找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>' n3 N1 V- u4 ?. W! @
<TBODY>
* }) ?! m; ?, c; ~( s, X! k<TR>! V0 {6 o2 ~( E- w8 x
<TD><PRE>Method 01
% ~1 Y2 c0 p4 W: L; h=========0 W" n9 y# t+ g, h/ _# [; N+ W( T: U
! Z" }, e1 U# P4 g& e( j5 M3 f
This method of detection of SoftICE (as well as the following one) is
' O1 T8 X4 t& G- w% i& m1 [- pused by the majority of packers/encryptors found on Internet.
* J. S9 x) R$ [8 B, \6 NIt seeks the signature of BoundsChecker in SoftICE( D" `# c, |# u; {* h
, D, f* [5 P  ]( |
    mov     ebp, 04243484Bh        ; 'BCHK'9 s7 ~* c3 `. U" r
    mov     ax, 04h0 F7 e6 s  m, [  L
    int     3       3 s: A# A) N3 w5 H) U( j
    cmp     al,4
9 J( R2 b* U5 S' q* D5 a; }    jnz     SoftICE_Detected
' q/ V$ v9 G0 m9 O2 t" {1 [4 z
___________________________________________________________________________. U1 ^9 b& R; s
0 G4 t# S8 X4 j
Method 02* v7 z  m: p/ C* O6 L7 D
=========  i" Y/ v2 C3 w7 ~
0 [6 q4 H1 J, g* t* n
Still a method very much used (perhaps the most frequent one).  It is used1 [6 k) t. @+ `9 p: H: ?
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,# M. ]9 i2 f; Q  ]+ I
or execute SoftICE commands...2 S0 n3 k5 ^6 n, G# B
It is also used to crash SoftICE and to force it to execute any commands1 q# \1 r$ t5 g+ h% q/ J' ~/ [% O
(HBOOT...) :-((  
' A. K  @' \) ]7 F9 ?. H% F' w! H4 `8 o' S  x; D$ `8 i
Here is a quick description:
9 V7 I" F& q, x; _! k+ J-AX = 0910h   (Display string in SIce windows)
: t) q6 Y& q/ |+ t-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
+ n! c. M, a5 `. a1 A( L-AX = 0912h   (Get breakpoint infos)! w6 Q% s! @1 a. s+ x* z
-AX = 0913h   (Set Sice breakpoints)7 V5 K4 f2 E) z0 \2 Z7 w& I
-AX = 0914h   (Remove SIce breakoints)
/ _8 N* y. I# u# R  ?
9 G6 ]* S' j* _/ y6 E3 W2 G+ VEach time you'll meet this trick, you'll see:. `' @& [3 t! E4 _# e, i( k
-SI = 4647h
( \% A& Y& L9 K5 s-DI = 4A4Dh
  i7 _8 E( O8 b0 SWhich are the 'magic values' used by SoftIce.
/ `* V+ E8 E- D- f' ?( K: AFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
/ }( u; j- y' P, m; y  S2 [
0 x6 @# r/ ^7 v0 A9 i# }; LHere is one example from the file "Haspinst.exe" which is the dongle HASP
' u. \  t  n$ A: Y+ p$ `Envelope utility use to protect DOS applications:5 U3 |! L) U3 ?9 q: `
% V7 D( Y! R4 e- X$ I6 |' H
) }  M* [; q1 R8 d% L
4C19:0095   MOV    AX,0911  ; execute command.
! M  C; @1 Z" V; p4 U4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4 s5 a+ [: |6 a4C19:009A   MOV    SI,4647  ; 1st magic value., r4 B0 W# D0 I8 F  q
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
