找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>5 o1 I8 g: B5 Y' P8 `
<TBODY>
- h2 T# ~2 I2 o# F<TR>
8 \- V% S3 D0 r, S7 ^<TD><PRE>Method 01 9 h- \4 ]; H' Y
=========( t: R2 Z% d! E/ v3 R

5 f/ {: S5 o! H4 n7 D) i8 dThis method of detection of SoftICE (as well as the following one) is
9 G" I) \7 I3 M+ O/ Y. hused by the majority of packers/encryptors found on Internet.% B% h5 ~! i7 t. t
It seeks the signature of BoundsChecker in SoftICE& `& W$ V. Y, p* V2 R9 }% z# t

2 ?! J/ Z* T1 F7 C7 y2 b; }  J    mov     ebp, 04243484Bh        ; 'BCHK'
! H* S8 N6 T/ |5 k    mov     ax, 04h
+ U( \: q! U1 j. W* K5 ^    int     3       - v5 ?0 n( d0 u8 H5 i$ J
    cmp     al,4
9 g( a+ h/ r: e: t4 ^  Q    jnz     SoftICE_Detected% Y4 f* C. z" D6 c/ g; P' m" A9 t

+ S9 `, }' i6 d7 q3 }  k8 O# c- X# o___________________________________________________________________________
7 W' ~* W# A8 U3 D( S% v$ F% F2 A7 }2 Z- h7 Z
Method 02
0 ?) ~& e0 U" w9 W=========
( Z  Q2 _$ c' i! T! u+ R5 `5 K. p0 l( V5 S" R. q8 e! N" Z' Z
Still a method very much used (perhaps the most frequent one).  It is used
. o2 V! e& i0 u7 Xto get SoftICE 'Back Door commands' which gives infos on Breakpoints,) @+ c8 E2 U- G1 p: o
or execute SoftICE commands...
: t6 [# ?$ I6 p5 uIt is also used to crash SoftICE and to force it to execute any commands  n% D6 n! a, Q; \' Z5 g  V- I# _
(HBOOT...) :-((  
8 O5 S1 E+ k% m7 J' S' I" Y/ e' I
( z# E7 Q  Z1 E, G# I! w; EHere is a quick description:
2 k4 |' Q  n/ i0 F! w$ G-AX = 0910h   (Display string in SIce windows)
) N, m: R" [# `-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)% f; _7 m8 l: q6 h1 n2 R
-AX = 0912h   (Get breakpoint infos)# O6 N7 S+ f; ^" [% a! j
-AX = 0913h   (Set Sice breakpoints)# U" B5 f/ h; v" C
-AX = 0914h   (Remove SIce breakoints)
! R) T, {, e7 ~( y; l% L$ ]/ p" ^- \2 ]# _/ S3 `
Each time you'll meet this trick, you'll see:; G2 M# N* g9 d% `9 ^$ y% a. t
-SI = 4647h
% H- x+ [9 ~5 ]* P8 @: k, ^+ j; K-DI = 4A4Dh% ]' K/ A/ A; o
Which are the 'magic values' used by SoftIce.. k; b8 |5 p! r, X/ t( u+ I
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.3 Q+ O& t) H0 ?% s6 f, _

- R' c% K2 R9 ?7 y6 ~  S- mHere is one example from the file "Haspinst.exe" which is the dongle HASP
3 L) G+ h: \8 F* pEnvelope utility use to protect DOS applications:
% ^2 D, C/ S- p: l& \3 w9 |; Z. Z& L2 q, e- e

