找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
$ @. p, x$ q6 X8 M3 S" Z<TBODY>
; E& t1 d( D1 [: y' y0 V* X<TR>& \: b( [# X% Z0 [9 K- X
<TD><PRE>Method 01 1 X* A1 f& b2 O) R% h! v3 R3 _
=========
5 U3 Y1 Q( U# T
- F3 z# _% ~( r- @% h& C/ m- SThis method of detection of SoftICE (as well as the following one) is
: _5 b! ^- T- ]9 a6 O' {+ f4 Y$ A% \used by the majority of packers/encryptors found on Internet.
% n0 d* u( i# }; g0 |- R2 X* n0 yIt seeks the signature of BoundsChecker in SoftICE9 b# s8 Q, |! m1 Q- l& ?
/ v+ y8 d+ o2 o3 n* v3 @
    mov     ebp, 04243484Bh        ; 'BCHK'
  H4 R6 L6 S6 t3 \6 i6 e4 V3 i    mov     ax, 04h
* B  E. n% P: Z1 |    int     3       / I( P! H# V% }- z9 J: D) A* c1 K
    cmp     al,4( [. n& i6 u$ M1 y
    jnz     SoftICE_Detected
6 K2 l9 k  n% R4 @# B2 |5 e! i) ]/ f: H- l& U
___________________________________________________________________________
/ t) R& s3 A- O' S9 |& k: m
7 P& A1 C8 }3 ^+ e, zMethod 02
8 X9 e" I+ V3 _0 R8 W3 g=========
6 P9 [6 U) }4 |' t3 T' O+ X
5 |- \2 ]4 D& N: vStill a method very much used (perhaps the most frequent one).  It is used
$ v, y- T( ~& c3 [0 n( gto get SoftICE 'Back Door commands' which gives infos on Breakpoints,2 a" O& p% |" f( D$ g8 q9 j
or execute SoftICE commands...
+ m" V8 u+ e: D$ j) k8 AIt is also used to crash SoftICE and to force it to execute any commands: a6 z/ h1 }/ Q
(HBOOT...) :-((  
" |. `; c  n( X- i6 Y- [
$ c1 U9 I! p2 g6 |0 E  k) s/ YHere is a quick description:8 F# V( t5 H* n) B4 ~4 g7 ^1 ~) `
-AX = 0910h   (Display string in SIce windows). e: r. |7 Q/ H4 D- o) B
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 X& ~6 @& r. F7 ~-AX = 0912h   (Get breakpoint infos)4 K$ F* c4 A7 K, Y- C
-AX = 0913h   (Set Sice breakpoints)' k+ W# M" p: ^# t* `
-AX = 0914h   (Remove SIce breakoints)7 D& D/ O( u, Z9 W- W* a" ]

* h9 C7 p! B9 r& [Each time you'll meet this trick, you'll see:! U5 g* s0 C0 X3 t/ V& s
-SI = 4647h
  i- s1 ]) h- d* v-DI = 4A4Dh6 I( b- @9 w4 }5 q9 ~
Which are the 'magic values' used by SoftIce.
6 [/ i% V. {* [For more informations, see "Ralf Brown Interrupt list" chapter int 03h.& u. z- E5 b( A7 A6 v
+ z" i' |; }1 r8 `* {2 X
Here is one example from the file "Haspinst.exe" which is the dongle HASP
6 [- H' t5 p/ ^( G. _- ?5 o$ B- o; SEnvelope utility use to protect DOS applications:$ G% E; V% V- q9 m# n

