找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
1 t6 y1 I5 o$ _! P<TBODY>
2 v2 p6 Z8 a8 n% b0 |( }<TR>. `+ d) s; k# T2 g
<TD><PRE>Method 01 0 `2 M1 `9 }* {
=========
2 d' P1 U: l( n% ^8 i+ M. ~' b! ~# t. A9 ]3 g5 x
This method of detection of SoftICE (as well as the following one) is
0 ^0 d& j& D* C! b" ]used by the majority of packers/encryptors found on Internet.
+ f- H) w0 b, {2 \. RIt seeks the signature of BoundsChecker in SoftICE
! u4 v- g% U) e9 j. E" C* M: P/ L5 }( {' K# ~
    mov     ebp, 04243484Bh        ; 'BCHK'
' R/ D6 [7 m+ x6 B, B+ m. F$ P* R6 @    mov     ax, 04h$ I" |2 B4 W0 e6 t. R
    int     3       6 @. m7 ~" n# h& {, e% a
    cmp     al,4
: i0 R. k- D# p# _7 N9 v3 m    jnz     SoftICE_Detected  t4 d2 [! }9 e/ R0 M# }% G* _) Y
1 c  X% r" |& [0 P, P
___________________________________________________________________________4 ~' _/ K: M: f* Y' I+ |

. U8 E/ y5 |) aMethod 02) {& C- L6 l1 i5 }/ S
=========
% M/ E, b) ~+ z/ ]3 G. X7 g( h# s! E* Z! S5 [
Still a method very much used (perhaps the most frequent one).  It is used
3 X* [- H" A8 }( Fto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
; H* F* T# Q6 g" _6 tor execute SoftICE commands...' o* V* L8 g; ?
It is also used to crash SoftICE and to force it to execute any commands' A2 ]- J9 H+ u
(HBOOT...) :-((  4 v$ {8 i( h1 k# x& ]

6 C9 Z6 X  }* Z# ^! dHere is a quick description:* j: f& N) D( x7 d
-AX = 0910h   (Display string in SIce windows)
7 V6 M2 C. j* L" P" {-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
- D( o; M& b" k+ R" ]4 g-AX = 0912h   (Get breakpoint infos)4 @. N: A2 O7 }0 q8 i4 [2 _
-AX = 0913h   (Set Sice breakpoints)3 R: P7 U. S1 t; s
-AX = 0914h   (Remove SIce breakoints)
) Y( r; H+ v" _% E6 D6 C4 d; p: b2 P& d0 ^
Each time you'll meet this trick, you'll see:7 x) i/ _( b9 k% ]5 ~5 y
-SI = 4647h
" K+ A% X1 i( ~8 }6 S$ c-DI = 4A4Dh& E  a: h8 L7 ]6 a
Which are the 'magic values' used by SoftIce.
0 o: C, O7 i0 `For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
9 ^) M3 e: p  K- ~5 G0 @0 U- Q- I! k8 [% ?( K
Here is one example from the file "Haspinst.exe" which is the dongle HASP# i3 P- G8 D! ]/ @) ~1 Q! n
Envelope utility use to protect DOS applications:$ B( Y2 q2 ]* i2 V( f

; V, \& {. p3 l- [
) ?5 J+ u1 k* y& t4C19:0095   MOV    AX,0911  ; execute command.& s( P. O. F! K  G& q8 b
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
7 B" [' U) m1 q! Z4C19:009A   MOV    SI,4647  ; 1st magic value.
0 g4 j1 X- ]2 \  z5 w4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
' t, [3 m5 q) C4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
" r1 h3 T9 B& Z1 A% H+ y4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
/ r& p7 K! D( h: L3 l. [2 B! x4C19:00A4   INC    CX' d1 ?+ x5 f# i) `4 U
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute3 j/ U% u( z- [: u1 T7 r
4C19:00A8   JB     0095     ; 6 different commands.6 @) P& F' J2 b
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
+ T' U; u5 U: J# S! g# P4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)+ Y% G1 C1 E8 j% P3 z% M
* c1 G  t  b  g7 n5 T
The program will execute 6 different SIce commands located at ds:dx, which
, ~) J6 D% k1 K. {are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) ~4 e; g% ]- l# ~: x8 G) H' p  d: o2 V  E' S5 O
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
3 e7 i4 h: [  `% \$ M; Z___________________________________________________________________________
1 n: S1 X7 n2 X' J' H: x; A+ Q0 m, ?9 H

