About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; INT 3 call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by any system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES must be 0 (the IVT segment) here, as in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a changing byte (timer) in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler was never reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
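For triage of a protected binary, here is an added example in C (not from the original text nor from Stone's archive): a small signature scanner for the opcode patterns of Methods 02 to 07, matching the 16-bit encodings of the listings above (mov si,4647h / mov di,4A4Dh / int 3; mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh; mov ax,4Fh / int 41h / cmp ax,0F386h; in al,40h / int 41h / cmp cl,al; mov ah,43h / int 68h / cmp ax,0F386h) as ordered fragments within a 32-byte window. The signature table, the function names and the sample buffer are my own; the buffer is constructed and holds the Method 03 and Method 05 sequences. Code assembled for 32-bit mode carries a 66h operand-size prefix on the 16-bit moves, which these fragments do not cover.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A signature is three byte fragments that must appear in this order within
 * WINDOW bytes of the first one (instructions in between are ignored). */
typedef struct { const uint8_t *bytes; size_t len; } frag_t;
typedef struct { const char *name; frag_t frag[3]; } sig_t;
#define WINDOW 32

/* 16-bit encodings of the instructions used by the listings above. */
static const uint8_t MOV_SI_4647[] = { 0xBE, 0x47, 0x46 };  /* mov si,4647h */
static const uint8_t MOV_DI_4A4D[] = { 0xBF, 0x4D, 0x4A };  /* mov di,4A4Dh */
static const uint8_t INT_3[]       = { 0xCC };              /* int 3 */
static const uint8_t MOV_AX_1684[] = { 0xB8, 0x84, 0x16 };  /* mov ax,1684h */
static const uint8_t MOV_BX_0202[] = { 0xBB, 0x02, 0x02 };  /* mov bx,0202h (SICE) */
static const uint8_t MOV_BX_7A5F[] = { 0xBB, 0x5F, 0x7A };  /* mov bx,7A5Fh (SIWVID) */
static const uint8_t INT_2F[]      = { 0xCD, 0x2F };        /* int 2Fh */
static const uint8_t MOV_AX_4F[]   = { 0xB8, 0x4F, 0x00 };  /* mov ax,4Fh */
static const uint8_t INT_41[]      = { 0xCD, 0x41 };        /* int 41h */
static const uint8_t CMP_AX_F386[] = { 0x3D, 0x86, 0xF3 };  /* cmp ax,0F386h */
static const uint8_t IN_AL_40[]    = { 0xE4, 0x40 };        /* in al,40h */
static const uint8_t CMP_CL_AL[]   = { 0x38, 0xC1 };        /* cmp cl,al */
static const uint8_t MOV_AH_43[]   = { 0xB4, 0x43 };        /* mov ah,43h */
static const uint8_t INT_68[]      = { 0xCD, 0x68 };        /* int 68h */

#define F(a) { a, sizeof a }
static const sig_t SIGS[] = {
    { "Method 02: INT 3 back door (SI=4647h, DI=4A4Dh)", { F(MOV_SI_4647), F(MOV_DI_4A4D), F(INT_3) } },
    { "Method 03: INT 2Fh/1684h, VxD ID 0202h (SICE)",   { F(MOV_AX_1684), F(MOV_BX_0202), F(INT_2F) } },
    { "Method 04: INT 2Fh/1684h, VxD ID 7A5Fh (SIWVID)", { F(MOV_AX_1684), F(MOV_BX_7A5F), F(INT_2F) } },
    { "Method 05: INT 41h/4Fh, magic 0F386h",            { F(MOV_AX_4F),   F(INT_41),      F(CMP_AX_F386) } },
    { "Method 06: INT 41h with IN AL,40h / CMP CL,AL",   { F(IN_AL_40),    F(INT_41),      F(CMP_CL_AL) } },
    { "Method 07: INT 68h/43h, magic 0F386h",            { F(MOV_AH_43),   F(INT_68),      F(CMP_AX_F386) } },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Offset of the first fragment if all three occur in order within the window, else -1. */
long match_sig(const uint8_t *buf, size_t len, const sig_t *s, size_t window)
{
    for (size_t start = 0; start + s->frag[0].len <= len; start++) {
        if (memcmp(buf + start, s->frag[0].bytes, s->frag[0].len) != 0)
            continue;
        size_t pos = start + s->frag[0].len;
        size_t limit = (start + window < len) ? start + window : len;
        int ok = 1;
        for (int i = 1; i < 3 && ok; i++) {
            const frag_t *f = &s->frag[i];
            ok = 0;
            for (size_t p = pos; p + f->len <= limit; p++) {
                if (memcmp(buf + p, f->bytes, f->len) == 0) { pos = p + f->len; ok = 1; break; }
            }
        }
        if (ok)
            return (long)start;
    }
    return -1;
}

/* Fill `hits` with the names of the signatures found; returns how many. */
size_t scan_anti_sice(const uint8_t *buf, size_t len, const char **hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i < NSIGS && n < max_hits; i++)
        if (match_sig(buf, len, &SIGS[i], WINDOW) >= 0)
            hits[n++] = SIGS[i].name;
    return n;
}

/* Constructed sample: NOPs, then the Method 03 sequence (offset 2), then the
 * Method 05 sequence (offset 19), then a RET. Not taken from any real file. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90,
    0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F,   /* mov ax,1684h; mov bx,0202h; int 2Fh */
    0x8C, 0xC0, 0x01, 0xF8, 0x85, 0xC0, 0x75, 0x10,   /* mov ax,es; add ax,di; test ax,ax; jnz */
    0x90,
    0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3,   /* mov ax,4Fh; int 41h; cmp ax,0F386h */
    0x74, 0x05,                                       /* jz */
    0xC3
};

int main(void)
{
    const char *hits[NSIGS];
    size_t n = scan_anti_sice(SAMPLE, sizeof SAMPLE, hits, NSIGS);
    printf("%zu signature(s) in the constructed sample:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", hits[i]);
    return 0;
}
```

The window keeps the xchg-based variants (Stone's examples, Method 06) matchable even though several instructions sit between the fragments; it is also what limits false positives, since `int 41h` or `cmp ax,0F386h` alone are common enough in ordinary code.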
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
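Added example in C (not part of the original text) decoding a DR7 value as Method 10 reads it: which of the four breakpoint slots are armed, their condition and length, and the LE/GE bits that distinguish the 0x700 value the text reports for programs started with the SoftICE loader from the idle 0x400. The bit layout is the documented x86 one; the struct and function names are mine, and the values in main are constructed. Reading DR7 itself requires ring 0, as the text says; this code only interprets a value already obtained.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of DR7. Bit layout: L0..L3 at bits 0,2,4,6; G0..G3 at bits
 * 1,3,5,7; LE bit 8; GE bit 9; bit 10 always reads as 1; GD bit 13;
 * R/Wn at bits 16+4n..17+4n; LENn at bits 18+4n..19+4n. */
struct dr7_info {
    int local_en[4];   /* Ln: slot armed for the current task */
    int global_en[4];  /* Gn: slot armed for all tasks */
    int rw[4];         /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len_bytes[4];  /* LEN decoded: 00 -> 1, 01 -> 2, 11 -> 4, 10 -> 8 (64-bit only) */
    int le, ge, gd;    /* local/global exact breakpoint enable, general detect */
    int armed;         /* number of slots with L or G set */
};

struct dr7_info decode_dr7(uint32_t dr7)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };
    struct dr7_info d = { 0 };
    for (int i = 0; i < 4; i++) {
        d.local_en[i]  = (dr7 >> (2 * i)) & 1;
        d.global_en[i] = (dr7 >> (2 * i + 1)) & 1;
        d.rw[i]        = (dr7 >> (16 + 4 * i)) & 3;
        d.len_bytes[i] = len_tab[(dr7 >> (18 + 4 * i)) & 3];
        if (d.local_en[i] || d.global_en[i])
            d.armed++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* True for the 0x700 pattern the text associates with the SoftICE loader:
 * LE and GE set while no breakpoint slot is armed. */
int dr7_is_loader_pattern(uint32_t dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    return d.le && d.ge && d.armed == 0;
}

void print_dr7(uint32_t dr7)
{
    static const char *const rw_name[4] = { "exec", "write", "io", "read/write" };
    struct dr7_info d = decode_dr7(dr7);
    printf("DR7=%#010x LE=%d GE=%d GD=%d armed=%d%s\n", (unsigned)dr7, d.le, d.ge,
           d.gd, d.armed, dr7_is_loader_pattern(dr7) ? " (loader pattern)" : "");
    for (int i = 0; i < 4; i++)
        if (d.local_en[i] || d.global_en[i])
            printf("  DR%d: %s%s %s, %d byte(s)\n", i, d.local_en[i] ? "L" : "",
                   d.global_en[i] ? "G" : "", rw_name[d.rw[i]], d.len_bytes[i]);
}

int main(void)
{
    /* Constructed values: the two from the text, and one with a 4-byte
     * read/write breakpoint (a BPM) armed locally in slot 0. */
    print_dr7(0x00000400u);
    print_dr7(0x00000700u);
    print_dr7(0x000F0001u);
    return 0;
}
```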

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device path \\.\SICE, the Win9x SoftICE driver */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open only succeeds when the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
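Added example in C (neither the original's nor NuMega's code): the path check a CreateFileA logging hook would apply to the MeltICE trick, parsing the \\.\ device prefix, matching the driver names the text lists (SICE, SIWVID, NTICE) case-insensitively, and reproducing the four-byte tag comparison ('SICE', 'SIWV', 'NTIC') that the BPX conditions above use. The function names and the sample paths are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Driver names the text lists: SICE and SIWVID on Win9x, NTICE on WinNT. */
static const char *const SICE_DRIVERS[] = { "SICE", "SIWVID", "NTICE" };

/* Return the name after a "\\.\" prefix (the Win32 device namespace), or NULL
 * for any other path. In C source the 8-character path \\.\SICE is written
 * "\\\\.\\SICE", as in the sample above. */
const char *device_name_from_path(const char *path)
{
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return NULL;
    return path + 4;
}

/* ASCII case-insensitive comparison: Win32 device names are not case-sensitive,
 * so "\\.\sice" opens the same driver as "\\.\SICE". */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Return which SoftICE driver the path opens, or NULL if it is not one. */
const char *softice_driver_for_path(const char *path)
{
    const char *name = device_name_from_path(path);
    if (name == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof SICE_DRIVERS / sizeof SICE_DRIVERS[0]; i++)
        if (ieq(name, SICE_DRIVERS[i]))
            return SICE_DRIVERS[i];
    return NULL;
}

/* The conditional breakpoints above compare only the first four bytes of the
 * name ('SICE', 'SIWV', 'NTIC'); this reproduces that byte-for-byte test. */
int name_has_tag(const char *path, const char *tag4)
{
    const char *name = device_name_from_path(path);
    return name != NULL && strlen(name) >= 4 && memcmp(name, tag4, 4) == 0;
}

int main(void)
{
    /* Constructed paths as a CreateFileA hook might log them. */
    const char *const paths[] = {
        "\\\\.\\SICE", "\\\\.\\siwvid", "\\\\.\\NTICE",
        "\\\\.\\PhysicalDrive0", "C:\\temp\\report.txt"
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        const char *drv = softice_driver_for_path(paths[i]);
        printf("%-24s -> %s\n", paths[i], drv ? drv : "not a SoftICE driver");
    }
    return 0;
}
```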

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>