About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE emulates: the program
issues an int 3 with the 'BCHK' signature in EBP and function 4 in AX.
If SoftICE is loaded it answers the call the way BoundsChecker would and AL
no longer holds 4 on return; if nothing answered, AL is unchanged.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the exception handler the program
  installs for int 3 (the original text calls it an SEH), which only gets
  the call when the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"): if the VxD is loaded, ES:DI is set to its API entry
point, otherwise it stays at the zero we put there.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The point of installing a dummy int 41h
handler first is that a 0F386h in AX can then only have come from a debugger
that intercepts int 41h before the real-mode vector is ever reached:

    xor     ax,ax
    mov     es,ax               ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keeping the old
    xchg    bx, es:[41h*4+2]    ; vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; leaves ax untouched
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
no function number 4Fh ever shows up in AX to break on:

int41handler PROC
    mov     cl,al               ; our handler echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; read the timer: an unpredictable byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al: our handler never ran, a debugger
    jnz     SoftICE_detected    ; swallowed the interrupt

(Caveat: when the timer byte read from port 40h happens to be 0, cl and al
compare equal whatever happened, so this variant can miss the debugger.)

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
                                    ; ds must hold the routine's segment
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
and whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring0 only: a mov from a debug register faults in ring3). Values can
be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. A driver that is loaded answers
the open and a valid handle comes back; otherwise the call fails with
INVALID_HANDLE_VALUE.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: close it and report */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName; the +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(0x13 and 0x37 are the offsets of "tICE" inside the key strings #2 and #1.)

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring0 only).
The service returns with the zero flag set when no debugger is installed.

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
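As an added example (my own code, not part of the original text and not from any of the tools it mentions), here is a static scanner that looks for the byte encodings of the tricks above in a file image: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh magic values of Method 02, the int 2Fh/1684h probes of Methods 03 and 04, the int 41h/4Fh and int 68h/43h checks of Methods 05 and 07, the MeltICE device names of Method 11, the VWIN32_Int41Dispatch VxDCall of Method 12 and the registry paths of Method 13. The opcode bytes are the standard x86 encodings of the instructions exactly as listed; the rule ids, the allowed gaps between instructions and the sample image it scans are my own choices, and the sample is constructed inline rather than taken from any real binary.

```python
"""Static scanner for the anti-SoftICE tricks catalogued on this page.

Each rule is a regex over raw bytes. Opcode and immediate bytes are the same
in 16-bit and 32-bit code; only the 66h operand-size prefix moves (16-bit
code needs it on the 32-bit 'mov ebp', 32-bit code needs it on the 16-bit
moves), so the patterns deliberately do not anchor on that prefix. Scanning
a packed executable will of course only see tricks outside the packed region.
"""
import re

# (rule id, description, byte regex, regex flags)
RULES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01", "BoundsChecker 'BCHK' int 3 probe",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL),
    # Method 02: mov si,4647h ('FG'); mov di,4A4Dh ('JM'); ... int 3
    ("M02", "int 3 back door (SI=4647h, DI=4A4Dh)",
     rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a.{0,16}?\xcc", re.DOTALL),
    # Methods 03/04: mov ax,1684h; mov bx,<VxD id>; int 2Fh
    ("M03", "int 2Fh/1684h for VxD 0202h (SICE)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x02\x02.{0,8}?\xcd\x2f", re.DOTALL),
    ("M04", "int 2Fh/1684h for VxD 7A5Fh (SIWVID)",
     rb"\xb8\x84\x16.{0,8}?\xbb\x5f\x7a.{0,8}?\xcd\x2f", re.DOTALL),
    # Method 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    ("M05", "int 41h/4Fh debugger-installed check",
     rb"\xb8\x4f\x00.{0,24}?\xcd\x41.{0,24}?\x3d\x86\xf3", re.DOTALL),
    # Method 07: mov ah,43h; int 68h
    ("M07", "int 68h/43h V86 debugger check",
     rb"\xb4\x43\xcd\x68", re.DOTALL),
    # Method 11: MeltICE opens \\.\SICE, \\.\SIWVID or \\.\NTICE
    ("M11", "MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00", re.DOTALL | re.IGNORECASE),
    # Method 12: push 4Fh; push 002A002Ah (VWIN32_Int41Dispatch); call VxDCall
    ("M12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00", re.DOTALL),
    # Method 13: registry keys that reveal a SoftICE install
    ("M13", "SoftICE registry key string",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion"
     rb"\\Uninstall\\SoftICE)", re.DOTALL | re.IGNORECASE),
]


def scan(image: bytes):
    """Return [(offset, rule id, description)] for every rule that fires,
    sorted by offset."""
    hits = []
    for rule_id, desc, pattern, flags in RULES:
        for m in re.finditer(pattern, image, flags):
            hits.append((m.start(), rule_id, desc))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image (not a real binary): NOP filler around the
    16-bit encodings of Methods 01, 03 and 05 plus a MeltICE device name
    and a registry path. The comment beside each group is the instruction
    it encodes."""
    nop = b"\x90" * 16
    m01 = (b"\x66\xbd\x4b\x48\x43\x42"   # mov ebp,4243484Bh (66h: 16-bit code)
           b"\xb8\x04\x00"               # mov ax,4
           b"\xcc"                       # int 3
           b"\x3c\x04"                   # cmp al,4
           b"\x75\x10")                  # jnz SoftICE_Detected
    m03 = (b"\x33\xff"                   # xor di,di
           b"\x8e\xc7"                   # mov es,di
           b"\xb8\x84\x16"               # mov ax,1684h
           b"\xbb\x02\x02"               # mov bx,0202h
           b"\xcd\x2f")                  # int 2Fh
    m05 = (b"\xb8\x4f\x00"               # mov ax,4Fh
           b"\xcd\x41"                   # int 41h
           b"\x3d\x86\xf3"               # cmp ax,0F386h
           b"\x74\x10")                  # jz SoftICE_detected
    m11 = b"\\\\.\\SICE\x00"             # "\\.\SICE",0
    m13 = b"Software\\NuMega\\SoftICE\x00"
    return nop + m01 + nop + m03 + nop + m05 + nop + m11 + nop + m13 + nop


if __name__ == "__main__":
    for off, rule_id, desc in scan(build_sample()):
        print(f"{off:#06x}  {rule_id}  {desc}")
```

Run it against a real DOS or Win9x executable by passing the file's bytes to scan(); a hit only tells you where to set a breakpoint (the BPX/BPINT lines given under each method), it does not prove the code path is reachable. The M02 rule asks for an int 3 near the two magic moves because the values alone are ordinary immediates; the M05 rule ties the int 41h to the 0F386h compare for the same reason.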