About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap our own handler into int 41h
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer: a value no debugger knows
    xor     cx,cx
    int     41h                     ; our handler copies al into cl, SoftICE does not
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
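Added example (not part of the original post): a static scanner for the instruction idioms of Methods 01 to 07, so an analyst can flag these stubs in a raw code image before running the file under a debugger. The opcode encodings are standard 16-bit x86; the sample image is constructed here and is not taken from Haspinst.exe or any other real file.

```python
import re

# One regex per idiom, matched over raw bytes. The '.{0,N}' gaps tolerate the
# filler packers put between the key opcodes; '(?:\x66)?' allows 32-bit code,
# where 16-bit register moves carry an operand-size prefix. Tune the gaps to
# your corpus: wider gaps catch more variants but raise false positives.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') .. mov ax,4 .. int 3
    "01 BoundsChecker BCHK / int 3": re.compile(
        rb"(?:\x66)?\xbd\x4b\x48\x43\x42.{0,8}(?:\x66)?\xb8\x04\x00.{0,8}\xcc", re.S),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) near an int 3
    "02 SoftICE back door (SI=4647h, DI=4A4Dh)": re.compile(
        rb"(?:\xbe\x47\x46.{0,8}\xbf\x4d\x4a|\xbf\x4d\x4a.{0,8}\xbe\x47\x46).{0,16}\xcc", re.S),
    # Methods 03/04: mov ax,1684h .. mov bx,0202h|7A5Fh .. int 2Fh
    "03/04 int 2Fh/1684h VxD entry point": re.compile(
        rb"\xb8\x84\x16.{0,8}\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f", re.S),
    # Method 05: mov ax,4Fh .. int 41h (the cmp ax,0F386h that follows is not required)
    "05 int 41h/4Fh debugger check": re.compile(
        rb"\xb8\x4f\x00.{0,24}\xcd\x41", re.S),
    # Method 07: mov ah,43h .. int 68h .. cmp ax,0F386h
    "07 int 68h/43h V86 handler": re.compile(
        rb"\xb4\x43.{0,8}\xcd\x68.{0,8}\x3d\x86\xf3", re.S),
}


def scan(image: bytes):
    """Return a sorted list of (offset, signature name) hits found in a code image."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(image):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample image (not a real file): the Method 02 back door loop
# (mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 / add bx,2
# / inc cx) followed by the simplest Method 05 check, with nop filler around.
SAMPLE = bytes([
    0x90, 0x90, 0x90,                 # nop filler (offsets 0-2)
    0xB8, 0x11, 0x09,                 # mov ax,0911h
    0x8B, 0x17,                       # mov dx,[bx]
    0xBE, 0x47, 0x46,                 # mov si,4647h   (offset 8)
    0xBF, 0x4D, 0x4A,                 # mov di,4A4Dh
    0xCC,                             # int 3
    0x83, 0xC3, 0x02,                 # add bx,2
    0x41,                             # inc cx
    0x90, 0x90, 0x90, 0x90,           # nop filler
    0xB8, 0x4F, 0x00,                 # mov ax,4Fh     (offset 23)
    0xCD, 0x41,                       # int 41h
    0x3D, 0x86, 0xF3,                 # cmp ax,0F386h
    0x74, 0x05,                       # jz SoftICE_detected
    0xC3,                             # ret
])

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("0x%04X  %s" % (offset, name))
```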
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
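Added example (not from the original post): a decoder for the DR7 value this trick reads, using the documented x86 DR7 bit layout, so that the two values quoted above (0x700 and 0x400) can be read field by field. The interpretation of 0x700 as "loaded via the SoftICE loader" is taken from the text, not verified here.

```python
# DR7 layout (Intel SDM): bits 0-7 = L0,G0,...,L3,G3 (local/global enable per
# breakpoint), bit 8 = LE, bit 9 = GE, bit 10 = reserved (reads as 1),
# bit 13 = GD, bits 16-31 = R/Wn and LENn, two bits each, per breakpoint n.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # 10b means 8 bytes only in long mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its enabled breakpoints and global flag bits."""
    breakpoints = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1          # Ln
        glob = (dr7 >> (2 * n + 1)) & 1       # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3        # R/Wn
        ln = (dr7 >> (18 + 4 * n)) & 3        # LENn
        breakpoints.append({"n": n, "scope": "global" if glob else "local",
                            "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "breakpoints": breakpoints,
        "le": bool(dr7 & (1 << 8)),            # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),            # global exact breakpoint enable
        "gd": bool(dr7 & (1 << 13)),           # general detect (traps MOV DRn)
        "reserved_bit10": bool(dr7 & (1 << 10)),
    }


def softice_indicators(dr7: int) -> list:
    """What the Method 10 trick infers from a DR7 read, per the text above."""
    d = decode_dr7(dr7)
    findings = []
    if d["le"] and d["ge"]:
        findings.append("LE+GE set (0x700 pattern: loaded via SoftICE loader)")
    if d["breakpoints"]:
        findings.append("%d BPM(s) armed in DR0-DR3" % len(d["breakpoints"]))
    return findings


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus 0x700 with a
    # 4-byte read/write breakpoint enabled locally on DR0.
    for value in (0x400, 0x700, 0x700 | 0x1 | (3 << 16) | (3 << 18)):
        print(hex(value), decode_dr7(value), softice_indicators(value))
```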
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory!
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>