找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
/ k8 w: V, V% y2 n* |% H* \<TBODY>
' c* O( E/ _1 ?+ C7 Y<TR>0 S/ e2 a% n' x7 R# T
<TD><PRE>Method 01
3 K: ^3 g, j/ L% D( W! n3 c, l=========; j/ {% Z# Z% x! e' Y

; r5 r+ y# d/ E7 j+ ]2 \4 aThis method of detection of SoftICE (as well as the following one) is1 u- n( P0 O- x" j0 t# Y' h; `
used by the majority of packers/encryptors found on Internet.
' f. m4 \+ o' ]+ o" gIt seeks the signature of BoundsChecker in SoftICE1 v( S6 A4 v( p5 [
$ J( t  Z! F* K/ \: ^
    mov     ebp, 04243484Bh        ; 'BCHK'
# x$ c' g2 }9 o% @    mov     ax, 04h
2 W. h6 f2 x. l: {+ M/ @    int     3       % o6 Y5 @/ n0 S+ K& R
    cmp     al,4
2 k6 W6 m- m* G8 J) P9 T    jnz     SoftICE_Detected
4 d% p" f$ h; b) M4 S3 i* m% K9 u0 k5 y2 o# j
___________________________________________________________________________; l& E) T: A0 `% A& Q
# K2 u, I% P/ q+ w5 W
Method 021 T- {" A- f. @6 J# z7 k& V1 `/ \
=========
4 T; ^$ {8 }9 `6 h  h; I& S" ^3 R/ H' S9 V8 n
Still a method very much used (perhaps the most frequent one).  It is used
  P" g3 A  p/ l) H: vto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
+ T% B7 D+ |) L+ ~2 ~$ ~6 Z! ^) eor execute SoftICE commands...- G% x) S# d5 Y7 ~9 H. @
It is also used to crash SoftICE and to force it to execute any commands$ X  J0 F, M6 B; r2 s2 p: ?5 ^8 f' Y9 J
(HBOOT...) :-((  
3 J; O  K0 u% r; m* D
  @% p8 g$ c1 vHere is a quick description:
0 p5 d1 Z9 y4 S3 Z" j8 X1 A-AX = 0910h   (Display string in SIce windows)
3 m' [8 ?  G$ @; A' B-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
  F5 \5 D3 d$ Q) Y( y-AX = 0912h   (Get breakpoint infos)( n: ?3 W5 k5 W" g
-AX = 0913h   (Set Sice breakpoints)& n/ ?; {0 h7 _! |5 ~7 J- @# \
-AX = 0914h   (Remove SIce breakoints)
! w' l& f2 `5 a, J" g
; A  r" i) K, l" X9 M; iEach time you'll meet this trick, you'll see:
1 V7 E0 L7 ?/ I" b-SI = 4647h
2 l4 ?+ P6 |3 \0 w" w' j! E-DI = 4A4Dh. r0 R$ \, p" F! T+ P
Which are the 'magic values' used by SoftIce.
, _2 e& {& z5 n# F4 U; cFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.7 I8 x/ F1 S) ~: g! i
& _0 t- U4 [, [6 P) S2 K2 Q* H
Here is one example from the file "Haspinst.exe" which is the dongle HASP
$ G0 U8 O4 m! p+ ^1 rEnvelope utility use to protect DOS applications:1 }8 }- L" Q$ U9 w3 j
  i* j" y5 R2 U+ u

; h9 Y1 E$ O2 Y' B# L  P( d% i4C19:0095   MOV    AX,0911  ; execute command.
3 u" U. u8 R, y1 M& S' i- O) ~) i4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below)./ Z# U. b  W( N- w* c: `
4C19:009A   MOV    SI,4647  ; 1st magic value.
7 f) N( ~! o" O" f& p, o( R4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
$ C6 J, S4 Z( D6 M! X$ e7 \7 w% U! n9 Z4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
0 F- H8 P; l' I% [; F% g" \) ~4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
, \9 o; {% T+ P( t8 z6 x8 a/ C6 u; W4C19:00A4   INC    CX
, [3 V( r  K# V& S& |0 d4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute" S" ~5 g% l. [
4C19:00A8   JB     0095     ; 6 different commands.+ {2 K  y3 V# E: G2 @9 f
4C19:00AA   JMP    0002     ; Bad_Guy jmp back." k8 H3 l% E. N; f) h+ J7 O
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 P! Z4 a6 @# G6 ?% W) K( z) C; i
" V5 f4 V7 S/ AThe program will execute 6 different SIce commands located at ds:dx, which  d" {' \, b) G# H
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.9 ~9 T1 S1 o5 A2 C" t2 H, V9 a

' Q7 ?: }1 t, k* }1 O- E* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.( X# i: m$ \6 {
___________________________________________________________________________: X: x$ k  ^3 Q2 E' y