3 L! W1 l) G4 _2 i% D5 g3 _2 s7 _4C19:0095   MOV    AX,0911  ; execute command.* [# Q( |6 ?9 ~2 q5 @
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
% w' x; S" H; x9 O4C19:009A   MOV    SI,4647  ; 1st magic value.
6 Y1 U1 i& y1 w- s4C19:009D   MOV    DI,4A4D  ; 2nd magic value.: ]+ T) L. z6 I
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*); O! r" s1 x0 R. }* P& S
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
, i. n* R2 \/ H2 M7 @/ W* v4C19:00A4   INC    CX
* Q8 ?7 Y2 K" l2 U4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
, n% \$ \0 x+ H7 a3 d& k6 a) O4C19:00A8   JB     0095     ; 6 different commands.
) [1 E, I2 D" b$ t2 L( }3 L4C19:00AA   JMP    0002     ; Bad_Guy jmp back.( I' l- i- i9 t; V8 j7 D+ `
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)+ Y- B6 A* z6 U2 V$ K2 @+ b
' E7 J. @! h6 w3 S
The program will execute 6 different SIce commands located at ds:dx, which8 @6 C8 u( l$ W. N/ F  @
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& D, R; E5 M# x  A: @" Z; J( h7 ?: U9 `1 ]
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.- c* D# `3 L& N( o
___________________________________________________________________________5 R  i( S( ]2 a/ _! ]/ x2 M

+ }5 m" C0 b" \' h- n- u4 {8 y9 L& O0 q  r+ @! H( H
Method 03
( r( h% Z( E2 G4 ^$ S" Y5 D=========
  d# W4 m4 Y2 V  ~- u: j$ o4 W9 n1 @; {& w3 ?
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h; x9 x( m3 x) r! |5 C: ]4 g9 w# R
(API Get entry point)" b! ~! k. ?; M
        - u6 A- F: J/ x* i5 u6 K

2 H1 w) Y# J6 X+ Z* ^1 h2 O    xor     di,di4 }8 O- K% l% f
    mov     es,di
( o: G- Q& `8 r6 y) Q" P: r    mov     ax, 1684h      
* z# y& s3 I3 f( H: m; w1 F2 ?    mov     bx, 0202h       ; VxD ID of winice
, ~9 {7 ]  u# C3 L( t8 W8 d5 x    int     2Fh* c* R* H, m& T9 M/ n% z- f
    mov     ax, es          ; ES:DI -&gt; VxD API entry point7 d9 Z5 u  t' j& E
    add     ax, di
7 x5 l) k3 {+ e8 {! a" V    test    ax,ax
( g+ ^5 l8 f2 n% y) x+ v; B% W    jnz     SoftICE_Detected
4 \8 a+ z) g. Z
; g. `  U* g2 \1 c0 X___________________________________________________________________________9 Y' Y' M$ c  a  U

3 y" u9 a* P8 u" B; z" a  RMethod 04
$ w& _* {& h, q6 ]; y=========  `# C8 J/ B5 H. N9 T

3 M  N9 e( T- j% y# V1 jMethod identical to the preceding one except that it seeks the ID of SoftICE
7 I) n3 b8 }* w+ [- l: X0 {GFX VxD.+ W8 P. @0 O! J  O

/ O4 [6 K2 {/ U, ^0 ?% M    xor     di,di- m$ g$ v4 _* l: s5 Z  Q% J$ ?# W
    mov     es,di
' P  C2 r# W5 |    mov     ax, 1684h         E# m. J8 X3 @
    mov     bx, 7a5Fh       ; VxD ID of SIWVID4 h+ L- r5 D4 y/ p
    int     2fh8 E7 H) f) u/ H1 O9 Z; e3 Q7 k
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
2 [4 L2 a2 ~+ d1 n0 M    add     ax, di
5 E1 P3 ^5 M6 P# A. E; s, L    test    ax,ax
8 x9 B3 l4 c/ u" b; o' l    jnz     SoftICE_Detected' w4 u. O9 M( i/ c

