About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with 'BCHK' in
EBP and AX=04h, an INT 3 is answered by SoftICE with AL=0. Without
SoftICE the default INT 3 handler simply returns and AL keeps its value of 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE clears AL if it is loaded
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). If the VxD is loaded, ES:DI receives the
address of its API entry point; if it is not, ES:DI is left at 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE video VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the "debugger installation check").
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). The idea is to install a dummy
int 41h handler in the interrupt vector table first, so that the call returns
harmlessly when no debugger has hooked the interrupt; a system debugger that
intercepts int 41h before the vector table still answers with 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler (offset)
    xchg    bx, es:[41h*4+2]        ; (segment); old vector now in dx:bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
dummy handler copies AL into CL. If our handler runs (no debugger), CL equals
AL afterwards; if SoftICE intercepts int 41h, our handler is never reached,
CL stays 0 and the comparison fails. (When the value read from port 40h
happens to be 0 the check misfires, a 1 in 256 chance.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from timer channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86). Function AH=43h is the
"debugger installation check" of int 68h and returns AX=0F386h when a system
debugger is loaded.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only: a MOV from DR0-DR7 raises #GP at any other privilege
level). Values can be manipulated and/or changed as well (clearing BPMs for
instance).
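The C program below is an added example, not part of the original text or of any SoftICE tool: it decodes a DR7 value the way a ring-0 check like the one above would, so that the 0x700 'loaded by the SoftICE loader' value can be told apart from the idle 0x400 and any armed DR0-DR3 breakpoints can be listed with their type and length. It assumes the DR7 bit layout documented in the Intel SDM (L/G enable bits 0-7, LE/GE bits 8-9, bit 10 always set, GD bit 13, R/W and LEN fields from bit 16); the function names and the sample values are the example's own.

```c
/* Added example: decode an x86 DR7 value as a ring-0 Method 10 check would.
 * DR7 layout (Intel SDM): bit 2i = Li, bit 2i+1 = Gi (i = 0..3),
 * bit 8 = LE, bit 9 = GE, bit 10 = always 1, bit 13 = GD,
 * bits 16+4i..17+4i = R/Wi, bits 18+4i..19+4i = LENi.
 * The sample values in main() are constructed for this example. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      enabled;   /* L or G bit set for this slot */
    int      global;    /* G bit set (survives task switches) */
    unsigned rw;        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;       /* breakpoint length in bytes (1, 2, 4 or 8) */
} DrSlot;

typedef struct {
    DrSlot slot[4];     /* DR0..DR3 */
    int    le, ge, gd;  /* local/global exact mode, general detect */
    int    active;      /* number of enabled slots */
} Dr7Info;

/* LEN encoding: 00 = 1 byte, 01 = 2 bytes, 11 = 4 bytes, 10 = 8 bytes (64-bit) */
static unsigned len_bytes(unsigned code)
{
    static const unsigned table[4] = { 1, 2, 8, 4 };
    return table[code & 3];
}

Dr7Info decode_dr7(uint32_t dr7)
{
    Dr7Info info = {0};
    for (int i = 0; i < 4; i++) {
        unsigned l = (dr7 >> (2 * i)) & 1;
        unsigned g = (dr7 >> (2 * i + 1)) & 1;
        info.slot[i].enabled = (l | g) != 0;
        info.slot[i].global  = g != 0;
        info.slot[i].rw      = (dr7 >> (16 + 4 * i)) & 3;
        info.slot[i].len     = len_bytes((dr7 >> (18 + 4 * i)) & 3);
        info.active         += info.slot[i].enabled;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* The article's loader signature: 0x700 = LE|GE|bit10, versus the idle 0x400. */
int dr7_exact_mode(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Number of BPM-style breakpoints armed in DR0..DR3. */
int dr7_breakpoint_count(uint32_t dr7)
{
    return decode_dr7(dr7).active;
}

static void report(uint32_t dr7)
{
    static const char *rw_name[4] = { "exec", "write", "io", "read/write" };
    Dr7Info info = decode_dr7(dr7);
    printf("DR7=%08x exact-mode(LE|GE)=%d GD=%d armed=%d\n",
           dr7, dr7_exact_mode(dr7), info.gd, info.active);
    for (int i = 0; i < 4; i++)
        if (info.slot[i].enabled)
            printf("  DR%d: %s, %u byte(s), %s\n", i, rw_name[info.slot[i].rw],
                   info.slot[i].len, info.slot[i].global ? "global" : "local");
}

int main(void)
{
    /* Constructed samples: the article's 0x400 and 0x700, and 0x700 plus a
     * local 4-byte write breakpoint armed in DR0 (what a BPM ... W sets). */
    report(0x00000400u);
    report(0x00000700u);
    report(0x000D0701u);
    /* Reading DR0-DR7 needs ring 0: at CPL>0 the MOV from a debug register
     * raises #GP, which is why the text says "in ring0 only". */
    return 0;
}
```

The decoder only interprets a value you already hold; obtaining it still requires ring-0 code (a VxD or driver), exactly as the text says.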

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the device opened: the VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of 'tICE'
in the subkey strings of #2 and #1 respectively.)
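The scanner below is an added example written for this page, not code from the original text or from any of the tools it names. It is the "detect the detector" side of methods 01 to 07, 11, 12 and 13: run over a binary you are about to debug, it reports which of the traces those tricks leave behind are present, so you know which of the breakpoints listed above to set. The byte patterns are the usual 16-bit encodings of the instructions shown in this text (they also match 32-bit code, where an operand-size prefix simply precedes them); the pattern table, the function names and the sample buffer are the example's own, and the sample is constructed by hand rather than taken from a real file.

```c
/* Added example: flag the byte-level traces left by the anti-SoftICE tricks
 * described in methods 01-07, 11, 12 and 13 of this text. Patterns are the
 * 16-bit encodings of the listed instructions; strings are the device and
 * registry names. The sample at the bottom is constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *method;   /* method number in this text */
    const char    *what;
    const uint8_t *pat;
    size_t         len;
} Signature;

static const uint8_t s_bchk[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };        /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t s_si_fg[]  = { 0xBE, 0x47, 0x46 };                    /* mov si,4647h ('FG') */
static const uint8_t s_di_jm[]  = { 0xBF, 0x4D, 0x4A };                    /* mov di,4A4Dh ('JM') */
static const uint8_t s_sice[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02 };  /* mov ax,1684h / mov bx,0202h */
static const uint8_t s_siwvid[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A };  /* mov ax,1684h / mov bx,7A5Fh */
static const uint8_t s_int41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };        /* mov ax,4Fh / int 41h */
static const uint8_t s_int68[]  = { 0xB4, 0x43, 0xCD, 0x68 };              /* mov ah,43h / int 68h */
static const uint8_t s_f386[]   = { 0x3D, 0x86, 0xF3 };                    /* cmp ax,0F386h */
static const uint8_t s_vwin32[] = { 0x68, 0x2A, 0x00, 0x2A, 0x00 };        /* push 002A002Ah */

#define BYTES(m, w, a) { m, w, a, sizeof(a) }
#define TEXT(m, w, s)  { m, w, (const uint8_t *)(s), sizeof(s) - 1 }

static const Signature kSigs[] = {
    BYTES("01", "BoundsChecker probe: mov ebp,'BCHK'",       s_bchk),
    BYTES("02", "back door magic: mov si,'FG'",              s_si_fg),
    BYTES("02", "back door magic: mov di,'JM'",              s_di_jm),
    BYTES("03", "int 2Fh/1684h with SICE VxD ID 0202h",      s_sice),
    BYTES("04", "int 2Fh/1684h with SIWVID VxD ID 7A5Fh",    s_siwvid),
    BYTES("05", "int 41h function 4Fh",                      s_int41),
    BYTES("07", "int 68h function 43h",                      s_int68),
    BYTES("05/07/12", "compare with magic 0F386h",           s_f386),
    BYTES("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah)",  s_vwin32),
    TEXT ("11", "device name \\\\.\\SICE",                   "\\\\.\\SICE"),
    TEXT ("11", "device name \\\\.\\SIWVID",                 "\\\\.\\SIWVID"),
    TEXT ("11", "device name \\\\.\\NTICE",                  "\\\\.\\NTICE"),
    TEXT ("13", "registry key Software\\NuMega\\SoftICE",    "Software\\NuMega\\SoftICE"),
};
#define NSIGS (sizeof kSigs / sizeof kSigs[0])

/* Naive search; returns 1 and the offset of the first occurrence of pat. */
static int find_bytes(const uint8_t *buf, size_t n,
                      const uint8_t *pat, size_t plen, size_t *at)
{
    if (plen == 0 || plen > n) return 0;
    for (size_t i = 0; i + plen <= n; i++)
        if (memcmp(buf + i, pat, plen) == 0) { *at = i; return 1; }
    return 0;
}

/* Bit i of the result is set when kSigs[i] occurs somewhere in buf. */
uint32_t softice_check_mask(const uint8_t *buf, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        size_t at;
        if (find_bytes(buf, n, kSigs[i].pat, kSigs[i].len, &at))
            mask |= 1u << i;
    }
    return mask;
}

/* Prints every hit with its offset and returns the number of hits. */
int scan_for_softice_checks(const uint8_t *buf, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < NSIGS; i++) {
        size_t at;
        if (find_bytes(buf, n, kSigs[i].pat, kSigs[i].len, &at)) {
            printf("  +%04zx  method %-8s %s\n", at, kSigs[i].method, kSigs[i].what);
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: a Method 02 back door call like the Haspinst listing,
 * a Method 05 int 41h/4Fh probe and a MeltICE device name. Not a real file. */
const uint8_t kSample[] = {
    0xB8, 0x11, 0x09,               /* mov ax,0911h */
    0x8B, 0x17,                     /* mov dx,[bx] */
    0xBE, 0x47, 0x46,               /* mov si,4647h */
    0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh */
    0xCC,                           /* int 3 */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,   /* mov ax,4Fh / int 41h */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h */
    0x74, 0x02,                     /* jz SoftICE_detected */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0
};
const size_t kSampleLen = sizeof kSample;

int main(void)
{
    printf("scanning %zu constructed bytes:\n", kSampleLen);
    int hits = scan_for_softice_checks(kSample, kSampleLen);
    printf("%d anti-SoftICE trace(s), mask %#x\n", hits, softice_check_mask(kSample, kSampleLen));
    return 0;
}
```

To use it on a real file, read the file into a buffer and pass it to scan_for_softice_checks; packed or encrypted sections will hide the patterns until the code is dumped from memory, so a clean scan of the file on disk proves nothing.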

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set = no debugger installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>