About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.