' @2 U) G- Z/ I1 Q2 W; J& K__________________________________________________________________________
, M% ?  h" N6 H* S, O, w9 y( ^) V' o
7 d. J$ K! ^; m: d8 d' y4 T3 ], [
$ Q$ m" Y4 D3 f- v- \Method 05' {# w# O- E1 P% @
=========4 {% ?3 `" Z( p% |7 L; n
0 n3 r" J! B! D! S$ Z4 U/ w) [/ g
Method seeking the 'magic number' 0F386h returned (in ax) by all system
- u/ S6 q6 u  `debugger. It calls the int 41h, function 4Fh.* b: A; E% A: u' n& X) h8 m
There are several alternatives.  
& S; ?3 V9 P- }/ [9 g4 b; Y
+ m. n+ `8 h1 r, Z, o3 _6 x4 P8 EThe following one is the simplest:% X. B/ R$ _* P- i7 a
5 Z3 o* Q* n2 y- N5 m
    mov     ax,4fh
5 n! O* A  R( C9 ^0 ]2 M, r    int     41h0 o, f( n0 R5 M- u5 H
    cmp     ax, 0F386
5 |" T$ H6 _' A' K) ~+ J* J* j. O    jz      SoftICE_detected
6 d% W4 e- u: }$ S& P. D9 u, O0 S1 ?2 z& S$ |6 `! F5 D
. g1 U" }" ~+ f1 |, I+ `( [% i) X
Next method as well as the following one are 2 examples from Stone's
) P  n5 \9 w1 h. S( m8 m"stn-wid.zip" (www.cracking.net):
3 x! r3 ~- O% y7 X# C* D8 `+ {, B3 z
    mov     bx, cs
, k8 B$ _  W" t. d# O; x) `: z    lea     dx, int41handler2
' N) l% N( V6 I2 C    xchg    dx, es:[41h*4]1 n% ]+ ~+ B+ I5 I5 L
    xchg    bx, es:[41h*4+2]' l+ H. e' F1 [3 {% \3 s1 D
    mov     ax,4fh
4 B0 `) E3 R. u7 G2 Q    int     41h( W- p8 [( l5 B0 i. u; t
    xchg    dx, es:[41h*4]* V+ u. Q+ W( b% i8 g* n
    xchg    bx, es:[41h*4+2]
. h# ]8 C' F5 g! h6 a/ r5 g1 C7 g    cmp     ax, 0f386h
8 t0 B! k/ k9 E' e. }1 l! ^    jz      SoftICE_detected+ U% C7 K. o6 b

$ y6 S, I- g& C8 Tint41handler2 PROC
6 r7 A- f0 u9 K8 a3 e    iret
" m; B6 b& O8 B3 _0 zint41handler2 ENDP
& p2 k  [8 k+ y+ W% {* j
" Y8 m9 d9 |: v7 Z
7 F) y, N8 L7 Z% f. B/ H_________________________________________________________________________* P& z9 Q  F) n) B: z7 L  ^4 [. Q

: n4 ]3 W2 F4 o& e! P/ z$ ?
/ v  Y) k% @5 w9 Q8 m0 LMethod 06
+ G: e3 Y" m' }=========/ N0 @: p( q2 X& ?* t4 X, I
- d( U$ @6 M  G

! f8 K* k& l% ^8 S2 S) K2nd method similar to the preceding one but more difficult to detect:2 X4 j) ]: `6 ~# ?8 m% y
& J1 [8 e% ]. @! I# |6 T% \
7 R5 t% O7 B7 F
int41handler PROC0 j7 R7 ]% S! O
    mov     cl,al; `) u& ]  a) [* h$ F! q4 `
    iret! J! w0 l# }- _  a
int41handler ENDP5 c, s- e% u3 m! Z

8 v1 C9 j% R) t) h! V- ~4 J0 {, R5 L* |2 x+ `; d
    xor     ax,ax7 @. M: ^  A  F( x' j. ]
    mov     es,ax8 h2 \/ Y! [8 N7 G
    mov     bx, cs
- i1 G3 p1 n) y% X" X9 R* ]. h    lea     dx, int41handler5 _0 N! _' t, s, l9 F# ?% K% ?8 ~
    xchg    dx, es:[41h*4]
+ m6 x+ s. q0 G, _$ J    xchg    bx, es:[41h*4+2]
- f) L' N) C$ X3 A- H    in      al, 40h
3 y) K1 {5 `" m5 F: x  q. r: [7 X9 D    xor     cx,cx
! d5 B+ v/ I" @8 t' E: P7 {    int     41h
3 b+ ?7 `4 g# q6 B    xchg    dx, es:[41h*4]
4 U' y: G' g( q$ b( @- j    xchg    bx, es:[41h*4+2]
# S- N' P, I" _, U    cmp     cl,al
2 w" o! k8 v% t# @, \* m    jnz     SoftICE_detected
8 Q8 b3 X# l; C* o4 `  C. a
6 q" j: G9 {1 f/ Y! m2 K. k_________________________________________________________________________
. y0 ?; u- Z# C& v
- b; x0 Y- i1 v( e* f9 w7 ^Method 07
0 ^& z3 R+ ^2 t8 |5 z# K4 T- Z" T=========
# \& {7 N7 ?6 p' E% P8 N  ~1 h% L8 A0 t4 b
Method of detection of the WinICE handler in the int68h (V86)4 u' J' X) i$ f
' o- b/ _* d' L; j2 V# x7 @
    mov     ah,43h5 I6 |( z# M! E0 }& f. y
    int     68h6 ]. f2 J) G0 ]4 Q& s- Z
    cmp     ax,0F386h
8 L$ T" v$ d! u" Y5 C: T: u, p" F    jz      SoftICE_Detected
: n/ ^6 P% M" `+ Z) A9 f+ }8 d4 V6 C/ ^, K- ~: z* u
$ I6 N* ?7 G* q7 |
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit- M6 U' }% m2 x- H0 R* B: O
   app like this:: f& H% p9 F$ [5 R% o& Z

