About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0 so es:[41h*4] addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
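The instruction sequences and strings listed in the methods above are what an analyst looks for when triaging a packed sample, so here is an added example (not part of the original text) in Python: a small signature scanner that reports which anti-SoftICE tricks appear in a binary blob. The signature names are my own; the byte patterns are the standard x86 encodings of the listings above, and the sample bytes are constructed here from those listings.

```python
import re
from typing import Dict, List, Tuple

# Up to 8 unrelated bytes may sit between the instructions of one trick: real
# samples interleave other code (Haspinst.exe has MOV DX,[BX] between the
# MOV AX,0911 and the two magic-value MOVs).
GAP = rb".{0,8}?"

# (name, description, x86 byte pattern). Immediates are little-endian; the
# optional 66h prefix covers 16-bit register moves inside 32-bit code.
SIGNATURES: List[Tuple[str, str, re.Pattern]] = [
    ("method01_bchk", "BoundsChecker 'BCHK' handshake: mov ebp,'BCHK'; mov ax,4; int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\x66?\xB8\x04\x00"
                + GAP + rb"\xCC", re.DOTALL)),
    ("method02_magic_si_di", "back door magic values: mov si,4647h; mov di,4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46" + GAP + rb"\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("method03_04_int2f_1684", "int 2Fh/1684h for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)"
                + GAP + rb"\xCD\x2F", re.DOTALL)),
    ("method05_int41_4f", "int 41h function 4Fh debugger-installed check",
     re.compile(rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41", re.DOTALL)),
    ("method07_int68_43", "int 68h function 43h (V86 WinICE handler)",
     re.compile(rb"\xB4\x43" + GAP + rb"\xCD\x68", re.DOTALL)),
    ("method11_meltice_device", "MeltICE device name \\\\.\\SICE, SIWVID or NTICE",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    ("method12_vxdcall_int41", "VxDCall VWIN32_Int41Dispatch (002A002Ah), function 4Fh",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP
                + rb"\x68\x2A\x00\x2A\x00", re.DOTALL)),
    ("method13_registry", "SoftICE registry key lookup",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.IGNORECASE)),
]
DESCRIPTIONS: Dict[str, str] = {name: desc for name, desc, _ in SIGNATURES}


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every trick found, ordered by offset."""
    hits = [(name, m.start())
            for name, _, pat in SIGNATURES for m in pat.finditer(blob)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample (not a real file): Method 01 as 32-bit code, the
# Haspinst.exe-style Method 02 sequence as 16-bit code, and a MeltICE string,
# separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # method 01 + cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"   # mov ax,0911h ... int 3
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"                                    # CreateFileA device name
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name:24s} {DESCRIPTIONS[name]}")
```

The int 41h/int 68h patterns will also fire on a legitimate debugger-aware tool, so treat a hit as a lead to confirm with a breakpoint from the list above, not as proof by itself.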