About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature ('BCHK') that SoftICE recognises
on int 3: if SoftICE is present, al no longer holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It relies
on the SoftICE 'back door' interface on int 3, which returns information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE or to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jump back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method. It looks up the SoftICE VxD by its ID via int 2Fh/1684h
(the "get VxD API entry point" function): a non-zero ES:DI means the VxD is
loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks up the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in ax) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes es = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; saving the old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler never touches ax, so 0F386h
    jz      SoftICE_detected        ; can only come from a debugger that
                                    ; intercepts int 41h ahead of the vector

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; runs only if the int 41h vector is used
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = low byte of PIT counter 0, a value
                                    ; that is hard to predict
    xor     cx,cx                   ; cl = 0
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler really ran
    jnz     SoftICE_detected        ; otherwise something else owns int 41h

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                  ; DOS: set interrupt vector
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring0 only), you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise) and whether memory breakpoints are set (dr0 to dr3).
The values can be manipulated or changed as well (clearing BPMs, for
instance).

__________________________________________________________________________

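A decoder for the debug-register values this method reads (dr7 and dr0 to dr3), as an added Python example that is not part of the original text. It follows the documented Intel DR7 bit layout; the 0x700 and 0x400 values are the ones quoted above, while the third sample value and the breakpoint address in the test are constructed for the demonstration.

```python
"""Decode x86 DR7 the way a ring-0 check (Method 10) reads it.

Added example, not from the original text. Bit layout is the documented
DR7 layout: L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 always
reads 1, GD bit 13, and per-slot R/W and LEN fields from bit 16 upwards.
"""

DR7_LE = 1 << 8             # local exact breakpoint enable
DR7_GE = 1 << 9             # global exact breakpoint enable
DR7_RESERVED_ONE = 1 << 10  # architecturally reads as 1: the "idle" 0x400
DR7_GD = 1 << 13            # general detect: trap on any MOV to/from DRx

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
# LEN encoding: 00=1 byte, 01=2 bytes, 11=4 bytes; 10 is 8 bytes only in
# 64-bit mode and undefined on the 32-bit systems the text describes.
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7, dr=(0, 0, 0, 0)):
    """Describe the hardware breakpoints DR7 enables.

    dr is the tuple (dr0, dr1, dr2, dr3) read alongside DR7; a slot is
    reported only when its local or global enable bit is set.
    """
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        glob = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({
            "slot": i,
            "address": dr[i],
            "scope": "global" if glob else "local",
            "kind": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "active_breakpoints": slots,
        "exact_enable": bool(dr7 & (DR7_LE | DR7_GE)),
        "general_detect": bool(dr7 & DR7_GD),
    }


def softice_loader_heuristic(dr7):
    """The Method 10 heuristic: 0x700 (LE and GE set on top of the
    always-one bit) means the program was started under the SoftICE
    loader; 0x400 is the idle value."""
    return bool(dr7 & (DR7_LE | DR7_GE))


if __name__ == "__main__":
    for value in (0x700, 0x400):
        print(hex(value), decode_dr7(value),
              "loader" if softice_loader_heuristic(value) else "idle")
```

Reading DR7 needs ring 0, so on a live system this decoder is fed from a kernel debugger, a crash dump or a hypervisor's guest-register view rather than from user mode; the function itself only interprets the value.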
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 and 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was found
in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>