About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the code
identifies itself with the 'BCHK' signature and checks whether SoftICE
answered the request.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker request
    cmp     al,4                   ; al stays 4 if nobody handled the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* The "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device API Entry Point").

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h       ; Get Device API Entry Point
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a debugger hooking int 41h still answers
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al if our handler was not reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
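The DR7 values quoted above (0x700 under the SoftICE loader, 0x400 otherwise) are easier to reason about once the register is decoded field by field. The following Python decoder is an added example, not code from the original post: the bit layout is the documented x86 one, the function and field names are mine, and the third sample value (0x00010001) is constructed to show what an enabled memory breakpoint in dr0 looks like.

```python
"""Decode an x86 DR7 debug-control register value.

Added example, not code from the original post. The bit layout is the
documented x86 one; the function and field names are mine. The post's own
sample values are 0x700 (process started with the SoftICE loader) and 0x400.
"""

# R/W field (two bits per breakpoint, bits 16-31): what kind of access breaks.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field: monitored width in bytes (0b10 means 8 bytes only in 64-bit mode).
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def decode_dr7(dr7: int) -> dict:
    """Return a dict describing the enable flags and per-breakpoint settings of DR7."""
    breakpoints = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln: task-local enable
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn: global enable
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        breakpoints.append({
            "index": n,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "condition": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "raw": dr7,
        "local_exact": bool((dr7 >> 8) & 1),      # LE, bit 8
        "global_exact": bool((dr7 >> 9) & 1),     # GE, bit 9
        "general_detect": bool((dr7 >> 13) & 1),  # GD: #DB on any DRx access
        "enabled_count": sum(1 for bp in breakpoints if bp["enabled"]),
        "breakpoints": breakpoints,
    }


def matches_softice_loader(dr7: int) -> bool:
    """The post's heuristic: the SoftICE loader leaves LE and GE set (0x700),
    a normal start does not (0x400)."""
    info = decode_dr7(dr7)
    return info["local_exact"] and info["global_exact"]


def active_memory_breakpoints(dr7: int) -> list:
    """Indices of dr0-dr3 that DR7 currently enables (what a BPM sets)."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


if __name__ == "__main__":
    # 0x00010001 is a constructed value: L0 set, R/W0 = write, LEN0 = 1 byte.
    for value in (0x700, 0x400, 0x00010001):
        info = decode_dr7(value)
        print(f"dr7={value:#010x} LE={info['local_exact']} GE={info['global_exact']} "
              f"enabled={active_memory_breakpoints(value)}")
```

Reading DR0-DR7 requires ring 0, as the post says. The decoder also reports the GD (general detect) bit: when a debugger sets it, any instruction that accesses a debug register raises a debug exception, which is how a debugger can notice this trick being used against it.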

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* The device name "\\.\SICE" only opens when the SoftICE VxD is loaded. */
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (failure) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set means no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>