' W, R9 i" q8 D5 j" g* KMethod 03
2 }  f7 ]$ J' W. G=========
3 R* r* C! b% o  Z7 [4 Y( i4 J: O
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h% f  R. Z! t+ l7 K$ D; Z9 V! E3 R
(API Get entry point)$ r5 n3 B) }. I' r6 H
        
' j3 w8 u/ b6 g6 _, ?5 \5 [4 h8 L# j' I( R% A
    xor     di,di
2 u  h8 \& A2 @" H% l) ^; D    mov     es,di
2 K. n% ?1 _( E    mov     ax, 1684h      
6 i. l* d1 w% I; v0 d( s4 O5 J$ s    mov     bx, 0202h       ; VxD ID of winice
* y7 S- L4 W1 c  ?1 v6 w    int     2Fh
$ D$ q  `; e* u6 q    mov     ax, es          ; ES:DI -&gt; VxD API entry point  _0 ?& N- w5 ?( V
    add     ax, di. e/ F# Q  z2 x# f+ |
    test    ax,ax) e+ o: d" C" h  q% `, n6 P" v- U
    jnz     SoftICE_Detected+ X3 e* t2 z0 A2 w+ ]
" c' W4 E2 [$ a% S4 t% y
___________________________________________________________________________" m. a/ w$ a9 ], i# e9 H8 |
; A) C7 q" p$ o9 ?- f; r
Method 04
" u! T; m! ^4 o1 @+ g- {  U=========6 |8 ]1 M6 M5 R( ~6 o' v$ L7 v
; [# @& A, Z8 [- ^# U
Method identical to the preceding one except that it seeks the ID of SoftICE  r% c- k. ]" U$ N% `
GFX VxD.
  ~/ n/ I) {6 j6 u3 b( h
7 K0 c0 D  P* r+ j; T7 j    xor     di,di6 V7 e$ ~# q1 W. h/ R( ]4 i
    mov     es,di
% q! f& m) R' M3 v- r3 P$ u7 B    mov     ax, 1684h       , j% C% v+ Y9 J4 `
    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 N2 m8 Q- `0 Z7 Q! o9 n: ]
    int     2fh
5 \% y$ h5 L: l4 P$ r- D* N    mov     ax, es          ; ES:DI -&gt; VxD API entry point
) u& j2 D% l9 T; X7 E: t* q! |    add     ax, di
' o, ^. t/ W6 I* H4 |& u9 ]; t    test    ax,ax: y, ]$ U6 {& x! I% d' }. d0 ?4 X4 \
    jnz     SoftICE_Detected8 P% k5 ]& y: D! l# v

7 M6 Q* E7 g) P__________________________________________________________________________% b3 i0 Z8 J4 z+ u

" _5 ]7 ~9 W! A! Q( E
" e0 n# @* h' ^0 I/ AMethod 055 t7 Y$ C$ b0 J7 y4 o
=========+ b# O7 w* c4 j; E
; O' n  r4 f9 _1 r4 u
Method seeking the 'magic number' 0F386h returned (in ax) by all system
% n3 [; x6 l7 ~# Y$ C8 Gdebugger. It calls the int 41h, function 4Fh.
% F: B& c$ b# U- x7 }# DThere are several alternatives.  + {) F, G6 o" X9 w* N6 W4 }! |% k# i