  B! o  d  B7 f0 F. {: Y! p: ]- A2 x7 H' |6 G8 s. w  w
4C19:0095   MOV    AX,0911  ; execute command.
! K( y# N1 |; F  N9 @6 n9 z9 U4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).3 c2 s: `/ h& d4 f
4C19:009A   MOV    SI,4647  ; 1st magic value.
1 z( ^& _) L# X. o3 `4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
. |0 D0 M9 ?4 u- l+ B4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
; B  Z! G4 K. j4 w) \: K4 R4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute( L% t, _' l/ u  m8 y/ x% ]$ L
4C19:00A4   INC    CX
) ?& r2 ^( k1 K* e0 f( U9 y4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
& O' R. C+ T% i5 u4C19:00A8   JB     0095     ; 6 different commands.( o4 _* n$ w: A
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.4 ^7 y: C4 p% S% Z2 i
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
' P$ Z9 y% h0 Z2 R9 F  @
( J2 s# c6 R( U1 [4 S" jThe program will execute 6 different SIce commands located at ds:dx, which
, B# F$ _6 {6 p* d$ v* B4 Zare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.# T# Z% Z& Z9 S: r6 A
: }7 V- O& u: K: {: v4 F0 A
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.1 I% F9 `/ R  }, C
___________________________________________________________________________
* y. q6 Z0 C6 p& {" K$ @# S- ^, v# H* Q! |

1 L- n8 C# {+ D" f5 J  ^Method 03' D  h+ Z9 r* \8 r; V1 ^
=========7 ~% {6 [7 i) n, {  d9 h$ ]

& l# N6 N7 h  }/ T5 s( mLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h& `; i- z# Z4 j8 Z
(API Get entry point)
# g6 ]+ J. ^+ ~* T        * {2 q4 x5 Y8 ~( A' ^3 }
$ |& F! f# s% o' e# F
    xor     di,di4 V7 d" F. f/ q6 L. ]' G
    mov     es,di1 X! R3 w( e4 J
    mov     ax, 1684h       / Q: X* a8 O( Y' _" n
    mov     bx, 0202h       ; VxD ID of winice- P+ j5 A2 w+ c" S/ w
    int     2Fh
/ L: K$ }- N* d) ^2 O' y% H0 h    mov     ax, es          ; ES:DI -&gt; VxD API entry point
$ D4 U) s! b7 S8 f' b$ K, D    add     ax, di
, {2 j3 M- u4 r/ Q. s) R    test    ax,ax* L  m# g+ N3 `# p- G
    jnz     SoftICE_Detected
. V9 R, ~0 X5 N* \7 n# i5 |5 R' V& J2 ?7 q: x, U, a  h+ S/ v
___________________________________________________________________________# @# T- P% i" `7 b
7 n2 P7 i" f" E/ c7 [
Method 048 I) ?3 ?/ N  v
=========
5 n9 V- M* w& x5 K. }  b1 \3 O* x! z" N
Method identical to the preceding one except that it seeks the ID of SoftICE
; L$ k" V7 L5 p, F8 ^GFX VxD.  @  t: K- C2 ]) Z! b

. T: v% o7 ]2 P) F' m+ ]+ l9 [    xor     di,di
  `+ O& P$ U4 t/ n1 q    mov     es,di! X% ^. M# G& k) m9 ^( k2 ^
    mov     ax, 1684h       0 H" n+ S& y! X8 D0 ?
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
9 ^+ m" h$ f- `    int     2fh1 u% g7 f7 ^/ H
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
! E; z" y' K! g/ \& e& }    add     ax, di
1 Q/ U; L1 g& ]4 r8 [6 K# b' g: |    test    ax,ax4 O" r" L7 x1 A8 Z9 K2 N. _% g9 E
    jnz     SoftICE_Detected
9 ?) l; C* w' Y  c2 q; s6 P
& ]6 q/ N9 E* B__________________________________________________________________________
% d3 x8 N- x" L7 e/ w6 ^
: [5 B% m8 w. A. ]) @5 n8 m8 I8 }. S* i; u% R7 I; V! w
Method 05
/ X$ ~0 U/ k+ ^) e$ {( E=========
7 E/ D: f) N8 x. i& j0 m5 Z* p. }0 M1 L! l$ B" H
Method seeking the 'magic number' 0F386h returned (in ax) by all system8 r) n9 ^4 R8 w1 q
debugger. It calls the int 41h, function 4Fh.6 {# M" D% T3 M0 ^# b0 N# K
There are several alternatives.  : p1 K+ N5 O! B- `4 }$ x7 Z: z
- |. Q* e5 j2 A7 U
The following one is the simplest:
' M2 Y2 R3 b3 o. l
: H9 v5 `9 a9 m' ?    mov     ax,4fh; t9 i# a9 I7 Z$ y8 y' v/ X9 Q7 h
    int     41h3 ]8 ^9 q+ @: j4 C2 |
    cmp     ax, 0F3866 Q: w' Q1 f* S6 {
    jz      SoftICE_detected
- s. i. L  Q/ ?- `0 |) e% n
8 c: v5 {) O# Z( x  X
# j! D' O8 {  Q/ z" E4 ~Next method as well as the following one are 2 examples from Stone's ) @4 ^  `/ Q; E$ T# g7 Q
"stn-wid.zip" (www.cracking.net):: y% O8 g: ?' s7 A5 P4 T

