找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>1 y* v- O& n' V
<TBODY>
& m, K, v; J$ J7 q+ e% o<TR>
* m! t9 `$ [5 E) [* @3 N<TD><PRE>Method 01
8 b  t+ N5 ?+ T/ Y- j=========' M/ A2 s- j4 S

$ O5 y) i( D3 f4 o% A# Y/ vThis method of detection of SoftICE (as well as the following one) is' a  c8 a9 f( i/ E% z$ ~. X
used by the majority of packers/encryptors found on Internet.
8 v+ {4 `3 u- D6 T% o2 x  J: v% ~It seeks the signature of BoundsChecker in SoftICE
: k4 X& k$ c) O  x) X" j2 C
, @* _/ m* W9 p4 I0 d    mov     ebp, 04243484Bh        ; 'BCHK'
$ V4 |, t5 x& [' D% G/ Y4 N    mov     ax, 04h: l  S4 d% j+ L" S6 B* m! `6 W- Y
    int     3      
# j: w0 l2 F- @( T    cmp     al,4
. q' H  m. F6 h' I0 D+ j6 f# V    jnz     SoftICE_Detected0 d5 F: j" t) a2 w( t7 d
8 F! q9 w: y2 k! t( G4 x! V
___________________________________________________________________________
6 k+ ]9 X: ?7 W8 _, y( E% h$ y& z7 b! a" c- H2 ?& Q
Method 02
! p7 d  ~. p) W# k* F=========2 p" M% y  A6 z" j8 W

8 e- Q. d* c+ @0 b& N4 }. y* HStill a method very much used (perhaps the most frequent one).  It is used
9 u, C. z  M1 T4 @' pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
  o1 y$ F5 G' ]" B- ^/ ror execute SoftICE commands...
0 X9 ^" j! N' EIt is also used to crash SoftICE and to force it to execute any commands
2 E: g3 s3 T% V% t' G7 {5 L. V(HBOOT...) :-((  7 H6 ?. Q6 l( l. ^7 x2 ?

3 m+ d2 A8 R2 q# Z' W! ~Here is a quick description:
) c' \% J$ b3 r, b-AX = 0910h   (Display string in SIce windows)
' G6 Y. ~( _; A1 G5 L4 [-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)2 A9 C9 `* c- J0 ^- t* E
-AX = 0912h   (Get breakpoint infos)
8 `) c- [7 U7 |9 ~2 w8 x1 i-AX = 0913h   (Set Sice breakpoints)
/ v) l7 i1 n3 m4 `" f2 J' J* J-AX = 0914h   (Remove SIce breakoints), j( V) x- ~# L) K( s% }* y
6 c/ J0 ]; S" b
Each time you'll meet this trick, you'll see:
" u) b# O) A- Y-SI = 4647h; D$ S  G1 F/ m# u% I. q3 i9 {+ c
-DI = 4A4Dh8 r/ C6 T7 E. ]& |/ K
Which are the 'magic values' used by SoftIce.
0 X' w8 c9 ]4 g6 GFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
8 a/ E0 n1 v4 A) T! n0 ?" X6 K. {( n6 f
Here is one example from the file "Haspinst.exe" which is the dongle HASP
* u9 _2 ^& k# i3 G  p2 yEnvelope utility use to protect DOS applications:
- V. W( f( g- y* G: N5 ~1 X$ V. k3 |* d! J0 i8 K6 R7 C
: H8 ?9 J/ b3 n( Z0 {6 h
4C19:0095   MOV    AX,0911  ; execute command./ v, S4 U  R% j8 J4 M
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4 d' i4 D5 d! l5 a( P9 v8 t4C19:009A   MOV    SI,4647  ; 1st magic value.
  D. x* Z& d- B( o4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
) p4 [6 P7 t0 m- X8 Z9 a& [4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)- y8 y$ I5 I' M% f( s+ w
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
8 Q2 t/ |  {. P) _4C19:00A4   INC    CX/ X/ w6 x8 Y6 \7 Y; v& u
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
  M) {. B2 @' b4C19:00A8   JB     0095     ; 6 different commands.
3 K9 l. }; s1 p1 r1 h" d4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4 I3 d! g0 i' w3 K& \4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
" d7 H* \& I3 P9 C3 r& I- z. Y  T6 B1 s
+ a. b% Z# N- F' t5 [) t/ Q- |7 d5 OThe program will execute 6 different SIce commands located at ds:dx, which
. B" N/ H7 y! G. s; tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
& H3 d4 R4 M: B& I0 ]& y3 \( I$ }
- o; w3 y- U! |( W9 K2 [* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.3 l# c2 {& O2 _" T: e- r
___________________________________________________________________________) Q! p3 j7 h1 p: X2 {% j5 x9 q9 Q1 G

