About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is left unchanged when nothing answers the request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 when no such VxD is loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; ES is assumed to point to the interrupt vector table (ES = 0),
    ; as it is set explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...and keep the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer (PIT) counter, a changing value
    xor     cx,cx
    int     41h                     ; our handler copies al to cl only if it is reached
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS "set interrupt vector"
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device name can be opened, which only
   succeeds while the SoftICE VxD is loaded. The handle is not used for
   anything else and is closed immediately. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

2 m; W3 Y5 b0 V% g9 NMethod 12
7 f; W/ h3 s3 {- E=========3 ?0 }: `, B/ V4 U  w$ V

/ q9 u0 w  w$ a2 [This trick is similar to int41h/4fh Debugger installation check (code 05
1 Y$ k7 Q* n$ c* _1 M5 _&amp; 06) but very limited because it's only available for Win95/98 (not NT)
" u; {" h0 g! p+ V) pas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
. N: A5 Z: }6 Z& H* G, r" F6 x/ k  H" i! X
   push  0000004fh         ; function 4fh  W) X) y! h1 T, O3 F% u
   push  002a002ah         ; high word specifies which VxD (VWIN32): J* k$ _3 M! b/ U4 a9 i
                           ; low word specifies which service9 H7 z, ]1 ~2 k: S2 T# l1 E0 G
                             (VWIN32_Int41Dispatch)5 R& [- Y+ d( j5 u: u, Y7 ?
   call  Kernel32!ORD_001  ; VxdCall& r* G7 B* \5 [+ _) j
   cmp   ax, 0f386h        ; magic number returned by system debuggers  P& P6 }2 @$ _# H5 v$ j; i  `# s, H
   jz    SoftICE_detected
- V( O. j5 L/ H  h
- s) F0 N* x. [Here again, several ways to detect it:4 J2 A: L# D/ A4 ~! Y

% n5 J# W  i# `6 x. R: X; K8 ~0 E    BPINT 41 if ax==4f2 J/ V2 ^5 ?! L" l
) p' e; z4 Y3 z, w7 _( l( f, O
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
! ^5 \' ]0 I3 @) z
6 L- s3 o2 t$ [) @2 Y" f/ `    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
; O7 R2 O% K5 @
$ ]  |" L3 z/ R( h: I8 o    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
8 k* j9 w8 h& s$ A% n, d$ M0 |( z6 ^
__________________________________________________________________________
& b+ @- s9 B: m' q6 O; d& O) v. v$ C" h  A, K  r% I& Y2 M
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
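As an added illustration of what these tricks look like from the analyst's side (editor-added example code, not part of the original post nor of any tool it mentions): a small Python scanner that triages a binary for the byte patterns of Methods 01, 02, 03/04, 05, 07 and 12 and for the device-name and registry strings of Methods 11 and 13, reporting the offsets so they can be checked in a disassembler. The instruction encodings are the standard x86 ones for the code shown above (16-bit for the DOS/int 2Fh tricks, 32-bit for the BoundsChecker and VxDCall ones); the signature names, the byte-distance tolerances and the sample buffer are this example's own assumptions, and the sample is constructed rather than taken from a real file.

```python
from __future__ import annotations

import re
import sys

# Byte signatures for the anti-SoftICE tricks described in the post above.
# Encodings are the standard x86 ones for the instructions shown there; the
# names and the gap tolerances (".{0,8}?") are this example's own choices.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK'), immediate stored little-endian
    "01 BoundsChecker signature (BCHK)":
        re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ... mov di,4A4Dh (the 'FG'/'JM' magic values),
    # with or without a 66h operand-size prefix, at most 8 bytes apart
    "02 SoftICE back door magic values (SI=4647h, DI=4A4Dh)":
        re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h ; ... ; cmp ax,0F386h
    "05 int 41h/4Fh debugger check (0F386h)":
        re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.DOTALL),
    # Method 07: mov ah,43h ; int 68h
    "07 int 68h/43h WinICE V86 handler check":
        re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall VWIN32_Int41Dispatch (002A002Ah)":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}

# Method 11: device names that MeltICE-style checks open with CreateFile/_lopen.
DEVICE_NAMES = [rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE"]

# Method 13: registry paths used to locate a SoftICE installation.
REGISTRY_KEYS = [
    rb"Software\NuMega\SoftICE",
    rb"Uninstall\SoftICE",
    rb"App Paths\Loader32.Exe",
]


def scan(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, description) for every anti-SoftICE signature found."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    for dev in DEVICE_NAMES:
        # Both the ANSI form (CreateFileA, _lopen) and the UTF-16LE form that
        # a CreateFileW caller would carry.
        for encoded in (dev, dev.decode("ascii").encode("utf-16-le")):
            for m in re.finditer(re.escape(encoded), data):
                hits.append((m.start(), "11 MeltICE device name " + dev.decode("ascii")))
    for key in REGISTRY_KEYS:
        for m in re.finditer(re.escape(key), data, re.IGNORECASE):
            hits.append((m.start(), "13 registry key " + key.decode("ascii")))
    return sorted(hits)


# Constructed sample buffer (not a real file): a few filler bytes, the Method 01
# sequence, a Method 02 back door call (mov ax,0911h first), the simple
# Method 05 check, the MeltICE device name in ANSI and UTF-16LE, and the
# NuMega registry path.
SAMPLE = (
    b"\x55\x8B\xEC"
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"
    + b"\x90" * 4
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10"
    + b"\\\\.\\SICE\x00"
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)


def main(argv: list[str]) -> int:
    """Scan the file named on the command line, or the built-in sample."""
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    hits = scan(data)
    for offset, name in hits:
        print(f"{offset:08X}  {name}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_softice.py sample.exe`; with no argument it scans the built-in constructed buffer. The patterns are deliberately tolerant of a few bytes between the instructions, because compilers and packers reorder or interleave them, but they are still exact encodings, so treat a hit as a triage pointer to look at in the disassembler rather than as proof, and expect misses when the same trick is assembled with different registers or prefixes.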