About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It relies on the
BoundsChecker interface of SoftICE: with ebp = 'BCHK' and ax = 4, an int 3
is answered by SoftICE, which changes al; if SoftICE is not loaded nobody
answers and al is still 4 afterwards. (Under Win32 an int 3 that no debugger
handles raises a breakpoint exception, so there the check has to sit inside
an exception handler.)

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It relies on
the SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands... It is also used to crash SoftICE, or to force it
to execute any command (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' SoftICE checks before it honours the request.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (the last one reboots the machine
from inside SoftICE).

* the "jmp to 00ADh" is performed by the program's own int 3 exception
  handler if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD by its VxD ID via int 2Fh,
AX=1684h (Get Device API Entry Point): if the VxD is loaded, ES:DI is set to
its API entry point. ES:DI is zeroed beforehand so that an absent VxD leaves
ES:DI = 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
___________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every
system debugger in answer to the debugger installation check, int 41h
function 4Fh. There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one points the int 41h vector at a
dummy handler for the duration of the call, so the answer can only come from
something that intercepts the interrupt before the IVT vector is reached, as
SoftICE does; otherwise AX comes back unchanged. ES must hold 0 (the IVT
segment) here, as it is set up in the Method 06 listing:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in the dummy handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no 4Fh or 0F386h constant to put a conditional breakpoint on. The dummy
handler copies al into cl, and al is loaded from the timer port (40h), so its
value is unpredictable. If the program's own handler ran, cl equals al
afterwards; if SoftICE handled the interrupt itself and the IVT vector was
never reached, cl is still 0 (a timer byte of 0 is the one case the check
misses).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0, the IVT segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in the dummy handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected
___________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler behind int 68h (V86 mode).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE but a way to crash the system: int 01h and
int 03h are intercepted and redirected to another routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h
___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by reading the debug registers (ring 0 only)
you can detect whether SoftICE is loaded (dr7 = 0x700 if you loaded the
program with the SoftICE loader, 0x400 otherwise) and whether memory
breakpoints are set (dr0 to dr3 hold their addresses, dr7 their enable
bits). The values can be manipulated or changed as well (clearing BPMs, for
instance).
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver device
names (SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API;
the open only succeeds if the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE of the Win9x SoftICE VxD */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow
its handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is lpFileName; +4 skips the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited because it's only available for Win95/98
(not NT), as it uses the VxDCall backdoor to reach the int 41h dispatcher
from a Win32 program. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is lpSubKey; 0x13 and 0x37 are the
offsets of "tICE" in the #2 and #1 subkey names respectively, so key #3 is
not caught by it):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
___________________________________________________________________________


- X, x7 `; j6 B$ ]
& D9 |% K( M) G; kMethod 14 . N% ~- q; c! D$ q
=========
9 K( F8 w# i! q' G0 ~$ x. f) o- i; ]" T) |) U
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
( F+ t3 H# A4 z: Uis to determines whether a debugger is running on your system (ring0 only).+ R2 A- ~- K& u1 U3 `
% p; d2 c2 v$ ~1 A! q# y7 {' s
   VMMCall Test_Debug_Installed3 u$ \/ |1 L2 z/ A4 x" z
   je      not_installed
% ^* N( c& Z3 N8 g9 t+ k  x% u* K) e3 S
This service just checks a flag.
$ P/ E% i6 {: c9 |</PRE></TD></TR></TBODY></TABLE>