About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker request
    cmp     al,4                   ; AL still 4 -> nobody handled the INT 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 -> no such VxD loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; swap our own handler into the int 41h vector
    xchg    bx, es:[41h*4+2]     ; (ES is assumed to be 0, the IVT segment)
    mov     ax,4fh
    int     41h                  ; our handler just IRETs, so AX stays 4Fh...
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h           ; ...unless somebody else answered int 41h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]       ; swap our handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; hard-to-predict byte from the PIT counter port
    xor     cx,cx                ; CL = 0 before the call
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                ; CL != AL -> our handler never ran (int 41h was intercepted)
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

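Added example (not code from the original post): a decoder for the DR7 bit layout, so the two values quoted above (0x700 and 0x400) and any BPM left in DR0-DR3 can be read out field by field instead of compared as opaque constants. Bit positions follow the Intel SDM; the sample register values, and the helper names, are constructed for this example.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bit 8, 9   LE, GE           legacy "exact" breakpoint enables
#   bit 10     reserved, always reads as 1 (the 0x400 baseline quoted above)
#   bit 13     GD               general detect: #DB on any access to DR0-DR7
#   bits 16-31 R/W0,LEN0 .. R/W3,LEN3  break condition and size per slot
DR7_LE, DR7_GE, DR7_BIT10, DR7_GD = 1 << 8, 1 << 9, 1 << 10, 1 << 13
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int, drs=(0, 0, 0, 0)) -> dict:
    """Split DR7 into its fields; drs are the DR0..DR3 linear addresses."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # slot disabled, its DRn is irrelevant
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "address": drs[i],
                      "local": local, "global": glob,
                      "type": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {"breakpoints": slots,
            "le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD),
            "bit10_set": bool(dr7 & DR7_BIT10)}


def loader_flags_present(dr7: int) -> bool:
    """The page's observation: 0x700 under the SoftICE loader vs the 0x400
    reset value.  The only difference is LE|GE, so that is what is tested."""
    return (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE)


def describe(dr7: int, drs=(0, 0, 0, 0)) -> str:
    """Human-readable one-liner per register state (constructed helper)."""
    d = decode_dr7(dr7, drs)
    lines = [f"DR7={dr7:#x}: LE={int(d['le'])} GE={int(d['ge'])} GD={int(d['gd'])}"]
    for bp in d["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        lines.append(f"  DR{bp['slot']} {scope} {bp['type']} "
                     f"len={bp['length']} at {bp['address']:#010x}")
    return "\n".join(lines) if len(lines) > 1 else lines[0] + " (no hw breakpoints)"


# Constructed values: the two quoted on the page, plus one with a 4-byte
# read/write breakpoint armed in slot 0 (what a BPM would leave behind).
SAMPLES = [(0x400, (0, 0, 0, 0)),
           (0x700, (0, 0, 0, 0)),
           (0x400 | 0x1 | (3 << 16) | (3 << 18), (0x00401000, 0, 0, 0))]

if __name__ == "__main__":
    for dr7, drs in SAMPLES:
        print(describe(dr7, drs), "| loader flags:", loader_flags_present(dr7))
```

Reading the registers themselves still needs ring0 (MOV from DRn is privileged), as the text says; this block only interprets values obtained that way. Note that the GD bit is the mirror image of this trick: with GD set, any MOV to or from a debug register raises #DB before it completes, which is how a debugger can notice a program reading DR7.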
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the SICE device name only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 -> not opened
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>