About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (interrupt vector table segment), as set up in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]         ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; read a timer byte into al
    xor     cx,cx
    int     41h                    ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; ...unless the debugger swallowed the int
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; Int_Number = 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 (HFILE_ERROR) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
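Added example (mine, not part of the original post nor of any tool it mentions): a small Python scanner that flags the byte-level signatures of methods 01, 02, 03/04, 05/06, 07, 11 and 12 above in a raw binary, the way an analyst triages a sample for these tricks before loading it in a debugger. The opcode encodings, the wildcard windows and the SAMPLE blob are my own assumptions and constructions, not data from the post.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    method: str            # method number in the text above
    name: str
    pattern: re.Pattern    # compiled regex over raw bytes


def _rx(pat: bytes) -> re.Pattern:
    # DOTALL so the wildcard windows (.{0,N}?) may also span 0x0A bytes
    return re.compile(pat, re.DOTALL)


# Opcode-level signatures (assumed encodings). 16-bit and 32-bit forms of the
# same instruction differ only by a 66h prefix, which these patterns tolerate.
SIGNATURES = [
    # 01: mov ebp,4243484Bh ('BCHK') ... int 3
    Signature("01", "BoundsChecker BCHK handshake", _rx(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC")),
    # 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back-door magic values)
    Signature("02", "SoftICE back-door magic SI/DI", _rx(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC")),
    # 03/04: mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh (VxD entry-point query)
    Signature("03/04", "int 2Fh/1684h SICE or SIWVID VxD id",
              _rx(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F")),
    # 05/06: int 41h ... cmp ax,0F386h (system-debugger magic number)
    Signature("05/06", "int 41h magic 0F386h", _rx(rb"\xCD\x41.{0,12}?\x3D\x86\xF3")),
    # 07: mov ah,43h ... int 68h
    Signature("07", "int 68h/43h V86 handler check", _rx(rb"\xB4\x43.{0,8}?\xCD\x68")),
    # 11: the driver names MeltICE opens: \\.\SICE, \\.\SIWVID, \\.\NTICE
    Signature("11", "SoftICE driver name", _rx(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # 12: push 4Fh ; push 002A002Ah just before the VxDCall (VWIN32_Int41Dispatch)
    Signature("12", "VxDCall VWIN32_Int41Dispatch 4Fh", _rx(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, method, name) for every signature hit, sorted by offset."""
    hits = [(m.start(), sig.method, sig.name)
            for sig in SIGNATURES for m in sig.pattern.finditer(blob)]
    return sorted(hits)


# Constructed sample (not a real binary): NOP padding around a Method 01 stub,
# a MeltICE device-name string and a Method 12 VxDCall stub.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"     # mov ebp, 4243484Bh  ; 'BCHK'
    + b"\x66\xB8\x04\x00"         # mov ax, 4
    + b"\xCC"                     # int 3
    + b"\x3C\x04"                 # cmp al, 4
    + b"\x75\x10"                 # jnz SoftICE_Detected
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"          # "\\.\SICE",0
    + b"\x90" * 8
    + b"\x6A\x4F"                 # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"     # push 002A002Ah
    + b"\x90" * 8
)

if __name__ == "__main__":
    for off, method, name in scan(SAMPLE):
        print(f"{off:08x}  method {method:<5} {name}")
```

The signatures are heuristics keyed on immediates the text documents (BCHK, 4647h/4A4Dh, 1684h, 0F386h, 002A002Ah, the device names); a protector that builds those values at run time instead of encoding them as immediates will not be caught, so treat hits as a triage aid, not a verdict.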