找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>! K+ p3 X4 ?# J
<TBODY>
! E' x$ F: o$ {& k/ I<TR>
, U+ s8 e  k( n1 \, j4 Y1 {* g<TD><PRE>Method 01
' N8 e; o9 Q. H5 Z=========7 W. m, C% K; r+ I8 A1 [
9 O1 W9 E" \5 q
This method of detection of SoftICE (as well as the following one) is% K2 n6 q0 B' |7 y' x
used by the majority of packers/encryptors found on Internet.
; c- \# i/ d8 b9 Z3 C( eIt seeks the signature of BoundsChecker in SoftICE
8 D& Z" M. x$ c1 Z/ p- e1 j5 W5 I) L  `
    mov     ebp, 04243484Bh        ; 'BCHK'
& v0 d2 a2 c2 Q4 p! W    mov     ax, 04h$ I# L, D6 n3 Q9 t% S" s
    int     3       ( x% n5 `( ~8 i: k: S
    cmp     al,4" T5 ^) Y. `: `/ t
    jnz     SoftICE_Detected! O4 l) P7 ~3 V* G+ W& h) s
- Q0 l1 t  D$ C, ^, i
___________________________________________________________________________
" n6 J( d5 D: m$ S3 y
( W  L: h8 F, K( g4 `( y8 `: a  jMethod 02! I: f: K# o6 A( {; |
=========
: q" [7 Y5 d+ u% p. u$ m3 _2 M$ s  `% u, g( D7 a# O/ T; q0 R  I0 b
Still a method very much used (perhaps the most frequent one).  It is used' \3 f+ e  s6 i- I1 l( _# `8 F/ r
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,7 H& j0 ?. q4 \0 h% ~$ _
or execute SoftICE commands...
/ j* i. v, {# L3 z4 z! ZIt is also used to crash SoftICE and to force it to execute any commands
# x/ ~2 E5 |' [; ^5 w3 w# X(HBOOT...) :-((  ' E8 L4 \$ p- x: P9 R( k

, E0 i: q& d& @- N3 y, O( FHere is a quick description:- p3 P4 w- S6 [7 f, s
-AX = 0910h   (Display string in SIce windows)6 `, L# ]0 S3 @! A' \6 L
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
8 ?/ X+ S4 Y. o7 g! ^( k# p-AX = 0912h   (Get breakpoint infos). G8 v: `; d* X+ a3 V7 x
-AX = 0913h   (Set Sice breakpoints): m) X* F1 F! W0 }: H% P
-AX = 0914h   (Remove SIce breakoints)
3 A" y0 S- D9 Z2 B8 \7 Z  X! ^0 c5 z/ S! h' w. z7 E
Each time you'll meet this trick, you'll see:
; N4 O3 Y7 a# U3 z* p6 t" J-SI = 4647h  }7 K* w. V2 M2 ?* `: O6 p0 O& A7 p
-DI = 4A4Dh0 V2 ?  r$ u1 ]- h$ z" s
Which are the 'magic values' used by SoftIce.8 E4 Y. \8 R1 g$ j& ~# p- C* q
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.$ D0 }& U& i. I9 N& a' q
# s( o& n/ h, k; A% S% t
Here is one example from the file "Haspinst.exe" which is the dongle HASP
( R7 G) h7 k. a$ }5 I. M9 a$ S( `Envelope utility use to protect DOS applications:  K) n/ g( Y% U1 i* U( s
( u' O' @& ]8 V- U' C