# p4 q% N" {$ y( a; t* M1 u4 [   BPX exec_int if ax==68+ X# Q7 E) G& ?6 v
   (function called is located at byte ptr [ebp+1Dh] and client eip is
) @% W" d9 J0 F- d* i9 R$ [4 m( b   located at [ebp+48h] for 32Bit apps)2 `9 I8 d; M6 r0 q4 l: g
__________________________________________________________________________
7 Z1 M! d* @$ ]/ t5 b
  e( U/ j! W8 C( x+ G, g2 E3 ]! o
Method 08: T! R6 t7 `9 i6 c
=========9 p% K: p4 M2 ^& ]9 K+ W7 u6 p

6 u; T8 V7 f% L: \; ~It is not a method of detection of SoftICE but a possibility to crash the
# o! t1 [4 ~5 S8 L7 h8 _system by intercepting int 01h and int 03h and redirecting them to another; i/ x" x; C6 J+ O
routine.
- z9 e, V% W% J( Y2 H* m/ oIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
- Y1 F4 o  H- J4 {0 A* c* Yto the new routine to execute (hangs computer...)  ?) w; m9 J' z# H" m' t4 B% l2 U
0 I8 b. `- ]" a+ O8 k: f' ~/ z
    mov     ah, 25h
! c, C/ U; U* B5 U0 |    mov     al, Int_Number (01h or 03h)7 t2 Q& `' T/ C2 ]( [4 d
    mov     dx, offset New_Int_Routine' h- D: ]0 x4 X
    int     21h
( v3 F+ p3 m0 Q2 p8 N
+ C1 d5 ]' y9 v& C__________________________________________________________________________
. y# w4 [. p! s; \3 K. [% y( G. A, e* G) a& D! }
Method 09
) [3 M' U' G' |! B5 O. r' ~=========, T+ z2 d' W; y6 }; v6 b* T
2 w9 B0 d* n, @0 ]! @
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
7 B) g% Z4 H5 [5 P+ N* `! W& iperformed in ring0 (VxD or a ring3 app using the VxdCall).
; F- ^$ ~" D: u1 K4 DThe Get_DDB service is used to determine whether or not a VxD is installed
. W* b! z8 J& h5 o* Hfor the specified device and returns a Device Description Block (in ecx) for/ G, l2 B8 N/ r5 t- p0 d
that device if it is installed.' ~1 T8 |$ u( ]2 f0 {

