About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE check: try to open the SoftICE Win9x driver by its device name.
   The open only succeeds when the VxD is loaded (see the explanation below). */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
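As an added example (not part of the original post, nor code from any of the protectors it names), here is a small Python signature scanner that flags the byte patterns of Methods 01 to 05, 07 and 11 inside a binary: the static, analyst-side counterpart of the SoftICE breakpoints the post suggests for spotting these tricks. The x86 opcode encodings used in the rules and the hand-assembled sample blobs are this example's own assumptions, built to follow the listings on the page (the Haspinst.exe loop, the 'BCHK' check and the MeltICE device names).

```python
import re

# Byte-level signatures for the anti-SoftICE tricks described in the post.
# The x86 encodings are standard opcodes and are an assumption of this example:
#   mov ebp,imm32 = BD, mov si,imm = BE, mov di,imm = BF, mov ax,imm = B8,
#   mov bx,imm = BB, mov ah,imm = B4, int n = CD n, int 3 = CC.
# ".{0,8}?" tolerates a few unrelated bytes between the pieces, so a packer
# that reorders or interleaves the setup instructions still matches.
RULES = [
    ("Method 01: BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    ("Method 02: SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S)),
    ("Method 03/04: int 2Fh/1684h VxD entry point (SICE 0202h or SIWVID 7A5Fh)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    ("Method 05: int 41h function 4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    ("Method 07: int 68h function 43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    ("Method 11: MeltICE driver device name",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
]


def scan(blob: bytes):
    """Return [(rule_name, offset), ...] for every signature found, sorted by offset."""
    hits = []
    for name, pattern in RULES:
        for match in pattern.finditer(blob):
            hits.append((name, match.start()))
    return sorted(hits, key=lambda hit: hit[1])


# Constructed sample 1: the Haspinst.exe loop from Method 02 (4C19:0095-00AD
# in the post), hand-assembled as 16-bit code behind four bytes of padding.
SAMPLE_HASP = bytes([
    0x90, 0x90, 0x90, 0x90,        # nop padding
    0xB8, 0x11, 0x09,              # mov ax,0911h   ; execute command
    0x8B, 0x17,                    # mov dx,[bx]    ; ds:dx -> command
    0xBE, 0x47, 0x46,              # mov si,4647h   ; 1st magic value
    0xBF, 0x4D, 0x4A,              # mov di,4A4Dh   ; 2nd magic value
    0xCC,                          # int 3
    0x83, 0xC3, 0x02,              # add bx,2
    0x41,                          # inc cx
    0x83, 0xF9, 0x06,              # cmp cx,6
    0x72, 0xEB,                    # jb 0095h
    0xE9, 0x55, 0xFF,              # jmp 0002h
    0x8B, 0xDC,                    # mov bx,sp
])

# Constructed sample 2: the Method 01 'BCHK' check as 32-bit code.
SAMPLE_BCHK = bytes([
    0xBD, 0x4B, 0x48, 0x43, 0x42,  # mov ebp,4243484Bh ; 'BCHK'
    0x66, 0xB8, 0x04, 0x00,        # mov ax,4
    0xCC,                          # int 3
    0x3C, 0x04,                    # cmp al,4
    0x75, 0x00,                    # jnz SoftICE_Detected (displacement is a placeholder)
])

# Constructed sample 3: the device-name strings a MeltICE-style check passes
# to CreateFileA / _lopen, as they would sit in the data section.
SAMPLE_MELTICE = b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"

# Constructed sample 4: harmless code. A lone int 3 and a 'mov eax,4Fh' that is
# not followed by int 41h must not trigger anything.
SAMPLE_CLEAN = bytes([
    0x55, 0x8B, 0xEC,              # push ebp ; mov ebp,esp
    0xCC,                          # int 3
    0xB8, 0x4F, 0x00, 0x00, 0x00,  # mov eax,4Fh
    0x5D, 0xC3,                    # pop ebp ; ret
])

if __name__ == "__main__":
    for label, blob in [("Haspinst loop", SAMPLE_HASP), ("BCHK", SAMPLE_BCHK),
                        ("MeltICE strings", SAMPLE_MELTICE), ("clean", SAMPLE_CLEAN)]:
        print(label, "->", scan(blob) or "no anti-SoftICE signature")
```

Run against a real file with `scan(open(path, "rb").read())`; the rules deliberately require the interrupt or device-name tail, so a stray `int 3` or a bare magic constant in data is not enough to raise a hit.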