8 P7 H) \: [/ F4 ~( i9 a; C+ dThe following one is the simplest:
* w6 a4 R3 k. x  H; d* t0 L+ T9 b8 Q. R$ a* n" c6 |
    mov     ax,4fh
9 C' l7 w; b& d. }* P$ ?) L    int     41h
- r  b6 e9 z3 G3 M2 g# L9 O    cmp     ax, 0F386$ T' {2 @4 P0 ~8 c, y, h
    jz      SoftICE_detected3 V% T0 o0 k3 \' j* Y& E; }, \
+ z( B6 d$ M4 @4 ^0 m
$ n4 \& a' a; ~+ u8 D: e# m+ p8 E
Next method as well as the following one are 2 examples from Stone's : c! \" M, U$ G0 T
"stn-wid.zip" (www.cracking.net):
$ v# t- b; l' h
1 H0 ]$ }) |% p5 v: J4 y7 y% a    mov     bx, cs  v$ |: v7 f2 X9 k* Y( }) @
    lea     dx, int41handler2
. p( U- S- j( J5 \* S4 [3 `    xchg    dx, es:[41h*4]
3 E' M, d9 s" A: O    xchg    bx, es:[41h*4+2]' P, K# y9 ]: Q& I! u3 e
    mov     ax,4fh
/ a* s2 P' |7 i5 {# I    int     41h+ K5 H8 b* C" _  W
    xchg    dx, es:[41h*4]
5 R3 S5 E  U. E9 L0 @+ Y- ~. X    xchg    bx, es:[41h*4+2]
$ @2 M9 l% @" G- k) w; i4 o$ o    cmp     ax, 0f386h
- |+ v% M1 L4 N2 b) |1 M! P3 ?    jz      SoftICE_detected7 v% U, C1 q: a% _# A% F1 r
3 Q4 g0 U* x0 H! F' S: i* h$ e7 ~
int41handler2 PROC
0 w, H, ]$ n8 `% h    iret
7 Q3 C" [8 k3 X% E! o! l; h; vint41handler2 ENDP
3 s$ H, f" K6 j# h! _; W2 J" f2 T9 k2 b8 i, J( r$ z7 z

6 L, t0 U/ @; [5 `_________________________________________________________________________
4 j% K* m* U. {+ t6 a
) z9 `1 U6 {  {' D
4 n$ H5 d+ P- s7 K) t; JMethod 064 c; H; Z' V, ], ~
=========5 ]  X" G# H! ]5 s; ~5 u! q  M+ B
  X6 ~% I4 f8 E2 V/ K8 k( e) ~

7 w  w3 k0 H* i2nd method similar to the preceding one but more difficult to detect:
. D& I0 F, k; c2 N& e( O& k) {$ W. u
1 a0 ^" [2 i; E! ?: `4 Q1 K+ a
int41handler PROC
- y1 M% d; q) E* J    mov     cl,al
* `3 a$ i- G" S0 q5 S% {    iret9 V: Z5 d. Y! T" W9 K
int41handler ENDP
! e& n- T4 s' I% U$ {) L( R  |- a5 C; A' h6 K# y* H

* M0 X9 h# w+ K; h/ W    xor     ax,ax
; K1 S" T* d. r$ R9 C    mov     es,ax
" B* Q$ @5 o1 M  Z6 p/ A    mov     bx, cs
8 S% P- p& H7 E4 @    lea     dx, int41handler
% Q9 }' J2 R5 D: E9 X# D: K    xchg    dx, es:[41h*4], `  @  z+ K. g( P" g% D: l
    xchg    bx, es:[41h*4+2]
! N; @) b2 M- ^' g    in      al, 40h
; `3 ^# F, z0 f: S9 ^! z, l    xor     cx,cx* w* D( U1 \- p
    int     41h
8 y6 w8 e5 o* M) |& e1 @    xchg    dx, es:[41h*4]
" I7 e0 x2 b0 `) ]9 t0 a$ P6 h    xchg    bx, es:[41h*4+2]: K% K3 X; y: `8 f* @0 L9 d1 D" L
    cmp     cl,al+ |% t5 ~" E9 `1 U! c% y/ u
    jnz     SoftICE_detected6 K" t; O/ E! \& s  K" _, t
' B8 a  E9 X. K6 w) @6 Z( Z
_________________________________________________________________________5 m: f- W0 y" L  f% S6 c
9 P( u+ {5 Y2 ]. d  [+ e
Method 07
% ^8 b! w0 |) W  t( E=========
% W, X; }+ d% n6 c; [! a- X$ D7 N
5 b4 ~" q& ^  Y( |) Q) o* LMethod of detection of the WinICE handler in the int68h (V86)
8 Q; K8 |. P* O, n: p; G& H/ E9 M! \5 N
    mov     ah,43h6 R9 _; y" L7 z$ Y+ k
    int     68h
  e9 r( {* A  e9 X, e; g4 s* s    cmp     ax,0F386h. w- y; j: ?% [5 |3 m% S
    jz      SoftICE_Detected, [9 O0 _' c* p7 W% \1 U/ Z

