About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE answers the
BoundsChecker interface call (int 3 with EBP='BCHK' and AX=4) by
modifying AL; if nobody answers, AL keeps its value.

    mov     ebp, 04243484Bh        ; 'BCHK' - BoundsChecker signature
    mov     ax, 04h                ; sub-function 4
    int     3                      ; SoftICE intercepts this int 3 ...
    cmp     al, 4                  ; ... and changes AL if it is loaded
    jnz     SoftICE_Detected       ; AL unchanged => no SoftICE

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'Back Door commands', which give infos on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the ASCIZ command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point").  If the VxD is loaded, ES:DI receives its
API entry point; otherwise ES:DI stays as the caller left it (0:0).

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; AX != 0 if either half was filled in
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX (video) VxD, SIWVID.

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; installation check
    int     41h
    cmp     ax, 0F386h              ; magic number returned by a debugger
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  This one first points the int 41h vector
at a dummy handler, so nothing in the interrupt vector table can answer; if
AX still comes back as 0F386h, something below the vector table (SoftICE)
handled the interrupt:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: AX stays 4fh
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: neither
the 0F386h constant nor function 4Fh appears in the code.  The program's own
int 41h handler copies AL into CL; if SoftICE swallows the interrupt the
handler never runs, CL stays 0 and differs from the timer byte read from
port 40h.

int41handler PROC
    mov     cl,al                   ; proof that our handler was reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = PIT channel 0 counter (a "random" byte)
    xor     cx,cx                   ; CL = 0
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler ran
    jnz     SoftICE_detected

Note that the timer byte can legitimately be 0, in which case CL == AL even
when the handler never ran and the check is fooled.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode debugger
interface): function AH=43h returns AX=0F386h if a debugger is installed.

    mov     ah,43h                  ; installation check
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 35h and 25h (get/set interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h (single-step) or 03h (breakpoint)
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

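The 0x400/0x700 values above are easier to trust once DR7 is decoded bit by bit. The following is an added worked example (my own code, not part of the original text and not a NuMega tool) that decodes a DR7 value using the bit layout documented in the Intel manuals: bit 10 is reserved and always reads 1 (hence 0x400 for a clean register), bits 8 and 9 are LE/GE (so 0x700 means a debugger set the "exact breakpoint" enables), and an armed BPM shows up as an L/G enable bit plus its R/W and LEN fields. The sample values are constructed, not read from a machine; reading the real register still requires ring0.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit layout of DR7 (Intel SDM, "Debug Registers"):
 *   bits 0..7    L0,G0,L1,G1,L2,G2,L3,G3  local/global enables for DR0..DR3
 *   bits 8, 9    LE, GE                    "exact" breakpoint enables; debuggers set them
 *   bit 10       reserved, always reads 1  so a clean DR7 is 0x400, never 0
 *   bit 13       GD                        general detect: trap any MOV to/from DRn
 *   bits 16+4i   R/W i  00 exec, 01 write, 11 read/write (10 = I/O with CR4.DE)
 *   bits 18+4i   LEN i  00 1 byte, 01 2 bytes, 11 4 bytes (10 = 8 bytes on x86-64)
 */
typedef struct {
    int enabled;    /* L or G bit set for this slot */
    int rw;         /* R/W field */
    int len_bytes;  /* decoded LEN field */
} dr_slot;

typedef struct {
    dr_slot slot[4];
    int le, ge, gd;
    int active_slots;   /* number of armed hardware breakpoints (BPMs) */
} dr7_info;

static int len_field_to_bytes(int len)
{
    switch (len) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;   /* 10b: 8 bytes on x86-64, undefined on a 386/486 */
    }
}

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info info = {0};
    for (int i = 0; i < 4; i++) {
        int l = (dr7 >> (2 * i)) & 1;
        int g = (dr7 >> (2 * i + 1)) & 1;
        info.slot[i].enabled   = l | g;
        info.slot[i].rw        = (dr7 >> (16 + 4 * i)) & 3;
        info.slot[i].len_bytes = len_field_to_bytes((dr7 >> (18 + 4 * i)) & 3);
        info.active_slots     += info.slot[i].enabled;
    }
    info.le = (dr7 >> 8) & 1;
    info.ge = (dr7 >> 9) & 1;
    info.gd = (dr7 >> 13) & 1;
    return info;
}

/* The Method 10 test: a debugger present (LE/GE set, as the text reports for
 * the SoftICE loader) or any BPM armed in DR0..DR3. */
int dr7_looks_debugged(uint32_t dr7)
{
    dr7_info info = decode_dr7(dr7);
    return info.le || info.ge || info.active_slots > 0;
}

int main(void)
{
    /* Constructed sample values (not captured from a real machine): clean,
     * loaded through the SoftICE loader, and clean plus one 4-byte write BPM. */
    static const uint32_t samples[] = { 0x400, 0x700, 0x000D0401 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_info d = decode_dr7(samples[i]);
        printf("DR7=%08x le=%d ge=%d armed=%d debugged=%d\n",
               (unsigned)samples[i], d.le, d.ge, d.active_slots,
               dr7_looks_debugged(samples[i]));
    }
    return 0;
}
```

decode_dr7(0x000D0401), for instance, reports one armed slot with R/W=01 (write) and a 4-byte length, which is what a BPM on a dword looks like from the protected program's side; clearing those bits, as the text notes, silently removes the breakpoint.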
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com.  However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD; the open only
      succeeds if the VxD is loaded and answers DIOC_OPEN (see below). */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
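Methods 01 to 07, 11 and 12 all hinge on fixed immediates (the 'BCHK' dword, SI/DI = 4647h/4A4Dh, int 2Fh/1684h with a VxD ID, int 41h/4Fh, int 68h/43h, the 0F386h answer, the \\.\SICE device names and the 002A002Ah service dword), which makes them easy to find statically before a protected program is ever run. The following scanner is an added example (my own code, not from the original text and not a NuMega or packer tool): the byte patterns were worked out by hand from the 16-bit instruction encodings (32-bit code merely adds a 66h prefix, which a substring match tolerates), the wildcard entries cover the VxD ID, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ANY 0x100   /* wildcard byte in a pattern */

typedef struct {
    const char *name;
    const int  *pat;   /* each entry is a byte value 0..255, or ANY */
    size_t      len;
} sig;

/* Byte encodings of the fixed immediates the methods above rely on (16-bit
 * forms: mov r16,imm16 = B8+r iw, mov ah,imm8 = B4 ib, int n = CD ib,
 * cmp ax,imm16 = 3D iw, push imm32 = 68 id).  Worked out by hand. */
static const int p_bchk[]     = { 0x4B,0x48,0x43,0x42 };                     /* dword 'BCHK' in mov ebp,4243484Bh   (01) */
static const int p_backdoor[] = { 0xBE,0x47,0x46, 0xBF,0x4D,0x4A };          /* mov si,4647h ; mov di,4A4Dh          (02) */
static const int p_int2f[]    = { 0xB8,0x84,0x16, 0xBB,ANY,ANY, 0xCD,0x2F }; /* mov ax,1684h ; mov bx,ID ; int 2Fh (03/04) */
static const int p_int41[]    = { 0xB8,0x4F,0x00, 0xCD,0x41 };               /* mov ax,4Fh ; int 41h                 (05) */
static const int p_int68[]    = { 0xB4,0x43, 0xCD,0x68 };                    /* mov ah,43h ; int 68h                 (07) */
static const int p_f386[]     = { 0x3D,0x86,0xF3 };                          /* cmp ax,0F386h                  (05/07/12) */
static const int p_devsi[]    = { '\\','\\','.','\\','S','I' };              /* "\\.\SI..." -> SICE or SIWVID        (11) */
static const int p_devnt[]    = { '\\','\\','.','\\','N','T','I','C','E' };  /* "\\.\NTICE"                          (11) */
static const int p_vxdcall[]  = { 0x68,0x2A,0x00,0x2A,0x00 };                /* push 002A002Ah (VWIN32_Int41Dispatch)(12) */

#define SIG(n, p) { n, p, sizeof(p) / sizeof((p)[0]) }
static const sig sigs[] = {
    SIG("01 'BCHK' int 3",                 p_bchk),
    SIG("02 back door SI/DI magic",        p_backdoor),
    SIG("03/04 int 2Fh/1684h VxD probe",   p_int2f),
    SIG("05 int 41h/4Fh",                  p_int41),
    SIG("07 int 68h/43h",                  p_int68),
    SIG("05/07/12 cmp ax,0F386h",          p_f386),
    SIG("11 \\\\.\\SI* device name",       p_devsi),
    SIG("11 \\\\.\\NTICE device name",     p_devnt),
    SIG("12 VxDCall VWIN32_Int41Dispatch", p_vxdcall),
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

static int match_at(const uint8_t *buf, size_t n, size_t off, const sig *s)
{
    if (off + s->len > n) return 0;
    for (size_t i = 0; i < s->len; i++)
        if (s->pat[i] != ANY && buf[off + i] != (uint8_t)s->pat[i]) return 0;
    return 1;
}

/* Scan an image; bit i of the result is set if sigs[i] occurs anywhere in it. */
uint32_t scan_anti_sice(const uint8_t *buf, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < NSIGS; i++)
        for (size_t off = 0; off < n; off++)
            if (match_at(buf, n, off, &sigs[i])) { mask |= 1u << i; break; }
    return mask;
}

/* Constructed sample image (not a real binary): a prologue, the Method 02
 * magic values followed by int 3, then a Method 05 probe with its cmp ax,0F386h. */
uint32_t scan_sample_image(void)
{
    static const uint8_t image[] = {
        0x55,0x8B,0xEC,
        0xB8,0x11,0x09, 0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC,
        0xB8,0x4F,0x00, 0xCD,0x41, 0x3D,0x86,0xF3, 0x74,0x02,
        0xC3,
    };
    return scan_anti_sice(image, sizeof image);
}

int main(void)
{
    uint32_t mask = scan_sample_image();
    for (size_t i = 0; i < NSIGS; i++)
        if (mask & (1u << i)) printf("found: method %s\n", sigs[i].name);
    return 0;
}
```

Hits are places to set a breakpoint, not proof: a short pattern such as B8 4F 00 CD 41 can occur in innocent code, and a packer that builds the immediates at run time (or XORs its code) will not match at all, which is exactly why the text's dynamic BPX/BPINT conditions are still needed.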

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and 0x37
are the offsets of "tICE" inside the subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
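The breakpoint conditions quoted for methods 11 and 13 are easier to trust once the expressions are evaluated on actual arguments. The following is an added example (my own code, not from the original text) that models the 32-bit memory a SoftICE conditional breakpoint sees and evaluates *(esp->4+4)=='SICE' and *(esp->8+0x13)=='tICE' against constructed CreateFileA and RegOpenKey stack frames. It assumes that a 'SICE' literal is compared against the four bytes at the address in memory order (which is what makes the quoted breakpoint match the device name) and uses constructed strings and frames; it also shows that key #3 (App Paths\Loader32.Exe) is not caught by the _regopenkey condition above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit guest memory: addresses are offsets into mem[]. */
static uint8_t mem[0x1000];

static uint32_t rd32(uint32_t a)       /* SoftICE "a->0" / "*(a)": little-endian dword load */
{
    return (uint32_t)mem[a] | (uint32_t)mem[a + 1] << 8 |
           (uint32_t)mem[a + 2] << 16 | (uint32_t)mem[a + 3] << 24;
}
static void wr32(uint32_t a, uint32_t v)
{
    for (int i = 0; i < 4; i++) mem[a + i] = (uint8_t)(v >> (8 * i));
}

/* 'SICE'-style literal: the four characters are compared with the four bytes
 * at the address in memory order (assumption stated in the lead-in). */
static int dword_is(uint32_t a, const char lit[4])
{
    return memcmp(&mem[a], lit, 4) == 0;
}

/* BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' || *(esp->4+4)=='NTIC'
 * esp->4 is lpFileName (first argument, just above the return address);
 * +4 skips the "\\.\" prefix of the device name. */
int cond_createfilea(uint32_t esp)
{
    uint32_t name = rd32(esp + 4) + 4;
    return dword_is(name, "SICE") || dword_is(name, "SIWV") || dword_is(name, "NTIC");
}

/* BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is lpSubKey (second argument); 0x13 and 0x37 are where "tICE" sits
 * in "Software\NuMega\SoftICE" (#2) and in the long Uninstall path (#1). */
int cond_regopenkey(uint32_t esp)
{
    uint32_t subkey = rd32(esp + 8);
    return dword_is(subkey + 0x13, "tICE") || dword_is(subkey + 0x37, "tICE");
}

/* Build the frame a stdcall callee sees on entry: [esp] = return address,
 * then the arguments in order.  Both locations are arbitrary constructed ones. */
enum { STR_AT = 0x100, STACK_AT = 0xF00 };

static uint32_t frame_with_string_arg(const char *s, int arg_index)
{
    memset(mem, 0, sizeof mem);
    strcpy((char *)&mem[STR_AT], s);            /* constructed argument string */
    wr32(STACK_AT, 0x00401071);                 /* return address, any value */
    wr32(STACK_AT + 4 * (arg_index + 1), STR_AT);
    return STACK_AT;
}

int createfilea_would_break(const char *filename)
{
    return cond_createfilea(frame_with_string_arg(filename, 0));
}
int regopenkey_would_break(const char *subkey)
{
    return cond_regopenkey(frame_with_string_arg(subkey, 1));
}

int main(void)
{
    const char *files[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\AUTOEXEC.BAT" };
    const char *keys[]  = { "Software\\NuMega\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
                            "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe" };
    for (size_t i = 0; i < 4; i++)
        printf("CreateFileA(\"%s\") -> break=%d\n", files[i], createfilea_would_break(files[i]));
    for (size_t i = 0; i < 3; i++)
        printf("RegOpenKey(\"%s\") -> break=%d\n", keys[i], regopenkey_would_break(keys[i]));
    return 0;
}
```

The CreateFileA condition matches SIWVID through its first four characters only, and the _regopenkey condition is tied to two exact string layouts, so a program that opens key #3 or that builds the subkey with a different prefix (HKLM relative to a different parent handle, say) slips past it; adding a third offset, or breaking on RegQueryValue instead, is the usual fix.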


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set => no debugger

This service just checks a flag.
  M: t- D8 X% O1 Q/ z) F7 A</PRE></TD></TR></TBODY></TABLE>