About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is still 4 if nobody handled the 'BCHK' request
    jnz     SoftICE_Detected

____________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI is left at 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es is assumed to be 0 here (see method 06)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a system debugger answers before our dummy handler
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                ; our handler records the al it was called with
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                ; es = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]       ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; timer channel 0: a different al on every run
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]       ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                ; cl == al only if our handler really ran
    jnz     SoftICE_detected


_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========


It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -&gt; new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
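As an added illustration (not part of the original write-up), the Python below decodes a DR7 value into the fields this method relies on, so an analyst who meets a ring0 read of dr7 in protected code can see what it is fingerprinting. The bit layout is the architectural one for the x86 debug-control register; the values 0x700 and 0x400 are the ones quoted in the text, and 0x000F0701 is a constructed value with one memory breakpoint armed.

```python
"""Decode DR7 the way the ring0 check of method 10 reads it.

Added example, not part of the original write-up.  The bit layout is the
architectural one for the x86 debug-control register; 0x700 and 0x400 are
the values quoted in the text, 0x000F0701 is a constructed value with one
memory breakpoint armed.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into per-breakpoint fields plus the LE/GE/GD control bits."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # Ln: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * i + 1)) & 1       # Gn: bits 1, 3, 5, 7
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: bits 16-17, 20-21, ...
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: bits 18-19, 22-23, ...
        breakpoints.append({
            "index": i,
            "enabled": bool(local or glob),
            "local": bool(local),
            "global": bool(glob),
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 & (1 << 8)),               # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally reads as 1
        "GD": bool(dr7 & (1 << 13)),              # general detect: traps DRn access
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """The page's fingerprint: the SoftICE loader leaves LE and GE set (0x700);
    a program started normally only shows the reserved bit (0x400)."""
    fields = decode_dr7(dr7)
    return fields["LE"] and fields["GE"]


def armed_breakpoints(dr7: int) -> list:
    """Indices of DR0..DR3 with a local or global enable bit set
    (what the text calls 'memory breakpoints set')."""
    return [bp["index"] for bp in decode_dr7(dr7)["breakpoints"] if bp["enabled"]]


if __name__ == "__main__":
    for value in (0x400, 0x700, 0x000F0701):   # last one is constructed
        f = decode_dr7(value)
        bp0 = f["breakpoints"][0]
        print(f"dr7={value:#010x} loader={looks_like_softice_loader(value)} "
              f"armed={armed_breakpoints(value)} bp0={bp0['type']}/{bp0['length']}B")
```

Bit 10 is reserved and reads as 1 on every CPU, which is why the "not loaded" value the text gives is 0x400 rather than 0; the LE/GE pair is only a fingerprint of how the SoftICE loader starts a program, not a general debugger-present flag.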

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the device name of the SoftICE VxD: the driver only answers
      the open request when it is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
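The tricks of methods 01 to 07, 11 and 12 all pivot on fixed immediates (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 1684h request with the 0202h/7A5Fh VxD IDs, the 0F386h answer, the 002A002Ah VxDCall selector) or on the driver device names, so an analyst can also spot them statically in a sample instead of waiting for a breakpoint to fire. The following Python scanner is an added example, not part of the original text: each byte pattern is my encoding of the corresponding listing above (16-bit operand size for the DOS tricks, 32-bit for method 01), the gaps allowed between instructions are my assumption, and the sample buffer at the bottom is constructed.

```python
"""Static scanner for the anti-SoftICE patterns listed in this write-up.

Added example, not part of the original text.  Each signature is my
machine-code encoding of a listing above (16-bit operand size for the DOS
tricks, 32-bit for method 01); the gaps allowed between instructions are
an assumption, and SAMPLE is a constructed buffer, not a real program.
"""
import re
import sys

# (method label, compiled byte pattern)
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh in either order
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"
                rb"|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ... int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE or SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh, magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41.{0,16}?\x3D\x86\xF3", re.DOTALL)),
    # Method 06: in al,40h ... int 41h
    ("06 int 41h with timer value in al",
     re.compile(rb"\xE4\x40.{0,6}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h ... cmp ax,0F386h
    ("07 int 68h/43h, magic 0F386h",
     re.compile(rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3", re.DOTALL)),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch (push 4Fh / push 2A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11 (MeltICE): driver device names handed to CreateFileA/_lopen
    ("11 MeltICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(buf: bytes) -> list:
    """Return (offset, label) pairs for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan a file on disk (DOS .exe/.com or a Win9x PE image)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample: NOP filler with four of the page's tricks spliced in.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh   (method 01, offset 8)
    + b"\x66\xB8\x04\x00"          # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09"              # mov ax,0911h        (method 02)
    + b"\xBE\x47\x46"              # mov si,4647h        (offset 27)
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # '\\.\SICE',0        (method 11, offset 38)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 2A002Ah (method 12, offset 51)
    + b"\x90" * 4
)


if __name__ == "__main__":
    found = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for offset, label in found:
        print(f"{offset:#08x}  method {label}")
```

Run it with a file path to scan that file, or with no arguments to scan the constructed buffer. Methods 08, 09, 10, 13 and 14 are deliberately absent: they key on DOS vector calls, VMM service names, debug-register reads and registry paths that have no stable byte signature of their own, so they are better caught with the breakpoints the text gives.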

__________________________________________________________________________

Method 13
=========


Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>