, b/ ~) r$ I2 p8 Q: N4C19:0095   MOV    AX,0911  ; execute command.% d& ~' o, e+ N
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
6 f' f6 Z/ e* \( O6 ]* {4C19:009A   MOV    SI,4647  ; 1st magic value.
  q( v7 s4 ~# O0 L" i4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
! T4 u* t3 s1 l$ U) w4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)0 [  s7 G  `" g) g% j  H% @# k' A
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
9 W  T/ k4 @8 r7 R  z0 F4C19:00A4   INC    CX
9 N" y0 Z4 u. X4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
$ ?: e" y4 l8 Y/ u* _: ?0 k) a9 c4C19:00A8   JB     0095     ; 6 different commands." Z" F+ f# p2 v5 S  m5 h" q
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
; f* e9 K# v- f4 r; x' l4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
4 r. y/ R$ @  f- m1 }4 A1 u
8 j: f3 V# O0 Q1 e9 W0 sThe program will execute 6 different SIce commands located at ds:dx, which5 d( f& e$ ?! E! W- @
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
" N9 ]. k7 {. n% x
) x" y' ^+ l* J/ i, z6 z0 I* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.  m" m' ~# m7 k1 [# ~; a
___________________________________________________________________________
/ Z6 J* t- H* o" ^7 K
4 M, Z, [( H2 b( r( X7 t2 @
. V6 [# R- w1 cMethod 03
$ x/ f8 I9 y8 X) ~=========
3 _7 Q, [& f* e0 H! S& f2 S4 Y* o% F1 ~
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
' b* |* O8 _- J" i9 v2 `' X(API Get entry point)9 ^( W8 \0 J/ F0 u+ w' H
        
& M$ R  T; ^' o9 M( _0 ]* R
/ q9 [" p$ U" b/ Y    xor     di,di% a0 N/ g+ @4 I% w) u
    mov     es,di( A0 Z4 I% f% q, C
    mov     ax, 1684h      
% N) H' u: T8 x: z) u3 p( I, k0 q  d    mov     bx, 0202h       ; VxD ID of winice
2 R& u: P8 _+ j% l    int     2Fh6 r. W$ \5 h' F
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& O" A2 t+ D' ^* Z) I) }9 n/ \$ w    add     ax, di
% E8 S: u# o3 f  f% R& I1 T    test    ax,ax
  S( y( t& ?! ?' q5 O. z" i    jnz     SoftICE_Detected
0 d% w: E6 e* E5 G8 e7 F1 I! z: z* A# ?& j
___________________________________________________________________________
( B5 h( r1 O3 j( h/ E. G# `  ?5 J9 g
Method 04
6 l$ I  P/ Z% q$ L=========
* h  {3 c1 X: g' q+ ~/ P+ v7 f# l
/ t" B$ F( m2 R; ]& {# Z* P& k3 o0 y# ZMethod identical to the preceding one except that it seeks the ID of SoftICE
/ W4 R0 S. l! s( WGFX VxD.
4 i: a  t! K& L! D  {9 O+ }
' o2 D: t, y# U0 N9 ^    xor     di,di
: U# ]2 D4 N' c3 z$ ?    mov     es,di( m9 s/ l; z0 Y6 ~: j+ V
    mov     ax, 1684h      
) y7 r( n2 O1 U9 ^5 [% `  c/ u    mov     bx, 7a5Fh       ; VxD ID of SIWVID
, E7 @4 r7 x6 q, L( {    int     2fh
; ~" ]% h# @" d3 g    mov     ax, es          ; ES:DI -&gt; VxD API entry point
& ~) A# J  @: Q" v7 i    add     ax, di
! {6 r0 C$ S4 ~2 x; Z1 a4 t    test    ax,ax
9 F* \, x: o7 T/ M/ R4 N5 ]4 N    jnz     SoftICE_Detected
3 B  b* [+ Y+ N, C! E) h# \7 k% n' d
__________________________________________________________________________, C) D* y& q3 |& r* h
0 P4 k" y" g4 {& a
, h# f4 X' g6 l# k# ~' F
Method 05' Z8 p+ O1 x* u) U
=========" t: v( I, y( L1 N. A

