About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE,

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker interface request
    cmp     al,4                   ; AL still 4 -> nobody answered the request
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is passed in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES is assumed to be 0 (IVT segment), as set up in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector (offset)
    xchg    bx, es:[41h*4+2]        ; (segment)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if the int 41h reached our vector
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; arbitrary value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL == AL only if our handler was called
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

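A small decoder for the debug-register values this method reads, added here as an example that is not part of the original post. It splits DR7 into the bit fields documented by Intel so the two constants quoted above can be read: 0x400 is just the always-set reserved bit 10 with nothing enabled, and 0x700 additionally has the LE and GE bits (8 and 9) set. classify() applies the rule from the text plus a check of the L/G enable bits for armed DR0..DR3 breakpoints (the BPMs). The register values passed in are constructed; nothing is read from real hardware, and the function and field names are this example's own.

```python
"""DR7 decoder for the debug-register check described in Method 10.

Added example, not part of the original post.  The field layout follows the
Intel SDM description of DR7; the 0x700 / 0x400 interpretation is the rule
stated in the text above.  All register values below are constructed.
"""
from typing import Dict, List, Sequence

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its fields: per-slot L/G enable, R/W type and length,
    plus the LE, GE, reserved and GD flags."""
    slots: List[Dict[str, object]] = []
    for i in range(4):
        slots.append({
            "local": bool((dr7 >> (2 * i)) & 1),          # Li: bits 0,2,4,6
            "global": bool((dr7 >> (2 * i + 1)) & 1),     # Gi: bits 1,3,5,7
            "rw": RW_NAMES[(dr7 >> (16 + 4 * i)) & 3],    # R/Wi: bits 16+4i..17+4i
            "len": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],  # LENi: bits 18+4i..19+4i
        })
    return {
        "slots": slots,
        "le": bool((dr7 >> 8) & 1),               # local exact breakpoint enable
        "ge": bool((dr7 >> 9) & 1),               # global exact breakpoint enable
        "reserved_bit10": bool((dr7 >> 10) & 1),  # always reads as 1 -> the 0x400
        "gd": bool((dr7 >> 13) & 1),              # general detect: traps MOV to/from DRn
    }


def active_breakpoints(dr0_3: Sequence[int], dr7: int) -> List[str]:
    """Describe every slot whose local or global enable bit is set, i.e. the
    hardware breakpoints a debugger has armed (SoftICE's BPMs)."""
    out: List[str] = []
    for i, slot in enumerate(decode_dr7(dr7)["slots"]):
        if slot["local"] or slot["global"]:
            out.append(f"DR{i}: {slot['rw']} len={slot['len']} at {dr0_3[i]:#010x}")
    return out


def classify(dr0_3: Sequence[int], dr7: int) -> str:
    """Apply the rule from the text: an armed DR0-DR3 slot means a breakpoint
    is set, LE+GE on top of the reserved bit (0x700) means the program was
    started by the SoftICE loader, and 0x400 alone is the clean value."""
    if active_breakpoints(dr0_3, dr7):
        return "breakpoint-armed"
    fields = decode_dr7(dr7)
    if fields["le"] and fields["ge"]:
        return "softice-loader"
    return "clean"


if __name__ == "__main__":
    # Constructed: DR0 holds a 4-byte write breakpoint at 0x00401000 with the
    # local enable bit set: 0x400 | L0 (bit 0) | RW0=01b (bit 16) | LEN0=11b
    # (bits 18-19) = 0xD0401.
    regs = [0x401000, 0, 0, 0]
    for name, dr7 in (("loader", 0x700), ("clean", 0x400), ("bpm", 0xD0401)):
        print(f"{name:7} dr7={dr7:#x}: {classify(regs, dr7)} {active_breakpoints(regs, dr7)}")
```

Reading the registers themselves requires ring 0 (MOV from DRn faults in ring 3), which is why the text restricts the trick to ring 0; the decoder above only interprets values already obtained.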
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the \\.\SICE device only succeeds if the SoftICE VxD answers */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2) :

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>