About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h


__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091



There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(


-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:


   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-()

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

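When triaging a packed or protected binary, an analyst usually wants to know which of the tricks above it carries before running it under a debugger. The scanner below, an added example that is not part of the original article, looks for the instruction sequences of Methods 01 to 07 and 12 and the driver and registry strings of Methods 11 and 13; the byte encodings are my own assumptions about how those sequences appear in 16-bit code (immediates little-endian), and the sample buffer is constructed by hand.

```python
"""Scan a binary blob for the anti-SoftICE signatures described in Methods 01-13."""
import re

# Byte-level signatures (assumed encodings of the instruction sequences quoted in
# the text, 16-bit operand forms for the DOS-era ones; immediates are little-endian).
# (?s) lets '.' match any byte so a few instructions may sit between the anchors.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' + int 3",
     rb"(?s)\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),               # mov ebp,4243484Bh ... int 3
    ("M02 SoftICE back door SI=4647h/DI=4A4Dh",
     rb"(?s)\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),               # mov si,4647h ... mov di,4A4Dh
    ("M03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     rb"(?s)\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("M05/06 int 41h function 4Fh",
     rb"(?s)\xB8\x4F\x00.{0,16}?\xCD\x41"),                  # mov ax,4Fh ... int 41h
    ("M07 int 68h function 43h",
     rb"(?s)\xB4\x43.{0,8}?\xCD\x68"),                       # mov ah,43h ... int 68h
    ("M12 VxDCall VWIN32_Int41Dispatch",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                      # push 4Fh ; push 002A002Ah
    ("M11 MeltICE driver name",
     rb"(?i)\\\\\.\\(?:SICE|SIWVID|NTICE)"),                 # \\.\SICE and friends
    ("M13 SoftICE registry key",
     rb"(?i)NuMega\\SoftICE|Uninstall\\SoftICE|Loader32\.Exe"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(blob):
    """Return [(method, offset, matched bytes)] for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in COMPILED:
        for m in pattern.finditer(blob):
            hits.append((name, m.start(), m.group(0)))
    return sorted(hits, key=lambda h: h[1])


def detected_methods(blob):
    """Distinct method labels found in the blob, in order of first appearance."""
    seen = []
    for name, _, _ in scan(blob):
        if name not in seen:
            seen.append(name)
    return seen


# Constructed sample: a few of the sequences above hand-assembled into one buffer.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"   # Method 01
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"       # Method 02
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"               # Method 03
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"               # Method 05
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"                                # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                  # Method 13
)

if __name__ == "__main__":
    for name, off, raw in scan(SAMPLE):
        print(f"{off:#06x}  {name:52}  {raw.hex(' ')}")
```

Run it against a real sample with `scan(open(path, "rb").read())`; a hit is a lead for a breakpoint like the ones listed above, not proof on its own, since the same bytes can occur by chance in data.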
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.