4 g8 X2 Z- L) T0 m/ X3 l' B2 xMethod seeking the 'magic number' 0F386h returned (in ax) by all system6 \* ~/ \" N* |/ t
debugger. It calls the int 41h, function 4Fh.
+ b1 _% M3 d- a1 f4 E: fThere are several alternatives.  
% e7 `1 a; J! N; y/ _8 B3 x7 p% r# N0 `/ Q0 ^  y
The following one is the simplest:
/ f. ~: B& L3 e6 R$ r5 B$ d6 c4 c4 Z! f" o# }5 c7 j5 S, p# A
    mov     ax,4fh
3 R/ N/ J, A" e    int     41h0 j: E, r" O- P; O! b$ l" I
    cmp     ax, 0F3866 }( F: V# l' K# X# ]5 C
    jz      SoftICE_detected
6 n, l( _! r$ s5 V
0 w. y" w: a( }% P
3 p7 B4 V, u5 @% g* DNext method as well as the following one are 2 examples from Stone's
% h2 u. Z8 Y. A5 ]7 a  y  ^"stn-wid.zip" (www.cracking.net):
" R- ?/ W& H, H" U2 t. B2 y( A6 C  K' [: H4 A: h1 C* W* T2 A9 o5 @: b! z+ Q
    mov     bx, cs
) \! m: X' C3 B4 z    lea     dx, int41handler2
% z  w& P' M( \* c: v    xchg    dx, es:[41h*4]
7 F$ _$ |0 n4 \4 h    xchg    bx, es:[41h*4+2]" ]) ?9 Y, v: N- j/ k
    mov     ax,4fh
3 A5 a) `- s4 s& g    int     41h
. Q2 X: }  D( I6 `* S/ i; z    xchg    dx, es:[41h*4]
4 O. `) B& j" U* l8 x    xchg    bx, es:[41h*4+2]
0 I% }( }3 f$ E9 @    cmp     ax, 0f386h
0 N4 k4 [/ X- e# c    jz      SoftICE_detected
4 z8 I1 N6 [2 k- e- X- [3 S; V: ~3 K: K0 V% R0 l  ]
int41handler2 PROC/ ]" r& T4 \  j) @/ k9 K
    iret
# p! z% S* X4 D" x! D  J; z- d# ~int41handler2 ENDP+ S# S4 B) p  I' x2 x7 v* N: Y

1 ?$ J* }1 a& P+ R- M) ?/ v: G+ O! h" x
_________________________________________________________________________
# l5 S2 M$ N9 Q+ D, H  @" x, m8 }- h) \2 F: C  i, a& _

2 s( S; c2 J4 E% h3 a; PMethod 06  o3 E2 }% f/ ^$ F1 _# b
=========: ?6 `6 n2 b3 s3 O$ r% }

( v9 q3 K( F" q4 u$ [6 G  v6 n  l) a3 T5 ]. L* ?) R+ s
2nd method similar to the preceding one but more difficult to detect:+ H2 I0 R7 ~4 L

2 g4 s1 x- @1 D6 |
$ y5 f/ {6 z" E  F2 L4 jint41handler PROC% ^: ~. u1 p# B7 S: c0 r6 y
    mov     cl,al. F' s! `5 H! F  V8 l& S
    iret; F& B1 Z1 i9 r: w+ d5 G
int41handler ENDP  H  j% W1 i7 r7 L1 I: h- K1 ?) A
1 M: i, p4 Z: _8 l& C2 q
$ F! I0 L  ~% V; H
    xor     ax,ax0 n; I) _5 B9 _/ E6 R
    mov     es,ax
- v  h3 j0 g* U6 d! V: H    mov     bx, cs
3 _7 ?# `. t, e+ o, C    lea     dx, int41handler
* V& c& H' L2 \1 E7 X    xchg    dx, es:[41h*4]8 |& ]' Y- f, N. |
    xchg    bx, es:[41h*4+2]
1 A$ a8 Y: S5 g3 c: v    in      al, 40h4 u! {3 J% L) r, y" \
    xor     cx,cx
) H! u$ h' G' o; o9 }( e; i    int     41h, r7 M* r, I- m- W* o+ r
    xchg    dx, es:[41h*4]
% [- c- ~( t+ S    xchg    bx, es:[41h*4+2]
9 w9 ?/ c0 v( n% U8 f5 v    cmp     cl,al2 ^+ g5 W; x* J9 ?3 n! b
    jnz     SoftICE_detected* n  ^/ V& W/ a1 q1 t  i
( I  J( l6 T9 ^! a5 h( e, o& r
_________________________________________________________________________
  I7 a* N# _0 V9 k+ e; T9 A5 S
/ L- s9 P. Y/ d, TMethod 074 r0 c3 W; m5 Q, Q2 K) `
=========; m" q% U# P/ ?6 P5 ]' N# _
. }6 C, `% L* I
Method of detection of the WinICE handler in the int68h (V86)6 ~* ?5 H3 T7 t/ L9 P. G6 g3 U' @$ @
7 A$ p$ s9 ?* H4 l$ F
    mov     ah,43h5 j0 o# D: P9 x1 a/ O
    int     68h
, l3 w( y, Y5 f2 ^$ f, j' e  o    cmp     ax,0F386h3 s+ T# e8 M1 x" {
    jz      SoftICE_Detected$ M+ `$ R& q$ o8 q
1 j6 Y1 J, F) B) {0 d& u6 H" I, |