0 v" i, J+ ]; T, f! p/ E/ r( u, ^2 A) A8 [9 k4 b  S3 y
Method 03
4 r, ]$ d( Y* |2 g! h% F# \0 W=========
0 g6 b, ^8 R+ Y1 i7 O- N
3 W3 {- j$ a- }# oLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 M+ p$ s1 e. B1 _7 X2 ~. @2 f(API Get entry point)
. a! e" \7 W, W, e: h        
5 k* s( {  ~2 D2 j& u+ K5 p* Y5 C" R. x+ ^* p( p+ a
    xor     di,di. {$ [  g" M7 c- n3 S- ~. M
    mov     es,di
; z, ^6 n6 d2 \6 e. Z6 S    mov     ax, 1684h       9 E" _# h" \4 z* X! V; B
    mov     bx, 0202h       ; VxD ID of winice5 e. n9 K. U4 P; z" }
    int     2Fh/ Q# O( ^5 ]  M$ }5 H
    mov     ax, es          ; ES:DI -&gt; VxD API entry point. U5 D  L. j+ n8 X# V7 O# d9 ?& w, C
    add     ax, di! ^6 p  l9 U  h& J& v
    test    ax,ax
$ B1 Y0 H$ v9 X/ b& h9 f! p    jnz     SoftICE_Detected  d: o! b! |5 X9 s& u
/ K" V9 N- E/ P2 _
___________________________________________________________________________. r! {- J& ~3 e/ A* Y6 ^1 o! h
6 I& S( O! X0 k5 V# P
Method 04
: {" t" s9 C  I# V* ]1 M9 K=========5 B3 W' ~# z7 c- Y- O8 s

6 w: u& l' ?' ?( X& oMethod identical to the preceding one except that it seeks the ID of SoftICE- o7 N% q1 N& ?: ?$ [
GFX VxD.
1 i  M( N- L* B
& f* s- |5 ]  ^/ G; O    xor     di,di$ N( \0 M4 m- ^: N' s) O! i% f  j
    mov     es,di
$ ?. Q8 }2 g0 M# y' r7 y    mov     ax, 1684h       , m' Z  f- N% u: o3 E" h" ]
    mov     bx, 7a5Fh       ; VxD ID of SIWVID/ M( U+ q* e& k8 @3 S2 E3 ^, \
    int     2fh
) W3 l2 r8 y% S; O    mov     ax, es          ; ES:DI -&gt; VxD API entry point! j+ i1 I5 W+ [+ ^
    add     ax, di9 w0 `4 L& o! B6 |2 j( u
    test    ax,ax
, _. _" l8 Z. X    jnz     SoftICE_Detected2 ^/ e1 X/ c" R$ s
5 G' Q0 ^8 I# {6 O* y. y: E; U
__________________________________________________________________________
3 c. ]* P& N- i0 d3 V
( n3 {) x- {0 M0 A! c
/ P1 ]0 G" p( c% _( S  f6 xMethod 050 a& B* Y; Z7 q& a( D$ M6 O
=========6 R5 S' p. w3 [( k

