About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
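
The two DR7 values quoted above follow directly from the register's bit layout, and a small decoder makes the check auditable from a debug-register dump: 0x400 is nothing but the reserved bit 10, which always reads as 1, while 0x700 additionally carries LE and GE (bits 8 and 9), the exact-breakpoint enables a loader sets. The decoder below is an added example, not code from the original post; the field positions are the documented IA-32 ones, and the inputs are the text's 0x400 and 0x700 plus one constructed value with a breakpoint slot enabled.

```python
# Added example (not from the original post): decode DR7 as the Method 10 check
# reads it.  Layout per the IA-32 architecture: bits 0-7 are the L0/G0..L3/G3
# enable pairs, bit 8 = LE, bit 9 = GE, bit 10 is reserved and reads as 1,
# bit 13 = GD, and bits 16-31 hold a 2-bit R/W and a 2-bit LEN field for each
# of DR0..DR3 (4 bits per register, starting at bit 16).
RW_TYPES = {0: "execute", 1: "write", 2: "io (needs CR4.DE)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7):
    """Return a dict describing the global flags and every enabled breakpoint."""
    info = {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local_en = bool((dr7 >> (2 * n)) & 1)
        global_en = bool((dr7 >> (2 * n + 1)) & 1)
        if not (local_en or global_en):
            continue                      # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3    # R/Wn: what kind of access traps
        ln = (dr7 >> (18 + 4 * n)) & 3    # LENn: how many bytes are watched
        info["breakpoints"].append({
            "slot": n, "local": local_en, "global": global_en,
            "type": RW_TYPES[rw], "length": LEN_BYTES[ln],
        })
    return info


def bpm_set(dr7):
    """True if any of DR0..DR3 is enabled, i.e. a memory breakpoint is armed."""
    return bool(dr7 & 0xFF)


if __name__ == "__main__":
    # The two values quoted in the text, plus a constructed one: DR0 armed as a
    # global 4-byte write breakpoint (G0 = bit 1, RW0 = 01b, LEN0 = 11b).
    for value in (0x400, 0x700, 0xD0402):
        print(hex(value), decode_dr7(value), "bpm armed:", bpm_set(value))
```

Reading the result is the whole point of Method 10: LE/GE alone indicate that something loaded the program under a debugger, while any non-empty breakpoint list tells the protector where the analyst's BPMs are (which is why the warning above says to clear them before stepping through such code).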

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>