8 X. P- @  _0 H8 M1 P! z0 r    mov     bx, cs3 h7 J! y: v$ i- W: G
    lea     dx, int41handler21 G( u9 D7 C& R# J& T+ y
    xchg    dx, es:[41h*4]- y. z0 n7 o4 X& L' y
    xchg    bx, es:[41h*4+2]
0 Z* C: r' W; H$ p8 P+ b    mov     ax,4fh
# B8 L6 |$ S) c( n4 @% j0 [    int     41h
, w! ]. u2 G) s' E% i/ o    xchg    dx, es:[41h*4]* F; j8 M, ]) F% ^5 R
    xchg    bx, es:[41h*4+2]3 J* }, O7 h4 d2 B2 r& q: J6 Z
    cmp     ax, 0f386h- H) A2 V: h) |" i$ h. }7 ]) X
    jz      SoftICE_detected
8 i' i6 R) {0 R; F8 _* }- i# [7 Y' e
int41handler2 PROC& v( W7 n- m$ u8 K: E! P
    iret8 N! b( w2 B9 Z; x1 N
int41handler2 ENDP
7 ]( U( u' n0 T/ [7 {$ f, E7 W, |1 ~9 L# y

+ P8 v1 i7 l) I, V" z" l) u_________________________________________________________________________5 h! e0 m. m: q6 b7 ?
9 M- n/ F5 @* E) h: ]2 i' o4 z

( o, A  j8 m  o8 `: b, ?. VMethod 06
, R4 x" R# L* e8 u, w/ n& }9 L=========
  S3 l7 V4 S/ t4 o8 O% k7 R* N2 V9 u, k; h; w9 `+ {) S
! U; f: u9 O7 T% z, H
2nd method similar to the preceding one but more difficult to detect:
. W. E4 u2 v( \. F6 l3 Y1 Q8 z1 ~8 W

, v9 @5 ]1 C% V% A6 D% R$ z  b. Fint41handler PROC
+ |/ g5 Z5 R; `    mov     cl,al6 Z& f: d. [2 q! J
    iret) d1 F: C; W0 U0 M
int41handler ENDP0 I) e0 B: R$ w/ j  _

& j4 t+ t+ h+ C1 a
- `% T# h: k7 n5 o* i& u    xor     ax,ax- M0 N4 A' L. c( w/ S# t6 p) D6 T1 W
    mov     es,ax
. ?  c; J1 P+ T" D" C    mov     bx, cs
$ l* y$ g8 Y  {4 H3 ]    lea     dx, int41handler
- ]# Q" G, S% S2 R3 p* V    xchg    dx, es:[41h*4]
2 Q+ r- F: `! [2 T& ^6 T7 L: ^    xchg    bx, es:[41h*4+2]
2 w- N* m6 V2 c- t+ O, {    in      al, 40h
: s9 X. F0 p& w( I* k    xor     cx,cx
4 Z& c% ~: H3 \8 y4 k+ N  J    int     41h- z' |% h. D& d& V5 g
    xchg    dx, es:[41h*4]
% J: |! Y% v9 U7 i    xchg    bx, es:[41h*4+2]
7 H* c4 {! m  v8 e    cmp     cl,al1 L2 B( X! k0 q  r2 r2 O! g! c
    jnz     SoftICE_detected
; _  [% e) \2 Y- c- s- Y8 |  s- P8 C/ R
_________________________________________________________________________
  I9 w9 R5 {: U1 Z: U8 p3 @( e7 W
! t: p' A1 K# O' f3 G$ c: }6 MMethod 07+ d% W  O7 ]3 f* x# r
=========
+ G% W! X/ m- O5 x, z; \: ?  D, k- M: N9 O! X4 L: z5 s/ T) D/ s
Method of detection of the WinICE handler in the int68h (V86), A) Y" ^) H5 l4 o
( o, T5 E& U1 `
    mov     ah,43h2 t) z+ w$ N/ T7 _
    int     68h. L4 s7 k. j# j
    cmp     ax,0F386h  X4 O6 {1 g% P# o& B
    jz      SoftICE_Detected
! ?0 o7 N& _2 M7 i: u' q7 _# T# _; N& K. l: |/ G  C
3 Y) m9 E& W& I; ?
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! p  ?5 n$ F: a( h9 Q6 {   app like this:1 l6 N4 _. U) _% z, {: z, }# B