+ t/ P8 q/ [9 {" Y6 Z' vMethod seeking the 'magic number' 0F386h returned (in ax) by all system
! S( T" R3 f7 h9 Jdebugger. It calls the int 41h, function 4Fh.$ y  I! }, S3 C
There are several alternatives.  
  T( k' P" B$ W# n+ }6 I' D' I
8 }: f; N3 t- t! O$ _6 R2 sThe following one is the simplest:
/ R- u! M/ o* [/ O$ o* j" ]% I) {6 X' {. r
    mov     ax,4fh
! n9 X* H( U& Y& c    int     41h4 X$ N5 f! |7 G9 m" t! V6 r! o
    cmp     ax, 0F386' M. k: M6 L' V2 B6 w2 H
    jz      SoftICE_detected
9 g; d( K( `+ ]8 A' Z
; F' Y4 B' z' k- y8 |1 T- L8 ~! p! S3 x' N& _
Next method as well as the following one are 2 examples from Stone's ! R' B* J7 n0 e4 @  n: S* a
"stn-wid.zip" (www.cracking.net):
9 a  S; }+ i7 R5 d0 t, g
; a$ j0 l& i8 @! [6 O3 s+ o    mov     bx, cs9 b, H' T6 p3 O5 n5 N
    lea     dx, int41handler23 b0 Z5 D7 A) L0 e* b) M
    xchg    dx, es:[41h*4]
+ g2 ]. v" B$ j4 {& b/ C6 w    xchg    bx, es:[41h*4+2]
% }* _, d4 }2 c+ C* e    mov     ax,4fh2 u8 A+ C% i+ A8 p% r: n
    int     41h$ |/ q0 B7 x" A! v5 H# z
    xchg    dx, es:[41h*4]
8 {$ ~! S6 F- T    xchg    bx, es:[41h*4+2]
: f- a4 _" v2 g( E    cmp     ax, 0f386h& D( `! |/ X) A: Z) {2 r" b# t8 E
    jz      SoftICE_detected
+ C. W7 {! R, }: w* X; c
# L, Z2 e' D9 ^int41handler2 PROC9 K4 p# U3 ]! y+ X2 l7 ]$ Q- e: D
    iret
6 a& m! c/ E; S) `4 sint41handler2 ENDP
% |9 S  x0 Y$ y: s
, k/ Z. p; k: S! f
4 \  `( T0 u6 A3 ~_________________________________________________________________________7 F# K& v- W. E
0 T1 a$ l/ e+ {- `: a8 b1 U

" @" I4 }* Y+ a5 UMethod 06
4 R4 @8 r5 D( b# n5 H+ c9 s=========. F9 x3 @7 c- A8 k5 O4 j
8 |% |! H' L* F
+ M& d$ [* j, z: ^; P- ?6 w% V8 v5 s
2nd method similar to the preceding one but more difficult to detect:) Q2 _3 U/ w* L0 ~

3 A0 k$ \/ C8 W. v+ q; ^' b0 x9 B, E  ~0 `
int41handler PROC; @2 X4 L1 e) H# W7 M9 t: u; }
    mov     cl,al3 h* Z0 S. f/ ?- p6 e. `9 a
    iret  m; m- p9 c6 R
int41handler ENDP
) Z* }4 I) U6 Z" D3 }$ ^! L
% m" O7 q- j% X/ g1 b- l/ k# ~& E; e0 R8 C  J9 i6 [
    xor     ax,ax
8 y/ o, Z  N5 q  J5 q( b2 ~    mov     es,ax; Z  n5 F0 V4 c
    mov     bx, cs
" O; H: x; z  t    lea     dx, int41handler
" D$ W3 V" n; W+ h8 W    xchg    dx, es:[41h*4]8 X& c; L, x9 B0 c# _) y
    xchg    bx, es:[41h*4+2]9 a  ]3 U; ^% ^2 U4 h3 @% E
    in      al, 40h/ C4 ]8 t& e9 V. p6 i7 R, H& p/ H1 X
    xor     cx,cx
; W2 [) C( n( B) a& Y4 e    int     41h1 |: G" u. V' D1 C& z
    xchg    dx, es:[41h*4]
9 U- ?0 S& X. c5 q0 ^: l8 R    xchg    bx, es:[41h*4+2]  J9 @, ^0 ~, s  z
    cmp     cl,al3 P3 |. t8 a) m; R" m
    jnz     SoftICE_detected
' p7 H7 [5 C8 ]2 _$ S
9 |( h5 _( t+ {' B. H* T_________________________________________________________________________
) O8 g5 Y7 g7 H7 ]( _  _4 j
* i1 U+ _2 g  B* l& m8 dMethod 07
# C9 Q* N& Y/ N2 t=========
4 W: i( O" T6 ^. U& I" _- y" L2 }: ~4 t  X& z! j
Method of detection of the WinICE handler in the int68h (V86)
6 m" G$ N  ^$ A0 B: k) q% d: w; K4 m# p9 T3 a% W3 L9 S
    mov     ah,43h/ c& f( O2 E- d7 _- _( A
    int     68h
1 z/ ^3 E& s# |* r; e1 c    cmp     ax,0F386h
3 H3 K: T8 D5 a3 T    jz      SoftICE_Detected
$ r4 _. {- i7 f7 j; R" o1 I  g$ g7 |8 q4 N/ h0 U) \. O, e

