Q$ k- e* j. Z5 f
The program will execute 6 different SIce commands located at ds:dx, which
: N2 R9 r: F! d/ aare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.2 r1 b8 B: i! \+ q. J; u! a! _& _! X

: v9 R: e: K3 p: ]1 e* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
. ?9 I7 }8 M9 K  _( s___________________________________________________________________________
, |8 D& F8 a2 g+ p2 m# T7 T. _9 r0 K2 _' Z. E2 r! \" ?& Y8 l$ m4 C

8 t7 `; H8 ^( J* j2 lMethod 03
7 x; p2 }4 m# Y=========
* k" M1 p8 F% ?" n- y8 Q
" V. A1 h% n7 I3 y* c* @Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h$ @1 a- a. Y4 m' R# z
(API Get entry point)) j4 d' x! i( b2 U7 Q
        
, b% G# q# C& [: \: e2 J1 O
2 ^' M! @: v  q& S6 m8 C  v    xor     di,di  R# e0 Y1 h' }$ v& Q
    mov     es,di
- ?) l( g  Z" R5 b% p    mov     ax, 1684h       * b! G% z& h0 J' _, `1 x- W
    mov     bx, 0202h       ; VxD ID of winice
: Q# z! s: A7 e! [. G. X' a    int     2Fh
2 E* N. b) c, ?. l  P    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( V. \1 I' J+ k. n+ ~; |    add     ax, di% O' k5 m' _$ y( V" @
    test    ax,ax
1 e" m. q! C9 n    jnz     SoftICE_Detected; |1 ~$ |: F$ Q) i

' }( T& Y3 t0 l; E) G% d___________________________________________________________________________
9 f% b- g& e3 U. r) `( d& i& a9 N0 V# ~! w" X9 e- _  \# ?
Method 04& j) Z/ u' z) m  T  o6 T
=========
% [8 C5 z+ @9 B
) V/ E: x& i* aMethod identical to the preceding one except that it seeks the ID of SoftICE
6 H) r  d4 s' }  R; KGFX VxD.! C6 m# c! U1 p# M$ L
' w4 K* O/ R/ m' |; }5 W' m9 b
    xor     di,di% y3 C$ {) T# G, k7 o* m
    mov     es,di5 Z( {  s; L0 b* s3 B7 I3 |
    mov     ax, 1684h         @9 m# ?8 i# V2 t
    mov     bx, 7a5Fh       ; VxD ID of SIWVID# U  I1 d# u' ?; M
    int     2fh
- f7 y8 B! E* O' i8 b3 {! h" v2 S& r    mov     ax, es          ; ES:DI -&gt; VxD API entry point# j1 f* {+ l6 p. w' @
    add     ax, di
5 c/ u9 w; a! M  l0 E% x* G    test    ax,ax, S. M# X! l5 |
    jnz     SoftICE_Detected/ o( e9 `/ j6 ]) b, u! x* j

  j6 k: D5 w4 g/ t& a5 {$ @__________________________________________________________________________- I% D4 P* W8 s3 U
# ^; h! ?& Q6 I( e: R# X. m
3 w7 j) S: o2 n
Method 05' x8 J6 @  I) h% v: Q' f" y
=========7 N, r! ]$ x4 ^

$ N# t* S7 P8 E6 W" B% L- dMethod seeking the 'magic number' 0F386h returned (in ax) by all system
& x% F! a! i0 J; h& R# ~! Zdebugger. It calls the int 41h, function 4Fh.
4 h" w0 T+ G8 U3 o$ _There are several alternatives.  
+ J) V- d7 M# ~( T$ f  Z6 p2 k7 @$ h% i- P0 e
The following one is the simplest:. f" c) s% t4 G& ^  J

