About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
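The two DR7 values quoted above follow directly from the register's bit layout: bit 10 is a reserved bit that always reads as 1 (the 0x400 baseline) and 0x700 adds the LE and GE bits. The decoder below is an added Python example, not code from the original post; it assumes a DR7 value has already been read in ring 0 by whatever driver does the check, and the sample values are constructed.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable of DR0..DR3
#   bit 8      LE   local exact breakpoint enable
#   bit 9      GE   global exact breakpoint enable
#   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     GD   general detect (trap on any MOV to/from a debug register)
#   bits 16-31 R/W0,LEN0 ... R/W3,LEN3  condition and length per register
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN 10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Break a DR7 value (captured in ring 0) into its fields."""
    enabled = [i for i in range(4) if dr7 & (0b11 << (2 * i))]
    conds = {}
    for i in enabled:
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        conds[i] = (RW_NAMES[rw], LEN_NAMES[ln])
    return {
        "enabled": enabled,
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "gd": bool(dr7 & 0x2000),
        "conditions": conds,
    }


def classify_dr7(dr7: int) -> str:
    """Apply the Method 10 reasoning to a DR7 value.

    'softice-loader': LE and GE set with no DR0..DR3 enabled, i.e. the 0x700
                      the text reports when the target was started from the
                      SoftICE loader (0x400 is only the reserved bit 10).
    'bpm-set'       : at least one hardware breakpoint (a SoftICE BPM) is armed.
    'clean'         : nothing beyond the reserved bit.
    """
    d = decode_dr7(dr7)
    if d["enabled"]:
        return "bpm-set"
    if d["le"] and d["ge"]:
        return "softice-loader"
    return "clean"


# Constructed sample values: the two the text quotes plus one with a 4-byte
# read/write breakpoint armed globally in DR0 (G0 | R/W0=11b | LEN0=11b).
SAMPLES = {0x700: "softice-loader", 0x400: "clean", 0xF0402: "bpm-set"}

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"dr7={value:#08x} -> {classify_dr7(value)} {decode_dr7(value)}")
```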

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SoftICE VxD as a device; only succeeds if the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
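The instruction sequences and strings quoted in Methods 01 to 07 and 11 to 13 above can be turned into static triage signatures, so a binary can be checked for these tricks without tracing it. The scanner below is an added Python example, not code from the original post: the regexes use standard x86 encodings (an optional 66h prefix covers 32-bit code segments), and the sample bytes are constructed from the Haspinst.exe fragment of Method 02, a Method 05 check, a MeltICE device name and one of the Method 13 registry paths.

```python
import re
from typing import List, Tuple

# Up to 8 arbitrary bytes may sit between the instructions of one trick
# (the listings on this page have none, but packers and compilers pad).
GAP = rb".{0,8}?"

# Byte signatures for the tricks described on this page, as regexes over raw
# code bytes. Encodings are standard x86 16-bit code; an optional 66h
# operand-size prefix is tolerated so the same patterns hit 32-bit code.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "M01 BoundsChecker BCHK / int 3":
        rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + rb"\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ... int 3 (back-door magic values)
    "M02 SoftICE back door (SI=4647h, DI=4A4Dh)":
        rb"\x66?\xBE\x47\x46" + GAP + rb"\x66?\xBF\x4D\x4A" + GAP + rb"\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ... int 2Fh
    "M03/04 int 2Fh/1684h VxD ID (SICE or SIWVID)":
        rb"\x66?\xB8\x84\x16" + GAP + rb"\x66?\xBB(\x02\x02|\x5F\x7A)" + GAP + rb"\xCD\x2F",
    # Method 05: mov ax,4Fh ... int 41h
    "M05 int 41h/4Fh debugger check":
        rb"\x66?\xB8\x4F\x00" + GAP + rb"\xCD\x41",
    # Method 07: mov ah,43h ... int 68h
    "M07 int 68h/43h WinICE handler check":
        rb"\xB4\x43" + GAP + rb"\xCD\x68",
    # Method 11: '\\.\SICE', '\\.\SIWVID' or '\\.\NTICE' given to CreateFileA/_lopen
    "M11 MeltICE device name":
        rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 2A002Ah ... (VxDCall VWIN32_Int41Dispatch)
    "M12 VxDCall VWIN32_Int41Dispatch":
        rb"(\x6A\x4F|\x68\x4F\x00\x00\x00)" + GAP + rb"\x68\x2A\x00\x2A\x00",
    # Method 13: the registry keys listed in the text
    "M13 SoftICE registry key":
        rb"(NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe",
}


def scan_code(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, trick name) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, code, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): the Haspinst.exe fragment from
# Method 02, a Method 05 check, then a MeltICE device name and a registry path.
SAMPLE = (
    b"\xB8\x11\x09"                  # mov ax,0911h
    + b"\x8B\x17"                    # mov dx,[bx]
    + b"\xBE\x47\x46"                # mov si,4647h
    + b"\xBF\x4D\x4A"                # mov di,4A4Dh
    + b"\xCC"                        # int 3
    + b"\x90\x90\x90\x90"            # padding
    + b"\xB8\x4F\x00"                # mov ax,4Fh
    + b"\xCD\x41"                    # int 41h
    + b"\x3D\x86\xF3"                # cmp ax,0F386h
    + b"\x90\x90\x90\x90"
    + b"\\\\.\\SICE\x00"             # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for offset, name in scan_code(SAMPLE):
        print(f"{offset:04x}: {name}")
```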

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>