/ N# w* \5 l9 j8 }4 ?2 R   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 p: P3 h* ^& H# i4 j2 p4 V- Y   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
  m8 O0 {; f: i   VMMCall Get_DDB
6 l1 v4 X4 F' }0 d   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed/ g6 m* G( `2 ~/ K! j: t: Z# J" F: Q
# Y7 t: T+ @2 s0 j
Note as well that you can easily detect this method with SoftICE:
2 v/ e' ^6 {# T7 l   bpx Get_DDB if ax==0202 || ax==7a5fh/ X/ p8 A+ Y) s- K3 G) X
* K  j$ c+ L7 y7 w
__________________________________________________________________________
1 n) P/ K' N3 ]% R! h6 H+ D
5 \( ~) N. k- l0 `! {& EMethod 10( t* U. Z: J* G# n# e7 Q" Y& U' Q
=========
' N  A3 I: S: C% q
9 f! C! c' Y6 R* ~! b=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
$ R( a# M# L9 R  SoftICE while the option is enable!!
  U: L! @- Z! H) c. y& ^5 c3 S& P' B6 j9 k' `; `* x# `
This trick is very efficient:3 h: a, q5 M5 g# t
by checking the Debug Registers, you can detect if SoftICE is loaded
6 M( ^7 j$ _! k(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
* ~; J9 j+ Q  ~  D  Uthere are some memory breakpoints set (dr0 to dr3) simply by reading their+ H) z$ f6 w. m; |. l; g9 y
value (in ring0 only). Values can be manipulated and or changed as well: O# q5 r' X. H2 k+ f; K
(clearing BPMs for instance)
, t* ]3 T6 [6 ^& u+ O4 g, j6 [: ^  {$ s) A; R
__________________________________________________________________________/ _( i+ o+ u$ X

( X5 B5 K- C& p; I( j" N! @% `Method 11
3 W- \$ r- ]/ }% d4 R1 C=========/ [0 {6 o; _, X3 A' X9 r7 f1 U

7 t6 P7 J: x2 V: w" F, YThis method is most known as 'MeltICE' because it has been freely distributed/ I- s5 w3 {) U& t$ L* \( w
via www.winfiles.com. However it was first used by NuMega people to allow
9 I) O6 \0 v7 f$ K7 tSymbol Loader to check if SoftICE was active or not (the code is located
) J6 I* t$ i- b9 d# j! R$ Dinside nmtrans.dll)., S5 @" }2 m) o: [9 d8 q

- U) e# N, F1 E, T) d2 A5 ZThe way it works is very simple:
. k% M' t2 l" B9 oIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ ~4 r4 ^+ P: U/ e/ RWinNT) with the CreateFileA API./ o4 o* W: D( X3 G
# U/ X9 w. A; ~5 ]+ q
Here is a sample (checking for 'SICE'):3 U' ~. ^0 T, E. Y; l+ f6 g9 ?
8 N. B" P  I$ w# j' X
BOOL IsSoftIce95Loaded()$ M9 W$ b. i% R" U, p& ?
{
/ I  H1 d3 S# R' W8 j, n: A2 V   HANDLE hFile;  ) V1 o2 I; J1 q, ^) u1 t
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ W5 P: W9 T$ ], L2 V
                      FILE_SHARE_READ | FILE_SHARE_WRITE,$ s% h' @6 q: k: V
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
* t3 E5 b0 n# J4 d   if( hFile != INVALID_HANDLE_VALUE )
5 {8 O% f& t" R) {: |0 v6 j   {, d4 E# g0 X" @% `6 e1 l  V
      CloseHandle(hFile);( ^/ e2 X/ ^, M. a
      return TRUE;" T3 h2 q) h8 ?- }7 W- N
   }
5 k6 ?4 {$ Z. z' @4 z6 ^5 Y   return FALSE;
5 V% c% E7 ~( Y! u  d) n+ P}) \/ j6 p* K! h  Y0 g0 O7 R

