About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0, so that es:[41h*4] addresses the IVT entry of int 41h
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; our handler simply copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                  ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]         ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; AL = unpredictable timer value
    xor     cx,cx
    int     41h                    ; if SoftICE owns int 41h, our handler never runs
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
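The two DR7 values quoted above follow from the documented IA-32 DR7 layout: bit 10 always reads as 1 (hence the 0x400 baseline), bits 8 and 9 are the LE and GE flags (hence 0x700), and the low byte plus bits 16-31 describe the dr0..dr3 slots a BPM occupies. The decoder below is an added example, not code from the original text; the sample value with one global 4-byte read/write breakpoint is constructed.

```python
"""Decoder for the DR7 values cited in Method 10 (0x700 vs 0x400).

Added example, not code from the original text. The field layout is the
documented IA-32 DR7 format; the sample value with one memory breakpoint
is constructed for the demo.
"""

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "I/O read/write", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 8 is valid in 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and the per-slot settings of dr0..dr3."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)        # L0..L3: bits 0,2,4,6
        glob = bool((dr7 >> (2 * i + 1)) & 1)     # G0..G3: bits 1,3,5,7
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 0b11     # R/Wn: which access triggers it
            ln = (dr7 >> (18 + 4 * i)) & 0b11     # LENn: size of the watched range
            slots.append({"slot": i, "local": local, "global": glob,
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "LE": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),              # general detect: trap on any MOV DRn
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1
        "breakpoints": slots,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The Method 10 heuristic: LE and GE both set (0x700) versus the 0x400 baseline."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"]


# Constructed: baseline 0x700 plus a global 4-byte read/write breakpoint in dr0
# (G0 = bit 1, R/W0 = 11b at bits 16-17, LEN0 = 11b at bits 18-19).
SAMPLE_DR7_WITH_BPM = 0x700 | 0x2 | (0b11 << 16) | (0b11 << 18)   # 0x000F0702

if __name__ == "__main__":
    for value in (0x400, 0x700, SAMPLE_DR7_WITH_BPM):
        print(f"dr7={value:#010x}: {decode_dr7(value)}")
```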

___________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

___________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>