3 h; G( \; ?2 k- ^3 f# H: l1 i( R9 l, u
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
* j# J# }' j8 V3 t/ i   app like this:
, u$ e5 _1 r; q& ]- E1 b, S- `7 N' v* j) G- w4 f' X5 u' Z  M% D- ]/ M# F, h
   BPX exec_int if ax==68+ [7 s6 g  S5 t  W7 j3 U- I, t, E
   (function called is located at byte ptr [ebp+1Dh] and client eip is/ E2 Y6 s+ |9 _; j; m
   located at [ebp+48h] for 32Bit apps)
9 X; L8 W* T" y) c8 ?; J__________________________________________________________________________
) I8 W+ h4 f( Q. e% X2 A" M$ `
1 s. T2 m3 f% ~) ], f% n$ _1 \
  m9 l: r( ^  t( Q0 nMethod 08
' H7 |9 H, b$ I1 b6 n$ `! r4 f! ^6 C=========
# J- E) n/ P- G+ _+ J, f) l: U# M7 U2 W, r' s5 m
It is not a method of detection of SoftICE but a possibility to crash the
' Y# ^6 `- w- ~; z0 B. S  @  [/ z3 Esystem by intercepting int 01h and int 03h and redirecting them to another% @' i* J$ N1 P6 H9 R* d$ p
routine.
% q7 P3 g/ @* o! u( rIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
7 y7 t4 t, x6 X4 _( c/ Jto the new routine to execute (hangs computer...)
! `4 }- `* Y4 F9 i& G- o& m
* ]3 Q, `6 ~5 E+ H6 K    mov     ah, 25h6 d8 S3 Z. D3 A0 n  l  i
    mov     al, Int_Number (01h or 03h)
- S6 |( P- ^5 H" |    mov     dx, offset New_Int_Routine
1 p% G  v& f/ E8 B1 Z: @* l1 X% O3 Y    int     21h0 }2 S5 N7 N- Y3 ?; F9 i

% L/ X* N% n* ]( ^__________________________________________________________________________
7 z! ]' V+ ~" D7 ]) d5 y3 Y" y' _2 F" V3 b3 V( [
Method 09) f/ `  S9 x* Q2 D. y& h" G
=========
3 k6 Q  O; _1 n2 @( i/ e* j8 g% b) J5 N3 u) M9 {
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only/ ~( z0 k" }# p6 B1 @5 a2 X$ {
performed in ring0 (VxD or a ring3 app using the VxdCall).
3 F0 d: V7 w8 W4 FThe Get_DDB service is used to determine whether or not a VxD is installed
, Q4 l5 o, c( j: g9 o% ~( `for the specified device and returns a Device Description Block (in ecx) for
' O* D7 R$ i+ z* M7 Vthat device if it is installed.
. V9 V# Z, L9 b2 R, N/ `- {2 V4 T4 ~" z5 T
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% z5 ]( L* u9 B' h* F; ~   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
; V7 I1 `* C5 N; n6 t! }! K   VMMCall Get_DDB
3 ^$ V. M5 c8 ^   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
3 b3 |: B5 Y# d& C  o6 A* L
: K' w5 X+ x( d- z# ~2 }Note as well that you can easily detect this method with SoftICE:  ~5 Q  S) Z' M' l) b1 i
   bpx Get_DDB if ax==0202 || ax==7a5fh
0 t  T- Y8 J9 R. K% E5 \' o- l0 M5 _2 H) n1 j) b
__________________________________________________________________________9 {& B# w  f5 j  M' H: O% v
( v; e9 V, ^3 e4 \' V6 j5 c6 D7 V
Method 10! R$ s5 E; r( J
=========* n- {  t5 |- S% b