4 f# V7 Z  T6 V: _   BPX exec_int if ax==68
" B$ T3 _6 @* T3 o1 E$ V: C( C' N   (function called is located at byte ptr [ebp+1Dh] and client eip is! ]* P5 B$ ^* T
   located at [ebp+48h] for 32Bit apps)
  P: ]* o; P( ^; k4 F; ___________________________________________________________________________, k+ Q( [5 [0 e1 o: d2 [

9 |6 d6 W6 o6 J* s9 |4 z) l3 L' ~1 B& }$ O: a
Method 08
( L+ [6 l% j. f4 ?=========( p0 m: K, Z3 k; C8 @6 i6 U- R

: b$ i0 B8 f7 b) P  k1 bIt is not a method of detection of SoftICE but a possibility to crash the4 [) D' D! s% e+ |: G# ?' Q
system by intercepting int 01h and int 03h and redirecting them to another# q$ e3 D/ \" w7 |% f- k
routine.
+ u! O7 G+ w; Y; ~. C* i' XIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
3 r4 @/ E3 o  V5 Zto the new routine to execute (hangs computer...)' `" d" E2 q6 k3 s

5 U2 l3 w/ {# Y8 g; u$ `    mov     ah, 25h# b4 z# W2 T* |/ S
    mov     al, Int_Number (01h or 03h)
" m9 L6 j( O7 N" C3 Q# A8 J4 ]8 N7 h. D    mov     dx, offset New_Int_Routine
/ s5 T+ G4 F, Y# A    int     21h+ V  }. _8 q9 s" U

, W- r0 r* ]1 ]0 J__________________________________________________________________________  A+ ^' ]* ^6 f6 j/ l

6 ]9 T; e, o6 x8 C8 \, XMethod 09
. p9 v4 H- z5 u" @=========3 a  m3 m1 ]% N

- n) p6 t# L( p: ?  t4 rThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only) ?5 x+ \8 x' ]2 g2 r
performed in ring0 (VxD or a ring3 app using the VxdCall).
# a, G, k9 x; s. jThe Get_DDB service is used to determine whether or not a VxD is installed2 D# {) d% ~- i! m$ n
for the specified device and returns a Device Description Block (in ecx) for
7 V9 W( M$ x. ^- \1 kthat device if it is installed.
( h# l) {2 Y, A0 A$ D: `7 d1 h
# Q9 R4 Q1 U" }9 N1 w   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
1 F! V: y. t# z2 i4 T   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)/ j0 P/ B" S) w2 k4 s: g
   VMMCall Get_DDB
) U! w% |0 {7 S1 V5 Y, C9 n   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
2 V9 a/ I1 Y& M- J6 I8 p0 n( {  Q  ]) c4 e2 \6 O
Note as well that you can easily detect this method with SoftICE:
* E8 W4 e& B) S% o1 n) B   bpx Get_DDB if ax==0202 || ax==7a5fh
$ X( m% P6 Z7 a" a5 @  ^+ O5 o2 X! y5 ~  g3 A0 Z8 m
__________________________________________________________________________
! {  z" K* C0 i& Z3 E$ ~, N+ K0 v8 j; L) Y% a( g
Method 10
5 C5 i7 ?6 }8 G, q, F& V% a=========
& k9 Z& ^3 n2 d" `  r; w( e5 k, X3 J8 m' F4 Y
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with* t- Z4 ]% `9 w$ j$ c! X: {. ^: Q
  SoftICE while the option is enable!!6 j/ F/ ]  A4 x& _% C

