About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500><TBODY><TR><TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must point to segment 0 (the IVT)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the SoftICE device name only succeeds when the driver is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
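Most of the methods above leave recognisable bytes in a binary: the 'BCHK' immediate of method 01, the SI/DI magic values of method 02, the int 2Fh/1684h sequence of methods 03/04, the 0F386h compare of methods 05/06/07/12, the VxDCall arguments of method 12, the device names of method 11 and the registry keys of method 13. The scanner below is an added example, not part of the original post or of any tool it mentions: it matches those artefacts statically so an analyst can flag a sample for a closer look. The signature names, the instruction encodings (standard 16-bit encodings with an optional 66h prefix) and the sample image are all constructed here.

```python
"""Static triage for the anti-SoftICE tricks listed above: scan a raw binary
image for the byte patterns and strings each method leaves behind.

Immediate-value patterns are triage hints only: the same bytes can occur in
data, so confirm every hit in a disassembler.  Instruction encodings assume
16-bit code with an optional 66h operand-size prefix so they also match
32-bit code; strings are matched in ANSI form only (no UTF-16 variants).
"""
import re

# name -> pattern over raw bytes (encodings per the Intel opcode map)
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    "M01_BCHK_int3": re.compile(rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (back door 'magic values')
    "M02_backdoor_magic": re.compile(rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03_04_int2F_1684": re.compile(rb"\xB8\x84\x16(?:\x66)?\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Methods 05/06/07/12: cmp ax,0F386h (system debugger magic number)
    "M05_12_cmp_F386": re.compile(rb"\x3D\x86\xF3"),
    # Method 12: push 4Fh ; push 002A002Ah  (VWIN32_Int41Dispatch via VxDCall)
    "M12_VxDCall_Int41Dispatch": re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 11: device names handed to CreateFileA / _lopen
    "M11_device_name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 13: registry keys that reveal the installation directory
    "M13_registry_key": re.compile(
        rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
        rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
}


def scan(image: bytes) -> list:
    """Return every (offset, signature_name) hit in image, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        hits.extend((m.start(), name) for m in pattern.finditer(image))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed sample image (not a real program): filler bytes with
    Method 01, 02, 11, 12 and 13 artefacts embedded between them."""
    filler = bytes(range(256)) * 2             # 512 bytes that match nothing
    m01 = b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # + cmp al,4 ; jnz
    m02 = b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h ; magic ; int 3
    m11 = b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"
    m13 = b"Software\\NuMega\\SoftICE\x00"
    # push 4Fh ; push 002A002Ah ; call rel32 ; cmp ax,0F386h (32-bit, 66h prefix)
    m12 = b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"
    return filler + m01 + m02 + filler + m11 + m13 + filler + m12


if __name__ == "__main__":
    for offset, name in scan(build_sample()):
        print(f"{offset:08X}  {name}")
```

Run it against a real sample by replacing `build_sample()` with the file's bytes; a hit on an immediate-value pattern is a pointer to disassemble at that offset, not proof on its own.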