5 ^5 Q* O# q2 ^# [& n=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit) i: ^; Q  x# E8 @
   app like this:
9 x9 G( S* g% [8 X* c1 j" J' {+ o
: T0 Z1 `2 J) B' H0 r) `6 b9 K   BPX exec_int if ax==68
4 K' u* b- g1 O# Z4 i   (function called is located at byte ptr [ebp+1Dh] and client eip is
+ R# H4 X" ^* _# u   located at [ebp+48h] for 32Bit apps)! k3 k+ N% ]4 |4 S* e
__________________________________________________________________________- O0 q: M, u, h$ ^
) c& T+ k' }8 A& E
4 ~1 o, l$ |4 r7 V) o
Method 08
! P8 H% H0 E/ I# c7 ^3 C$ a=========
' a  B0 `' \: |# `8 V6 V, q1 U$ w% K* G7 v, L3 |  ^/ q# U
It is not a method of detection of SoftICE but a possibility to crash the, Y! |- g0 G4 [: m! d
system by intercepting int 01h and int 03h and redirecting them to another$ D# q4 |5 e* \$ N" `7 i3 o
routine.
( v; f' B, U6 T9 M' S9 iIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points% S6 i& y4 p( L0 [' P2 [
to the new routine to execute (hangs computer...)  P8 P8 z( ?1 T4 C# n( [
  o0 A- y- {' O
    mov     ah, 25h4 \+ p& s. x$ |3 u# t
    mov     al, Int_Number (01h or 03h)3 q# s0 ^- k8 Q% I4 D3 e
    mov     dx, offset New_Int_Routine6 i# s1 D/ u' H: H7 Y8 X
    int     21h
' g7 _* {" {7 x5 `6 J  R7 {7 U' j5 D+ H1 a
__________________________________________________________________________: T2 C3 v6 E/ n' C, S7 l$ _5 q
% m+ Y* ^9 L$ ^, n3 A3 y
Method 09
1 i% o: D' A+ U- D=========& a8 Y* l8 X4 P' N

1 t; v7 V" _) l0 Z1 PThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only1 M4 X1 m! W# j. \+ e
performed in ring0 (VxD or a ring3 app using the VxdCall).
* C- L7 o  o- Z& c/ g. w9 IThe Get_DDB service is used to determine whether or not a VxD is installed; f5 A3 {8 ^. c8 R  l; L2 F
for the specified device and returns a Device Description Block (in ecx) for
1 F2 u+ @# ?8 P+ a3 ]7 {* L, hthat device if it is installed./ f, Y% N, F' j9 D' F! F
, h& p# ], v3 E  h5 G( o
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID* m6 p/ B6 i/ s& _0 u, G
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-); n3 q; E4 M3 B0 E& P# d1 @4 q
   VMMCall Get_DDB/ |! L9 w$ {$ G- o- n- L: F: g
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed$ ^3 y1 V, \* H, J0 S
* J8 ]* v/ A  R5 g+ E4 |
Note as well that you can easily detect this method with SoftICE:  d' n. A3 g' K
   bpx Get_DDB if ax==0202 || ax==7a5fh( |% p. n+ R3 @$ j& C
! A# h, Q7 }0 E1 P# s! n1 b! K
__________________________________________________________________________3 C/ W$ A& J9 Z$ D% ~: Y9 k
  W0 ], x2 b4 L( Q% k4 H! k6 f( g
Method 10
! E. ^# c3 H. S% z- g  j=========0 |5 D9 j9 D/ D