7 v( @1 C3 f0 j* _    mov     ax,4fh
4 g7 c$ o6 V- X+ n+ X4 i2 f    int     41h
; n7 d- a( G' F    cmp     ax, 0F386
) z7 l; G/ c9 L/ S3 k) A2 Q4 u    jz      SoftICE_detected- r7 f. J6 e; d$ D3 c# U* |0 J! t
- Z, O7 [' B) Z+ {
5 D+ x  F1 o  {7 u
Next method as well as the following one are 2 examples from Stone's
' O8 R. r9 v! ?9 D- l' O$ ?"stn-wid.zip" (www.cracking.net):
& D0 i  C6 ^' V- u0 v3 B# s% l0 C7 ~% r, `7 C  `8 g1 e' r
    mov     bx, cs2 |- _* q4 }7 Z$ M6 E! V3 `
    lea     dx, int41handler2
# t5 a% l/ L/ [    xchg    dx, es:[41h*4]7 g4 N; [/ u8 z! @: z* J4 E- L
    xchg    bx, es:[41h*4+2]
( T2 U5 B  |. p* n0 q    mov     ax,4fh3 m" r. \! K& c1 J/ p; @7 m! H
    int     41h: q& b$ s& c4 n
    xchg    dx, es:[41h*4]5 o1 ~( k7 m" {5 D' a: l& ?
    xchg    bx, es:[41h*4+2]
4 b" L5 Q# ^) M  y8 u    cmp     ax, 0f386h0 u! |' x* z5 f1 ]7 ]
    jz      SoftICE_detected
9 Q2 O5 P9 W6 E1 F, T- m% d5 I
: y, X# j0 C( zint41handler2 PROC
" a# Q' s8 Y) i5 z; _- {    iret+ [5 C# k! q' o, c6 a
int41handler2 ENDP4 u, S' V- S; o  p6 q0 s
7 c7 s2 `( M5 W* D
' f$ T9 X+ R; c  H8 E$ D4 Q
_________________________________________________________________________
( t4 K9 T* `" U% d  \- J8 Y  D1 p5 _$ l9 Z* }; v
9 v7 o2 B- n" u5 q$ ~* U+ s
Method 06
1 l0 w6 J/ b4 c=========% t2 q- i+ P1 }+ f/ a3 \

9 f$ ]" E! j6 P) {/ b0 Y9 x) c' O5 _9 ~; E8 G3 p
2nd method similar to the preceding one but more difficult to detect:" Y' S  m$ {! U& e, e3 `
+ W% k# C; p% A* ?; n. J( j
5 i$ V3 C% M" `) ^, s* `+ K8 G
int41handler PROC
6 U- \0 R4 d) g  Y% T3 N    mov     cl,al
9 b/ x& C/ o; k1 R& m  \    iret
+ L3 F' a' G( ]# {9 Wint41handler ENDP
3 j) F* s2 [5 H. c3 X& {: h) }
3 A  u2 ^/ h" M& N7 j8 n# N; Z" L& B  N& R3 f
    xor     ax,ax
9 ^" ^2 D: H! y& l    mov     es,ax
/ i& g4 e* K" [    mov     bx, cs' Q- R' o# j7 D2 j
    lea     dx, int41handler, ?. n3 t) F. T4 Z
    xchg    dx, es:[41h*4]
: u) d  b9 O4 U, z, `5 d! n( g, I  x    xchg    bx, es:[41h*4+2]0 J0 L- |* t& L
    in      al, 40h
/ O2 J6 t; n* E; ^8 x    xor     cx,cx
) r: A0 ^) ]- ~& n2 I) ?' I    int     41h
8 Y* w  A+ n1 j$ J) R, p    xchg    dx, es:[41h*4]
- g9 D, {* K- G/ e1 ~# L    xchg    bx, es:[41h*4+2]- _3 Y; n) m! p% S* K" @# j2 `3 ]: N) w
    cmp     cl,al
8 z6 b) \# [7 S1 Z6 f' i* ^    jnz     SoftICE_detected
- }  ?2 d8 Z) _4 R6 ~% x6 q% |; y! Q6 U* C" x4 A  d
_________________________________________________________________________
% k* X" t9 X6 f
# u2 T- Y6 B4 HMethod 07
* M/ N7 q* u3 a8 S=========2 e# @% d; J. u" G