, r' X) Y7 K: D0 K% `' e/ ^" O4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
" I2 q" p: A% E' P: P4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
2 d0 P# G; E! {3 p$ w: u4C19:00A4   INC    CX7 r0 t0 _' T" ?/ n& j+ V4 c; N' P
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute: k, W# L; w$ {# W. E( x& Q
4C19:00A8   JB     0095     ; 6 different commands.
+ E7 R, M5 C" n% L2 ^/ ?2 c/ Z9 ]4C19:00AA   JMP    0002     ; Bad_Guy jmp back.: q; G0 P% {- o/ f5 u8 s' L7 P; H
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
& E: ~" n. H7 x; f6 \! H- L& f4 s- S/ u# n; \1 |( ?
The program will execute 6 different SIce commands located at ds:dx, which+ K: @  D2 s* b& M. V: D9 J9 R
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
4 f* A3 F0 d6 H# T7 O; ?8 ~0 z0 w: D
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.7 t6 E! i6 g+ B5 Y
___________________________________________________________________________
7 h. s0 h1 A2 p+ |: q$ b' T
  J. Q1 t8 Z3 |% u
  {" _, G. l* ~( x; h# xMethod 03
. }* ?3 c; w0 \& Z; R( J=========' f8 a( Y- J  I% K4 g' S/ g- A! |
# j" v% g9 \% C0 A( S* ~" \
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( B8 R7 Q" U2 a; F% I. z6 h(API Get entry point)
' c0 a, c# ?% H        
' c3 d. U4 O' G+ E' n
  K( [$ H$ e$ [* I    xor     di,di1 A) e: E) U  K2 H% S9 v$ r
    mov     es,di
1 o/ D; N0 }! ~( p6 d, y    mov     ax, 1684h      
1 e1 O# U* J: e( z5 k! t    mov     bx, 0202h       ; VxD ID of winice5 w. X$ @, W. d2 c  F/ t1 m  B- y
    int     2Fh0 c5 f" T" G* Z# ~4 w* f; K) o" w
    mov     ax, es          ; ES:DI -&gt; VxD API entry point% f, y* A+ C- E: L# h& ]" Q" o' }2 [$ i
    add     ax, di
3 `% Q8 v, B0 e& Z    test    ax,ax& U) U* r0 v: Z; y' I% [. ]
    jnz     SoftICE_Detected
3 W. a2 j4 o* d: F4 C/ K% t5 j$ i; F5 B; }
___________________________________________________________________________
: V9 M* D1 K3 f5 n3 H
2 F) H$ Y+ s' O# F! {/ k6 lMethod 04
" C+ w! {$ S4 G0 Y* j9 M=========
2 x9 f5 q9 s/ n" g6 U8 M" w5 x% j4 x6 j! |" ?- [
Method identical to the preceding one except that it seeks the ID of SoftICE& y! d6 D1 g( e: f# y8 E# c
GFX VxD.
0 Q/ S& j& T7 N& m# c3 {  D
+ X3 ~5 ~: `0 @* h    xor     di,di/ U: ]9 ?/ h1 C% B
    mov     es,di
, E0 ~9 L. K3 g: j/ E7 G    mov     ax, 1684h       " x" _! e. ?" T6 |) f
    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 G; _" u( ?  s% Q4 M& i7 ?" f( \
    int     2fh
6 ?8 i+ Y+ n" f; `+ G# Q    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 C: B' b! T0 f6 D' d8 o" {    add     ax, di
/ _' D- K: s7 s0 Z' R) u' X9 E    test    ax,ax
: r  V/ }3 h9 ?9 h) |    jnz     SoftICE_Detected. b8 O7 z6 d$ h8 S) y7 z