: v# S, j' y4 z/ T- m3 ~  k=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit6 ^8 y0 U! l' c% Q: y2 n/ l
   app like this:
/ ^  f7 k% Z* g% t: }! L9 w0 B+ d2 I. i+ [! H3 ]) B" v
   BPX exec_int if ax==68
8 j5 h$ X9 N/ F; `5 y+ I5 `) b8 ~   (function called is located at byte ptr [ebp+1Dh] and client eip is
: ^+ p' J* ~8 h) x7 E; a   located at [ebp+48h] for 32Bit apps). R/ q6 }' U7 S8 h8 U, H
__________________________________________________________________________( i, a" C7 W5 q1 T1 ]- Q! D
. ^2 g3 c+ _# n* R; \
8 R; q1 ~4 ?; U& l% [
Method 08
2 G/ p9 b3 y+ Q=========  j  B. q- N& G/ L2 }# O9 i

4 X! h- u) \' m( N" L' e6 [; g: N* ?0 B0 |It is not a method of detection of SoftICE but a possibility to crash the
; s. S2 v9 V" Nsystem by intercepting int 01h and int 03h and redirecting them to another9 K# K* W, Z( a, @" y
routine.$ p, d- u3 I* s% M' S/ ^" e1 v
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
! k3 ?9 \5 h% q, I  {5 qto the new routine to execute (hangs computer...)8 P- G6 }: a( t5 R
8 g1 M0 e2 @% \4 T3 ?0 Z
    mov     ah, 25h( ~7 O, D+ W' b- h  Q* E
    mov     al, Int_Number (01h or 03h)  D2 ~3 O" K2 h
    mov     dx, offset New_Int_Routine- ^8 ~$ _9 M' K" [: U
    int     21h* s, y, o, _1 h0 L$ V

3 v$ a( m/ `5 ^: ?4 e" {/ o__________________________________________________________________________
4 Y* g: z% V" S; G9 ?
# m) E; I, y( K1 H+ S6 lMethod 093 ^+ h7 Z0 F+ A# l4 s- [
=========* ?% G; ~, ]2 U0 b* @2 ^: J

7 x$ q0 E" e, rThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ u3 c1 y& j$ O3 n  ^# ?$ Mperformed in ring0 (VxD or a ring3 app using the VxdCall).' N, R  I' m8 e8 b" n
The Get_DDB service is used to determine whether or not a VxD is installed3 v: r, U2 Z3 b$ y  G& y& c
for the specified device and returns a Device Description Block (in ecx) for
- s7 }9 i) Y1 F1 {: D8 {  xthat device if it is installed.
7 \, n# v2 s! m( f
  C+ W# }3 ]+ _  V) \- W   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
1 a1 `: [" e: ]   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
7 J+ B+ n7 }. l3 ^9 a   VMMCall Get_DDB
3 @) p: Z3 P8 K. B7 }   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed- i  f4 k% p6 r6 ~- `- \+ K- T! x# R

8 ^! d* l4 s3 u% R7 D* h; M# wNote as well that you can easily detect this method with SoftICE:5 T$ j6 |) P. U7 P) i3 V/ V6 `
   bpx Get_DDB if ax==0202 || ax==7a5fh* X4 I# q0 D! ?- l" y9 U2 q9 c2 l
# I' A5 |  G! n$ s
__________________________________________________________________________! e0 n' S* r7 d0 Q