8 K+ Z: X' x6 n7 Y8 Q% D  e3 mMethod of detection of the WinICE handler in the int68h (V86)
; Q% i3 G7 p- ~8 m6 J
& P, e' t! n. t    mov     ah,43h
' u1 b/ a7 t* i    int     68h
9 L5 O1 Q' f1 Z5 `" M/ i    cmp     ax,0F386h
- y$ j+ S1 R  g- f5 v$ \# r: L& X    jz      SoftICE_Detected9 U6 h& [; L3 B7 C
- j. H( t! A: r: W2 L
' [1 R- H) h8 {$ O, F* a1 r, p0 r! v
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
( i) N! f0 {! I9 U  G   app like this:$ l0 @) r: O9 x, B  X; \. p

* |/ G- L6 ~% \) j1 Q   BPX exec_int if ax==68* x2 y3 K; r" Y
   (function called is located at byte ptr [ebp+1Dh] and client eip is6 l8 {0 ^9 J  M  i5 q  l- ^
   located at [ebp+48h] for 32Bit apps)1 X9 G9 m4 i! |( D. e0 w
__________________________________________________________________________
: }/ q5 f* j! f+ g$ q0 N
% |# G$ m7 Y7 {1 n! X" a( C8 r+ M) f$ N
Method 08
* h8 O! f) h4 U$ K$ H5 L=========
3 u, i% @+ t3 |% i& p" s
6 e6 O8 C4 F- `3 |& Q* h) e' YIt is not a method of detection of SoftICE but a possibility to crash the1 S1 I2 x, p4 }/ h3 ]
system by intercepting int 01h and int 03h and redirecting them to another; d8 t/ J* y' H3 X; F4 y
routine.. M# G$ D( E; ]
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
8 l; p, b' l8 u5 J/ w2 L% Z; @: Dto the new routine to execute (hangs computer...)
& x$ M) O: u: V9 C/ G. N% U# S1 H) p; i( V  `
    mov     ah, 25h0 [9 H* T; J: Z8 m
    mov     al, Int_Number (01h or 03h)
" |+ k. W  r- H    mov     dx, offset New_Int_Routine
( d. v0 v2 [* s$ k3 t. n$ \    int     21h& z# x) q$ p$ Q2 _" O! d2 l# X! [
* R8 G" e9 c8 X+ j$ j- ]8 R) K
__________________________________________________________________________
( Z# R# M# R0 G! F
4 z3 G2 T% ^' C- o1 }  }& DMethod 09
6 \' M$ y, q- P- v2 S=========) L) G1 X, z' Y" M3 n! }

4 `2 }4 O5 k* A, t5 Z, l* OThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- x/ w4 Y3 y/ @6 J/ s  t2 q
performed in ring0 (VxD or a ring3 app using the VxdCall).
, o: ?0 C0 _9 mThe Get_DDB service is used to determine whether or not a VxD is installed8 Z& i" j( K; [  h' I. I
for the specified device and returns a Device Description Block (in ecx) for6 R3 ]' M( y9 V0 f  t/ `
that device if it is installed./ |( Q  N) ^8 a& K* _' w
% V- M  n; i. `* b  V: @& K
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
5 W) a1 e. \- Y5 T2 L   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
. p6 r: o) B$ h   VMMCall Get_DDB5 l% |+ z# R, x- i; h0 C
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
- j* X. `1 _3 ^' L4 E* J: L1 }- d" {8 O9 c6 K5 x
Note as well that you can easily detect this method with SoftICE:
; [" F3 Q4 x5 u0 @7 }5 c6 y7 f5 |- t   bpx Get_DDB if ax==0202 || ax==7a5fh
$ G) g" u. ?1 Z( Z: H& C# \
6 S( b5 \% C& I% M4 f3 T1 d__________________________________________________________________________
' m; i. ?0 l' D
4 H' ]( v( E- G  b# G. PMethod 10
- A8 Z5 R+ U, ?- O" h: F=========2 g! L' x$ p$ r( j
4 p3 _$ ]8 W; |( G
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with8 i2 t1 ~* M# F4 D" X7 W# R4 V
  SoftICE while the option is enable!!' P" x! Q% T! o$ c( ^

