About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
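A defender-side complement to the methods above, added here as an example and not part of the original post: a small Python scanner that flags the byte and string signatures of several of these tricks (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) inside a raw binary blob, so a sample that uses them can be triaged statically. The opcode bytes are the standard x86 encodings of the instructions listed in the post (an assumption; assemblers and compilers may choose other encodings), and the sample blob is constructed.

```python
import re

# Static signatures for the anti-SoftICE tricks described in the post.
# Opcode bytes are the standard x86 encodings of the listed instructions
# (an assumption: other encodings exist), so a miss means "not matched
# by this pattern", not "absent".
OPCODE_SIGNATURES = {
    # Method 01 (32-bit): mov ebp,4243484Bh ('BCHK') ... int 3 ... cmp al,4
    "01 BoundsChecker 'BCHK' int 3": re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC.{0,4}?\x3C\x04", re.S),
    # Method 02 (16-bit): mov si,4647h / mov di,4A4Dh magic values ... int 3
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.S),
    # Methods 03/04 (16-bit): mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03/04 int 2Fh/1684h VxD ID (SICE 0202h or SIWVID 7A5Fh)": re.compile(
        rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.S),
    # Method 05 (16-bit): mov ax,4Fh / int 41h ... cmp ax,0F386h
    "05 int 41h/4Fh magic 0F386h": re.compile(
        rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.S),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    "07 int 68h/43h magic 0F386h": re.compile(
        rb"\xB4\x43\xCD\x68.{0,4}?\x3D\x86\xF3", re.S),
    # Method 12 (Win9x, 32-bit): push 4Fh / push 002A002Ah / call VxDCall
    "12 VxDCall VWIN32_Int41Dispatch(4Fh)": re.compile(
        rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.S),
}

# Methods 11 and 13 are recognisable by the device and registry names they use.
# Both the ANSI and the UTF-16LE (CreateFileW / RegOpenKeyW) spellings are checked.
STRING_SIGNATURES = {
    "11 MeltICE device name": [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"],
    "13 SoftICE registry key": [b"Software\\NuMega\\SoftICE",
                                b"Uninstall\\SoftICE", b"App Paths\\Loader32.Exe"],
}

def scan(data: bytes) -> list:
    """Return the sorted list of method labels whose signature occurs in data."""
    hits = set()
    for label, pattern in OPCODE_SIGNATURES.items():
        if pattern.search(data):
            hits.add(label)
    for label, needles in STRING_SIGNATURES.items():
        for needle in needles:
            wide = needle.decode("ascii").encode("utf-16-le")
            if needle in data or wide in data:
                hits.add(label)
                break
    return sorted(hits)

# Constructed sample blob (not a real binary): method 01 code, method 12 code
# and a wide-string MeltICE device name, separated by filler bytes.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # method 01
    + b"\x00" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00"      # method 12
    + b"\x00" * 8
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"             # method 11
)
```

scan(SAMPLE) returns the labels for methods 01, 11 and 12; pass scan() the bytes of any file to triage it.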