About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to already point to segment 0 (the interrupt vector table),
    ; as done explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

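To make the two dr7 values above concrete, here is an added example (not part of the original post) that decodes the DR7 bit layout: the reset value 0x400 is just the reserved, always-set bit 10, while 0x700 additionally has the LE and GE (exact breakpoint enable) bits set, and an armed BPM shows up as an Ln/Gn enable bit plus the R/W and LEN fields for that slot. The field positions follow the Intel SDM; the sample values fed to it are constructed.

```python
# Added example: decode DR7 so the "dr7 = 0x700 vs 0x400" heuristic of
# Method 10 can be read bit by bit.  Sample values are constructed.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn encoding: 00=1, 01=2, 10=8, 11=4 bytes


def decode_dr7(dr7):
    """Return the global/local enable flags and the four breakpoint slots
    (R/W and LEN fields) encoded in a DR7 value."""
    info = {
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: trap on any DRn access
        "slots": [],
    }
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))        # Ln bit
        glob = bool(dr7 & (1 << (2 * n + 1)))     # Gn bit
        rw = (dr7 >> (16 + 4 * n)) & 0b11         # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 0b11         # LENn field
        info["slots"].append({
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return info


def active_breakpoints(dr7):
    """Indices (0-3) of the DRn slots that are armed in this DR7 value,
    i.e. what a 'memory breakpoint set' looks like from ring0."""
    return [n for n, s in enumerate(decode_dr7(dr7)["slots"]) if s["enabled"]]


def looks_like_debugger_loaded(dr7):
    """The heuristic Method 10 describes: 0x400 is the reset value (bit 10
    is reserved and always set); 0x700 additionally has LE and GE set.
    Any armed slot also counts."""
    d = decode_dr7(dr7)
    return d["LE"] or d["GE"] or bool(active_breakpoints(dr7))


if __name__ == "__main__":
    # 0xD0401 is a constructed value: DR0 locally enabled, write, 4 bytes.
    for value in (0x400, 0x700, 0x000D0401):
        print(hex(value), active_breakpoints(value), looks_like_debugger_loaded(value))
```

Reading DR7 needs ring0 (a `mov eax, dr7` from ring3 faults), which is why the text restricts the trick to ring0 code; the decoder itself only needs the value.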
__________________________________________________________________________
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

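The breakpoint conditions listed for each method are what you use with SoftICE attached; when triaging a sample statically, the same tricks can be found as byte signatures. The following is an added example (not part of the original post, and not a tool from any of the authors mentioned) that scans a raw code blob for the instruction sequences quoted in Methods 01 to 07, 11 and 12, in the spirit of a YARA rule. The byte encodings are derived from the instructions on the page (a 16-bit operand may carry a 0x66 prefix in 32-bit code, which the patterns allow, and a few bytes of slack are tolerated between instructions); the sample blob is constructed.

```python
# Added example: byte-signature scanner for the anti-SoftICE sequences
# described on this page.  Constructed sample input, Python 3 standard library only.
import re

# name -> regex over bytes.  '.' covers any byte once DOTALL is set.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh / mov ax,4 / int 3)":
        rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}\x66?\xB8\x04\x00.{0,8}(\xCC|\xCD\x03)",
    "M02 back door magic values (mov si,4647h / mov di,4A4Dh)":
        rb"\x66?\xBE\x47\x46.{0,8}\x66?\xBF\x4D\x4A",
    "M03/M04 int 2Fh/1684h VxD lookup (SICE 0202h or SIWVID 7A5Fh)":
        rb"\x66?\xB8\x84\x16.{0,8}\x66?\xBB(\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
    "M05 int 41h function 4Fh (mov ax,4Fh / int 41h)":
        rb"\x66?\xB8\x4F\x00.{0,8}\xCD\x41",
    "M07 int 68h function 43h (mov ah,43h / int 68h)":
        rb"\xB4\x43.{0,8}\xCD\x68",
    "M11 driver name (\\\\.\\SICE, \\\\.\\SIWVID, \\\\.\\NTICE)":
        rb"\\\\\.\\(SICE|SIWVID|NTICE)",
    "M12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)":
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
}

COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob):
    """Return a sorted list of (offset, signature_name) for every hit in blob."""
    hits = []
    for name, rx in COMPILED.items():
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a file on disk (a DOS .exe, a PE, a dump)."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: Method 01 check, padding, Method 05 check,
# a driver name string, and the Method 12 VxDCall stub.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh   ('BCHK')
    + b"\x66\xB8\x04\x00"                # mov ax, 4            (0x66 prefix, 32-bit code)
    + b"\xCC"                            # int 3
    + b"\x3C\x04\x75\x10"                # cmp al,4 / jnz ...
    + b"\x00" * 16
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3"                    # cmp ax, 0F386h
    + b"\\\\.\\SICE\x00"                 # the MeltICE device name
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The patterns are deliberately loose (optional prefix, up to 8 bytes of slack), so treat a hit as a place to look at in the disassembler rather than a verdict; Methods 08 to 10, 13 and 14 are not signatured here because their distinguishing part is a service call or registry path rather than a fixed byte sequence.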
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
Source forum: 汶上信息港 (Discuz! board)