& s) L9 E6 z! n=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' l/ }7 k7 Q- `4 P, `2 H4 y$ K  SoftICE while the option is enable!!/ \( Y9 w4 I; e: ?; v* k

7 d, d5 y3 R7 O! V( I. ~This trick is very efficient:; E1 g* f* ~2 s! u$ {. H
by checking the Debug Registers, you can detect if SoftICE is loaded
5 b2 R1 b' a) `. @(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. P6 D$ D3 x# b2 {: n
there are some memory breakpoints set (dr0 to dr3) simply by reading their
9 G2 p% R& C% r2 r, a' jvalue (in ring0 only). Values can be manipulated and or changed as well$ t) H+ I9 T3 P0 K0 m1 O& O% m; ]/ Z
(clearing BPMs for instance)
* r6 [1 F% y" O) i5 [+ B8 b3 M. J' _& ]/ y+ e) G3 E
__________________________________________________________________________  y7 X2 f3 ^  U  ^7 k2 t

# r9 x3 O" x" a- N, Y$ L. ZMethod 11
& M0 s1 E6 s9 J=========
) o3 t8 [! g( R) ~+ u
0 i! o+ N4 K7 ]5 A/ F* n; cThis method is most known as 'MeltICE' because it has been freely distributed
5 I, M; \1 V# r, k9 u6 fvia www.winfiles.com. However it was first used by NuMega people to allow
' _$ c  A9 D4 E) R, m/ Q# b9 l# jSymbol Loader to check if SoftICE was active or not (the code is located
- L* B, G  l2 a5 \inside nmtrans.dll).. V( y" ~$ U: Q% q
( o$ t: L& Q; C+ i, S. s9 Y
The way it works is very simple:
" O7 X7 w4 x. C* R7 r+ p7 k: N: ?It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for5 V# m4 K. t: S1 o* D/ J+ M6 X
WinNT) with the CreateFileA API.3 V' L, k& a( J. g7 j
  A( I& ^. ?$ L' n7 Y: D
Here is a sample (checking for 'SICE'):1 _: m3 X8 y3 k4 F

2 g; P& w# M( m$ JBOOL IsSoftIce95Loaded()
4 j; \* X# G% p0 P7 P  s1 t& @{
" Y6 |- G; _7 M  {( s2 G   HANDLE hFile;  
0 s' m+ B+ i3 ^' Q$ g) P   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,  I. S* ~6 g+ W9 A$ B
                      FILE_SHARE_READ | FILE_SHARE_WRITE,0 I" f' R0 d; r
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);/ z6 @0 g4 _: \( g7 Y, Y& W
   if( hFile != INVALID_HANDLE_VALUE )/ x. k; J% M' e
   {8 H" e" Q2 `! L" W) s" Q. ^. Q; _
      CloseHandle(hFile);# I% l: D; V- L' O) f
      return TRUE;
$ f$ L1 y. `3 C2 o) S! u   }. i) H. A) m7 X( x  Q
   return FALSE;7 R# Q7 }' X! U/ t6 R
}
1 g* W0 g4 R$ |3 h1 x
6 [1 S! |3 Q& O) b6 M# K- e/ o$ rAlthough this trick calls the CreateFileA function, don't even expect to be* N! X9 x7 ~3 _$ V, k+ ?( _7 M
able to intercept it by installing a IFS hook: it will not work, no way!
/ `9 p* A  a# |! ^% r: ~In fact, after the call to CreateFileA it will get through VWIN32 0x001F
5 d6 c0 l  B$ a6 l1 k- o3 \/ }service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
. r7 s- ?6 |& h; K. z- Mand then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 ^5 O* o6 m, I" u" n, Gfield.& b7 [* D" n+ g: i& ?/ G6 O  _
In fact, its purpose is not to load/unload VxDs but only to send a ; D: @# k6 H: q) z% H
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)5 A' t9 e/ H) @, O/ ]1 |
to the VxD Control_Dispatch proc (how the hell a shareware soft could try, ?/ A/ i3 |/ m% t; _
to load/unload a non-dynamically loadable driver such as SoftICE ;-).2 b2 @; {0 z1 [2 J  {2 U# t; F
If the VxD is loaded, it will always clear eax and the Carry flag to allow; D' N! A. N! h! C" @* m! B
its handle to be opened and then, will be detected.
+ s6 y- r1 m+ V/ ~You can check that simply by hooking Winice.exe control proc entry point
" w3 u( H  c: j0 f; Kwhile running MeltICE.( i4 O$ y! z$ e) i5 f$ r7 c/ F

