About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
answers the BoundsChecker interface ('BCHK' in EBP) and changes AL, whereas
without SoftICE the int 3 returns with AL still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((


Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)


Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.


Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 means nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected


__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one (Method 06), are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one temporarily replaces the
int 41h vector in the IVT with a handler that just returns: a debugger that
hooks the interrupt at VxD level answers before the IVT vector is reached, so
if ax still comes back as 0F386h it was not our handler that ran.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must hold 0 (IVT segment), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = IVT segment
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from PIT counter 0
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the call
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)


    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========


This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).


The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is lpFileName, +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of the 't' of
"SoftICE" in the #2 and #1 subkey strings):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.