About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 (IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
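As an added example that is not part of the original post, here is a small Python triage scanner an analyst can run over a raw binary to flag the byte patterns of the tricks listed above (methods 01, 02, 03/04, 05, 07, 11 and 12, plus the shared 0F386h compare). The signatures are the plain 16-bit encodings the listings imply, and the sample buffer is constructed here, not taken from any real file.

```python
"""Triage scanner: flag byte patterns of the anti-SoftICE tricks above in a raw binary."""
import re

# label -> regex over raw bytes. Encodings are the plain 16-bit forms the post's
# listings imply; the 0x66 operand-size prefix used in 32-bit code precedes the
# first byte, so it does not break the match.
SIGNATURES = {
    # Method 01: mov ebp, 04243484Bh ('BCHK') before int 3
    "M01 BoundsChecker 'BCHK' signature": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h / mov di,4A4Dh, the int 3 back door magic values
    "M02 int 3 back door magic (SI=4647h, DI=4A4Dh)": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46", re.DOTALL),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "M03/04 int 2Fh/1684h VxD entry-point lookup": re.compile(
        rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h
    "M05 int 41h function 4Fh": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h / int 68h
    "M07 int 68h function 43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): driver names passed to CreateFileA or _lopen
    "M11 MeltICE driver name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh / push 002A002Ah before Kernel32!ORD_0001 (VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Shared by 05/07/12: cmp ax,0F386h, the system-debugger magic number
    "cmp ax,0F386h debugger magic": re.compile(rb"\x3D\x86\xF3"),
}


def scan(data: bytes):
    """Return [(offset, label), ...] for every hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


def summarize(data: bytes):
    """Return the sorted list of distinct trick labels present (the triage view)."""
    return sorted({label for _, label in scan(data)})


# Constructed sample (not a real file): filler bytes with three sequences from
# the post embedded at known offsets: the Haspinst-style int 3 back door call,
# the int 41h/4Fh check with its 0F386h compare, and a MeltICE device name.
SAMPLE = (
    b"\x90" * 16
    + b"\xB8\x11\x09"            # mov ax,0911h  (execute SoftICE command)
    + b"\x8B\x17"                # mov dx,[bx]
    + b"\xBE\x47\x46"            # mov si,4647h           (offset 21)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCC"                    # int 3
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh / int 41h   (offset 36)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h          (offset 41)
    + b"\x74\x05"                # jz SoftICE_detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0           (offset 54)
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"0x{offset:04x}  {label}")
```

The patterns only cover the literal immediates shown in the post, so a protector that builds the magic values at run time (or uses the debug-register, Get_DDB or registry checks of methods 09, 10 and 13) is not flagged by this scanner.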