: Y4 t8 q8 u4 G9 S  p7 v0 F# c+ I# r  T1 ?, \; P! B& W9 T3 t
  00401067:  push      00402025    ; \\.\SICE
; H' N6 t6 P$ q$ u# G$ ~& u8 ?  0040106C:  call      CreateFileA! C. `5 T& y. k, w( N$ T
  00401071:  cmp       eax,-001  C2 {6 X1 F: P1 r
  00401074:  je        00401091& {5 D! C" B; N' [) j) i

' }1 l  O# j3 P1 k1 \" g8 m4 I
. c, k6 U. ]" a3 ?& N5 i3 @$ HThere could be hundreds of BPX you could use to detect this trick.$ J9 Z) Y8 x) s& @( s
-The most classical one is:
' I  r& A! [2 ^0 y5 J  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||/ n& D; M% K2 M& o+ l
    *(esp-&gt;4+4)=='NTIC'
( e$ t! K5 W6 a; |6 E3 @8 [. g2 ~6 {: R' T" x
-The most exotic ones (could be very slooooow :-($ O8 ]$ ^3 }. O. E" H
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  - Y& n  R* C" p2 u  N9 C
     ;will break 3 times :-(
7 H' B% H  X, L! M2 A8 [. l5 H, K8 g6 q& U) ?6 a1 E
-or (a bit) faster: + q3 y+ m; y4 H
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
' ^4 W8 M4 e4 x- k6 @" H0 q1 U
1 `/ @; A& c. ^3 R1 Y" ^8 d   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  / ]$ z3 G# s9 D6 B$ y
     ;will break 3 times :-(
+ m* [/ f; x1 m% a
& S6 }* L# W2 N-Much faster:/ z8 Z2 {0 z: h
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'. _$ B6 x% F7 l$ ?

& k2 s. i6 j! R, Y1 Q3 KNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
" |- l2 w1 m1 S6 ^) mfunction to do the same job:% J! h6 B/ n( j) U

4 E& e' ^7 X/ c' B/ H/ {  {   push    00                        ; OF_READ  h1 c/ C- J" [) s8 G
   mov     eax,[00656634]            ; '\\.\SICE',05 q+ ]9 A& Y7 Q3 a; A9 s. q. t; n
   push    eax
* E: s/ E7 G* [) r  u/ k( E   call    KERNEL32!_lopen* y3 |2 @) C/ M+ M: ]/ }
   inc     eax
9 x" ]2 y+ }  w: e6 k$ M   jnz     00650589                  ; detected$ D# m* g/ X  i0 e8 f$ y
   push    00                        ; OF_READ; t* _. r  m2 \) t  u, x1 D% \
   mov     eax,[00656638]            ; '\\.\SICE'& j! k% ^7 Z& B( M7 Z
   push    eax
6 z8 I% @- D5 @, M% _' d   call    KERNEL32!_lopen! O% I9 }( g- R/ C7 ?. b
   inc     eax6 ]- [, @2 V, o9 {
   jz      006505ae                  ; not detected6 H) _0 I' @% Q* Z% F
3 Q( O/ P  B' l7 i! v' v
" K$ K2 Y( i) y" D
__________________________________________________________________________8 z* v. Y# b/ @) Q3 ~+ l