3 A9 R6 l9 Y' s! m* O4 t& O__________________________________________________________________________
) s1 {3 }& u1 q% e( {& G8 s7 V# ]" x5 N$ ^- O  B0 w5 J6 K

8 f, c; x( R# ?+ X0 ], c! VMethod 05
0 q6 K8 ?- `; {% s+ Z) |=========
* B( M2 C: r& A% ?0 M4 g# M. P/ j# t4 R8 m" j4 u1 G% ]1 ?$ A
Method seeking the 'magic number' 0F386h returned (in ax) by all system) Y' ~2 l3 b/ t* C* x; O1 \
debugger. It calls the int 41h, function 4Fh.6 R$ G& q% [+ ?- Y
There are several alternatives.  0 {4 Q, Q& R: _) x# _
! B6 e1 F+ x. ^2 e
The following one is the simplest:* v( {3 A: z& u" q- Q8 |0 v* G

' c8 T2 [- ^) t' u% P7 t" @( f    mov     ax,4fh
; |+ q% R/ F- c/ A) v# S/ h    int     41h7 b2 R3 T' R; ~3 [* F
    cmp     ax, 0F386# J. g) j( G( a6 b+ o# S1 h
    jz      SoftICE_detected- |. P4 w4 h8 v8 Y0 P2 j

8 U: N* u& j# e& k8 ~+ _
& k2 _0 _$ X/ uNext method as well as the following one are 2 examples from Stone's
- j4 F: B" V/ V! l* _9 |; G. z$ t3 s"stn-wid.zip" (www.cracking.net):
( O6 y! K; L- ]! f1 o
4 H* `4 y2 Y+ @; @& r    mov     bx, cs
5 `8 _7 E) c" ?; `. @; K8 P    lea     dx, int41handler22 u" O: q$ j2 v" [' ]/ [
    xchg    dx, es:[41h*4]! B) ^$ R; b8 ?2 C
    xchg    bx, es:[41h*4+2]; H0 P, a) y' U* y+ m$ N1 f% u5 u
    mov     ax,4fh  r: Z, b$ K) I: P
    int     41h
2 u4 W; T. y1 n" ^+ s# _    xchg    dx, es:[41h*4]
2 Y4 v2 f( E" F! H9 Z    xchg    bx, es:[41h*4+2]+ P4 b  m7 Q6 Y  |
    cmp     ax, 0f386h( Y6 D) q& E2 Z. m- n
    jz      SoftICE_detected2 U" w, Z9 J( H6 t
4 u. P6 T  o5 f; n* s/ O
int41handler2 PROC
: Y( N- _# b. ^    iret
! Q7 P- Z7 r8 U: Yint41handler2 ENDP9 P" X( F' Y1 L  l3 g
* Z: U$ T  Z; w
  e" l5 q2 k! @% R0 t! T
_________________________________________________________________________
. G6 [% H9 [* X. L: F2 `% B, t* H& f5 B* o3 X& T
& A4 e" S' {1 M. i5 Y# @7 i
Method 06
% m1 l3 {/ W1 l: f* m  E=========
$ E8 B% P4 j) i; m. {  t0 e7 {# C, Z; k, Q

2 q& L) |( A6 y: f1 R2nd method similar to the preceding one but more difficult to detect:
. |4 P2 A+ b) k  ?+ K# Z# V# d  i" }- q6 [" i! J+ u0 |
/ c* V/ g# I1 E" I3 M8 e1 g
int41handler PROC- T1 u2 M7 k. W( @
    mov     cl,al
, h9 @' R' @: ^6 ^6 |  t8 x5 H6 X$ b2 K    iret
3 s) ]% z5 x5 v& X; u% K6 C& ~int41handler ENDP
" w8 q" R; J7 B% j" r" R5 w0 g# I  N3 U" E6 C
) p8 F: ^, X& V  ]
    xor     ax,ax
& o/ L. Q9 n1 K+ v! G+ Y% P    mov     es,ax1 M' ]5 p7 @5 M: x% \* i
    mov     bx, cs
8 X, w6 L9 v! ^+ Y% O    lea     dx, int41handler9 J( D6 D5 |( C# v* j1 t$ B
    xchg    dx, es:[41h*4]
2 O( p9 G7 u7 T  {* x4 }    xchg    bx, es:[41h*4+2]( X5 @5 A. n  t$ ?
    in      al, 40h1 @9 d# R, C" k* T) m# d8 ?0 f
    xor     cx,cx
  N! O: T6 @: W8 j& s    int     41h
! G4 D5 h2 q7 |    xchg    dx, es:[41h*4]' ], X  E8 P0 |' [: ^6 V
    xchg    bx, es:[41h*4+2]
6 n) Q: r1 ~6 y, \9 w1 q) p( |    cmp     cl,al3 r, q. n1 x2 X; c0 H. h
    jnz     SoftICE_detected
: Q! l2 F/ O8 \) [* c  j0 S$ R7 C, f  B9 D6 S/ V, C% J
_________________________________________________________________________0 |' C+ |& F* z
9 S2 V' {! g9 b, y
Method 07
& O  p# X: K9 }3 P$ ]=========
# y' T2 Q) |) ^4 V# j+ ?; u( ^+ }9 ?, ?3 y2 V, K+ D2 n
Method of detection of the WinICE handler in the int68h (V86)9 i3 P+ |/ y) d* A, _% a4 J- ]- A' M