9 A: }, D8 g8 x: @+ [=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
2 K# C% T7 [! i! ?  SoftICE while the option is enable!!% d, }6 c, |3 ~1 o6 l
* l8 _9 A" O1 |0 a0 B
This trick is very efficient:
7 C+ f* G" `! D! c9 jby checking the Debug Registers, you can detect if SoftICE is loaded  S5 \$ m( B$ t. ^: _
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 T( H. O, ]$ P5 N( |- Tthere are some memory breakpoints set (dr0 to dr3) simply by reading their/ n& \4 E9 }3 x/ h2 V
value (in ring0 only). Values can be manipulated and or changed as well
8 h( y+ M. k9 a5 T; o(clearing BPMs for instance)2 }& x  @9 [$ j+ i6 o$ O; X5 s

7 _  D. }  r3 M" d: Q+ z" x__________________________________________________________________________
; A$ P% B$ T& ?' g9 t, i/ i+ C
$ A. u8 E0 s; D- u* I, a9 N+ O6 HMethod 11
5 k' x9 g: x2 U. r=========
' G. R1 b' @- E4 b$ ]1 d* J( R* h' ], b. h$ i
This method is most known as 'MeltICE' because it has been freely distributed! _  h) X. h, v- n$ ^
via www.winfiles.com. However it was first used by NuMega people to allow5 p: ~% T( a7 B
Symbol Loader to check if SoftICE was active or not (the code is located
' |' Y3 C5 z5 Yinside nmtrans.dll).
# o% ~, z2 P" o" ~( x) _# u2 c% d5 K' m1 n( |- [
The way it works is very simple:
9 ?- E  t- E# q$ C# ^: v' OIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for- L& W# g. \5 P1 W) \# R
WinNT) with the CreateFileA API.
* b- D4 v, ^6 W: d8 P+ t  {1 ?3 _; p, F) ?# v
Here is a sample (checking for 'SICE'):# v1 c7 w1 E. z- L  {7 \- e8 J
/ H5 x3 A; \# F( F3 ]% f/ T
BOOL IsSoftIce95Loaded()
, i" ~) M5 \/ R0 o" v  f{
  {( h- ]7 G. ^" @   HANDLE hFile;  8 p/ T0 d+ K# m4 j; u0 ^/ S) ?
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
" V9 g* y; O7 p  `8 T7 T                      FILE_SHARE_READ | FILE_SHARE_WRITE,' o4 h% I  x+ P  |
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
9 b7 F$ I" w  |   if( hFile != INVALID_HANDLE_VALUE )
: {9 {) Q0 D2 d, r) \3 I   {
$ q5 W  W9 C# ~- F2 x! t7 h      CloseHandle(hFile);( ]& X% R, n4 Q+ q9 K% b  {, M6 S
      return TRUE;. J  c' @* w, S. j9 l9 q
   }
0 s# i, A0 Q4 Q   return FALSE;9 _3 N  l4 s4 |" l8 e3 |3 R6 F7 g
}
; C; @  n' ], N0 D  d. |8 \* Y' s3 v
' t# y/ E7 `/ w! u2 _3 g0 |Although this trick calls the CreateFileA function, don't even expect to be8 F( o- `, _# q$ s- J; y% X
able to intercept it by installing a IFS hook: it will not work, no way!
" }) u0 ?' @# G; M% r2 A% z, L3 ?In fact, after the call to CreateFileA it will get through VWIN32 0x001F. I( h) e' Y! a) u  b
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
; y7 K' N5 n! kand then browse the DDB list until it find the VxD and its DDB_Control_Proc
) t2 w$ H/ w# z3 l$ s+ V7 Gfield., Y4 M2 }3 w6 l/ ]- _6 U
In fact, its purpose is not to load/unload VxDs but only to send a
& l$ Q+ g& _; TW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)+ s6 x* W1 b: K- j: \" K2 g
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
! D/ ]' ?0 g1 S& q8 _4 ~; C; T! dto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 s! D; I* o- v$ y& Z. |
If the VxD is loaded, it will always clear eax and the Carry flag to allow  L" V4 z+ {% c+ B: U2 }! T6 q
its handle to be opened and then, will be detected.
/ ]1 S/ c9 |' l. M) @0 D1 l* C5 zYou can check that simply by hooking Winice.exe control proc entry point
3 K* Z* W+ w( d& a+ E, Hwhile running MeltICE.
5 b9 o) n( h& h* H7 ^7 w# b# x3 e* H  L5 z; x) a# I4 c% e/ G

