About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: when SoftICE handles
the INT 3 it modifies AL, so AL still being 4 afterwards means SoftICE is
not there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler installed by the
  program if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point): ES:DI is zeroed first, and a non-zero ES:DI
on return means the VxD answered and is therefore loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at a stub that just returns, so only a handler sitting underneath
the vector table (SoftICE) can still put 0F386h into AX:

    xor     ax,ax
    mov     es,ax               ; ES = 0 (IVT segment); setup added here,
                                ; Stone's listing assumed it (see Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; swap in the stub, remember the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


__________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but harder to detect: AX is not
set to 4Fh but to a pseudo-random value read from the PIT counter (port
40h), so there is no 4Fh/0F386h constant to spot. The temporary handler
copies AL into CL; if it did not run (because SoftICE intercepted the
interrupt underneath the vector table), CL and AL differ.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, remember the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random AL from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
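Methods 01 to 07 all reduce to "a software interrupt with a tell-tale register state". The following C code is an added example (my own, not part of the original text or of any of the tools it names): a classifier that takes a register snapshot captured just before an INT executes and names which of the checks above it matches. The `int_frame` structure and the sample frames in `main` are constructed for this example; a real tracer, emulator hook or disassembler script would fill the frame from live state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register snapshot at the moment a software interrupt executes. Constructed
 * for this example; a tracer or emulator hook would fill it from real CPU
 * state just before the INT instruction is dispatched. */
typedef struct {
    uint8_t  vector;                     /* interrupt number: 3, 2Fh, 41h, 68h */
    uint32_t eax, ebx, esi, edi, ebp;
} int_frame;

/* Back-door subfunctions named in Method 02, indexed by AX - 0910h. */
static const char *const kBackdoorFn[] = {
    "display string", "execute command", "get breakpoint info",
    "set breakpoint", "remove breakpoint",
};

/* Returns a label naming the anti-SoftICE check this interrupt performs, or
 * NULL when the frame matches none of the patterns from Methods 01-07. */
const char *classify_softice_check(const int_frame *f) {
    uint16_t ax = (uint16_t)f->eax, bx = (uint16_t)f->ebx;
    uint16_t si = (uint16_t)f->esi, di = (uint16_t)f->edi;
    static char buf[80];                 /* only used for the back-door label */

    switch (f->vector) {
    case 0x03:
        if (f->ebp == 0x4243484Bu && ax == 0x0004)       /* EBP = 'BCHK' */
            return "M01: BoundsChecker signature (int 3, EBP='BCHK', AX=4)";
        if (si == 0x4647 && di == 0x4A4D) {              /* SI='FG', DI='JM' */
            unsigned idx = ax - 0x0910;                  /* wraps if AX < 0910h */
            snprintf(buf, sizeof buf, "M02: SoftICE back door AX=%04X (%s)",
                     (unsigned)ax, idx < 5 ? kBackdoorFn[idx] : "unknown subfunction");
            return buf;
        }
        return NULL;
    case 0x2F:
        if (ax == 0x1684 && bx == 0x0202)
            return "M03: int 2F/1684 entry point of VxD ID 0202 (SICE)";
        if (ax == 0x1684 && bx == 0x7A5F)
            return "M04: int 2F/1684 entry point of VxD ID 7A5F (SIWVID)";
        return NULL;
    case 0x41:
        if (ax == 0x004F)
            return "M05: int 41/4F debugger installation check (expects AX=F386)";
        return "int 41 with AX != 4F: candidate Method 06 variant (random AX from port 40h)";
    case 0x68:
        if ((ax >> 8) == 0x43)
            return "M07: int 68/43 WinICE V86 handler check (expects AX=F386)";
        return NULL;
    default:
        return NULL;
    }
}

int main(void) {
    /* Constructed frames: one mirroring the Haspinst.exe listing in Method 02,
     * one BoundsChecker probe, and an ordinary DOS exit for contrast. */
    int_frame hasp = { .vector = 3, .eax = 0x0911, .esi = 0x4647, .edi = 0x4A4D };
    int_frame bchk = { .vector = 3, .eax = 0x0004, .ebp = 0x4243484Bu };
    int_frame dos  = { .vector = 0x21, .eax = 0x4C00 };
    const int_frame *frames[] = { &hasp, &bchk, &dos };
    for (size_t i = 0; i < 3; i++) {
        const char *what = classify_softice_check(frames[i]);
        printf("int %02Xh: %s\n", frames[i]->vector, what ? what : "no anti-debug pattern");
    }
    return 0;
}
```

The int 41h branch deliberately flags every call that is not function 4Fh, because Method 06 hides the 4Fh constant behind a random AL; whether that is noise or a real check has to be decided by looking at whether the caller also swaps the int 41h vector.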
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily catch this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise;
bit 10 of DR7 is always set, so 0x400 is the value of an untouched register)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

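The text gives DR7 only as two opaque values. The following C code is an added example (mine, not from the original text) that decodes the DR7 bit layout a ring 0 check like this one reads, so the 0x700 and 0x400 values can be related to actual bits, and that reports per-slot enable, access type and length for any value; the sample values in `main` are constructed. The layout used (L0..G3 in bits 0-7, LE/GE in bits 8-9, reserved bit 10, GD bit 13, R/Wn and LENn in four-bit groups from bit 16) is the documented IA-32 DR7 format.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one hardware breakpoint slot (DR0..DR3) as described by DR7. */
typedef struct {
    int local_enable;   /* Ln bit: breakpoint enabled for the current task */
    int global_enable;  /* Gn bit: breakpoint enabled for all tasks */
    int rw;             /* R/Wn: 0=execute, 1=write, 2=I/O, 3=read/write */
    int len;            /* LENn decoded to bytes: 1, 2, 8 (64-bit only) or 4 */
} dr7_slot;

typedef struct {
    dr7_slot slot[4];
    int le, ge;         /* LE/GE (bits 8, 9): exact local/global breakpoint enable */
    int gd;             /* GD (bit 13): raise #DB on any debug-register access */
    int armed;          /* number of slots with L or G set */
} dr7_view;

static int decode_len(unsigned two_bits) {
    static const int bytes[4] = {1, 2, 8, 4};   /* LEN encoding 00,01,10,11 */
    return bytes[two_bits & 3];
}

dr7_view decode_dr7(uint32_t dr7) {
    dr7_view v = {0};
    for (int i = 0; i < 4; i++) {
        v.slot[i].local_enable  = (dr7 >> (2 * i)) & 1;
        v.slot[i].global_enable = (dr7 >> (2 * i + 1)) & 1;
        v.slot[i].rw  = (dr7 >> (16 + 4 * i)) & 3;
        v.slot[i].len = decode_len((dr7 >> (18 + 4 * i)) & 3);
        if (v.slot[i].local_enable || v.slot[i].global_enable) v.armed++;
    }
    v.le = (dr7 >> 8) & 1;
    v.ge = (dr7 >> 9) & 1;
    v.gd = (dr7 >> 13) & 1;
    return v;
}

/* The check a protector performs in ring 0 after `mov eax, dr7`: anything
 * beyond the always-set reserved bit 10 means a debugger has touched the
 * register (0x700 = LE | GE | reserved, the value the text reports for a
 * program started from the SoftICE loader). */
int dr7_suspicious(uint32_t dr7) {
    return (dr7 & ~(uint32_t)0x400) != 0;
}

int main(void) {
    /* Constructed samples: untouched, SoftICE-loader value, and a 4-byte
     * write breakpoint armed in DR0 (L0=1, R/W0=01, LEN0=11). */
    uint32_t samples[] = {0x400, 0x700, 0xD0401};
    for (size_t i = 0; i < 3; i++) {
        dr7_view v = decode_dr7(samples[i]);
        printf("DR7=%#x armed=%d LE=%d GE=%d slot0(rw=%d,len=%d) suspicious=%d\n",
               samples[i], v.armed, v.le, v.ge, v.slot[0].rw, v.slot[0].len,
               dr7_suspicious(samples[i]));
    }
    return 0;
}
```

Note that `dr7_suspicious` is exactly as blunt as the trick in the text: a BPM set by any debugger, not only SoftICE, flips it, and a protector that runs in ring 3 cannot read DR7 at all (the instruction faults with #GP).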
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )   /* the driver answered: SoftICE is loaded */
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There are hundreds of BPX you could use to detect this trick.
-The most classical one (esp->4 is the lpFileName argument, and +4 skips the
 4-character "\\.\" prefix so the comparison lands on the driver name):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and 0x37
are the offsets of "tICE" inside "Software\NuMega\SoftICE" and
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

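The two offsets in that breakpoint are easy to get wrong by hand. The following C code is an added example (mine, not from the original text): it computes the offset of a 4-byte tag inside each subkey string and builds the corresponding SoftICE condition, so the expression can be regenerated for any list of keys. The subkey list is the one the text gives (the HKEY_LOCAL_MACHINE root is the hKey argument and is not part of the string), and the `esp->8` argument slot is assumed from the breakpoint above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed list of the subkeys named in the text, in the text's order
 * (#1 Uninstall, #2 NuMega, #3 App Paths). Only the subkey string reaches
 * RegOpenKey; the HKLM root is passed separately as hKey. */
const char *const kSoftIceSubkeys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
    "Software\\NuMega\\SoftICE",
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
};
const size_t kSoftIceSubkeyCount = sizeof kSoftIceSubkeys / sizeof kSoftIceSubkeys[0];

/* Byte offset of the first occurrence of tag inside path, or -1 if absent.
 * This is the constant that goes into "*(esp->8+0xNN)=='tag'". */
int tag_offset(const char *path, const char *tag) {
    const char *p = strstr(path, tag);
    return p ? (int)(p - path) : -1;
}

/* Build "*(esp->8+0xNN)=='tag' || ..." over every subkey that contains tag.
 * arg_slot is the stack offset of lpSubKey (8 for RegOpenKey's 2nd argument).
 * Returns the number of terms emitted; out is always NUL-terminated. */
int build_bpx_condition(const char *const *subkeys, size_t n, const char *tag,
                        int arg_slot, char *out, size_t outlen) {
    int terms = 0;
    if (outlen == 0) return 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int off = tag_offset(subkeys[i], tag);
        if (off < 0) continue;                 /* key does not carry the tag */
        char term[64];
        snprintf(term, sizeof term, "%s*(esp->%d+0x%x)=='%s'",
                 terms ? " || " : "", arg_slot, off, tag);
        if (strlen(out) + strlen(term) >= outlen) break;   /* no room: stop */
        strcat(out, term);
        terms++;
    }
    return terms;
}

int main(void) {
    char cond[256];
    int n = build_bpx_condition(kSoftIceSubkeys, kSoftIceSubkeyCount, "tICE",
                                8, cond, sizeof cond);
    printf("%d term(s): BPX _regopenkey if %s\n", n, cond);
    return 0;
}
```

Key #3 contributes no term because "tICE" never appears in it; if you want to catch it as well you need a different tag (the text's breakpoint does not cover it either).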
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
Posted on the 汶上信息港 forum (Discuz! X3.5).