About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands:
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
____________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>