About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements on int 3:
with EBP holding the 'BCHK' signature and AX=04h, a loaded SoftICE handles
the int 3 itself and changes AL, so AL still equals 4 afterwards only when
no SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE recognises the BCHK signature
    cmp     al,4                   ; AL untouched -> nobody handled the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door commands' on int 3, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD by its ID via int 2Fh/1684h
(Get Device API Entry Point).  If the VxD is loaded, ES:DI comes back
non-zero; otherwise it stays 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  A dummy int 41h handler is installed in
the interrupt vector table first, so that with no debugger the call is
guaranteed to return with AX unchanged (still 4Fh) instead of whatever a
stale vector does, while SoftICE still answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; leaves AX as it was
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: instead
of checking the returned magic value, it checks whether its own int 41h
handler ran at all.  The handler copies AL into CL; AL is loaded with a
changing value read from timer port 40h and CX is cleared before the call, so
CL == AL afterwards only if the program's handler was reached.  If the
interrupt was taken by SoftICE instead, CL stays 0.

int41handler PROC
    mov     cl,al                   ; proof that this handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed.

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds when the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 -> open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of "tICE"
inside "Software\NuMega\SoftICE" and
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE" respectively.)

__________________________________________________________________________
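As an added example (not part of the original text, nor code from SoftICE, MeltICE or any program named above), the scanner below turns the instruction encodings quoted in Methods 01 to 05, 07, 11, 12 and 13 into static signatures a reverser can run over a file image: the immediates 'BCHK', 4647h/4A4Dh, 0202h/7A5Fh before int 2Fh, int 41h followed by cmp ax,0F386h, push 002A002Ah, the \\.\SICE-style device names and the registry key fragments. The signature names, the helper functions and the sample byte buffer are my own, and the buffer is constructed for the demo rather than taken from Haspinst.exe or any other binary.

```c
/* Static signature scanner for the anti-SoftICE tricks listed above.
 * Added example (not from the original article).  Each signature is the raw
 * x86 encoding of the instructions quoted in the text, or one of the device /
 * registry strings; 'b' must follow 'a' within 'window' bytes (blen 0 = none).
 * The sample buffer is constructed for the demo, not taken from any binary. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char    *name;
    const uint8_t *a;  size_t alen;   /* leading pattern */
    const uint8_t *b;  size_t blen;   /* trailing pattern (optional) */
    size_t         window;            /* max gap between a and b, in bytes */
} sig_t;

typedef struct { const char *name; size_t offset; } hit_t;

#define S(str) (const uint8_t *)(str), sizeof(str) - 1
#define NONE   (const uint8_t *)0, 0

static const sig_t sigs[] = {
    /* Method 01: immediate of mov ebp,04243484Bh ('BCHK') ... int 3 */
    { "Method 01 int 3/BCHK",         S("\x4B\x48\x43\x42"),     S("\xCC"),         8 },
    /* Method 02: mov si,4647h ... mov di,4A4Dh (SoftICE back door magic) */
    { "Method 02 int 3 back door",    S("\xBE\x47\x46"),         S("\xBF\x4D\x4A"), 8 },
    /* Methods 03/04: mov bx,0202h / mov bx,7A5Fh ... int 2Fh */
    { "Method 03 int 2F/1684 WINICE", S("\xBB\x02\x02"),         S("\xCD\x2F"),     8 },
    { "Method 04 int 2F/1684 SIWVID", S("\xBB\x5F\x7A"),         S("\xCD\x2F"),     8 },
    /* Method 05: int 41h ... cmp ax,0F386h */
    { "Method 05 int 41/4F",          S("\xCD\x41"),             S("\x3D\x86\xF3"), 16 },
    /* Method 07: mov ah,43h ... int 68h */
    { "Method 07 int 68/43",          S("\xB4\x43"),             S("\xCD\x68"),     4 },
    /* Method 12: push 002A002Ah (VWIN32_Int41Dispatch via VxDCall) */
    { "Method 12 VxDCall 002A002A",   S("\x68\x2A\x00\x2A\x00"), NONE,              0 },
    /* Method 11: MeltICE device names */
    { "Method 11 \\\\.\\SICE",        S("\\\\.\\SICE"),          NONE,              0 },
    { "Method 11 \\\\.\\SIWVID",      S("\\\\.\\SIWVID"),        NONE,              0 },
    { "Method 11 \\\\.\\NTICE",       S("\\\\.\\NTICE"),         NONE,              0 },
    /* Method 13: registry key fragments */
    { "Method 13 registry NuMega",    S("NuMega\\SoftICE"),      NONE,              0 },
    { "Method 13 registry Uninstall", S("Uninstall\\SoftICE"),   NONE,              0 },
    { "Method 13 registry Loader32",  S("Loader32.Exe"),         NONE,              0 },
};

static int match_at(const uint8_t *buf, size_t n, size_t pos,
                    const uint8_t *p, size_t plen)
{
    return pos + plen <= n && memcmp(buf + pos, p, plen) == 0;
}

/* Scans buf[0..n) against every signature.  Writes up to max hits to out
 * and returns the total number of hits found. */
size_t scan_antisice(const uint8_t *buf, size_t n, hit_t *out, size_t max)
{
    size_t hits = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        const sig_t *sg = &sigs[s];
        for (size_t i = 0; i + sg->alen <= n; i++) {
            if (!match_at(buf, n, i, sg->a, sg->alen)) continue;
            int ok = (sg->blen == 0);             /* single-part signature */
            size_t start = i + sg->alen, end = start + sg->window;
            for (size_t j = start; !ok && j <= end && j < n; j++)
                ok = match_at(buf, n, j, sg->b, sg->blen);
            if (!ok) continue;
            if (hits < max) { out[hits].name = sg->name; out[hits].offset = i; }
            hits++;
        }
    }
    return hits;
}

/* Constructed sample: the Haspinst-style int 3 loop, a 32-bit BCHK probe,
 * an int 2Fh/1684h probe for VxD 0202h, a VxDCall 002A002Ah and one MeltICE
 * device name, laid out as they would sit in a scanned executable. */
static const uint8_t sample[] = {
    0xB8,0x11,0x09,               /* mov ax,0911h              (Method 02) */
    0x8B,0x17,                    /* mov dx,[bx]                           */
    0xBE,0x47,0x46,               /* mov si,4647h                          */
    0xBF,0x4D,0x4A,               /* mov di,4A4Dh                          */
    0xCC,                         /* int 3                                 */
    0xBD,0x4B,0x48,0x43,0x42,     /* mov ebp,04243484Bh 'BCHK' (Method 01) */
    0x66,0xB8,0x04,0x00,          /* mov ax,4  (32-bit code)               */
    0xCC,                         /* int 3                                 */
    0x3C,0x04,                    /* cmp al,4                              */
    0x33,0xFF, 0x8E,0xC7,         /* xor di,di / mov es,di     (Method 03) */
    0xB8,0x84,0x16,               /* mov ax,1684h                          */
    0xBB,0x02,0x02,               /* mov bx,0202h                          */
    0xCD,0x2F,                    /* int 2Fh                               */
    0x6A,0x4F,                    /* push 4Fh                  (Method 12) */
    0x68,0x2A,0x00,0x2A,0x00,     /* push 002A002Ah                        */
    '\\','\\','.','\\','S','I','C','E',0,          /*          (Method 11) */
};

static hit_t sample_hits[16];

/* Number of signatures matched in the constructed sample (fills sample_hits). */
size_t sample_hit_count(void)
{
    return scan_antisice(sample, sizeof sample, sample_hits,
                         sizeof sample_hits / sizeof sample_hits[0]);
}
const char *sample_hit_name(size_t i)   { sample_hit_count(); return sample_hits[i].name; }
size_t      sample_hit_offset(size_t i) { sample_hit_count(); return sample_hits[i].offset; }

int main(void)
{
    size_t n = sample_hit_count();
    for (size_t i = 0; i < n; i++)
        printf("%-32s at offset %zu\n", sample_hits[i].name, sample_hits[i].offset);
    return 0;
}
```

The two-part signatures deliberately allow a gap, since the same trick is emitted differently in 16-bit and 32-bit code (the BCHK probe has a 66h prefix on mov ax,4 in a 32-bit segment), and the Method 05 pattern anchors on int 41h rather than on mov ax,4Fh so it also catches Stone's variants that load AX before swapping the vector. Over the sample the scanner reports five hits: Method 02 at offset 5, Method 01 at 13, Method 03 at 31, Method 12 at 38 and the \\.\SICE name at 43, and nothing for the SIWVID, NTICE, int 68h or registry signatures, which are absent from the buffer.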


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>