% e8 G9 Z! W! u# o7 w% J! a' T" o! O% HMethod 10. L4 p/ b5 l: o
=========
( y( k: l9 t$ n
4 [* l, ?  F8 P  U' [=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with' z; `; K# k6 G: I
  SoftICE while the option is enable!!9 O2 S: ?; l! p0 o5 I
3 A: l, `' `4 a' z/ {0 C
This trick is very efficient:9 v( ?8 g8 i  O
by checking the Debug Registers, you can detect if SoftICE is loaded
8 W+ a$ B- D/ p5 g  Z$ B(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
2 o* p' J: y$ k  Athere are some memory breakpoints set (dr0 to dr3) simply by reading their- f$ ^9 p3 y" k. ^8 X
value (in ring0 only). Values can be manipulated and or changed as well
8 _9 |# v, k  J( s6 c' P(clearing BPMs for instance)' ~2 @+ s! m! |. j1 M- v
4 u# @9 H7 ?; a! n+ n
__________________________________________________________________________+ y% c/ g6 F/ u. j, ]! N) f/ N
( \0 h+ O( M4 V: h! Y/ ^6 R
Method 11
, y0 W8 z) g- w% ?- Z=========5 w8 I8 d6 m3 l6 C2 e

1 q& Z' W; K7 Z. @1 ~9 iThis method is most known as 'MeltICE' because it has been freely distributed* i8 V5 {; D3 L; x) x
via www.winfiles.com. However it was first used by NuMega people to allow
! O, Q7 V! H8 B7 r( X6 xSymbol Loader to check if SoftICE was active or not (the code is located5 h, W7 A: _8 I! H, j* s, x
inside nmtrans.dll).- F3 @% }: s" }( W. i

5 l. \4 k+ ]$ X$ {( E4 ?" Y( [  g3 OThe way it works is very simple:% T8 e6 E5 ?. T: g* r0 {8 b1 l( j. }
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ j- G" K+ L( c$ |% y0 oWinNT) with the CreateFileA API.9 P9 y0 w+ z* ]( z
1 O: u! K3 I& d% h0 @2 K
Here is a sample (checking for 'SICE'):9 @% B' A: u* C4 D
; z8 V* p; g3 w6 E
BOOL IsSoftIce95Loaded(). b! G' W& b! g7 b$ y
{& N( e5 W/ I6 Y$ {0 a' ^8 a
   HANDLE hFile;  
9 A4 \' J' D; J& P4 c5 y% H6 l; `( c   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,# V: W. q  e5 y
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
9 q4 f1 {' S$ G# l- Z2 h                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; @/ V" n9 M1 V
   if( hFile != INVALID_HANDLE_VALUE )+ Z( C% b7 V6 T* ^6 m
   {- J7 ]! u8 Z' k$ @/ i+ C# U
      CloseHandle(hFile);
+ O3 j7 r, `/ Y+ O" a6 Q" }7 ]      return TRUE;
4 {0 J3 B! A' p2 @   }2 {+ U9 L/ l( d* y& R6 |% L1 k
   return FALSE;
+ O0 W+ Y' ?7 x0 ?9 ~" d; O) c9 L}
! b! n1 N* ~' ~3 D! B- i& Q- `" S& K- }2 t7 v$ s
Although this trick calls the CreateFileA function, don't even expect to be) r% m6 \; r7 l2 b% [; G5 X
able to intercept it by installing a IFS hook: it will not work, no way!8 ]% h7 n" S8 h1 h$ z/ A+ V0 r
In fact, after the call to CreateFileA it will get through VWIN32 0x001F0 {; g7 v) S& ^7 a7 R
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)& p  f" r9 c7 `' ~1 s  H; }
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 p) o6 E, i5 F) R' yfield.! V* Z6 B6 b9 p3 p/ B
In fact, its purpose is not to load/unload VxDs but only to send a
/ b9 \! J" I  @W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
8 v: M% R1 I# U) l1 xto the VxD Control_Dispatch proc (how the hell a shareware soft could try" e2 _" {, U! S1 P% g' S# y
to load/unload a non-dynamically loadable driver such as SoftICE ;-).5 t' @* O  Z3 j$ V  ]0 k: g
If the VxD is loaded, it will always clear eax and the Carry flag to allow( d4 y4 F& z4 N- L
its handle to be opened and then, will be detected.
: z- Y+ O4 X1 |3 ZYou can check that simply by hooking Winice.exe control proc entry point9 g7 E, N/ y, l
while running MeltICE.
4 b8 A8 ~3 X/ g0 c+ r  C2 T7 S  K  @+ G" h

