About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command -the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method and the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]           ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]         ; keeping the old vector in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]           ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                    ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]           ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                  ; al = arbitrary value read from the timer port
    xor     cx,cx
    int     41h                      ; our handler copies al into cl if it really runs
    xchg    dx, es:[41h*4]           ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected         ; cl != al: int 41h never reached our handler

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS Set Interrupt Vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
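Added example, not part of the original article: a static scanner that looks for the byte encodings of the instruction sequences and device names listed in Methods 01, 02, 03/04, 05, 07, 11 and 12, so an analyst can tell from a binary which of these checks it carries before running it under a debugger. The opcode encodings and the hand-assembled sample buffer are mine, not taken from the page.

```python
"""Static signature scanner for the anti-SoftICE tricks described above."""
import re
from typing import Dict, List

# name -> regex over raw bytes.  Encodings are 16-bit real-mode x86 unless
# noted; ".{0,n}?" tolerates a few unrelated instructions in between.
SIGNATURES: Dict[str, re.Pattern] = {
    # Method 01: MOV EBP,4243484Bh ('BCHK'); the 66h prefix only appears in 16-bit code
    "01_BoundsChecker_BCHK": re.compile(rb"\x66?\xBD\x4B\x48\x43\x42"),
    # Method 02: MOV SI,4647h (BE 47 46) and MOV DI,4A4Dh (BF 4D 4A) in either
    # order, followed by INT 3 (CC)
    "02_backdoor_magic": re.compile(
        rb"(?:\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46)"
        rb".{0,16}?\xCC", re.DOTALL),
    # Methods 03/04: MOV AX,1684h; MOV BX,0202h (SICE) or 7A5Fh (SIWVID); INT 2Fh
    "03-04_int2F_1684": re.compile(
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL),
    # Method 05: MOV AX,4Fh; INT 41h; CMP AX,0F386h (3D 86 F3)
    "05_int41_4F": re.compile(
        rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL),
    # Method 07: MOV AH,43h; INT 68h; CMP AX,0F386h
    "07_int68_43": re.compile(rb"\xB4\x43.{0,8}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL),
    # Method 11: NUL-terminated device names handed to CreateFileA / _lopen
    "11_MeltICE_names": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12 (32-bit code): PUSH 4Fh; PUSH 002A002Ah just before VxDCall
    "12_VxDCall_Int41Dispatch": re.compile(
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}

def scan(buf: bytes) -> Dict[str, List[int]]:
    """Map each signature present in buf to the offsets at which it starts."""
    hits: Dict[str, List[int]] = {}
    for name, pat in SIGNATURES.items():
        offsets = [m.start() for m in pat.finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits

def methods_found(buf: bytes) -> List[str]:
    """Article method numbers (e.g. '02') whose signature occurs in buf."""
    return sorted({name.split("_")[0] for name in scan(buf)})

# Constructed sample (hand-assembled, not from any real file): the Haspinst.exe
# loop of Method 02, then a Method 05 check, then the MeltICE device name.
SAMPLE = bytes.fromhex(
    "B81109"    # mov ax,0911h      (offset 0)
    "8B17"      # mov dx,[bx]
    "BE4746"    # mov si,4647h      (offset 5)
    "BF4D4A"    # mov di,4A4Dh
    "CC"        # int 3
    "83C302"    # add bx,2
    "41"        # inc cx
    "83F906"    # cmp cx,6
    "72EB"      # jb back to offset 0
    "B84F00"    # mov ax,4Fh        (offset 21)
    "CD41"      # int 41h
    "3D86F3"    # cmp ax,0F386h
    "7402"      # jz SoftICE_detected
) + b"\\\\.\\SICE\x00"   # '\\.\SICE',0     (offset 31)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(f"{name:28s} at {[hex(o) for o in offs]}")
```

Running the script on SAMPLE reports the Method 02, 05 and 11 signatures at offsets 5, 21 and 31; a buffer without any of the sequences yields an empty result.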