7 W- M9 r. h) p; i! q. F) U, zThis trick is very efficient:- v) D' s* m# a! E$ y$ D0 ~4 p
by checking the Debug Registers, you can detect if SoftICE is loaded
/ |# W. X$ _7 e4 J/ d0 }% E# g1 s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
5 _7 n" L+ u! W# L6 E8 c7 Rthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 A% J) o, F/ }/ \! S
value (in ring0 only). Values can be manipulated and or changed as well; g! p, B4 y" l8 x
(clearing BPMs for instance)( E1 ]- A5 N; e$ W6 y- ]
) v* o$ h5 M/ X" ?- d. ]" x1 k
__________________________________________________________________________
& V2 ], K0 D6 j8 u, ~+ ~0 ?6 N
8 w5 I0 ]+ p* |& z9 Z, A% |Method 116 m4 t4 D& ~' T1 Y) [* ?
=========
8 b% N# C4 E5 z; w) c; O# ?( W3 E' a  }5 G# Z/ m
This method is most known as 'MeltICE' because it has been freely distributed. O2 O& y, L, N7 f! h$ n$ h
via www.winfiles.com. However it was first used by NuMega people to allow) S' q" K: ^8 [7 z) |$ |7 |- Z
Symbol Loader to check if SoftICE was active or not (the code is located+ d& z+ j+ U7 E5 o  H$ P$ u
inside nmtrans.dll).8 Q  F8 a4 V8 N1 x6 M
& w0 C9 P9 T. e; s7 P: e
The way it works is very simple:
1 S, n5 ^! o. n; W; U* [  ?' c( yIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for' e+ j+ ], w2 Y. W
WinNT) with the CreateFileA API.  z( e: A. l' p; L( p
; j- ~! j  N4 M
Here is a sample (checking for 'SICE'):; Q! N1 W5 l: H; a0 D* m' C2 t

+ a. _* W* O# d" {0 J& q+ lBOOL IsSoftIce95Loaded()8 O" o  V6 Q- B/ X
{
" n0 o, w7 C0 {9 h* F   HANDLE hFile;  
0 v) H9 i8 `: `: e. s! C% }   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,1 B4 r3 K/ I& ?3 U
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
+ e4 Z5 E2 P: y                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
$ y0 v' E% n% w1 P* K- M+ M# I   if( hFile != INVALID_HANDLE_VALUE )
, l- L4 [# h2 z" w# d/ `( O4 y   {6 q) h) q( L8 O8 G% z
      CloseHandle(hFile);: L. ?; a6 V6 s4 S' ?6 ?2 z
      return TRUE;3 T1 `5 f; f+ K4 Q" }/ c
   }1 \3 [5 V# `, B2 l
   return FALSE;* Q. K  J, a6 N# d% j; N
}
+ x& O, F) D* t9 m  m2 J+ q
0 t) z8 ^; M( e9 T% sAlthough this trick calls the CreateFileA function, don't even expect to be
' B- x4 V5 V3 X2 C# T! R' hable to intercept it by installing a IFS hook: it will not work, no way!
& v( n* d; \5 M! i# {In fact, after the call to CreateFileA it will get through VWIN32 0x001F$ a+ W& a6 t4 ~' R- h$ r! ~% V# w
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
$ E/ |0 z1 _! T8 ~/ [and then browse the DDB list until it find the VxD and its DDB_Control_Proc5 h& P+ C" d. I, D* f
field.
1 t7 I" \* Y$ v) c7 T) XIn fact, its purpose is not to load/unload VxDs but only to send a
9 a' Q' H8 `9 bW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
2 K, M5 i' [5 t/ \- Hto the VxD Control_Dispatch proc (how the hell a shareware soft could try
* W1 w. R9 g; l6 Ato load/unload a non-dynamically loadable driver such as SoftICE ;-).' Z% `- a9 D" k- f' p  R' r5 ~! t
If the VxD is loaded, it will always clear eax and the Carry flag to allow0 ~  O. n0 T' I  U
its handle to be opened and then, will be detected.) ^, R6 F% ~' I. {1 F8 T9 |
You can check that simply by hooking Winice.exe control proc entry point. }; \" i4 c, Q& K. c6 B
while running MeltICE.! @+ F0 u, }6 _1 t" x
7 j) l' y+ Q* ]; i% m" ]% V: K