' r* F  n- ?! \This trick is very efficient:
& V" q9 c2 y1 n; ^0 Nby checking the Debug Registers, you can detect if SoftICE is loaded
. P6 a6 Y: |! o6 c& r& J(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
  o. U  ~! ~0 `$ F7 nthere are some memory breakpoints set (dr0 to dr3) simply by reading their
: j% ]; V/ y+ p9 a! Q- tvalue (in ring0 only). Values can be manipulated and or changed as well$ O& i, Y+ @: E
(clearing BPMs for instance)) F; `7 F4 p* @% g8 _

3 z( B7 ^- [9 r" s__________________________________________________________________________
! u+ z1 |9 B, h: s4 l
% m! L) {+ k: L, M+ ?' bMethod 11
6 e' i0 \; r, e6 R- w  c=========0 D5 P4 T: w3 m

& E9 E; W, A9 AThis method is most known as 'MeltICE' because it has been freely distributed7 }% @, T! l: p  q4 F
via www.winfiles.com. However it was first used by NuMega people to allow4 {, ~& k7 h% Y
Symbol Loader to check if SoftICE was active or not (the code is located
( C6 d# O4 R# N3 Y$ }! t$ Ginside nmtrans.dll).9 X  o2 w, {" M4 D3 }
: q0 {6 d$ W+ q' C. C: z5 g
The way it works is very simple:9 J& ]) \3 m9 Y8 m* Y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
5 M. ~! k5 m1 `WinNT) with the CreateFileA API.* q3 k0 o5 R. g6 q  L. E( x

! l3 f' e+ Z& b) P5 yHere is a sample (checking for 'SICE'):/ K( R  A/ ]& V4 ]
8 U0 W1 w* q, |& L
BOOL IsSoftIce95Loaded()6 S1 H+ O! M! }
{
! M4 S8 C3 |; p) d   HANDLE hFile;  
" p. a/ a* L) ?  F   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
* j9 I, D" I+ X4 n* Q7 _                      FILE_SHARE_READ | FILE_SHARE_WRITE,9 \5 s+ S9 k: j. c1 ]7 l4 G9 s
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 a( v/ k4 ?: b! f4 L* G# B: t* l' c, R
   if( hFile != INVALID_HANDLE_VALUE )
, C# v8 N/ U4 q8 h- M) _   {
% a4 B" s( a  c( Y3 ~: A" j      CloseHandle(hFile);! B" G+ p+ K( K# q& Q4 g
      return TRUE;
7 H1 C) ]- m# H1 O' d   }, R) \! l2 E9 U6 Z% T
   return FALSE;0 T' m) P: h/ ?
}. r+ ^$ r- m! H& P; `0 E

9 X. q, ]; Z$ S: d& zAlthough this trick calls the CreateFileA function, don't even expect to be2 n# w, b, e0 E( ^
able to intercept it by installing a IFS hook: it will not work, no way!
6 ^4 D9 W! m$ l) d& \- \, p5 S9 ]In fact, after the call to CreateFileA it will get through VWIN32 0x001F
; i& A/ u- D3 z: Hservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 y- g# J: p! H, @& D/ }- I7 O( R0 U
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
& _1 K/ S* I4 o) `& {2 l( Z- lfield.& x. j0 q# B0 k0 O0 E& F
In fact, its purpose is not to load/unload VxDs but only to send a " s4 ?7 q' V6 _3 }3 @
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
: L( m6 `/ S7 C6 g& pto the VxD Control_Dispatch proc (how the hell a shareware soft could try
/ i8 V* y  Q+ s* Yto load/unload a non-dynamically loadable driver such as SoftICE ;-).$ D$ @0 h% r3 d& o  g% u0 n
If the VxD is loaded, it will always clear eax and the Carry flag to allow# I3 C& v3 s" B" K" I  B1 y
its handle to be opened and then, will be detected.2 E. {# {) c/ m$ T( A
You can check that simply by hooking Winice.exe control proc entry point7 M1 H& g" j5 R4 y
while running MeltICE.. G0 ]( v* j7 n3 T! Z: z- M0 t8 I

