About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the next one) is used by the
majority of the packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP holding
the 'BCHK' signature and AX=04h, an INT 3 is handled by SoftICE, which
returns with AL changed. Without SoftICE the INT 3 falls through to the
default breakpoint handler and AL is still 04h afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one). It uses the
SoftICE 'Back Door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the SoftICE VxD via INT 2Fh/AX=1684h
(Get Device API Entry Point): if the VxD with the requested ID is loaded,
ES:DI receives its API entry point, otherwise ES:DI stays at 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding one except that it looks for the ID of the
SoftICE video VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by every
system debugger when INT 41h function 4Fh (debugger installation check)
is called. There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next variant, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). It temporarily replaces the INT 41h
vector with its own handler (a bare IRET) around the call, so the result
depends only on whether a debugger intercepts the interrupt before it
reaches the vector table:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 here (see Method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

Second method similar to the preceding one but more difficult to detect.
The installed handler copies AL into CL; if the INT 41h reaches the vector
table the two registers match afterwards, while a debugger that intercepts
the interrupt never lets the handler run (AL comes from the timer port, so
the expected value is not predictable):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; PIT counter: a pseudo-random byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
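The DOS listings above cannot run on a current system, but the pattern behind methods 05 and 06 (and the SEH fallback of methods 01 and 02) can: hook the handler for the trap, raise the trap, and check whether your own handler ran. The following is an added example written for this page, not code from the original text or from SoftICE. It uses SIGTRAP on a Unix host as the stand-in for INT 41h/INT 3, and the function name trap_probe and the token it passes through the handler are this example's own choices.

```python
"""Debugger probe in the style of Method 06, ported to a Unix process.

Added example, not from the original text.  The DOS code installs its own
INT 41h handler, fires the interrupt and checks whether the handler ran
(CL == AL).  Here a SIGTRAP handler plays the role of int41handler: a
debugger such as gdb takes SIGTRAP for itself and, with its default
'nopass' disposition, never lets the process's handler run."""
import os
import signal


def trap_probe() -> bool:
    """Return True if something upstream is swallowing SIGTRAP (debugger suspected)."""
    if not hasattr(signal, "SIGTRAP"):          # Windows has no SIGTRAP at all
        raise OSError("SIGTRAP is not available on this platform")
    token = os.urandom(1)[0]                    # like 'in al,40h': a value the
    seen = []                                   # debugger cannot predict

    def handler(signum, frame):
        seen.append(token)                      # like 'mov cl,al' in int41handler

    previous = signal.signal(signal.SIGTRAP, handler)   # 'xchg dx, es:[41h*4]'
    try:
        # raise_signal is synchronous: the Python handler has run by the time
        # it returns, unless a tracer intercepted the signal first.
        signal.raise_signal(signal.SIGTRAP)             # the 'int 41h'
    finally:
        signal.signal(signal.SIGTRAP, previous)         # restore the vector
    return seen != [token]                              # 'cmp cl,al / jnz detected'


if __name__ == "__main__":
    print("debugger detected" if trap_probe() else "no debugger")
```

Run it under gdb, which by default stops on SIGTRAP without passing it to the process, and trap_probe() returns True; run it normally and the handler sees the token, so it returns False. Like the INT 41h vector swap, it is defeated by a tracer that forwards the signal (`handle SIGTRAP pass` in gdb), which is the equivalent of faking the 0F386h answer, so treat it as one signal among several rather than proof.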

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode): function 43h is the
debugger installation check and returns 0F386h in AX.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

Not a method of detecting SoftICE, but a way to crash the system by
intercepting INT 01h and INT 03h and redirecting them to another routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, 01h                 ; or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ECX)
of that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether some memory breakpoints are set (DR0 to DR3), simply
by reading their value (ring 0 only). The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega to let Symbol
Loader check whether SoftICE was active or not (the code is located inside
nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears EAX and the Carry flag to allow its
handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (can be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns -1 on failure, so INC EAX
leaves zero only when the open failed):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

  h- _# p1 \0 ^) w; B- H7 Y8 k! h0 s% f- Z0 ]% ?
Method 14
9 i8 @+ \) i: \! f0 f, T) A7 k9 ?=========9 y# P5 X; O8 E- Q
/ F" H  a6 w) {0 }0 F; z
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
, U% ?6 O2 X# D3 {0 Pis to determines whether a debugger is running on your system (ring0 only).7 k# `6 t( ^0 @) |1 p5 u

$ ]! S5 J2 G$ p& c8 H   VMMCall Test_Debug_Installed0 Y4 J( C% L9 y
   je      not_installed
7 j, t: m) R- ?9 @5 ~! e, z4 A8 t9 R7 _# X
This service just checks a flag./ Z8 T0 ^. G9 q3 S% @! i8 `. P+ c+ B
</PRE></TD></TR></TBODY></TABLE>
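The SoftICE breakpoints scattered through the text catch these tricks at run time. As an added example, not from the original post nor from any tool it names, here is a static scanner that encodes the instruction sequences of methods 01 to 08, 11, 12 and 13 as byte patterns and reports where they occur in a flat binary image. The signature labels, the functions scan and methods_found, and the hand-assembled sample image are this example's own; the byte values are the standard 16-bit (for method 12, 32-bit) x86 encodings of the listings above.

```python
"""Static scanner for the anti-SoftICE tricks described in this text.

Added example: labels, function names and the sample image are this
example's own; the opcode bytes are the standard x86 encodings of the
listings above (16-bit, except the 32-bit VxDCall sequence of method 12)."""
import re
import sys

# One regex over raw bytes per trick.  '.{0,N}' leaves room for a few unrelated
# instructions between the register set-up and the interrupt; the optional 66h
# prefix covers 'mov ebp,imm32' in 16-bit code as well as its 32-bit form.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker INT 3", rb"\x66?\xBD\x4B\x48\x43\x42.{0,12}\xCC"),
    # 02: mov si,4647h ('FG') and mov di,4A4Dh ('JM'), either order ... int 3
    ("02 SoftICE back door INT 3",
     rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,8}\xCC"),
    # 03/04: mov ax,1684h and mov bx,0202h (WINICE) or 7A5Fh (SIWVID) ... int 2Fh
    ("03/04 INT 2Fh/1684h VxD entry point",
     rb"(?:\xB8\x84\x16.{0,4}\xBB(?:\x02\x02|\x5F\x7A)|\xBB(?:\x02\x02|\x5F\x7A).{0,4}\xB8\x84\x16).{0,8}\xCD\x2F"),
    # 05/06: mov ax,4Fh ... int 41h, or int 41h ... cmp ax,0F386h
    ("05/06 INT 41h/4Fh installation check",
     rb"\xB8\x4F\x00.{0,8}\xCD\x41|\xCD\x41.{0,8}\x3D\x86\xF3"),
    # 07: mov ah,43h ... int 68h
    ("07 INT 68h/43h V86 check", rb"\xB4\x43.{0,4}\xCD\x68"),
    # 08: mov ax,2501h/2503h, or mov ah,25h + mov al,01h/03h ... int 21h
    ("08 INT 21h/25h hook of INT 01h/03h",
     rb"(?:\xB8[\x01\x03]\x25|\xB4\x25\xB0[\x01\x03]).{0,8}\xCD\x21"),
    # 11: the device names MeltICE and the _lopen variant pass to the kernel
    ("11 MeltICE driver name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # 12: push 4Fh / push 2A002Ah ... call (VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch/4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00.{0,4}(?:\xE8|\xFF\x15)"),
    # 13: the three registry keys listed in the text
    ("13 SoftICE registry key",
     rb"Software\\(?:NuMega\\SoftICE|Microsoft\\Windows\\CurrentVersion\\"
     rb"(?:Uninstall\\SoftICE|App Paths\\Loader32\.Exe))"),
]
COMPILED = [(label, re.compile(rx, re.DOTALL)) for label, rx in SIGNATURES]


def scan(image: bytes) -> list:
    """Return [(offset, label), ...] sorted by offset, one entry per hit."""
    return sorted((m.start(), label) for label, rx in COMPILED for m in rx.finditer(image))


def methods_found(image: bytes) -> set:
    """Labels of every trick present in the image (a yes/no summary of scan())."""
    return {label for _, label in scan(image)}


def sample_image() -> bytes:
    """Constructed test image: the listings above, hand-assembled, NOP-separated."""
    parts = [
        # 01: mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
        b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",
        # 02 (Haspinst.exe loop): mov ax,0911h / mov dx,[bx] / mov si,4647h /
        #     mov di,4A4Dh / int 3 / add bx,2 / inc cx / cmp cx,6 / jb
        b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC\x83\xC3\x02\x41\x83\xF9\x06\x72\xEB",
        # 03: xor di,di / mov es,di / mov ax,1684h / mov bx,0202h / int 2Fh / ...
        b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F\x8C\xC0\x01\xF8\x85\xC0\x75\x10",
        # 05: mov ax,4Fh / int 41h / cmp ax,0F386h / jz
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x10",
        # 07: mov ah,43h / int 68h / cmp ax,0F386h / jz
        b"\xB4\x43\xCD\x68\x3D\x86\xF3\x74\x10",
        # 08: mov ah,25h / mov al,03h / mov dx,0100h / int 21h
        b"\xB4\x25\xB0\x03\xBA\x00\x01\xCD\x21",
        # 11: the string MeltICE passes to CreateFileA
        b"\\\\.\\SICE\x00",
        # 12 (32-bit): push 4Fh / push 2A002Ah / call rel32 / cmp ax,0F386h / jz
        b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x10\x00\x00\x00\x66\x3D\x86\xF3\x74\x10",
        # 13: registry key #2
        b"Software\\NuMega\\SoftICE\x00",
    ]
    return (b"\x90" * 6).join(parts)


def main(argv: list) -> int:
    """Usage: python anti_softice_scan.py [file]; without a file, scan sample_image()."""
    image = open(argv[1], "rb").read() if len(argv) > 1 else sample_image()
    hits = scan(image)
    for offset, label in hits:
        print(f"{offset:08x}  {label}")
    return 0 if hits else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The patterns are deliberately loose about what sits between the register set-up and the interrupt, because packers interleave junk; they are strict about the magic constants ('BCHK', 4647h/4A4Dh, 1684h with the VxD IDs, 4Fh/0F386h, 2A002Ah, the device and registry names), since those are what the trick cannot change. A hit on method 05/06 or 08 in a DOS program is only a lead: INT 41h and INT 21h/25h have legitimate uses, so confirm at the matching offset in the disassembler.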