9 i; A; L8 N% q" }0 n  `/ \  00401067:  push      00402025    ; \\.\SICE4 v. P8 k' p1 a
  0040106C:  call      CreateFileA
6 }$ F7 f. U4 c5 o1 o, e3 z) Z  00401071:  cmp       eax,-001* K) u5 R0 ?& J- p5 B% u1 H
  00401074:  je        00401091
5 H7 V) Q) a: F- E2 z$ K! R' e
9 {: c5 R& W0 u. O  i% B, K! K2 q8 i" c3 N- |3 e& F( v" y
There could be hundreds of BPX you could use to detect this trick.
0 k& ^/ O) ~* ~& O-The most classical one is:% v5 D* I' k2 @( o6 |4 }
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 [$ W, I9 A0 d: f* ~  x) E    *(esp-&gt;4+4)=='NTIC'8 n8 X4 |" Y0 l) |

! j& F6 p3 j$ s3 d5 s-The most exotic ones (could be very slooooow :-(' r# j- k1 o" L2 b/ }2 O
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  # n4 A  a, }& q4 ^
     ;will break 3 times :-(
8 H6 |$ k! Z/ K" c* p' ]& x- M4 q) _4 R
-or (a bit) faster:
- i+ M4 g7 U2 k9 I% I   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')0 E8 }2 c3 M7 i; E# V5 v/ d" q

4 t, e. I! a! s8 h   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ' i; R7 k9 i: ?6 j2 J
     ;will break 3 times :-(5 z. |/ x0 A* X5 r  I
7 ^# k5 `/ B+ {- Q9 P
-Much faster:
1 {' u# i- j. W   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'" o) v. G: Y- `4 q( i, h
2 D* v8 Y5 I3 [& l5 g
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
7 X) I! ]5 S' H" j+ n" p5 kfunction to do the same job:
# H! k. q) J: y& H! w, ^0 Q) L2 c& B5 O; t" _- E" b# G
   push    00                        ; OF_READ
% B, L. x! Z5 E% P0 Z9 H2 _   mov     eax,[00656634]            ; '\\.\SICE',0! F, G5 g( O, t' Q+ n- F
   push    eax
! `5 D$ K5 w, F8 g2 s) h- l   call    KERNEL32!_lopen
* r4 I7 |% ?; S9 D" n9 r3 f1 w2 U7 V% E) X   inc     eax+ R/ r6 @  g( U) X0 L2 Z0 \' G
   jnz     00650589                  ; detected- _& d! X8 u/ X: o1 D  g. P
   push    00                        ; OF_READ, H3 G+ f0 R* \) T" y- a( M; }
   mov     eax,[00656638]            ; '\\.\SICE'0 R  z+ p4 V2 G6 I
   push    eax
3 B1 |6 G& U0 r: Q. d- |7 k4 {   call    KERNEL32!_lopen
3 L! q! m$ B3 F   inc     eax
3 H' ~: ^! m1 O, @2 h   jz      006505ae                  ; not detected& L+ j: r( Z- j4 }8 n0 Y+ j
2 U  e! S" A3 _  \$ q

& s6 U- Z+ @8 `2 J$ [* E2 N2 {__________________________________________________________________________1 n! T. ^5 D5 w  i