; u7 S5 m" _6 ]- a5 u- \* o5 A* W, X; n& D3 Y% O9 l$ n
  00401067:  push      00402025    ; \\.\SICE8 z% V  L) Y5 u( W3 J: Q: t
  0040106C:  call      CreateFileA
. `9 e& l* `$ w  00401071:  cmp       eax,-001$ `2 j# d, o5 y* I8 A! E6 E
  00401074:  je        004010919 c6 r/ `# x% l& b, z9 j9 W2 k! y

( H6 {$ [% f* p$ U% x0 a, F) ~9 C7 _. y7 k' r
There could be hundreds of BPX you could use to detect this trick.! L2 |5 g( n1 }6 Q
-The most classical one is:
! t; F1 a9 r. N& {) F* f$ \3 C  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||7 j, e- s0 i" H4 Q9 p
    *(esp-&gt;4+4)=='NTIC'
) i1 }' W: D& l1 u" b! z) S& [/ E) S9 T5 b
-The most exotic ones (could be very slooooow :-(' e. `1 k5 k7 I
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
& P2 r1 ?; n% d$ K" E6 v     ;will break 3 times :-(. g: v7 `1 Q- v% Z" J$ y  d
+ s9 }" d2 q" a* V! e8 A
-or (a bit) faster: 8 }; R3 q+ v, V( {5 g- M6 W+ o
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
  b  L, T0 ?' Q; S1 o- p' `4 }7 [5 J
  H& M0 G6 x+ r# b- I- w   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  % j! N  I2 |& c% k
     ;will break 3 times :-(3 N+ I2 f* p0 z+ l2 r4 h, g/ O( p
9 c2 C8 }" L  `! `
-Much faster:3 y6 C2 o# p! q# d# u
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'+ t) d  j( r  Y- J2 b/ j3 u
4 t; v( A( c* w/ D
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
; m* ]5 v# t" t/ d# [function to do the same job:' C( Q8 ^3 T9 F9 X+ I, I

; N: e% l3 u, v+ S, I7 J   push    00                        ; OF_READ
6 m* x& }" J: F   mov     eax,[00656634]            ; '\\.\SICE',0
2 D" H+ F* P  x5 L( Y* w. g7 ]   push    eax% t! `, V2 e7 l  L( }0 r) Z
   call    KERNEL32!_lopen
% N" ?) C+ b3 u7 P   inc     eax
3 L, m% n9 Y) \" ^7 F* F   jnz     00650589                  ; detected
0 u) x% R& P$ x# l' G   push    00                        ; OF_READ$ A3 T! P9 R% Z) n
   mov     eax,[00656638]            ; '\\.\SICE'
# z4 Z; h" y0 B) x! x5 [2 J/ i   push    eax
' }; K0 k* {! }& Q3 }( k. V( @9 S% A3 S   call    KERNEL32!_lopen$ ?& }* c0 Z4 Q7 S$ T# F+ f& x2 u
   inc     eax. W8 e7 r8 i: y: q" Q
   jz      006505ae                  ; not detected9 o! |9 K, U3 H: m% f& ^: o( Z
. |  X' X# m6 N% @6 C" t

