About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface ('BCHK' in EBP, AX=04h) that
SoftICE answers on int 3: the check relies on SoftICE's int 3 handler
changing AL when it recognises the request, so AL is still 4 only when
no SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
SoftICE's 'back door' commands on int 3, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

! H2 [# K( k# K! A6 v
, G& E. z4 l2 g2 xMethod 03
7 Y4 P$ r/ j/ a/ N=========  U0 R, t! O  L4 D) O9 d

2 I3 K- p! K; D" WLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
- [% d; q3 F) s" z9 z(API Get entry point)% ~% S9 y) g! I4 C1 h9 d% m! |) l4 G5 Q
        - W6 e/ v/ S% w' D
2 s5 u. o! w( J$ _" S0 l" |" q- M
    xor     di,di8 f- `. Y  W4 }
    mov     es,di
, v; Q6 Z9 a6 e/ z3 m' \    mov     ax, 1684h       ; u+ ~  E4 L5 g! G% Q, N
    mov     bx, 0202h       ; VxD ID of winice
; o' w5 b% c& c' s3 k    int     2Fh
. ]4 M9 D5 s/ }    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 j( r) [* y- q* f! N* i    add     ax, di) }& P+ i0 i. Q5 P; f
    test    ax,ax
( T$ \9 v; m$ u    jnz     SoftICE_Detected
" `6 K# `0 l1 @3 e* V; _+ o/ h5 }' i
___________________________________________________________________________1 T- |) F0 l) M% `' |

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; int 2Fh: get VxD API entry point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when int 41h, function 4Fh is called.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed
first, so the call is harmless when no debugger is present (AX simply
stays 4Fh); a debugger intercepting int 41h still answers with 0F386h.

    xor     ax,ax
    mov     es,ax               ; ES -> interrupt vector table (segment 0)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but more difficult to detect, as
no 4Fh/0F386h constant appears in the code:

int41handler PROC
    mov     cl,al               ; dummy handler: copy AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value (PIT channel 0 counter)
    xor     cx,cx
    int     41h                 ; our handler runs only if nothing intercepts int 41h
    xchg    dx, es:[41h*4]      ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL == AL only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs, for instance).
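Why those two values and what the rest of DR7 says, as an added example (not
code from the text): a decoder for the DR7 layout as documented in the Intel
SDM. Bit 10 is reserved and always reads 1, which is the 0x400 baseline; 0x700
adds LE (bit 8) and GE (bit 9); L0..G3 in bits 0..7 show which BPMs are armed,
with their R/W and LEN fields in bits 16..31. The constructed sample value with
DR0 armed is mine; the functions would be fed a DR7 obtained in ring 0, from a
thread CONTEXT or from a dump, since user mode cannot read it directly.

```c
/* dr7_decode.c: decode and edit an x86 DR7 value the way Method 10 reads it.
 * Field layout per the Intel SDM (Vol. 3, "Debug Registers").  DR7 is only
 * readable in ring 0, so the value passed in comes from a driver, a thread
 * CONTEXT or a crash dump. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE        (1u << 8)   /* local exact breakpoint enable  */
#define DR7_GE        (1u << 9)   /* global exact breakpoint enable */
#define DR7_RESERVED1 (1u << 10)  /* always reads as 1: the 0x400 "nothing set" value */
#define DR7_GD        (1u << 13)  /* general detect: trap any MOV to/from a DRn */

typedef struct {
    int enabled;    /* L<n> or G<n> set */
    int global;     /* G<n> set */
    int rw;         /* R/W<n>: 0=execute, 1=write, 2=I/O, 3=read/write */
    int len_bytes;  /* LEN<n> decoded: 1, 2, 4 or 8 */
} dr7_slot_t;

/* Decode breakpoint slot n (DR0..DR3 <-> n=0..3). */
dr7_slot_t dr7_slot(uint32_t dr7, int n)
{
    static const int len_table[4] = { 1, 2, 8, 4 };   /* LEN encodings 00,01,10,11 */
    dr7_slot_t s;
    s.global    = (dr7 >> (2 * n + 1)) & 1;
    s.enabled   = ((dr7 >> (2 * n)) & 1) || s.global;
    s.rw        = (dr7 >> (16 + 4 * n)) & 3;
    s.len_bytes = len_table[(dr7 >> (18 + 4 * n)) & 3];
    return s;
}

/* Number of armed hardware breakpoints (BPMs in SoftICE terms). */
int dr7_armed_count(uint32_t dr7)
{
    int c = 0;
    for (int n = 0; n < 4; n++) c += dr7_slot(dr7, n).enabled;
    return c;
}

/* The reading in the text: 0x700 = LE|GE on top of the reserved bit (left by
 * the SoftICE loader), 0x400 = reserved bit only.  Any armed slot, or GD, also
 * means someone has been at the debug registers. */
int dr7_looks_touched(uint32_t dr7)
{
    return (dr7 & (DR7_LE | DR7_GE | DR7_GD)) != 0 || dr7_armed_count(dr7) > 0;
}

/* What "clearing BPMs" amounts to: drop L<n>/G<n> and zero R/W<n> and LEN<n>. */
uint32_t dr7_clear_slot(uint32_t dr7, int n)
{
    dr7 &= ~(3u << (2 * n));
    dr7 &= ~(0xFu << (16 + 4 * n));
    return dr7;
}

void dr7_print(uint32_t dr7)
{
    static const char *rw_name[4] = { "execute", "write", "i/o", "read/write" };
    printf("DR7=%08x LE=%d GE=%d GD=%d armed=%d touched=%d\n", (unsigned)dr7,
           !!(dr7 & DR7_LE), !!(dr7 & DR7_GE), !!(dr7 & DR7_GD),
           dr7_armed_count(dr7), dr7_looks_touched(dr7));
    for (int n = 0; n < 4; n++) {
        dr7_slot_t s = dr7_slot(dr7, n);
        if (s.enabled)
            printf("  DR%d: %s, %d byte(s), %s\n", n, rw_name[s.rw],
                   s.len_bytes, s.global ? "global" : "local");
    }
}

int main(void)
{
    /* The two values quoted in the text, plus a constructed one: DR0 armed as a
     * 4-byte read/write BPM (L0=1, R/W0=11, LEN0=11) on top of 0x400. */
    uint32_t samples[] = { 0x400, 0x700, 0x000F0401 };
    for (int i = 0; i < 3; i++) dr7_print(samples[i]);
    return 0;
}
```

The same decoder explains the warning at the top of this method: a BPM you
leave armed in SoftICE shows up in bits 0..7 of whatever reads DR7, so it
gives the game away exactly like the 0x700 left by the loader.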

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the SoftICE VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the leading "\\.\")

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; -> '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; -> '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the subkey string; 'tICE' sits at offset 0x13 of
     "Software\NuMega\SoftICE" and at 0x37 of the Uninstall path)
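Most of the tricks above leave fixed bytes in the program: the immediates and
interrupt opcodes of Methods 01-05 and 07, the 0F386h compare and the VWIN32
service word of Methods 05/07/12, and the device and registry strings of
Methods 11 and 13. As an added example (not code from the text), here is a C
scanner that finds them in a raw image, so one file pass tells you which of
these checks to expect before tracing. The byte encodings are the 16-bit forms
(32-bit code puts a 66h prefix in front of the same bytes, so the substring
still matches), the 16-byte proximity window between an immediate and its
interrupt is my choice, and the sample buffer is constructed for the demo.
One caveat from the packer remark in Method 01: scan an unpacked dump, since a
packer encrypts exactly this code.

```c
/* softice_sigscan.c: find the traces Methods 01-05, 07, 11, 12 and 13 leave in
 * a binary.  16-bit encodings; 32-bit code puts a 66h prefix in front of the
 * same bytes, so the substring still matches.  Scan an UNPACKED image: a
 * packer encrypts all of this, so dump the program after it has unpacked. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;              /* method number in the text above */
    const char    *what;
    const uint8_t *bytes;  size_t len;  /* immediate the trick loads, or a string */
    const uint8_t *follow; size_t flen; /* interrupt expected soon after, or NULL */
    size_t         window;              /* how far after the match to look for it */
} sig_t;

static const uint8_t INT3[] = {0xCC}, INT2F[] = {0xCD, 0x2F},
                     INT41[] = {0xCD, 0x41}, INT68[] = {0xCD, 0x68};
static const uint8_t S_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 }; /* mov ebp,4243484Bh */
static const uint8_t S_SI[]     = { 0xBE, 0x47, 0x46 };             /* mov si,4647h */
static const uint8_t S_DI[]     = { 0xBF, 0x4D, 0x4A };             /* mov di,4A4Dh */
static const uint8_t S_SICE[]   = { 0xBB, 0x02, 0x02 };             /* mov bx,0202h */
static const uint8_t S_SIWVID[] = { 0xBB, 0x5F, 0x7A };             /* mov bx,7A5Fh */
static const uint8_t S_AX4F[]   = { 0xB8, 0x4F, 0x00 };             /* mov ax,4Fh */
static const uint8_t S_AH43[]   = { 0xB4, 0x43 };                   /* mov ah,43h */
static const uint8_t S_F386[]   = { 0x3D, 0x86, 0xF3 };             /* cmp ax,0F386h */
static const uint8_t S_VWIN32[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 }; /* push 002A002Ah */

#define BYTES(a) a, sizeof(a)
#define TEXT(s)  (const uint8_t *)(s), sizeof(s) - 1   /* drop the NUL */
#define NOFOLLOW NULL, 0, 0

static const sig_t SIGS[] = {
    { "01", "mov ebp,'BCHK' ... int 3",   BYTES(S_BCHK),   BYTES(INT3),  16 },
    { "02", "mov si,4647h ... int 3",     BYTES(S_SI),     BYTES(INT3),  16 },
    { "02", "mov di,4A4Dh ... int 3",     BYTES(S_DI),     BYTES(INT3),  16 },
    { "03", "mov bx,0202h ... int 2Fh",   BYTES(S_SICE),   BYTES(INT2F), 16 },
    { "04", "mov bx,7A5Fh ... int 2Fh",   BYTES(S_SIWVID), BYTES(INT2F), 16 },
    { "05", "mov ax,4Fh ... int 41h",     BYTES(S_AX4F),   BYTES(INT41), 16 },
    { "07", "mov ah,43h ... int 68h",     BYTES(S_AH43),   BYTES(INT68), 8  },
    { "05/07/12", "cmp ax,0F386h",        BYTES(S_F386),   NOFOLLOW },
    { "12", "push 002A002Ah (VWIN32_Int41Dispatch)", BYTES(S_VWIN32), NOFOLLOW },
    { "11", "device name \\\\.\\SICE",    TEXT("\\\\.\\SICE"),   NOFOLLOW },
    { "11", "device name \\\\.\\SIWVID",  TEXT("\\\\.\\SIWVID"), NOFOLLOW },
    { "11", "device name \\\\.\\NTICE",   TEXT("\\\\.\\NTICE"),  NOFOLLOW },
    { "13", "registry key Software\\NuMega\\SoftICE", TEXT("Software\\NuMega\\SoftICE"), NOFOLLOW },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

typedef struct { size_t offset; const sig_t *sig; } hit_t;

/* An immediate only counts if its interrupt follows within the window; this
 * keeps 3-byte patterns such as BB 02 02 from matching random data. */
static int follow_ok(const uint8_t *buf, size_t n, size_t from, const sig_t *s)
{
    if (s->follow == NULL) return 1;
    size_t end = from + s->window < n ? from + s->window : n;
    for (size_t i = from; i + s->flen <= end; i++)
        if (memcmp(buf + i, s->follow, s->flen) == 0) return 1;
    return 0;
}

/* Record up to max_hits hits, grouped by signature; return the count. */
size_t scan_anti_softice(const uint8_t *buf, size_t n, hit_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t k = 0; k < NSIGS && count < max_hits; k++) {
        const sig_t *s = &SIGS[k];
        for (size_t i = 0; i + s->len <= n && count < max_hits; i++) {
            if (memcmp(buf + i, s->bytes, s->len) != 0) continue;
            if (!follow_ok(buf, n, i + s->len, s)) continue;
            hits[count].offset = i;
            hits[count].sig = s;
            count++;
        }
    }
    return count;
}

/* Constructed sample (not a real file): Method 01, the Method 02 call from the
 * HASP listing, a lone mov bx,0202h with no int 2Fh (must not count), padding,
 * and the Method 11 device name. */
static const uint8_t SAMPLE[] = {
    0x55, 0x8B, 0xEC,                         /* push bp / mov bp,sp */
    0x66, 0xBD, 0x4B, 0x48, 0x43, 0x42,       /* mov ebp,4243484Bh */
    0xB8, 0x04, 0x00, 0xCC,                   /* mov ax,4 / int 3 */
    0x3C, 0x04, 0x75, 0x10,                   /* cmp al,4 / jnz detected */
    0xB8, 0x11, 0x09, 0x8B, 0x17,             /* mov ax,0911h / mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC, /* mov si,4647h / mov di,4A4Dh / int 3 */
    0xBB, 0x02, 0x02,                         /* mov bx,0202h, never followed by int 2Fh */
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};

int main(void)
{
    hit_t hits[32];
    size_t n = scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, 32);
    for (size_t i = 0; i < n; i++)
        printf("+%04zx  method %-8s %s\n", hits[i].offset, hits[i].sig->method, hits[i].sig->what);
    return 0;
}
```

On the sample this reports four hits (Method 01 at +4, the two Method 02
magic values at +22 and +25, and the device name at +50) and stays silent on
the stray mov bx,0202h, which is why the interrupt-proximity rule is worth the
few extra lines. Methods 06, 08, 09, 10 and 14 have no fixed byte pattern
(a handler address, a VMM call, or a register read) and need a debugger or
a disassembler rather than a scan.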

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>