About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]     ; es must point to the IVT (segment 0), as in Method 06
    xchg    bx, es:[41h*4+2]   ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]     ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al              ; only reached if nobody else intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h            ; pseudo-random byte from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al              ; cl still 0 if our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
7 }$ q- P  L" T+ f/ J
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( )
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


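As an added example that is not part of the original text (my own code, not the author's), here is a Python triage scanner that flags the byte sequences of Methods 01 to 05 and the MeltICE device names and registry paths of Methods 11 and 13 in a raw binary image, so an analyst can see which of these tricks a protected program carries before running it under a debugger. The signature labels and the SAMPLE buffer are constructed for the demonstration.

```python
import re

# Byte patterns for the anti-SoftICE tricks described above. Mode matters:
# the int 3 backdoor (Method 02) and the int 41h/2Fh checks are 16-bit code,
# the BoundsChecker check (Method 01) and MeltICE are 32-bit Win32 code.
# The labels are our own naming, not SoftICE or NuMega terminology.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "int3_boundschecker_BCHK":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (a 66h prefix fits in the gap)
    "int3_backdoor_magic_FG_JM":
        re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "int2F_1684_vxd_entry_point":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh ; int 41h (the 0F386h magic-number check)
    "int41_4F_debugger_installed":
        re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL),
}

# Method 11 (MeltICE) device names and Method 13 registry paths, searched as
# ASCII and as UTF-16LE since Win32 code may carry either encoding.
STRINGS = [
    b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE",
    b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe",
]


def scan(blob: bytes):
    """Return (offset, label) pairs for every trick found, sorted by offset."""
    hits = []
    for label, rx in SIGNATURES.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), label))
    for s in STRINGS:
        text = s.decode("ascii")
        for needle, enc in ((s, "ascii"), (text.encode("utf-16-le"), "utf16")):
            for m in re.finditer(re.escape(needle), blob):
                hits.append((m.start(), f"string:{text}[{enc}]"))
    return sorted(hits)


# Constructed sample buffer (not a real binary): NOP padding around the Method 01
# sequence, a Method 02 backdoor call, the MeltICE device name and a Method 03 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 at offset 4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # Method 02, magic values at offset 24
    + b"\x00\x00"
    + b"\\\\.\\SICE\x00"                                            # MeltICE string at offset 33
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                           # Method 03 at offset 42
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```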
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>