( w' Y/ t/ M' }7 Z    mov     ah,43h
* h4 c& A: d5 i' l; B4 ]    int     68h7 V6 c" d8 S$ B6 Y# x) [
    cmp     ax,0F386h
  ?! W/ S8 M  Y3 f    jz      SoftICE_Detected
( g4 {, Y: O' P3 t) S. ~7 l6 q; |. K7 Q/ C
, `' b: g8 T5 d) F9 `
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
, \; {! b6 I' c/ x' W   app like this:  q, Q7 b# X. K" T4 k: w* V
5 ^. ]* C% L  |) H. |
   BPX exec_int if ax==68" r' n+ R; T& i5 Q, r
   (function called is located at byte ptr [ebp+1Dh] and client eip is" W# Z& q/ v5 q: j) L3 R
   located at [ebp+48h] for 32Bit apps)
7 J5 F  _, h0 ]. D3 J9 L* M: u__________________________________________________________________________6 C; v% \& ^1 x- k* F. ]

+ p5 h4 X5 S+ P  B% ~0 Q5 ~# H. Q/ n5 W* u4 d- h5 `" o! }9 s
Method 08
. ?: R4 a1 a2 E; L=========+ t1 W: O/ N5 V5 A  }- J+ z1 M

) _2 h: |4 w0 k- J6 cIt is not a method of detection of SoftICE but a possibility to crash the+ I/ P% W6 F1 b6 `4 X1 M1 B" J. ~
system by intercepting int 01h and int 03h and redirecting them to another
( a/ `" X" k. kroutine.
/ {5 V, V2 S& N0 u9 d( RIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points# V; _3 T+ C1 W
to the new routine to execute (hangs computer...)
( q( q1 {) ~8 r: F( K+ W" k5 b8 U6 K9 V" p6 [
    mov     ah, 25h1 j* q: o6 m0 [' X: w8 c9 F5 [
    mov     al, Int_Number (01h or 03h)
6 j, \3 h9 N6 V    mov     dx, offset New_Int_Routine
& T9 Q& P7 G3 U2 ]' |3 x. R2 [    int     21h; [9 u+ S9 s) ^* h  F