$ k5 W& g+ b+ z: |. h9 j( M  00401067:  push      00402025    ; \\.\SICE
+ v6 z( p: f; o; b/ x% n  0040106C:  call      CreateFileA+ L0 P# V. U$ r6 i7 K
  00401071:  cmp       eax,-001
4 D/ `9 k1 [& b$ S# e- {# W) W6 C  00401074:  je        00401091  `3 l: p1 d, g% f
/ S9 O% P/ W8 o
. B8 M, q2 m+ d, [
There could be hundreds of BPX you could use to detect this trick.
9 j: N* |. d1 _7 T. o2 v-The most classical one is:4 o2 Y* S: u7 C
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
' }( f' O1 e; N$ b  O0 N" Q" e- b    *(esp-&gt;4+4)=='NTIC'% ~! W- `; z) x

. P$ p, w& ?+ f8 U0 Z-The most exotic ones (could be very slooooow :-(
) ~) @/ y9 A. p+ O) x% z/ p8 j; u9 i' ]   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
$ v2 _* A- V2 a# e" Q     ;will break 3 times :-(6 q) M# }1 j; v# }' P
* t  R' ^. m  S) w& r& d% A5 C
-or (a bit) faster: ( f6 F& z6 [5 @( v4 I* D$ j0 v
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 s3 y5 k5 {9 L; }9 h1 z! Z4 r! ~+ J# Z: `
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
7 k# G5 l* D" m/ D# @: U     ;will break 3 times :-(
/ o# }+ h$ y9 R0 a9 I% D5 L* ^9 ]! |& [2 Z- Y3 W, c+ g9 s, `" G2 l7 o6 |
-Much faster:
- _6 B2 H0 G6 h# x7 v2 `   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'3 E+ D( c9 V) d' X$ W' z* a8 O
$ z0 O; K7 Y! S6 e
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
& k$ G# ]( b/ o( e# C, \3 s+ mfunction to do the same job:
& n/ D/ K, {) A9 S5 S" N( W0 U9 ?/ }0 {* X/ ^# }
   push    00                        ; OF_READ
* A* b* V2 d' f$ ?( i   mov     eax,[00656634]            ; '\\.\SICE',0
4 u* H( J: W- `! \, S: C/ p0 }   push    eax2 M' x7 j, y/ B) t# |6 K
   call    KERNEL32!_lopen
- V/ `/ a, c: @2 J8 q" z   inc     eax8 ~  T$ i9 w: Z5 u3 K# M" f
   jnz     00650589                  ; detected
* K4 k" x( ?7 W. n1 N   push    00                        ; OF_READ! B$ R/ P' R% M) y/ a
   mov     eax,[00656638]            ; '\\.\SICE'- f0 U% E/ I* ~* I, l4 O- W" k
   push    eax
4 Y: s. ^0 X2 b) g4 S# C. b8 X; E   call    KERNEL32!_lopen7 @# A. Z$ r/ w- V
   inc     eax# z+ T; J5 n3 u4 d
   jz      006505ae                  ; not detected
" ~9 ?+ H- a- E' ^& J' `
. ]) k6 S/ l" N/ i- Y$ V. z
/ O7 n- X5 y' W, Z__________________________________________________________________________" F! ^$ a4 D) o' k& \4 g/ u1 S
; e) R5 Q) D! c3 x
Method 12, T% Z2 t" @. x, q3 \! B& H
=========
* n; _1 W2 K& J) f8 V' @# S5 Q1 A4 `. o( w- }) ^# n  _4 l
This trick is similar to int41h/4fh Debugger installation check (code 054 _' x  ?9 W7 c% h/ H6 |5 A
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
7 @$ @% a7 G- ~- Zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* K/ l/ r# M- }+ x0 _  {6 B) y7 o' ]- p4 M! H, W) p
   push  0000004fh         ; function 4fh6 K# P+ E. G0 D2 n! |. e+ W; W2 [
   push  002a002ah         ; high word specifies which VxD (VWIN32)/ x$ S1 Q* A8 s* N. D! J* Q
                           ; low word specifies which service
( G, A. @7 h. v+ a& S; L                             (VWIN32_Int41Dispatch), _. d6 Q4 P% n/ {9 [  }
   call  Kernel32!ORD_001  ; VxdCall) v9 r2 j/ e9 j/ z- F
   cmp   ax, 0f386h        ; magic number returned by system debuggers
* ?7 o+ f7 u0 v2 F   jz    SoftICE_detected
+ X/ V! g3 v! }& f3 [$ s- t7 l
) f7 n. w7 F$ p2 q% U/ g+ a  fHere again, several ways to detect it:! D& k" J+ L# `

