About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

If SoftICE is loaded, its int 3 handler recognises the BoundsChecker
signature in EBP and changes AL, so AL still equal to 4 means no SoftICE.

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (IVT), as set explicitly in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in a dummy int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector is kept in DX:BX)
    mov     ax,4fh
    int     41h                     ; only a system debugger can still answer 0F386h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

AL is loaded with a byte read from the timer port (40h) and CL is cleared;
the dummy handler copies AL into CL, so CL differs from AL only if something
intercepted int 41h before the handler ran.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
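As an added illustration (not part of the original text), the Python scanner below looks for the byte patterns of Methods 01 to 13 in a file, the way an analyst would triage a packer for anti-SoftICE checks. The signature names, the summarize() helper and the SAMPLE buffer are constructed here; the encodings assume the 16-bit or 32-bit instruction forms noted in the comments and match ANSI strings only.

```python
import re
import sys

# Byte signatures for the anti-SoftICE checks catalogued above (Methods 01-13).
# Immediate moves are given in their 16-bit encoding; an optional 0x66
# operand-size prefix lets the same pattern also match the 32-bit form.
# Strings are matched as ANSI (CreateFileA / RegOpenKeyA), not UTF-16.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' (mov ebp,4243484Bh)",
     rb"\xBD\x4B\x48\x43\x42"),
    ("M02 back door magic (mov si,4647h; mov di,4A4Dh)",
     rb"\xBE\x47\x46(?:\x66)?\xBF\x4D\x4A"),
    ("M03 int 2Fh/1684h, SICE VxD id 0202h",
     rb"\xB8\x84\x16(?:\x66)?\xBB\x02\x02\xCD\x2F"),
    ("M04 int 2Fh/1684h, SIWVID VxD id 7A5Fh",
     rb"\xB8\x84\x16(?:\x66)?\xBB\x5F\x7A\xCD\x2F"),
    ("M05 int 41h fn 4Fh (mov ax,4Fh; int 41h)",
     rb"\xB8\x4F\x00\xCD\x41"),
    ("M07 int 68h fn 43h (mov ah,43h; int 68h)",
     rb"\xB4\x43\xCD\x68"),
    ("M11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("M12 VxDCall VWIN32_Int41Dispatch fn 4Fh",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("M13 NuMega registry key",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]


def scan(data):
    """Return [(offset, signature name)] for every hit, sorted by offset."""
    hits = []
    for name, rx in COMPILED:
        hits.extend((m.start(), name) for m in rx.finditer(data))
    return sorted(hits)


def summarize(data):
    """Map method tag ('M01', ...) -> hit count, for quick triage of a file."""
    counts = {}
    for _, name in scan(data):
        tag = name.split()[0]
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample (not a real binary): NOP filler around the Method 01
# check, the Haspinst-style Method 02 magic values, the 32-bit encoding of
# Method 03, and a MeltICE device-name string.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x66\xB8\x84\x16\x66\xBB\x02\x02\xCD\x2F"          # mov ax,1684h; mov bx,0202h; int 2Fh (32-bit)
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, name in scan(blob):
        print(f"{off:08x}  {name}")
```

A hit only says the pattern is present; the NuMega loader itself or a string table can match M11/M13, so confirm under the breakpoints listed above.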
& i! E$ V/ v  S5 h</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-5-4 11:49

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表