About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE: with ebp='BCHK' and
ax=4 this is BoundsChecker's int 3 interface, which SoftICE answers by
changing al. If al is still 4 afterwards, nobody answered.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give infos on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point). ES:DI stays 0000:0000 when no VxD answers to the ID:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

3 m# ]2 I0 l" d/ ?1 ^* yMethod 04/ K  p' {; \3 d+ }
=========( D* k4 V4 x1 K' j, S

! j0 N) p4 D$ r! {' ~Method identical to the preceding one except that it seeks the ID of SoftICE7 [- g) N7 ^$ v7 b0 x
GFX VxD.- K1 z1 J/ s+ Z3 q" f' |6 o

% w4 G* v* [  c. U# q    xor     di,di
- i. f: \7 g- e! Q6 L0 E; l, o    mov     es,di
" q. f6 a8 h% G! [; r    mov     ax, 1684h      
1 _, x' P) C4 u6 \* s! r    mov     bx, 7a5Fh       ; VxD ID of SIWVID3 n% {) K" ?+ U9 c. O
    int     2fh
4 U* z/ P" h3 Q    mov     ax, es          ; ES:DI -&gt; VxD API entry point  u$ k$ v7 ?& I: e6 Q  p8 o9 M& @) r
    add     ax, di4 a1 A4 d/ `- B7 z0 X' l
    test    ax,ax
& g& U. Z5 D6 P+ B  e' N    jnz     SoftICE_Detected- w9 Z5 U0 o3 o. D5 M6 z% K
' s: P- Y# ~* p( ^
__________________________________________________________________________
: r7 E1 ~2 C5 n- ?+ G+ v6 O' Y# o' \* v) u7 B) @
- m4 j3 F6 h* g
Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one first points the int 41h
vector at its own do-nothing handler, so that ax can only come back as
0F386h if a ring-0 debugger intercepts the interrupt before the vector
table is consulted:

    xor     ax,ax
    mov     es,ax           ; es = 0, the interrupt vector table (assumed, as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install own handler, keep the old offset in dx
    xchg    bx, es:[41h*4+2]; ... and the old segment in bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there
is no ax=4Fh call and no compare against 0F386h to put a breakpoint on. The
program reads an unpredictable byte from the timer port (in al,40h), zeroes
cx, calls int 41h and expects its own handler to copy al into cl. If SoftICE
intercepts int 41h, the handler is never reached, cl stays 0 and the compare
fails (unless the timer byte happens to be 0).

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0, the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install own handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer counter byte: unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds must hold its segment
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only, since mov eax,drN needs CPL 0). Values can be
manipulated and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________

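What a ring-0 check of Method 10 actually sees, as an added example that is not part of the original text: a Python decoder for DR7 using the documented bit layout (L0..G3 enable bits, LE/GE, GD, and the R/W and LEN fields of DR0-DR3). The two DR7 values 0x700 and 0x400 are the ones the text quotes; they differ only in bits 8 and 9 (LE and GE), bit 10 being the always-set reserved bit. Every other register value below is constructed.

```python
# Added example for this page, not code from the original article.
# DR7 layout (Intel SDM): bits 0-7 = L0,G0,...,L3,G3 enable bits; bit 8 = LE;
# bit 9 = GE; bit 10 = reserved, always 1; bit 13 = GD; bits 16+4i,17+4i = R/W
# field of DRi; bits 18+4i,19+4i = LEN field of DRi.
RW_KIND = {0: "execute", 1: "write", 2: "I/O", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # LEN=2 is 8 bytes only in 64-bit mode
RESERVED_BIT = 1 << 10


def decode_dr7(dr7, dr0_3=(0, 0, 0, 0)):
    """Return the breakpoints armed in DR7 plus the debugger-related flags."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # DRi not enabled: its fields are ignored
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "reg": "DR%d" % i,
            "addr": dr0_3[i],
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": breakpoints,
    }


def debugger_suspected(dr7, dr0_3=(0, 0, 0, 0)):
    """The Method 10 decision: anything beyond the bare reserved bit is suspicious."""
    d = decode_dr7(dr7, dr0_3)
    return d["LE"] or d["GE"] or d["GD"] or bool(d["breakpoints"])


def clear_bpms(dr7):
    """What 'clearing BPMs' amounts to: drop the enable bits and the R/W and LEN
    fields, keep the reserved bit and the LE/GE/GD flags."""
    return (dr7 & 0x0000FF00) | RESERVED_BIT


def main():
    # Constructed values: a SoftICE-style BPM (4-byte read/write on DR0) plus a
    # global execute breakpoint on DR1, in a DR7 that also carries LE and GE.
    dr0_3 = (0x00401000, 0x00401234, 0, 0)
    armed = 0x700 | 0x1 | (3 << 16) | (3 << 18) | (1 << 3)     # 0xF0709
    for value in (0x400, 0x700, armed):
        info = decode_dr7(value, dr0_3)
        print("dr7=%#x LE=%s GE=%s suspected=%s"
              % (value, info["LE"], info["GE"], debugger_suspected(value, dr0_3)))
        for bp in info["breakpoints"]:
            print("  %s at %#010x: %s, %d byte(s), %s"
                  % (bp["reg"], bp["addr"], bp["kind"], bp["length"], bp["scope"]))
    print("after clearing BPMs: dr7=%#x" % clear_bpms(armed))


if __name__ == "__main__":
    main()
```

The decoder ignores the R/W and LEN fields of a slot whose enable bits are clear, which is exactly why reading DR0-DR3 alone tells you nothing: a stale address stays in DR0 after a BPM is cleared, and only the enable bit in DR7 makes it live.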
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F
(_VWIN32_ReleaseWin32Mutex, via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is (esp->4 is the lpFileName argument, +4 skips
 the "\\.\" prefix):
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


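Methods 01-05, 07 and 12 above each leave a recognizable instruction sequence in the protected program, and Methods 02, 11 and 13 leave recognizable strings (the HBOOT command, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, the SoftICE registry keys). The following scanner, an added example that is not part of the original text, looks for all of them in a raw file image. The opcode patterns are the x86 encodings of the instructions quoted in those methods; the sample buffers are constructed (the Haspinst loop assembled byte for byte, a MeltICE-style fragment, a Bleem-style VxDCall check, three of the DOS checks), and the call targets inside them are placeholders, not real addresses.

```python
# Added example for this page, not code from the original article or from any
# of the programs it names.  Gaps (.{0,n}?) allow a few unrelated bytes between
# the key instructions, e.g. Stone's xchg pairs around int 41h in Method 05.
import re

OPCODE_SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; mov ax,4 ; int 3
    # (the 66h prefix is present in 16-bit code and absent in 32-bit code)
    ("Method 01: BoundsChecker int 3 (ebp='BCHK', ax=4)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,4}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (16-bit or 32-bit immediates)
    ("Method 02: SoftICE back door int 3 (si=4647h, di=4A4Dh)",
     re.compile(rb"\xBE\x47\x46(?:\x00\x00)?.{0,8}?\xBF\x4D\x4A(?:\x00\x00)?.{0,8}?\xCC",
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("Method 03: int 2Fh/1684h for VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x02\x02.{0,6}?\xCD\x2F", re.DOTALL)),
    ("Method 04: int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,6}?\xBB\x5F\x7A.{0,6}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("Method 05: int 41h/4Fh compared with magic F386h",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("Method 07: int 68h/43h compared with magic F386h",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("Method 12: VxDCall 002A002Ah with int 41h function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]

STRING_SIGNATURES = [
    (b"\\\\.\\SICE",   "Method 11: device name \\\\.\\SICE (MeltICE)"),
    (b"\\\\.\\SIWVID", "Method 11: device name \\\\.\\SIWVID (MeltICE)"),
    (b"\\\\.\\NTICE",  "Method 11: device name \\\\.\\NTICE (MeltICE)"),
    (b"Software\\NuMega\\SoftICE", "Method 13: registry key Software\\NuMega\\SoftICE"),
    (b"Uninstall\\SoftICE", "Method 13: registry key ...\\Uninstall\\SoftICE"),
    (b"HBOOT", "Method 02: HBOOT command string for the back door"),
]


def scan(blob):
    """Return [(offset, label), ...] sorted by offset, one entry per hit."""
    hits = []
    for label, rx in OPCODE_SIGNATURES:
        hits.extend((m.start(), label) for m in rx.finditer(blob))
    for needle, label in STRING_SIGNATURES:
        pos = blob.find(needle)
        while pos >= 0:
            hits.append((pos, label))
            pos = blob.find(needle, pos + 1)
    return sorted(hits)


# Constructed sample: the Haspinst.exe loop from Method 02, assembled byte for
# byte, followed by the six command strings it feeds to the back door.
HASP_LOOP = bytes.fromhex(
    "B81109"    # mov ax,0911h
    "8B17"      # mov dx,[bx]
    "BE4746"    # mov si,4647h
    "BF4D4A"    # mov di,4A4Dh
    "CC"        # int 3
    "83C302"    # add bx,2
    "41"        # inc cx
    "83F906"    # cmp cx,6
    "72EB"      # jb 0095h
    "E955FF"    # jmp 0002h
    "8BDC"      # mov bx,sp
) + b"LDT\0IDT\0GDT\0TSS\0RS\0HBOOT\0"

# Constructed sample: the MeltICE fragment from Method 11 (32-bit code) plus the
# device names it pushes; the call target is a placeholder.
MELTICE = bytes.fromhex(
    "6825204000"    # push 00402025h
    "E800000000"    # call CreateFileA (placeholder rel32)
    "83F8FF"        # cmp eax,-1
    "741B"          # je 00401091h
) + b"\\\\.\\SICE\0\\\\.\\SIWVID\0"

# Constructed sample: the Bleem-style VxDCall check from Method 12.
BLEEM = bytes.fromhex(
    "6A4F"          # push 4Fh
    "682A002A00"    # push 002A002Ah
    "FF1500000000"  # call dword ptr [Kernel32!ORD_0001] (placeholder address)
    "663D86F3"      # cmp ax,0F386h
    "7400"          # jz SoftICE_detected
)

# Constructed sample: three of the 16-bit DOS checks back to back (05, 07, 03).
DOS_CHECKS = bytes.fromhex(
    "B84F00" "CD41" "3D86F3" "7400"             # Method 05, simplest form
    "B443" "CD68" "3D86F3" "7400"               # Method 07
    "33FF" "8EC7" "B88416" "BB0202" "CD2F"      # Method 03
)

CLEAN = b"\x90" * 16 + b"no debugger checks here"

if __name__ == "__main__":
    for name, blob in (("hasp", HASP_LOOP), ("meltice", MELTICE),
                       ("bleem", BLEEM), ("dos", DOS_CHECKS), ("clean", CLEAN)):
        hits = scan(blob)
        print("%s: %d hit(s)" % (name, len(hits)))
        for off, label in hits:
            print("  +%#06x  %s" % (off, label))
```

Run it over a whole executable with `scan(open(path, "rb").read())`. A hit is a lead, not proof: `mov ax,4Fh` or the string HBOOT can occur legitimately, and the wide-string (CreateFileW) form of the device names and Method 06, which has no fixed constants at all, are not covered.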
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>