9 V) W( C7 J. n& C8 X; ]! F/ n__________________________________________________________________________/ L/ I8 V0 }  L' V
0 n7 [$ \2 M( X8 U) g
Method 09. O, G& o3 w; W% X  ]$ l4 ]0 z
=========
+ H: i& ^: g8 D$ q
1 p4 P6 G* u) \This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only- d" T; _( b; k# a  s
performed in ring0 (VxD or a ring3 app using the VxdCall).! U5 d5 k/ s$ r! S0 P# j, P* n
The Get_DDB service is used to determine whether or not a VxD is installed8 C; H  h2 D3 M! _  _' C
for the specified device and returns a Device Description Block (in ecx) for
/ U8 b) r+ Y. V+ h1 cthat device if it is installed.
3 _* w' N, j# q# g' u
6 q9 ^  g5 }+ d) h( l; g) C   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
; S" Y3 _, s$ A( k3 c. Y* x   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)4 D3 F" @# h, l* J8 d) w' {1 i/ j
   VMMCall Get_DDB
! y0 ^9 p! h4 L, @8 c6 V# D   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed0 @! _) p- f4 v: m, m( u
1 |. j) _* D: {  h% t# Y9 Q
Note as well that you can easily detect this method with SoftICE:
0 z# X2 N+ M( m. C1 X   bpx Get_DDB if ax==0202 || ax==7a5fh
2 x: U: [" h( Q
0 D! T4 N+ M) q" l3 ~7 b: w__________________________________________________________________________
) R" v4 t6 g- V5 r+ G
' E1 x4 ]4 g  H! ]- k: H3 \9 W- Z1 mMethod 10
/ T" b$ r1 S6 O7 X* _. `=========
: ^0 z  M" C/ W+ L
' M: L6 U2 M& _=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with& Q' x2 C1 t, \! e
  SoftICE while the option is enable!!
9 k2 s2 U- T1 i4 ~- \1 ^* R, ], X- |" W8 C* R8 z( @. k
This trick is very efficient:
, @' P, g4 r5 g4 u" i( S( @+ rby checking the Debug Registers, you can detect if SoftICE is loaded, X4 l7 w$ M$ f- O1 w( v- E- R
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if) `% j1 @% k$ Z. T
there are some memory breakpoints set (dr0 to dr3) simply by reading their' L2 N* @! I6 [' U7 t/ ]+ y3 u
value (in ring0 only). Values can be manipulated and or changed as well
" Q5 z' Y  I$ Z4 q% H(clearing BPMs for instance)# h4 u9 j$ I8 l& O
2 S6 z+ i4 S: H* J, C! N/ i( C
__________________________________________________________________________
7 W: c; z0 R' H+ M$ x% i  o/ X9 k' X
Method 11
- O4 [- v& @9 e, S- `( N=========
& r0 y& N& ?' F6 F/ K+ ]" r8 }; q& A9 C8 k. |/ @4 f; X$ g
This method is most known as 'MeltICE' because it has been freely distributed
% ?2 j; z# }$ [8 I7 Z" B/ Gvia www.winfiles.com. However it was first used by NuMega people to allow' O) O7 k0 B5 E7 I/ N
Symbol Loader to check if SoftICE was active or not (the code is located$ ?) F" v' Q/ k- K+ S/ l
inside nmtrans.dll).
! H4 @% _0 r# v4 r3 V2 A
% l" |& P: t" c7 r! E3 y6 h  cThe way it works is very simple:: l* {! O- N4 B, j2 R( S. ^9 X
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for2 c: w7 v3 I/ Q* d  J
WinNT) with the CreateFileA API.
. o% f& A2 w# X$ b& c% n3 K( W
- O" ~! `+ ?2 jHere is a sample (checking for 'SICE'):
% L% {& t0 R" q& T3 `# S; l9 S5 m) t( S7 u& b- [
BOOL IsSoftIce95Loaded()+ I5 o* b. k- j7 p3 L( R6 p
{
0 S& G" R/ V( a2 @# E9 n5 C   HANDLE hFile;  4 Z2 ^* ~4 K/ S5 K& l
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
& X0 e5 F$ N( j6 I3 j1 T3 t  Z                      FILE_SHARE_READ | FILE_SHARE_WRITE,; j' y5 E+ J. `2 u/ M7 P) E
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- L4 Y: x+ w4 R% E+ \9 x! Y2 o   if( hFile != INVALID_HANDLE_VALUE )+ A1 F1 M6 H3 W2 B
   {) i. @+ d1 F0 y- m. v/ d8 z
      CloseHandle(hFile);
& H2 L3 O$ u$ v6 F      return TRUE;% t3 Q) |" R* q! ~3 e5 H
   }
2 x) V$ T3 ?% }$ h. h& W+ e   return FALSE;
9 j( `9 S1 u9 o' Q}* P9 {% U/ w% P

9 x8 o: b0 I1 W  nAlthough this trick calls the CreateFileA function, don't even expect to be2 F) _& F) Q( Q& S( ~
able to intercept it by installing a IFS hook: it will not work, no way!
0 z9 c  r: d$ }2 xIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
$ o; `0 }5 r4 d( T. K3 T' C+ jservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)) b8 l7 J- c, T: c$ G9 j
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
7 @6 F6 E1 G9 X: c+ x  ]field.9 m: N+ c2 e9 m) O0 a
In fact, its purpose is not to load/unload VxDs but only to send a ! m7 [2 G8 o  V9 w; c$ f. l
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
% _7 }7 S8 K+ E* jto the VxD Control_Dispatch proc (how the hell a shareware soft could try, Z- t+ v) G8 c7 M  d' m
to load/unload a non-dynamically loadable driver such as SoftICE ;-).& A! C  U" ^# c5 j+ C) @8 m% X
If the VxD is loaded, it will always clear eax and the Carry flag to allow
2 y6 a. K' C: \its handle to be opened and then, will be detected.9 g5 }* I. U7 J1 d$ G/ W; C
You can check that simply by hooking Winice.exe control proc entry point
' h5 b1 Y5 C' Y. jwhile running MeltICE.* O0 _4 u; P( Y. P