$ o4 A4 C6 l: M2 E4 L5 {    BPINT 41 if ax==4f' G; T" e4 |0 o* g" y( u& A

6 s  n; d+ }+ O# M9 d! H    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one& a8 O# k, i6 @% T+ E. E) W! l+ m* n: y
- g7 D$ F  I8 N$ l
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
( n% [! w' Z/ x1 z* y2 `; v. S! B+ ~: M" D4 x$ a. Z, B) t
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
0 O4 s' F3 F  Y8 s1 E+ W7 u+ Z: M) f; H$ Q
__________________________________________________________________________
/ K; |4 z/ L' V" B+ w
  N/ N9 |" T) k9 B( f& W# t! \Method 13
* e! ~: c4 o) b- B% l=========! l- u3 c8 E# A

6 Y7 k8 m  C5 \, SNot a real method of detection, but a good way to know if SoftICE is
' p3 H3 L3 V9 zinstalled on a computer and to locate its installation directory.
/ V7 O8 w$ L+ Z3 kIt is used by few softs which access the following registry keys (usually #2) :1 N% e7 G6 D6 ]; b8 c, P8 ]6 b+ w  Q

; j; {5 z: E, o- t/ S. X-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
; T5 N" k4 A* F4 z" `8 i\Uninstall\SoftICE
2 ]/ u8 N9 ]' d4 V1 G7 U# g-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
0 w* D& p; ]  k3 r/ F0 r-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
8 w+ L7 [' `8 f2 {\App Paths\Loader32.Exe
2 Q7 K7 ^1 G: y- D+ k% R/ S- K/ x& A2 l8 f' k! Y

. a* B6 p2 y7 O+ M8 NNote that some nasty apps could then erase all files from SoftICE directory7 r# W, _# b$ M0 e/ z2 [/ C
(I faced that once :-(
, `! t( }. K9 L) u% J) X. _' x/ o
5 h% s! P6 Z) U" D  Y; m! DUseful breakpoint to detect it:; r7 `5 E  `$ U

2 T- I& Z7 e- k( A& ?  I  l$ l3 s     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
% `7 J/ x4 Q+ c& }$ H: h7 {! f& z1 A: \
__________________________________________________________________________: O9 A7 Z5 |, }; b% l: s- a0 {

9 E8 z4 u: g  s2 z
2 W: a6 E& k6 CMethod 14 / d' W# o& P) p, i2 i; k2 t
=========
" z2 V' j, ~. E' e- r; s$ Y" d$ i9 ~: y+ R3 m
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 Y. P9 T4 n. m0 Y
is to determines whether a debugger is running on your system (ring0 only).7 z; {9 g# E) ]. p: J

) s/ [$ y1 H8 ?) E# p2 R# X   VMMCall Test_Debug_Installed. T* z- f7 G9 \' H) }, g9 y
   je      not_installed
' @* q* {" G+ u8 f. p  x& x8 A0 \. r4 h" B9 ~- `
This service just checks a flag.9 l" t9 \: q, @3 Y0 g
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 04:06

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表