0 A; D, s! H3 \; y- P5 \9 f  00401067:  push      00402025    ; \\.\SICE
$ Q" `# A5 ]9 r8 q; y  0040106C:  call      CreateFileA
/ ^. J- d9 D+ V" p+ t' ?  00401071:  cmp       eax,-001
, n* r( ~1 y& @  00401074:  je        00401091, F8 {  c5 d  Q; J1 @

$ A& s/ f( }# A3 P, ^
+ i& C/ }1 s' _* W  S" z3 m2 {$ AThere could be hundreds of BPX you could use to detect this trick.) {" E3 U. E/ U4 T, N
-The most classical one is:
' q. E' `1 m& S, {1 O  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||" _1 B% S5 G& }2 s
    *(esp-&gt;4+4)=='NTIC'$ L: l) F; o% x7 X0 j7 \
$ z. R1 b9 x- v- I0 q, I
-The most exotic ones (could be very slooooow :-() `4 |* v; D& u* e. G6 a+ D+ g0 U+ w2 j
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  % `7 _' H3 S+ O2 z; {1 G- e. ]
     ;will break 3 times :-(/ p' I- e5 }+ I0 V0 ?% z
+ C; u) w% O2 c: I  S% \+ j9 d. t
-or (a bit) faster:
0 Q0 U" Z. N# _" @0 ]1 w   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 g; x( m) x8 a. q) r
# d! |% K# h+ ^, x  u
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ( `$ i+ D8 I. g' g3 M( |
     ;will break 3 times :-(
* L" [- p4 D1 u. C5 m% D& _" y% e& B  H+ Q% s
-Much faster:9 M- N8 K  k  j1 M. \' ?$ q
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV') T! S$ M, p7 _& L; K* K
. @& g7 e& I" k- H1 j
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
- ], V: b4 {, y7 ^' Ufunction to do the same job:+ P& l3 K* Q7 B5 M/ h* d
2 j3 K$ P9 U2 d6 D
   push    00                        ; OF_READ( R0 q  l7 z0 D' \
   mov     eax,[00656634]            ; '\\.\SICE',0
6 m  F/ x7 Y* R. `0 K' L5 U) l   push    eax
; b$ [6 J7 i+ s' ^* C3 g' }   call    KERNEL32!_lopen/ e! }# Q2 B1 |; h1 s
   inc     eax
. `. B  w  i5 |7 M# |' k: [7 e, Q   jnz     00650589                  ; detected
3 L$ }: P5 p1 D9 S( }   push    00                        ; OF_READ& K: `9 E/ F9 J
   mov     eax,[00656638]            ; '\\.\SICE'
+ X7 `& Y" }2 |1 E   push    eax
: l8 Y% o- ^( i, O9 s3 M   call    KERNEL32!_lopen
7 Q% G& g4 [5 w* f  A$ ]   inc     eax
- M: B* r: u, N4 v. T+ H   jz      006505ae                  ; not detected/ k5 M  m$ c7 ~: O
- U* ?+ v2 x: g, M1 R
; o$ }! P5 M1 i' E8 k- n2 w
__________________________________________________________________________
' ?  `# f8 r; j2 x
7 A6 G; J5 @# s, w+ x; yMethod 12
  v4 C+ g5 ~1 x4 g3 \) T=========, e4 F: R/ q# j" H! B" T7 q3 Y