  g- R, x8 i" q9 p, Y! t__________________________________________________________________________
6 _! q. I* o& X' Q' g: H' V6 a' _  t
0 i$ [9 d( }7 QMethod 122 u  ^, F: _6 z% T6 Y; r6 O
=========
  a& ?$ N  T1 ?3 v
  c+ T. |( w1 B) g# R3 b+ k: wThis trick is similar to int41h/4fh Debugger installation check (code 054 H. t8 z# j1 L3 l
&amp; 06) but very limited because it's only available for Win95/98 (not NT)$ L! y) D& d! D! e& p- J
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
( }6 q3 ~- x( F& I$ \# M: }
" w2 z: X9 x+ _0 F   push  0000004fh         ; function 4fh
; |- [. ]9 L4 }: U# H/ ~  U2 p, X# ^3 f   push  002a002ah         ; high word specifies which VxD (VWIN32)
0 ]+ e/ U$ n% t0 B8 |! l4 o' {. `                           ; low word specifies which service
9 m9 Y" f5 K, v1 r6 g& e                             (VWIN32_Int41Dispatch)# o) \4 W( G; a) D3 N
   call  Kernel32!ORD_001  ; VxdCall! P2 d7 E4 u* e2 q
   cmp   ax, 0f386h        ; magic number returned by system debuggers
" Z' V* Z& S1 T& ^' u   jz    SoftICE_detected
) W* m4 u( L# N4 ]0 X: y! y2 Y# U  K! V/ ]+ I$ S; d. k6 ]
Here again, several ways to detect it:
: ~+ R3 o+ F9 f1 {
% @" _: b! E* Q5 ]% t7 ?    BPINT 41 if ax==4f
* p3 g/ y6 [% I3 O8 D/ B
* N/ a7 G+ C. q! N" e7 ^$ h2 l4 t% q/ Q    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one7 A. X" s5 W$ s) m/ z) p
) x" p: u# T& y, l
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
, n  v) G! k# W$ V1 |) ]- U" h* _/ s; }6 ~& v
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!3 K- {4 O" a: Z
, X1 O9 H; G$ N' J. {
__________________________________________________________________________8 D* D+ H7 S! h8 }1 l) e5 v
/ }# W. C) m' C9 D' T5 D, v
Method 13
9 f( Z$ v% p5 [! f$ \# e=========
) T/ g( I; H$ K* e+ u" n* w2 C8 S
/ A9 ~2 s1 k! S0 K, h" L+ V8 i% QNot a real method of detection, but a good way to know if SoftICE is; p" I  ?- K. y% }7 h" _$ U8 k) e
installed on a computer and to locate its installation directory.! M' M2 ?& L9 N) X2 X
It is used by few softs which access the following registry keys (usually #2) :
/ e6 K' h2 v  ?- d& }" k% Q  {9 }; [5 [
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 q* K1 F% q0 K
\Uninstall\SoftICE
. _$ k, C- T8 M0 x1 O0 Y& L-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
+ w- f" ~  {# ?- ~  t. S  P-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) ~( B5 G9 G0 X
\App Paths\Loader32.Exe
. H1 c$ H9 f3 e1 @4 _1 C. S, |- M' [" }& _2 R6 V0 g

- }6 O& `3 U6 z7 G0 ~3 X& P+ ]8 gNote that some nasty apps could then erase all files from SoftICE directory! a5 \& h" {5 L- E! E3 N
(I faced that once :-(8 o2 d6 e: _( x, k

/ P& C, h/ ?6 x/ D" t: n2 \Useful breakpoint to detect it:
: O) T" v# `  X7 }  s9 F2 f" Q: s- I% k! L
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'1 k" k" ^0 a, R  S2 @' S1 B" P

4 F* }* b4 z% F__________________________________________________________________________
8 m" i( \9 ?% ^  S  Z7 ]2 d8 c9 d
# N+ {- |6 Q0 O- v7 q8 B  T% x* M2 k5 }: ^
Method 14 / c9 N$ H; G# b+ |5 V6 I$ Y
=========$ @0 V* p  t3 {
4 Q- g6 M+ T; k7 |' \1 w
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
5 a) M8 E% }# F5 L/ Mis to determines whether a debugger is running on your system (ring0 only).
6 S' a: ]6 l* I  m& m/ T% ^$ C6 @) v4 z. x
   VMMCall Test_Debug_Installed
# H8 A+ R: ~% p+ w, Y   je      not_installed' B8 ]7 J2 a! ^: u( T/ `3 o

+ R9 r/ M1 a& V! v( T$ {! D4 XThis service just checks a flag.9 P# m4 F6 ]6 W
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 16:45

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表