About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point (0:0 if no VxD)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Note that es must hold the interrupt
vector table segment (0) when the vector is swapped, as done in Method 06:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a hard-to-predict value from the timer port
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless the int was intercepted before
    jnz     SoftICE_detected        ; reaching the vector table

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
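A static triage scanner for the tricks listed above, added here as an example (it is not from the original post or from any tool it mentions): it searches a binary for the post's magic values encoded as x86 instruction bytes and for the MeltICE device and registry strings, run over a constructed sample; the opcode bytes are standard x86 encodings and the sample bytes are made up here.

```python
import re

# Constructed example: a static triage scanner for the anti-SoftICE tricks
# described above.  Not part of the original post nor of any tool it names.
# Immediates are the post's own values (BCHK, 4647h/4A4Dh, 1684h, 0202h/7A5Fh,
# 4Fh/0F386h, 43h/68h, 2A002Ah, device and registry names); opcode bytes are
# plain x86 encodings, 16-bit with an optional 66h prefix to match 32-bit code.
_GAP = rb".{0,8}?"             # tolerate a few intervening instruction bytes
_DEV = re.escape(b"\\\\.\\")   # literal \\.\ prefix of a Win32 device name

SIGNATURES = {
    "01 BoundsChecker 'BCHK' int 3":
        rb"\x66?\xbd\x4b\x48\x43\x42",                          # mov ebp,4243484Bh
    "02 int 3 back door (SI=4647h, DI=4A4Dh)":
        rb"\x66?\xbe\x47\x46" + _GAP + rb"\x66?\xbf\x4d\x4a" + _GAP + rb"\xcc",
    "03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)":
        rb"\x66?\xb8\x84\x16" + _GAP + rb"\x66?\xbb(?:\x02\x02|\x5f\x7a)"
        + _GAP + rb"\xcd\x2f",
    "05/06 int 41h/4Fh debugger check":
        rb"\x66?\xb8\x4f\x00" + _GAP + rb"\xcd\x41|\x66?\x3d\x86\xf3",  # or cmp ax,0F386h
    "07 int 68h/43h V86 WinICE handler":
        rb"\xb4\x43" + _GAP + rb"\xcd\x68",
    "11 MeltICE device name":
        _DEV + rb"(?:SICE|SIWVID|NTICE)",
    "12 VxDCall VWIN32_Int41Dispatch":
        rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00).{0,4}?\x68\x2a\x00\x2a\x00",
    "13 SoftICE registry key":
        re.escape(b"NuMega\\SoftICE") + rb"|" + re.escape(b"Uninstall\\SoftICE"),
}
_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(blob: bytes) -> dict:
    """Return {trick: [offsets]} for every trick whose pattern occurs in blob."""
    hits = {}
    for name, rx in _COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample "binary": padding, the Haspinst-style Method 02 stub,
# the Method 01 stub in 32-bit encoding, then a MeltICE device-name string.
SAMPLE = (
    b"\x90" * 4
    + b"\xb8\x11\x09\x8b\x17"          # mov ax,0911h / mov dx,[bx]
    + b"\xbe\x47\x46\xbf\x4d\x4a"      # mov si,4647h / mov di,4A4Dh  (offset 9)
    + b"\xcc\x90\x90\x90"              # int 3, padding
    + b"\xbd\x4b\x48\x43\x42"          # mov ebp,4243484Bh 'BCHK'    (offset 19)
    + b"\x66\xb8\x04\x00\xcc\x3c\x04"  # mov ax,4 / int 3 / cmp al,4
    + b"\x00" + b"\\\\.\\SICE\x00"     # "\\.\SICE"                   (offset 32)
)
BENIGN = b"\x55\x8b\xec\x83\xec\x10" * 8   # ordinary prologue bytes, no tricks

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(name + ": at " + ", ".join(hex(o) for o in offs))
```

The byte patterns are deliberately loose (a few bytes of slack between instructions), so treat a hit as a reason to look at the disassembly, not as proof on its own.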