" j# R+ e- r8 G  t0 ]7 H8 XThis trick is similar to int41h/4fh Debugger installation check (code 05
) Q+ U7 S7 s; J&amp; 06) but very limited because it's only available for Win95/98 (not NT)
0 O; M7 I* L% Y% m, ]# z8 l: [as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
% Y& g# }8 U0 u, w. n* u4 a# M1 {; X% q  `; `- W
   push  0000004fh         ; function 4fh
2 _( F& C/ f* u- d   push  002a002ah         ; high word specifies which VxD (VWIN32)0 a0 V; I  B' p- E& \( ~! ]
                           ; low word specifies which service
& f/ w* V2 B+ s* n                             (VWIN32_Int41Dispatch)! E9 O/ _9 N  N" U' ]! y/ }
   call  Kernel32!ORD_001  ; VxdCall
/ z+ n6 O, ?! I2 b* u" m/ Q. S$ m   cmp   ax, 0f386h        ; magic number returned by system debuggers
4 y1 L( [  Z9 \: L, C! W1 x$ h$ S+ c   jz    SoftICE_detected; g0 y" g3 f9 s. p, J3 J4 S
5 f: }4 @) G; q2 q" @, g& ]
Here again, several ways to detect it:* @. G3 C! E, t3 R$ Y

) ]" K3 [* j' a5 W# T* ^    BPINT 41 if ax==4f
. K/ y& Q, ~1 |2 o6 o
: P/ {5 s) y5 H& ]8 A' r    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one  @! [, b, {! R1 m
' v6 z, ]- D, z) c
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
# o+ G/ S$ b; q" K/ Q, @( H' T3 c; c( z6 a" W- \% _! {
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!* m5 k4 e. m8 [. U# R" Y
+ F3 {6 V2 a+ H4 ~) A7 Z8 x
__________________________________________________________________________
$ p4 c- k7 F; H: w! T" H  l; P* f0 a
Method 13: M8 U2 ^+ Z! p3 k! c5 ]
=========( l3 p1 \# d" [9 @
' X8 {' R: D% N
Not a real method of detection, but a good way to know if SoftICE is+ `3 V% f8 ~6 e+ `" A( @
installed on a computer and to locate its installation directory.: V1 `' X3 _) J0 W
It is used by few softs which access the following registry keys (usually #2) :
5 Z* y0 S( L! i0 p% ]9 d$ R: W
/ N" m8 N4 a4 P/ R! G3 A" d-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
7 U; I) [6 [6 s. W# x7 V\Uninstall\SoftICE
& Y% {' ~6 m/ H5 x' S$ g  f+ v-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE+ m6 t" i0 M- ~) [2 Q* a
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
0 L* g3 Q9 y* _3 m# s6 i0 }, g( ~2 v( ^\App Paths\Loader32.Exe
, S0 h( ?1 x6 X  ^/ K
  l+ d( j4 R. ]& x) A  L/ ]/ C8 X& j  J) E# b. U: c- G  K2 J6 i0 O: K
Note that some nasty apps could then erase all files from SoftICE directory* O3 F$ M* ~1 Z# I" B9 m( x! e" R
(I faced that once :-(
* ~& Y: Y% a1 }" X0 _% J: R" B% X7 x. }( Z% L1 D9 _- s
Useful breakpoint to detect it:  U( R# b: `. F, l( k4 }) E$ L! A
% r, v, g1 j; m6 P: V
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
; I; \6 A- i, e, Z$ ^9 a& b9 P& m* H& E6 H9 y
__________________________________________________________________________+ D/ s- ~  h. h4 z

. j$ y  ~  b, \; f, H' b- y3 j0 N* j- P* e
Method 14 6 w: L+ s1 V& r4 Z  l9 y$ c
=========
- ^) D1 A/ H9 p7 E4 g1 H& s* {4 X" ^! \# {2 z* S; Q8 [
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 z5 W8 J& `/ P% n: @5 C$ a3 F
is to determines whether a debugger is running on your system (ring0 only)., D. [5 [% v" h7 T
7 [- |5 R2 O( j# U4 Z
   VMMCall Test_Debug_Installed" e  k( \8 [* M- H. g
   je      not_installed
1 I* E* P6 v% K2 a0 t7 M( G; |$ p( t+ f+ `  c; [
This service just checks a flag.
" V  M& X& u4 G, |$ u</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 20:54

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表