2 ~! H5 l% o) Q7 R# c! ~$ \Although this trick calls the CreateFileA function, don't even expect to be
& T1 B7 g7 p: R& {% U# {3 lable to intercept it by installing a IFS hook: it will not work, no way!
, o/ C' p4 r+ ~+ }8 k; GIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ U6 C$ J6 d, e& L4 Q6 n3 Fservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 z3 B) m- D1 {8 w2 n
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
; _$ J/ o8 {' T3 h! B( J- `field.
( i3 J  z3 n. ^/ p0 y) N# y, E$ G7 cIn fact, its purpose is not to load/unload VxDs but only to send a
7 a6 c4 h( w0 o4 ]% n3 W) V, F$ WW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
0 g9 A* B3 r5 A0 Z7 pto the VxD Control_Dispatch proc (how the hell a shareware soft could try, e! h( i$ E! i
to load/unload a non-dynamically loadable driver such as SoftICE ;-).: Q( ]! A* F- s  N6 ?
If the VxD is loaded, it will always clear eax and the Carry flag to allow/ e5 q! b/ g, \4 w. X5 H' l
its handle to be opened and then, will be detected./ w6 W) [3 r: }" T
You can check that simply by hooking Winice.exe control proc entry point& K4 o- o" q4 g& g( a( B
while running MeltICE.
! |: [  v4 g5 Z) D
% k7 a) c' d9 P$ P$ T6 k4 b4 V) L5 J# M& T4 x% W
  00401067:  push      00402025    ; \\.\SICE
" ?% |% w+ q; b# U  0040106C:  call      CreateFileA, ], |8 m9 ?4 b( q8 i
  00401071:  cmp       eax,-001
# k7 O% ^( i' X: j/ {  00401074:  je        00401091; \2 ~2 k0 |/ e0 P

$ F' L; l; m% Z& |# N0 u* o; R5 X& E  s5 s$ [+ |( d
There could be hundreds of BPX you could use to detect this trick.
+ J+ R2 h: C4 e' N5 k+ _1 l-The most classical one is:
0 M  K! K3 A9 ]2 ^" L1 y0 }  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
: ^' S- x; @) w    *(esp-&gt;4+4)=='NTIC'
: ~% z# Y9 m  |
0 @* V% w+ {) m$ h4 S; _: ~-The most exotic ones (could be very slooooow :-(0 x: s7 {) a- y. D
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
% @) j' y( b1 F4 p     ;will break 3 times :-(
. P' `# Z+ z- k! D% [3 {, i
! M7 x, S( z& ]! h  A-or (a bit) faster:
9 K' `. S$ u& S9 _# d   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')! V8 ]0 G: I, ]7 C0 I+ g0 R; @

$ V0 g7 J+ s1 r4 R/ e8 o   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  $ R# @4 {2 i' [/ j3 ]
     ;will break 3 times :-(' o- ^  r3 o2 _

6 A8 J7 T: G8 n( W3 D9 y, \-Much faster:
$ I4 f4 o$ w0 G) C   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'( e' Q  C1 F% ~* @
. I0 q6 \, X9 I* Y
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen) }1 s. f0 q$ r7 v" W; \3 ]
function to do the same job:' n& ]* l- P+ Y, G+ j

; {4 @0 K) t- J/ [! \% W   push    00                        ; OF_READ
; X( h! ]8 M# m3 _. e3 H   mov     eax,[00656634]            ; '\\.\SICE',0
$ C7 z0 s( M) {/ ?/ B+ c# \0 _$ N8 O( \1 V   push    eax
9 P, U+ ]6 L, u9 l" D   call    KERNEL32!_lopen) ]/ m4 x, `9 E3 P$ V5 {* h2 V2 P
   inc     eax0 [) r5 g2 M9 S0 b7 }" g' F3 }) b
   jnz     00650589                  ; detected! Q6 [2 j) b+ g6 T9 q6 k
   push    00                        ; OF_READ
3 F& S8 N4 x4 w, Y) B2 n   mov     eax,[00656638]            ; '\\.\SICE'$ K3 C! Z. N6 }' J+ g, b2 e; u$ F
   push    eax
: D! ?9 z! r# [) G0 l   call    KERNEL32!_lopen
2 h. ^  g* Q/ D* h$ T8 b   inc     eax
, D6 l/ ^  q, t' K& o5 J7 @& y   jz      006505ae                  ; not detected
! w5 c) h$ D6 T7 Y8 d9 ^0 r4 h, N& Q  R2 F* W. B5 A
8 X$ l3 M+ x) t( [/ z! Z6 ^4 q
__________________________________________________________________________5 [- O7 e' y1 {6 d- K( L
, d" _# ^# T" y! ?& ?! C3 w
Method 12
& t8 \; O" L) c8 p( {7 L=========0 b1 x5 K# i. r  L8 L; T9 G4 L
" @) I5 J! u& G
This trick is similar to int41h/4fh Debugger installation check (code 05
2 Z3 c# B2 i# V0 x4 w8 @7 ?" @&amp; 06) but very limited because it's only available for Win95/98 (not NT)" c7 Y8 z6 |/ e( G4 s- {5 T0 l4 t
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.% M, \+ ^; v8 U3 [& ^1 M! f: }