7 F; o, A( D  d& l+ [9 t& H7 ^Method 12
5 m0 \, W7 N9 K! u; G, b( V=========; j7 j+ z* p. R$ v) c& `
6 _# i# X, l" r
This trick is similar to int41h/4fh Debugger installation check (code 05  X+ q  w# c$ q7 X6 }
&amp; 06) but very limited because it's only available for Win95/98 (not NT)+ Q: s' S2 e6 v8 R* b8 @% F$ ^
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.* z' ]5 Q  _- G1 h) ~
! J8 k! O% w5 ~9 B
   push  0000004fh         ; function 4fh
1 f# l( G4 T0 F1 Q% J4 x   push  002a002ah         ; high word specifies which VxD (VWIN32)1 k* B- v/ a" N% V& `/ l" j
                           ; low word specifies which service
/ n& G' d0 ~+ d* W                             (VWIN32_Int41Dispatch)# W. r% Y6 v0 P* Y2 }
   call  Kernel32!ORD_001  ; VxdCall( V% |6 [/ O. P
   cmp   ax, 0f386h        ; magic number returned by system debuggers: k8 `; k& X' e. m% n5 c6 F
   jz    SoftICE_detected) o- Q7 B2 A$ K3 }% Y8 @( y9 M8 D# S
8 z: }/ Z* r2 X9 U9 ?- S
Here again, several ways to detect it:' N/ ]8 F# s$ b

6 t# o) @9 N. i  u1 J, i    BPINT 41 if ax==4f
' r' h2 m& S1 C2 \6 }0 H; N
$ @) n- F) `, {$ ~$ m2 ~+ Z    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
+ @# }  M. {7 H1 F8 R; x4 `. x( a$ q: r, B7 |& ~, d
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
, |! z+ i% @8 g0 q& b" b9 j( d7 q
- x) R7 z+ `5 h& |    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
8 R) w) W6 h3 T3 V2 [5 Z; d
9 j8 C- k( x; C4 k1 P__________________________________________________________________________
" r3 t" X& O8 U3 l+ Q) ^& K* p$ {7 W2 A6 Y
Method 13
$ D4 O& |6 w8 M0 U: Z. F! ]=========9 \6 D' n( _% N  N8 ?# E

3 W$ l( Y. ~9 Y6 M9 y' K% PNot a real method of detection, but a good way to know if SoftICE is
7 c7 O9 }9 s& \# d; {  ]8 uinstalled on a computer and to locate its installation directory.
* I2 o3 z, }0 Z4 W% d( g% e: p$ gIt is used by few softs which access the following registry keys (usually #2) :
% h2 t, }; c. ~* k5 h5 _% p, }9 }, N" S5 z* m$ v
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion8 K5 F8 k- J* D# [) X+ @  U
\Uninstall\SoftICE
6 {3 l& ~: s, K-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) `3 ]8 d0 |& R3 L6 F! ?$ i7 t; `-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! z7 T8 @5 e, I  H) Y, Z0 d\App Paths\Loader32.Exe
/ w# [' D4 n3 Q" o& d3 K$ Y7 M- ~1 Y0 N; n

3 J3 G$ P  U" Y( a3 Q* c6 r7 ZNote that some nasty apps could then erase all files from SoftICE directory
) \. y2 B2 Y2 `% @3 y(I faced that once :-(
$ R4 I4 V# l% K; v2 b( u3 X- w9 G" B
Useful breakpoint to detect it:$ F- D( q* W6 H0 W

7 f# ^5 C7 {9 {+ A3 ^" ^     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
/ i" ]  e. j+ ^8 `! c+ W1 d# ^. R- {- n# }0 z
__________________________________________________________________________# D/ J' \9 E8 X& G# i. t& u3 }
1 @8 g2 K3 H; |& e
6 l3 R- ]; v2 c3 ]( @" g1 H8 t! }
Method 14 & ?* ~3 z- O5 ^$ r/ y
=========
) g& {& k- x- q! C" Y8 t& ^
; ^* x- u  l1 K1 t2 h0 UA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose7 F' F7 \) L) q6 l
is to determines whether a debugger is running on your system (ring0 only).
2 p' {7 I2 |' f! \- ^
( ]4 N# M% S3 z1 L& u   VMMCall Test_Debug_Installed
5 f$ `0 u+ @/ o+ p/ b   je      not_installed* Q# H% p5 @$ e
5 L' D; z5 p8 ]  m
This service just checks a flag.
4 a* W- f3 Z+ O$ l0 b# n' a, j</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 16:25

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表