About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is left untouched when no debugger answers
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if no such VxD is loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax            ; es = 0 so es:[41h*4] is the int 41h IVT entry (set up as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]   ; install the dummy handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]   ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h       ; the dummy handler leaves ax alone, so 0F386h can only come from SoftICE
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; copies al into cl only if our handler actually runs
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = timer value, unpredictable
    xor     cx,cx           ; cl = 0
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al means SoftICE swallowed the int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                   ; DOS set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
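As an added example (not from the original post), here is a small Python decoder for the DR7 values quoted in method 10. The field layout is the documented x86 DR7 layout; the function and flag names are mine. It shows why 0x400 is what an untouched DR7 reads (bit 10 is reserved and always reads as 1), what 0x700 adds (the LE and GE exact-breakpoint enables, bits 8 and 9), and which of DR0 to DR3 are armed, i.e. exactly the information a ring0 check of this kind reads, plus the "clear the BPMs" manipulation the method mentions.

```python
"""Decoder for x86 DR7 (debug control register) values.

Added example, not part of the original post.  The field layout is the
documented x86 DR7 layout; the value and flag names below are my own.
  bits 0..7    L0,G0 .. L3,G3 : local/global enable for DR0..DR3
  bit  8       LE             : local exact breakpoint enable
  bit  9       GE             : global exact breakpoint enable
  bit  10      reserved, always reads as 1 (hence a clean DR7 reads 0x400)
  bit  13      GD             : general detect (fault on any access to a DRx)
  bits 16..31  R/W0,LEN0 .. R/W3,LEN3 : condition and length per register
"""
from typing import Dict, List, Tuple

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

DR7_CLEAN = 0x400            # value the page reports when SoftICE loader was not used
DR7_SOFTICE_LOADER = 0x700   # value the page reports after loading via SoftICE loader


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split a DR7 value into its fields."""
    enabled: List[int] = []
    slots: Dict[int, Tuple[str, int]] = {}
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            enabled.append(i)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots[i] = (RW_NAMES[rw], LEN_BYTES[ln])
    return {
        "enabled": enabled,
        "slots": slots,
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "reserved_bit10": bool(dr7 & (1 << 10)),
        "gd": bool(dr7 & (1 << 13)),
    }


def loader_signature(dr7: int) -> bool:
    """True when LE and GE are both set: the 0x300 that turns 0x400 into 0x700."""
    return (dr7 & 0x300) == 0x300


def debugger_indicators(dr7: int) -> List[str]:
    """What a method 10 style ring0 check would conclude from this DR7 value."""
    d = decode_dr7(dr7)
    out: List[str] = []
    if loader_signature(dr7):
        out.append("softice-loader")          # the 0x700 case described on the page
    for i in d["enabled"]:
        rw, ln = d["slots"][i]
        out.append(f"dr{i}-armed:{rw}:{ln}")  # a BPM set in DR0..DR3
    if d["gd"]:
        out.append("general-detect")          # a debugger guarding the DRx themselves
    return out


def clear_breakpoints(dr7: int) -> int:
    """DR7 with every DR0..DR3 enable bit dropped ('clearing BPMs' as the page
    puts it); R/W and LEN fields are left alone, the CPU ignores them once
    the enable bits are clear."""
    return dr7 & ~0xFF


if __name__ == "__main__":
    # 0xD0401: DR0 locally enabled, R/W0 = write, LEN0 = 4 bytes (a constructed value)
    for v in (DR7_CLEAN, DR7_SOFTICE_LOADER, 0xD0401):
        print(hex(v), debugger_indicators(v))
```

The 0xD0401 value used in the demo is constructed to look like one memory write breakpoint on DR0: L0 set in bit 0, R/W0 = 01 (write) in bits 16-17 and LEN0 = 11 (4 bytes) in bits 18-19, on top of the always-set bit 10.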

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the device opened: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
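Added example, not code from the original post or from any tool it names: a Python scanner that looks through a raw binary for the constants and strings the post quotes (methods 01, 02, 03/04/09, 05/07/12, 11, 12 and 13), the way a triage script would flag a sample that still carries these anti-SoftICE checks. The opcode bytes placed in front of the immediates (B8+r for mov r16,imm16, BD for mov ebp,imm32, 3D for cmp ax,imm16, 68 for push imm32) are standard x86 encodings and are my assumption about how the quoted assembly assembles; the sample buffer is constructed, not a real program. Since three-byte patterns match by chance in large files, the method 02 check additionally requires the two magic values to sit close together, as the post says they always do.

```python
"""Static scan of a raw binary for the anti-SoftICE fingerprints quoted in the post.

Added example, not code from the original post.  Patterns are the immediates,
device names and registry keys the post lists; the opcode bytes in front of the
immediates are my assumption about how the quoted assembly encodes (B8+r for
mov r16,imm16, BD for mov ebp,imm32, 3D for cmp ax,imm16, 68 for push imm32).
A 66h operand-size prefix in 32-bit code leaves these byte sequences intact.
"""
import struct
import sys
from typing import List, Tuple

Signature = Tuple[bytes, str, str]   # (pattern, method number on the page, description)
Hit = Tuple[int, str, str]           # (offset, method, description)

SI_MAGIC = b"\xBE" + struct.pack("<H", 0x4647)   # mov si,4647h
DI_MAGIC = b"\xBF" + struct.pack("<H", 0x4A4D)   # mov di,4A4Dh

SIGNATURES: List[Signature] = [
    (b"\xBD" + struct.pack("<I", 0x4243484B), "01", "mov ebp,'BCHK' (BoundsChecker int 3 interface)"),
    (SI_MAGIC, "02", "mov si,4647h (back door magic value #1)"),
    (DI_MAGIC, "02", "mov di,4A4Dh (back door magic value #2)"),
    (b"\xBB" + struct.pack("<H", 0x0202), "03/09", "mov bx,0202h (SICE VxD ID)"),
    (b"\xBB" + struct.pack("<H", 0x7A5F), "04/09", "mov bx,7A5Fh (SIWVID VxD ID)"),
    (b"\x3D" + struct.pack("<H", 0xF386), "05/07/12", "cmp ax,0F386h (system debugger magic number)"),
    (b"\x68" + struct.pack("<I", 0x002A002A), "12", "push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)"),
    (b"\\\\.\\SICE", "11", "device name \\\\.\\SICE (MeltICE)"),
    (b"\\\\.\\SIWVID", "11", "device name \\\\.\\SIWVID (MeltICE)"),
    (b"\\\\.\\NTICE", "11", "device name \\\\.\\NTICE (MeltICE, WinNT)"),
    (b"Software\\NuMega\\SoftICE", "13", "registry key HKLM\\Software\\NuMega\\SoftICE"),
    (b"Uninstall\\SoftICE", "13", "registry key ...\\Uninstall\\SoftICE"),
    (b"App Paths\\Loader32.Exe", "13", "registry key ...\\App Paths\\Loader32.Exe"),
]


def scan(buf: bytes) -> List[Hit]:
    """Every occurrence of every signature, sorted by offset."""
    hits: List[Hit] = []
    for pattern, method, desc in SIGNATURES:
        off = buf.find(pattern)
        while off >= 0:
            hits.append((off, method, desc))
            off = buf.find(pattern, off + 1)
    hits.sort()
    return hits


def methods_found(buf: bytes) -> List[str]:
    """Distinct method numbers whose fingerprint is present."""
    return sorted({method for _, method, _ in scan(buf)})


def paired_backdoor(buf: bytes, window: int = 16) -> List[int]:
    """Offsets of mov si,4647h followed within `window` bytes by mov di,4A4Dh.
    Requiring the pair (the post says both always appear together) keeps a
    stray three-byte match in a large file from being reported as method 02."""
    found: List[int] = []
    off = buf.find(SI_MAGIC)
    while off >= 0:
        after = off + len(SI_MAGIC)
        if buf.find(DI_MAGIC, after, after + window) >= 0:
            found.append(off)
        off = buf.find(SI_MAGIC, off + 1)
    return found


def build_sample() -> bytes:
    """Constructed buffer (not a real program) with method 01, 02, 05 and 11 fingerprints."""
    filler = b"\x90" * 16
    return (filler
            + b"\xBD\x4B\x48\x43\x42"          # mov ebp,4243484Bh  ('BCHK')      at offset 16
            + b"\x66\xB8\x04\x00\xCC"           # mov ax,4 / int 3
            + filler
            + SI_MAGIC + DI_MAGIC + b"\xCC"     # mov si,4647h / mov di,4A4Dh / int 3  at 42
            + filler
            + b"\\\\.\\SICE\x00"                # MeltICE device name              at 65
            + filler
            + b"\x66\x3D\x86\xF3")              # cmp ax,0F386h (66h prefix, 32-bit code) at 90


def report(buf: bytes) -> List[str]:
    """One printable line per hit."""
    return [f"{off:08x}  method {method:<8} {desc}" for off, method, desc in scan(buf)]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in report(data):
        print(line)
    print("paired back door calls at:", [hex(o) for o in paired_backdoor(data)])
```

Run it with a file path to scan that file, or with no arguments to scan the constructed sample. The two-byte VxD ID immediates (methods 03/04/09) are the weakest patterns here and are worth confirming by hand in a disassembler before trusting a hit.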