About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; al is no longer 4 if SoftICE answered
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a much-used method (perhaps the most frequent one). It is used
to reach SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less-used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax          ; ES:DI stays 0:0 when the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler (es must address the IVT)
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl, al
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value read from the timer
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al                  ; cl == al only if our own handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or whether
there are memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs, for instance).


__________________________________________________________________________
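As an added illustration of what such a ring0 check actually reads (this is not code from the original text), the decoder below splits a DR7 value into its fields and shows why 0x400 is the idle value (reserved bit 10 always reads as 1), what 0x700 adds (LE and GE), and how an enabled BPM on dr0 shows up. The sample values are constructed; the bit layout is the Intel one, and reading DR7 itself needs ring0 and is not attempted here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of DR7 (bit layout per the Intel SDM, assumed here). */
typedef struct {
    int local[4], global[4];   /* Ln / Gn: breakpoint n enabled for this task / globally */
    int rw[4], len[4];         /* R/Wn: 0=exec 1=write 3=read/write ; LENn: 0=1 1=2 3=4 bytes */
    int le, ge, gd;            /* bit 8 LE, bit 9 GE (exact breakpoints), bit 13 GD */
    int bit10;                 /* reserved bit 10, always reads as 1 (hence the 0x400) */
} Dr7;

Dr7 decode_dr7(uint32_t dr7)
{
    Dr7 d = {0};
    for (int i = 0; i < 4; i++) {
        d.local[i]  = (dr7 >> (2 * i)) & 1;
        d.global[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]     = (dr7 >> (16 + 4 * i)) & 3;
        d.len[i]    = (dr7 >> (18 + 4 * i)) & 3;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.bit10 = (dr7 >> 10) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* Number of hardware breakpoints (dr0..dr3) enabled locally or globally. */
int dr7_active_breakpoints(uint32_t dr7)
{
    Dr7 d = decode_dr7(dr7);
    int n = 0;
    for (int i = 0; i < 4; i++) n += (d.local[i] || d.global[i]);
    return n;
}

/* What a ring0 check like the one described above would conclude from DR7. */
const char *dr7_verdict(uint32_t dr7)
{
    Dr7 d = decode_dr7(dr7);
    if (dr7_active_breakpoints(dr7) > 0) return "hardware breakpoint (BPM) set";
    if (d.le && d.ge) return "LE+GE set (the 0x700 the text reports with SoftICE Loader)";
    return "idle: only the reserved bit (0x400)";
}

int main(void)
{
    /* Constructed values: the two quoted in the text, plus a BPMB RW on dr0 (G0, R/W0=3, LEN0=0). */
    uint32_t samples[] = { 0x400, 0x700, 0x400 | 0x2 | (3u << 16) };
    for (int i = 0; i < 3; i++)
        printf("dr7=%#07x: %d bp(s), %s\n", (unsigned)samples[i],
               dr7_active_breakpoints(samples[i]), dr7_verdict(samples[i]));
    return 0;
}
```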

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
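Added example, not from the original text: the predicate behind the 'classical' BPX condition above, where esp->4 is CreateFileA's lpFileName and +4 skips the \\.\ prefix, so one 4-byte compare catches SICE, SIWVID and NTICE alike; the same test serves the _lopen variant. The trace of open calls is constructed, as a hook or sandbox would record them.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 4 bytes after "\\.\" that the text's breakpoint compares; "SIWV" and
   "NTIC" are the first four characters of SIWVID and NTICE. */
static const char *const SOFTICE_TAGS[] = { "SICE", "SIWV", "NTIC" };

/* Mirrors *(esp->4+4)=='SICE' || ... : returns the tag index (0..2) when path
   is a "\\.\<SoftICE driver>" open request, -1 otherwise. */
int softice_probe_tag(const char *path)
{
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0) return -1;  /* no device prefix */
    if (strlen(path + 4) < 4) return -1;                                /* too short to hold a tag */
    for (int i = 0; i < 3; i++)
        if (memcmp(path + 4, SOFTICE_TAGS[i], 4) == 0) return i;        /* byte compare, like the BPX */
    return -1;
}

typedef struct { const char *api; const char *path; } OpenCall;

/* Constructed trace of first arguments to CreateFileA / _lopen as a hook would log them. */
static const OpenCall TRACE[] = {
    { "CreateFileA", "C:\\WINDOWS\\SYSTEM\\VMM32.VXD" },
    { "CreateFileA", "\\\\.\\SICE" },
    { "_lopen",      "\\\\.\\SIWVID" },
    { "CreateFileA", "\\\\.\\PhysicalDrive0" },
    { "CreateFileA", "\\\\.\\NTICE" },
};
#define TRACE_LEN (sizeof TRACE / sizeof TRACE[0])

/* Number of MeltICE-style driver probes in a trace of open calls. */
int count_probes(const OpenCall *calls, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (softice_probe_tag(calls[i].path) >= 0) hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < TRACE_LEN; i++)
        printf("%-12s %-32s %s\n", TRACE[i].api, TRACE[i].path,
               softice_probe_tag(TRACE[i].path) >= 0 ? "SoftICE driver probe" : "-");
    printf("%d probe(s)\n", count_probes(TRACE, TRACE_LEN));
    return 0;
}
```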

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
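A static scanner for the instruction sequences quoted in Methods 01 to 07 and 12, added here as an analyst's aid; it is not code from the original text. The byte patterns are the standard x86 encodings of the snippets above (16-bit code for the DOS tricks, 32-bit for the two pushes of Method 12), and the sample buffer is constructed; a real binary would be read from disk instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* One signature = the x86 byte encoding of an instruction sequence quoted in the
   text (16-bit code for the DOS tricks, 32-bit code for the Method 12 pushes). */
typedef struct { const char *what; const uint8_t *pat; size_t len; } Sig;

static const uint8_t S01[] = {0xBD,0x4B,0x48,0x43,0x42};                /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t S02[] = {0xBE,0x47,0x46,0xBF,0x4D,0x4A};           /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t S03[] = {0xB8,0x84,0x16,0xBB,0x02,0x02,0xCD,0x2F}; /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const uint8_t S04[] = {0xB8,0x84,0x16,0xBB,0x5F,0x7A,0xCD,0x2F}; /* same with bx=7A5Fh (SIWVID) */
static const uint8_t S05[] = {0xB8,0x4F,0x00,0xCD,0x41};                /* mov ax,4Fh ; int 41h */
static const uint8_t S07[] = {0xB4,0x43,0xCD,0x68};                     /* mov ah,43h ; int 68h */
static const uint8_t S12[] = {0x68,0x4F,0x00,0x00,0x00,0x68,0x2A,0x00,0x2A,0x00}; /* push 4Fh ; push 2A002Ah */

#define SIG(n, a) { n, a, sizeof a }
static const Sig SIGS[] = {
    SIG("Method 01: BoundsChecker 'BCHK' int 3 probe", S01),
    SIG("Method 02: int 3 back door with magic SI/DI", S02),
    SIG("Method 03: int 2Fh/1684h for VxD 0202h (SICE)", S03),
    SIG("Method 04: int 2Fh/1684h for VxD 7A5Fh (SIWVID)", S04),
    SIG("Method 05: int 41h/4Fh magic-number check", S05),
    SIG("Method 07: int 68h/43h V86 handler check", S07),
    SIG("Method 12: VxDCall VWIN32_Int41Dispatch with 4Fh", S12),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])
typedef struct { size_t offset; const char *what; } Hit;
/* Scan buf[0..n): stores up to max_hits hits in offset order, returns the total found. */
size_t scan_antisice(const uint8_t *buf, size_t n, Hit *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t s = 0; s < NSIGS; s++)
            if (i + SIGS[s].len <= n && memcmp(buf + i, SIGS[s].pat, SIGS[s].len) == 0) {
                if (count < max_hits) { hits[count].offset = i; hits[count].what = SIGS[s].what; }
                count++;
            }
    return count;
}

/* Constructed sample (not bytes from any real file): filler, a Haspinst-style
   back-door call, an int 41h probe and a BCHK probe. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0xB8, 0x11, 0x09, 0x8B, 0x17,                   /* nops ; mov ax,0911h ; mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCD, 0x03, 0x90,       /* magic SI/DI ; int 3 ; nop   (hit at 7) */
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,             /* mov ax,4Fh ; int 41h ; cmp   (hit at 16) */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, /* 'BCHK' ; mov ax,4 ; int 3   (hit at 24) */
};

/* i-th hit in SAMPLE, or an offset of (size_t)-1 when i is out of range. */
Hit sample_hit(size_t i)
{
    Hit hits[16], none = { (size_t)-1, "" };
    size_t n = scan_antisice(SAMPLE, sizeof SAMPLE, hits, 16);
    return (i < n && i < 16) ? hits[i] : none;
}
int main(void)
{
    for (size_t i = 0; sample_hit(i).offset != (size_t)-1; i++)
        printf("offset 0x%04zx: %s\n", sample_hit(i).offset, sample_hit(i).what);
    return 0;
}
```

Method 06 and Methods 08 to 11, 13 and 14 leave no such fixed byte sequence (handler swaps, API calls, registry strings), so for those the breakpoints the text gives are the practical detection rather than a byte signature.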

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>