% H  U3 f- l" Z   push  0000004fh         ; function 4fh( ]) o3 S. B: M) M
   push  002a002ah         ; high word specifies which VxD (VWIN32)
# C, [; y; O' P: T                           ; low word specifies which service
' T# H7 Q8 Y0 m; B( t$ r                             (VWIN32_Int41Dispatch)
, u+ P& a& N: V6 C1 k% G7 x( z   call  Kernel32!ORD_001  ; VxdCall# C$ [+ W9 R2 q$ L9 l
   cmp   ax, 0f386h        ; magic number returned by system debuggers
- C5 O. y2 r" i/ K8 S   jz    SoftICE_detected
/ G* P* N6 ~- d: H+ ~- ^. {1 h& F
3 y7 Y+ h  V4 a" I, FHere again, several ways to detect it:# Z; F' K0 e; L6 s0 y
: o$ r+ }5 V: [9 b5 y
    BPINT 41 if ax==4f1 f+ p, z6 T' y
: A$ [' T" R/ e) ?1 R$ b
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one- S( g" ]6 w; Y

' X, P- o2 D6 J2 J6 \8 ^    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A4 F2 ~2 u" M9 J+ U1 q! {
* e/ Y6 b8 J- L: M' ?5 U) Y
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
" I/ n" o7 j6 H
1 P( @5 n3 r- P1 V; e+ Y6 O__________________________________________________________________________1 `3 C% _5 v$ H7 `/ A& J6 B  f  ^
% C% Y. o5 Y+ B! p: r0 t
Method 13
# p- p1 K; R# o. e! E; S=========
2 r4 [5 X; c, ?7 n4 Q; R0 j$ Z$ r0 f( h# A9 t
Not a real method of detection, but a good way to know if SoftICE is
4 p( t* A+ j. ?( I# v2 Rinstalled on a computer and to locate its installation directory.9 I9 R. H/ [5 h8 o" a* {
It is used by few softs which access the following registry keys (usually #2) :
' m2 Q1 G- s  C; s# z' `9 E9 C, i4 ]4 T; U- T! E+ P' O
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion$ P$ ?, P9 [: S4 Q" s2 A
\Uninstall\SoftICE
% h+ G& B+ e( ]3 N2 F-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE( F6 r3 }; }9 g+ y8 G  v! e8 U
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
4 U! d% q' @' [( }\App Paths\Loader32.Exe8 l6 T2 U7 B( H
) c- \, r( V# v  f7 [* M
0 N, C. @1 ^2 S- ]
Note that some nasty apps could then erase all files from SoftICE directory+ D9 ]& |' @0 I  j8 h
(I faced that once :-(  _! b+ ~8 P  E  Z6 P

" A. [& |3 M) [4 ]0 fUseful breakpoint to detect it:7 ^& x4 N* H  c

/ M4 Y+ [, X' L& J     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'' l  T4 @5 S4 |# W9 j& q
0 L$ @% g' n3 o1 B
__________________________________________________________________________
& ~) C& R: W: _8 @/ m/ N2 w, `  \( `3 M0 G, d  e! }/ U- o8 H

8 D9 D, `( O' F& c- WMethod 14 & b/ Y" w. g# _7 i3 W9 D
=========
5 ^# T* W0 V' R3 I5 ~7 l) l
8 d! v1 T. k6 s1 S) o1 PA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
# G  v/ E9 m# O3 pis to determines whether a debugger is running on your system (ring0 only).2 d* B7 g* {5 C; \0 g; ~) L. r: T

% J2 Z9 q7 L  ]   VMMCall Test_Debug_Installed
9 q: S! }  [  W6 U6 f7 s8 Q   je      not_installed: A; n& w# m7 M& l( A
  v; T1 Q3 E. k) R, S
This service just checks a flag.
, \/ b7 s8 c* e4 u4 G% g</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 05:38

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表