' i" H3 }. d7 {2 M$ }1 s6 {; D+ \) |- O
  00401067:  push      00402025    ; \\.\SICE
# s& m7 _. n( G- A& L" `: |  0040106C:  call      CreateFileA* q1 z7 m8 e! a+ Y! u
  00401071:  cmp       eax,-001
2 `- E$ r. \- e  00401074:  je        00401091
# c' L6 J. F9 @9 o, t+ c6 J2 |! O0 c) C" q" I3 m6 ]

# }% t. {4 z4 O/ L2 i) S, mThere could be hundreds of BPX you could use to detect this trick.
1 p) f7 r; ]8 M1 j  Q-The most classical one is:' ~1 I. L$ h4 d$ ?# E
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||, P& `' P, ~% \. R9 V. j* d2 v
    *(esp-&gt;4+4)=='NTIC'* F7 G- Q% u6 d, t& M9 [0 K
. W" y! R! D" y6 K1 }' V$ N* g& Y
-The most exotic ones (could be very slooooow :-(6 o4 K6 b& ^+ `7 ]) z
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  - Q% r  C- j" N% j1 {% U& H: V* i
     ;will break 3 times :-(4 H7 i" Q, ~) S1 n4 z# T
; |  X! v! @2 `5 o0 W
-or (a bit) faster: 0 y2 T8 q: ]: J' N
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
. h7 q, c0 x3 J" z; E  f# A% F0 g& e4 c# m2 s3 K
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
: {8 T6 e5 j4 S3 p/ v3 I     ;will break 3 times :-(
! ], l+ e, C0 u7 |' _, }; p
9 [" i5 U# C) v8 T2 ]-Much faster:" _/ P. x! H* T. z0 |6 D) g
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
- b+ f# W2 j! z. r" Z# Q! c' c: x' K& `) X8 g: A6 J  J( A* U0 s
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen' ~( m) ~3 u% C, l
function to do the same job:
+ d6 L9 O( C" B
2 |9 F2 V9 a6 a5 ^   push    00                        ; OF_READ
) J: H6 \& S" n/ Y7 K. u- |   mov     eax,[00656634]            ; '\\.\SICE',00 g- Q& X/ T  J: D1 _& B0 R$ j/ s
   push    eax5 y" \1 Y6 g' n3 x: h6 Q& Y- }
   call    KERNEL32!_lopen8 o: E0 m& z) R: w( p+ Y, p) ~
   inc     eax
$ u* w3 @: L$ c1 a8 ^4 Z   jnz     00650589                  ; detected: G7 K2 V" V8 W. z& a' M( e* A
   push    00                        ; OF_READ1 |9 k- `. v, u: N3 w
   mov     eax,[00656638]            ; '\\.\SICE'
7 J2 I! |* i/ ~4 c% E  u   push    eax2 i8 Q* \' e6 p( z6 n
   call    KERNEL32!_lopen
1 Q. \1 T* ]7 i. T   inc     eax
5 U, n# x. j1 V7 c8 Y3 c* J, d   jz      006505ae                  ; not detected
  a) c5 w% W7 X& J- S- p
* M7 a) N% D  O+ q
* t4 l! E: C, G* r$ c0 w__________________________________________________________________________# o1 x7 P6 ]* q" T7 {# f6 J; W0 R
1 t. H% K( D) o2 ]* a8 h% t
Method 12. x' J" X0 F. I" c8 P
=========
+ q  d% S  ]8 h8 y: I, V! W1 f9 B: `) F
This trick is similar to int41h/4fh Debugger installation check (code 05
( x1 f& @* R5 _&amp; 06) but very limited because it's only available for Win95/98 (not NT)
2 Z2 z! o8 k& p2 ~as it uses the VxDCall backdoor. This detection was found in Bleem Demo.6 R' T5 w0 h- ~! d$ P  {

