About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is located in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must point to the IVT (ES = 0)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable byte from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless SoftICE intercepted the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
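
Method 10 reads DR7 and DR0-DR3 directly, so it helps to know what the two values quoted above actually encode. The decoder below is an added example, not part of the original text: it follows the DR7 bit layout from the Intel SDM (vol. 3, "Debug Registers") and reports which hardware breakpoints are armed and how. The values 0x400 and 0x700 are the ones the text quotes; the third sample value, a single armed 4-byte read/write breakpoint in DR0, is constructed.

```python
# DR7 decoder: added example, not part of the original text.  Bit layout from
# the Intel SDM vol. 3, "Debug Registers".  SAMPLE_DR7 holds the two values
# quoted in Method 10 plus one constructed value with a breakpoint armed.
from typing import Any, Dict

RW_NAMES = {0: "execute", 1: "write", 2: "io (needs CR4.DE)", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 10b = 8 bytes is only defined in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, Any]:
    """Return the control flags and the enabled breakpoints encoded in DR7.

    bit 2n / 2n+1 : Ln / Gn   local / global enable of breakpoint n (address in DRn)
    bit 8  / 9    : LE / GE   local / global exact breakpoint enable
    bit 10        : reserved, always reads as 1 (hence the 0x400 baseline)
    bit 13        : GD        general detect: traps any MOV to/from DR0-DR7
    bits 16+4n    : R/Wn      break condition of breakpoint n (2 bits)
    bits 18+4n    : LENn      length of breakpoint n (2 bits)
    """
    info: Dict[str, Any] = {
        "local_exact": bool(dr7 & (1 << 8)),
        "global_exact": bool(dr7 & (1 << 9)),
        "general_detect": bool(dr7 & (1 << 13)),
        "breakpoints": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue              # DRn may hold an address but is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        info["breakpoints"].append({
            "index": n,
            "scope": "global" if glob else "local",
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return info


def describe_dr7(dr7: int) -> str:
    """One-line summary: which control flags are set and what is armed."""
    d = decode_dr7(dr7)
    flags = [name for name, on in (("LE", d["local_exact"]),
                                   ("GE", d["global_exact"]),
                                   ("GD", d["general_detect"])) if on]
    bps = [f"DR{b['index']} {b['scope']} {b['condition']} len={b['length']}"
           for b in d["breakpoints"]]
    return (f"DR7={dr7:#010x}: flags={'|'.join(flags) or 'none'}; "
            f"breakpoints={'; '.join(bps) or 'none'}")


# Constructed inputs: the two values quoted in the text, plus one with a 4-byte
# read/write breakpoint armed in DR0 (the shape a memory breakpoint leaves).
SAMPLE_DR7 = {
    "started without SoftICE loader": 0x400,
    "started through SoftICE loader": 0x700,
    "one memory breakpoint armed (constructed)": 0x000F0401,
}

if __name__ == "__main__":
    for label, value in SAMPLE_DR7.items():
        print(f"{label:45} {describe_dr7(value)}")
```

The 0x700 case decodes to LE and GE set with no breakpoint armed, which is why the text can use it as a "loaded through the SoftICE loader" marker; the 0x400 baseline is just the reserved bit 10. Any entry in the breakpoints list means one of DR0-DR3 is live, which is the condition a protector would look for before clearing it.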

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
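
Every trick in the list above leaves a recognisable byte pattern in the protected file: the 'BCHK' immediate of Method 01, the 4647h/4A4Dh pair of Method 02, the VxD ids of Methods 03/04, the int 41h / 0F386h sequences of Methods 05 to 07 and 12, the \\.\SICE device names of Method 11 and the registry paths of Method 13. The Python scanner below is an added example, not part of the original post: it searches a raw image for those patterns so an analyst can triage a sample for anti-SoftICE code before running it. The byte encodings are standard IA-32 (mov r16,imm16 = B8+r imm16, mov ebp,imm32 = BD imm32, mov ah,imm8 = B4 imm8, int n = CD n, cmp ax,imm16 = 3D imm16, with an optional 66h operand-size prefix in 32-bit code) and are my assumption of how the listings assemble; the sample image is hand-built from those listings and is not taken from any real file.

```python
import re
from typing import Any, Dict, List

# Static triage scanner for the SoftICE-detection tricks catalogued above.
# Added example, not from the original post.  Patterns are written from the
# listings in Methods 01, 02, 03/04, 05/06/07, 11, 12 and 13 using standard
# IA-32 encodings (assumption: mov r16,imm16 = B8+r; mov ebp,imm32 = BD;
# mov ah,imm8 = B4; int n = CD n; cmp ax,imm16 = 3D; 66h prefix optional).
# Tuple fields: (method tag from the page, description, bytes regex, re flags).
SIGNATURES = [
    ("01", "BoundsChecker magic 'BCHK' loaded into EBP before INT 3",
     rb"(?:\x66)?\xbd\x4b\x48\x43\x42", 0),
    ("02", "SoftICE back-door magic values SI=4647h / DI=4A4Dh",
     rb"(?:\x66)?\xbe\x47\x46.{0,8}?(?:\x66)?\xbf\x4d\x4a", 0),
    ("03/04", "INT 2Fh/1684h entry-point query for VxD id 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", 0),
    ("05/06", "INT 41h debugger-installed check (AX=4Fh)",
     rb"(?:\x66)?\xb8\x4f\x00.{0,8}?\xcd\x41", 0),
    ("05/07/12", "compare against the system-debugger magic number 0F386h",
     rb"(?:\x66)?\x3d\x86\xf3", 0),
    ("07", "INT 68h (V86 debugger interface) with AH=43h",
     rb"\xb4\x43.{0,8}?\xcd\x68", 0),
    ("11", "MeltICE: SoftICE device name passed to CreateFile/_lopen",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.IGNORECASE),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     rb"\x6a\x4f\x68\x2a\x00\x2a\x00", 0),
    ("13", "SoftICE registry key lookup",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion"
     rb"\\(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))", re.IGNORECASE),
]

# DOTALL so the '.' gaps between instructions also match a 0x0A byte.
_COMPILED = [(tag, desc, re.compile(pat, flags | re.DOTALL))
             for tag, desc, pat, flags in SIGNATURES]


def scan_anti_softice(buf: bytes) -> List[Dict[str, Any]]:
    """Return every signature hit in buf as a dict, ordered by file offset."""
    hits: List[Dict[str, Any]] = []
    for tag, desc, rx in _COMPILED:
        for m in rx.finditer(buf):
            hits.append({"offset": m.start(), "method": tag,
                         "description": desc, "bytes": m.group(0).hex()})
    hits.sort(key=lambda h: (h["offset"], h["method"]))
    return hits


def methods_found(buf: bytes) -> List[str]:
    """Distinct method tags hit, sorted: the one-line verdict for a triage report."""
    return sorted({h["method"] for h in scan_anti_softice(buf)})


# Constructed test image: the page's listings hand-assembled (16-bit encodings
# for the DOS fragments, 32-bit for the VxDCall one) with NOP padding.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"            # mov ebp, 4243484Bh ('BCHK')     Method 01
    + b"\x66\xb8\x04\x00\xcc"            # mov ax, 4 / int 3
    + b"\x3c\x04\x75\x10"                # cmp al, 4 / jnz SoftICE_Detected
    + b"\xb8\x11\x09"                    # mov ax, 0911h                    Method 02
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcc"    # mov si,4647h / mov di,4A4Dh / int 3
    + b"\xb8\x4f\x00\xcd\x41"            # mov ax,4Fh / int 41h             Method 05
    + b"\x3d\x86\xf3\x74\x05"            # cmp ax,0F386h / jz SoftICE_detected
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"    # push 4Fh / push 002A002Ah        Method 12
    + b"\x00\\\\.\\SICE\x00"             # "\\.\SICE" device name           Method 11
    + b"Software\\NuMega\\SoftICE\x00"   # registry key                     Method 13
)

if __name__ == "__main__":
    for hit in scan_anti_softice(SAMPLE_IMAGE):
        print(f"{hit['offset']:#06x}  method {hit['method']:<9} "
              f"{hit['description']}  [{hit['bytes']}]")
    print("methods:", ", ".join(methods_found(SAMPLE_IMAGE)))
```

Run as-is it scans the constructed image; `scan_anti_softice(open(path, "rb").read())` applies it to a real file. The int 41h and 0F386h patterns are short and will also hit legitimate debugger-aware code, so treat a single hit as a lead and several different methods in one file as the real signal.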