) \: m3 @$ O+ M0 E: F1 Z, {3 bMethod 12, j+ `5 f2 Y" S6 }  A/ |3 N
=========
  I0 D* A' c* G  a, j
4 L, i8 H& d  \) L( d+ aThis trick is similar to int41h/4fh Debugger installation check (code 05( D. v0 e! b) Q3 S
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
( b/ ]' }% }1 {* [8 \as it uses the VxDCall backdoor. This detection was found in Bleem Demo.) @& k* l0 {1 a3 n3 e/ J

1 {4 T+ B4 U7 M- L. h   push  0000004fh         ; function 4fh
$ N, L  c6 u- \9 B   push  002a002ah         ; high word specifies which VxD (VWIN32); O; T7 ]# N* R+ w" z
                           ; low word specifies which service/ c$ I  d% g, e8 B" E2 `+ x
                             (VWIN32_Int41Dispatch). o" [9 j: |4 ~2 s$ H( ?& E
   call  Kernel32!ORD_001  ; VxdCall. O/ @: ^# ~$ e: l" _0 T8 r
   cmp   ax, 0f386h        ; magic number returned by system debuggers
/ y9 G9 U* L/ N* R/ X8 C   jz    SoftICE_detected
1 _8 F( ^; D' H$ j
, G; b) ?& a6 Q) z% F3 UHere again, several ways to detect it:5 ?' P9 h; k/ d4 B2 [$ I
% k% R0 Q1 C3 m" d
    BPINT 41 if ax==4f
* v% R: n4 b/ d; m, ~% c8 B0 G" F
5 |4 n& b5 F7 C: p' X    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
& {6 |( f- M8 `1 z4 g
: f! j- i9 A5 u% B# Q# v    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A4 l, I/ p! z( v' v4 o4 L

3 Y. {# V" h( N8 O5 ~! u    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
. v: S$ H- V7 O, T
$ B2 e% k5 ~* e__________________________________________________________________________! `/ a% a, U! ]- h' }5 x
4 r' u7 g  H5 c* Z( X
Method 139 J; j7 P! _6 F% w2 z
=========
2 t# u* \1 `) N/ s! ~3 F/ @! w; V: }6 y+ S
Not a real method of detection, but a good way to know if SoftICE is
9 h5 y$ ^, u. u: z1 Finstalled on a computer and to locate its installation directory.
- w$ ?( _* \5 w) W6 oIt is used by few softs which access the following registry keys (usually #2) :# o; [8 _, q+ Y9 F$ R
. I8 h( @3 }) e$ U" ]# h& U
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
9 w4 D6 R  r* o( A\Uninstall\SoftICE
0 \2 r- w& g9 z  K) {-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- a" ^7 P' q5 K4 U- ^-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 m6 m. ]5 m& X) o4 Y
\App Paths\Loader32.Exe
9 ^9 m# y3 t  V4 t) W- s( a# ]$ F, u9 O6 r, [  N6 ?
0 }# y3 s+ l# Y8 n/ s
Note that some nasty apps could then erase all files from SoftICE directory: A4 w8 s5 t. D. _7 q
(I faced that once :-(
, E1 M; u. H. Z0 w/ k
. J1 q( g/ }+ s9 z) wUseful breakpoint to detect it:  H5 j/ c: S- |% K8 W
( o* e) G  g. {& P) i( d/ k
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
0 l$ T; f3 C0 @  P* V5 s+ ~! t5 m8 P! U, `$ c) _3 p
__________________________________________________________________________7 f, }, u9 b6 \* m
0 D- b* o# f1 v+ d

7 ?; Y" C7 p$ rMethod 14 8 {( h2 {$ T: _( L
=========
5 [+ P/ n- ^. N: w1 M; Z$ K) z8 j! y! G; {( E$ w. v
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 @6 \9 F# [; @
is to determines whether a debugger is running on your system (ring0 only).
! ^$ k! d! L' v0 p! F1 m: S
  |. E1 }+ ^( C& [6 f( l1 Q$ z1 c   VMMCall Test_Debug_Installed, Z: O: @( l, o4 ^8 g( k
   je      not_installed
+ y$ D8 _  g: l; `! N+ H  C- l- C' I: x. I
This service just checks a flag.
+ i  J+ f$ E# ?</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-9 18:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表