  i; Z, [9 i* |5 \; `8 H9 N   push  0000004fh         ; function 4fh2 v' Q$ Y7 ^* y% Q9 e
   push  002a002ah         ; high word specifies which VxD (VWIN32)
; Z: h, e: t. G/ {0 O$ F7 G; ~                           ; low word specifies which service8 O" l6 _; F) t9 Q
                             (VWIN32_Int41Dispatch)* o: K! T+ p; {% j: }3 _
   call  Kernel32!ORD_001  ; VxdCall
$ ]5 T! M9 U, a   cmp   ax, 0f386h        ; magic number returned by system debuggers
, N- s( c! \  n& M0 s! ]) u   jz    SoftICE_detected
  k6 t# n: @: O- w' E7 o& z, y. ^% T+ H' R& N7 m( y6 C. T% b
Here again, several ways to detect it:2 f, M; y( ]/ n" Y" n- }

2 J, I2 X9 h: ^5 b5 I0 c    BPINT 41 if ax==4f# a- ^8 W- _8 o, n' U
; {1 Z3 K1 K- d5 G
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one0 ~5 B# j" o+ m

! S+ q' l# a  i  d" p, I+ m9 K, g    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
- {% u% c$ ?+ P3 Q0 ]; {. z6 D
6 E. ]% w8 q' v) b9 w" q    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
( l0 ~  p, u, h- o" V* j+ V# E- z
  f# E/ Y; X/ e  b__________________________________________________________________________
2 D3 b& K" ]+ T& |- A& x6 c  R9 M) r4 d0 v
Method 13
* I% e4 j+ L" y& s=========
# V% J( m: ]1 i! h/ L. x# J! }) b2 V
. `- [9 T+ v3 FNot a real method of detection, but a good way to know if SoftICE is
" ^/ N. Z2 s9 b8 X; `, r3 k5 Ninstalled on a computer and to locate its installation directory.
0 A5 t4 E6 `. J9 u5 ]6 S9 `! `It is used by few softs which access the following registry keys (usually #2) :' G" I4 M8 h+ {; o- A$ C$ B
0 b& ^" I; z8 l3 e! |- r
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
+ v* M2 Z8 \0 ~+ i\Uninstall\SoftICE
: O9 h( t# w8 T) o4 W: I-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
! R/ [( t% Q$ T6 u* W-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 O' y  x8 c7 v) T\App Paths\Loader32.Exe
* f2 {. B* w; F0 `" V4 \; j4 @/ a) `; s$ W! O

+ S7 y3 f$ [1 y% i+ Y' }Note that some nasty apps could then erase all files from SoftICE directory
: v  b- f& R) }4 d, ~7 l(I faced that once :-(
! m$ p9 q) I* ^* E3 X
* W& S1 R0 u& z! lUseful breakpoint to detect it:
3 y+ y  l4 Z$ L& R! \' n
: j! B, c" y- k- O     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'; m! [! X- k( j$ j3 g8 q2 `/ b

+ Z1 G* L3 p# m& |+ V& @/ U% p+ M__________________________________________________________________________. P4 h# a5 @: r# Z
9 U* R/ n! W4 c- B
5 V$ ?+ g# ]/ X* O0 G
Method 14 " {! N) o4 x, u% B  n
=========! n5 H' T' N! I/ z
4 {! b" [( Z! Y
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose6 T  E: r  X6 s
is to determines whether a debugger is running on your system (ring0 only).
- \9 v1 v+ [2 s% l+ V+ p
5 `, `: d* {7 L1 }   VMMCall Test_Debug_Installed
- t% M: _  ^* ?5 M2 P   je      not_installed) U6 O! x! Q! ~9 `+ q. ^  ^1 |& o1 O: |
; V. \+ d6 {/ z! a# K; Y
This service just checks a flag.' `; O" k% R. m( X( J
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 05:09

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表