About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). A dummy int 41h handler is installed in
the real-mode vector table first, so a 0F386h reply can only come from a
debugger intercepting the interrupt:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (IVT segment) here
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
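Added example (not part of the original text): a decoder for the DR7 value this trick reads, written in Python against the standard DR7 bit layout (L0..G3 enable bits, LE/GE at bits 8 and 9, GD at bit 13, R/Wn and LENn fields from bit 16 upwards). It shows why 0x400 is the clean value (bit 10 is reserved and always reads as 1), what 0x700 adds (the LE and GE exact-breakpoint flags), and which DR0..DR3 slots are armed with which access type and length. The function names decode_dr7 and debugger_indicators and the sample values are my own.

```python
from typing import Dict, List

# DR7 field layout (Intel SDM, "Debug Registers"). Bit 10 is reserved and
# always reads as 1, which is why 0x400 is the value of an untouched DR7.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}   # R/Wn encodings
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                              # LENn encodings


def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its control flags and the armed DR0..DR3 slots."""
    slots: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Ln: breakpoint enabled for this task
        glob = (dr7 >> (2 * i + 1)) & 1     # Gn: breakpoint enabled globally
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3      # R/Wn: which access kind traps
        ln = (dr7 >> (18 + 4 * i)) & 3      # LENn: size of the watched range
        slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "breakpoints": slots,
        "LE": bool((dr7 >> 8) & 1),         # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),         # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),        # general detect: DR accesses trap
        "reserved_bit10": bool((dr7 >> 10) & 1),
    }


def debugger_indicators(dr7: int) -> List[str]:
    """What the Method 10 check above would conclude from a DR7 value."""
    d = decode_dr7(dr7)
    found: List[str] = []
    if d["LE"] or d["GE"]:
        found.append("LE/GE set: loaded under a debugger loader (the 0x700 case)")
    if d["breakpoints"]:
        found.append(f"{len(d['breakpoints'])} hardware breakpoint(s) armed (BPM)")
    if d["GD"]:
        found.append("GD set: reads/writes of the debug registers are trapped")
    return found


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the text, plus a DR7 with
    # DR0 armed as a local 4-byte read/write breakpoint (L0, R/W0=11, LEN0=11).
    for value in (0x400, 0x700, 0x000F0401):
        print(f"DR7={value:#010x}: {decode_dr7(value)}")
        print("   indicators:", debugger_indicators(value) or ["none"])
```

A BPM set from SoftICE shows up as an armed slot here; the text's advice to clear breakpoints before tracing such code is exactly because that slot is what the protected program reads.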

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when the SoftICE (Win9x) driver accepts an open on \\.\SICE */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the open succeeded: the driver is present */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
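Added example (not from the original text or its author): a static scanner that looks for the byte sequences behind Methods 01 to 13 in a file, the kind of triage an analyst runs on a packed binary before loading it under a debugger, so the checks can be located and stepped over rather than tripped. The opcode bytes are the standard x86 encodings of the instructions quoted above (mov ebp,4243484Bh = BD 4B 48 43 42, mov si,4647h = BE 47 46, int 41h = CD 41, and so on); the names scan, scan_file, SIGNATURES and the constructed SAMPLE blob are my own.

```python
import re
from typing import Dict, List, Tuple

# Byte-level signatures for the anti-SoftICE sequences quoted in Methods 01-13.
# Opcode bytes are the standard x86 encodings of the instructions in the text
# (16-bit operand size where the text shows 16-bit code). Inside 32-bit code the
# same instruction may carry a 0x66 prefix, so only the core bytes are matched.
# Two-step sequences (mov ... ; int NN) allow a few bytes in between.
SIGNATURES: Dict[str, bytes] = {
    "01 BCHK int 3":           rb"\xbd\x4b\x48\x43\x42",           # mov ebp, 4243484Bh
    "02 backdoor magic SI":    rb"\xbe\x47\x46",                   # mov si, 4647h
    "02 backdoor magic DI":    rb"\xbf\x4d\x4a",                   # mov di, 4A4Dh
    "03 int 2Fh/1684h SICE":   rb"\xbb\x02\x02.{0,16}?\xcd\x2f",   # mov bx,0202h .. int 2Fh
    "04 int 2Fh/1684h SIWVID": rb"\xbb\x5f\x7a.{0,16}?\xcd\x2f",   # mov bx,7A5Fh .. int 2Fh
    "05 int 41h/4Fh":          rb"\xb8\x4f\x00.{0,8}?\xcd\x41",    # mov ax,4Fh .. int 41h
    "05/07/12 F386h compare":  rb"\x3d\x86\xf3",                   # cmp ax, 0F386h
    "07 int 68h/43h":          rb"\xb4\x43.{0,8}?\xcd\x68",        # mov ah,43h .. int 68h
    "11 driver name":          rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",  # "\\.\SICE" etc. (ANSI)
    "12 VxDCall 2A002Ah":      rb"\x6a\x4f\x68\x2a\x00\x2a\x00",   # push 4Fh ; push 2A002Ah
    "13 registry key":         rb"Software\\NuMega\\SoftICE",      # HKLM\Software\NuMega\SoftICE
}


def _wide(text: str) -> bytes:
    """Regex matching the UTF-16LE form of a string (as used by Win32 'W' APIs)."""
    return re.escape(text.encode("utf-16-le"))


# The same strings as they appear in programs that call the wide-char APIs.
SIGNATURES["11 driver name (wide)"] = b"|".join(
    _wide(n) for n in ("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"))
SIGNATURES["13 registry key (wide)"] = _wide("Software\\NuMega\\SoftICE")


def scan(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, file offset) for every match, sorted by offset."""
    hits: List[Tuple[str, int]] = []
    for name, pattern in SIGNATURES.items():
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str) -> List[Tuple[str, int]]:
    """Scan a file on disk (a packed executable, a driver, a DOS .EXE)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: some of the sequences from the text embedded in NOP
# padding, plus one wide-string driver name. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 8
    + b"\xbd\x4b\x48\x43\x42"                      # mov ebp, 'BCHK'                  (Method 01)
    + b"\x66\xb8\x04\x00\xcc\x3c\x04\x75\x10"      # mov ax,4 ; int 3 ; cmp al,4 ; jnz
    + b"\x90" * 8
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"  # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz (Method 05)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                           # ANSI driver name                 (Method 11)
    + "\\\\.\\NTICE".encode("utf-16-le")           # wide driver name                 (Method 11)
    + b"\x90" * 8
)

if __name__ == "__main__":
    for name, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

A hit is a lead, not a verdict: the F386h compare and the driver-name strings also occur in legitimate debugger-aware tools, so each offset is worth disassembling to see which of the methods above it actually implements.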

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>