# s: n; }1 M) V# s3 z/ ?
% G+ ^' E, k& g+ ~0 b" sMethod 03" p; z7 Q( e& w0 O- Q' [
=========
4 R3 k6 {* [5 ~% y( H
$ Z7 b) i& P& z4 pLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h3 p, N. N3 y0 Z  q* o
(API Get entry point)3 Q& U- ]  x, {9 q
        ) p7 C. }! d, ?
6 B# g5 D+ u4 i/ W5 x4 y+ S6 U5 D4 _
    xor     di,di
6 f# h2 ]' P! o2 h5 d7 y    mov     es,di4 u/ f- `/ g3 N
    mov     ax, 1684h      
! \9 l0 k! a+ u+ {& c% k: ^2 y    mov     bx, 0202h       ; VxD ID of winice
' w! O) H5 y% ?$ ^    int     2Fh2 O" L% s. g3 n/ ^) J$ P1 C
    mov     ax, es          ; ES:DI -&gt; VxD API entry point" N1 |  \/ Y$ f& p# J& F
    add     ax, di
9 |6 }* u5 l. Y, l7 p    test    ax,ax
, Y6 E$ |5 D6 v5 X    jnz     SoftICE_Detected8 I/ c! F3 n. Q5 Y' q
3 A6 w* f; x8 B# ]1 J
___________________________________________________________________________% Q6 a) z+ Q2 d8 a" }3 v- ~
( o/ p  R3 M! C) Q0 R
Method 04
5 l# |9 E+ \: g8 Y=========
/ m: S: j' d' o8 q& M* A+ d' r: M  o8 v7 k  _
Method identical to the preceding one except that it seeks the ID of SoftICE
7 N3 W% r- l% ]2 O. tGFX VxD.- r: }- u9 W3 K" K7 B9 }; y& h8 D
. F9 V/ \5 i6 Q) A9 ~* @+ q
    xor     di,di+ H9 k; X* c" O  \! U* x
    mov     es,di& I: S6 w- a( w/ N8 r
    mov     ax, 1684h       3 d6 J7 l# T+ g( i+ _3 v( m
    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 h/ O9 t1 J6 V6 V; M2 {
    int     2fh6 i* D: s+ S* T% o! ]1 S% q1 B" e% r
    mov     ax, es          ; ES:DI -&gt; VxD API entry point7 G% H, t6 G) Z4 }6 I  c& J
    add     ax, di
9 S" S7 [4 x( X5 m    test    ax,ax+ a" \8 w8 r; Z) C+ S& N& k  Q
    jnz     SoftICE_Detected  w7 z  C# T' Y/ s6 B
2 h8 L2 u6 ^  d
__________________________________________________________________________' r" i3 G$ ^2 g) ~
1 \$ g) D: z/ q( ]7 U
8 M( ^* o2 F3 }$ i+ V
Method 05
, {6 r9 ?( T, S  G0 ~- ]0 P=========) O7 b) ]+ K' x+ g

8 F7 G: j+ D* \# F7 [3 R0 V3 NMethod seeking the 'magic number' 0F386h returned (in ax) by all system
% D1 i5 H+ r$ @% V. D7 D# x# ddebugger. It calls the int 41h, function 4Fh.
  a& j/ z9 a! U, v7 EThere are several alternatives.  
1 ?& u& @& Y1 Y9 @1 w3 j0 G
# t& j5 m2 q) x2 ~1 DThe following one is the simplest:
2 w8 ]4 `! {' Y" E' x' w
& ], v8 F8 B" Q, N3 }/ c    mov     ax,4fh. @' T4 s+ l3 q- ?
    int     41h
6 N2 [; Z$ s+ G  F/ l    cmp     ax, 0F3862 M, J' n2 V8 S
    jz      SoftICE_detected% k- @* J6 p) ~4 p" F1 |) e- ~4 W8 [
3 m. I+ {  v, O7 k

% G2 `  g; q1 |) C/ I" F0 f) hNext method as well as the following one are 2 examples from Stone's
+ l. i6 y/ r% w6 Q/ x"stn-wid.zip" (www.cracking.net):) Y$ }, X. Z: [0 r# u

. u, o1 R. D" T- d- \) d# V2 S    mov     bx, cs% H* ~  W. \1 S- S* A4 B3 L6 \
    lea     dx, int41handler2
8 E; X7 k( h$ S3 ~    xchg    dx, es:[41h*4]) t! A8 u- e" N2 d  \
    xchg    bx, es:[41h*4+2]/ r& `3 \& i9 b8 I: n2 I. ]& D/ k
    mov     ax,4fh) X6 X1 g$ N+ k. R+ q- Z
    int     41h- F7 [% J9 `7 y) K& p
    xchg    dx, es:[41h*4]0 ?; X/ T" X3 w# u  A, O
    xchg    bx, es:[41h*4+2]1 c$ i2 @  ?0 N& M/ \* t# [
    cmp     ax, 0f386h
) [/ s6 _/ K! C6 ^- F    jz      SoftICE_detected1 }* ~7 r2 [8 I: m& m. Q0 [; i/ Y
* D- b' g+ k- f1 H
int41handler2 PROC) m7 a( h: [' ^1 C! y$ Y
    iret. m# |% D. X7 v' }* o
int41handler2 ENDP
. w  a9 j- `( ?: r, r2 Z$ ?  h' Q8 c" S' H1 E# w* l+ D% x
0 r8 E6 f4 h0 P0 e1 d3 n) P  s
_________________________________________________________________________
9 G" i0 a- {! U' p( b, r# A) z' @8 ^- ~5 }7 Z

; {& G* Q9 R9 |+ V" dMethod 06
  L; g. Q; O8 G, V=========/ d9 e) L. k4 [9 |  F% |- T4 @. K
7 e  K+ c  g$ I+ `) W
  _3 i+ [# ?; U2 W
2nd method similar to the preceding one but more difficult to detect:% t" o0 T" j% L7 r: r- U
& ]& o& D; D" D; K6 g* }& ?

6 B5 a8 y( x) Q. f. _) u* Xint41handler PROC3 \3 C' e' ^# @) ~: X# Q3 j
    mov     cl,al' W. r) E7 S: l9 T# ]- \
    iret7 x! k; o$ X# E3 n2 J5 W$ y& e* z* o$ X
int41handler ENDP
; W$ M( J( i: l3 Y6 @* W4 ?+ g3 W& T: V; h4 N1 N$ k# |
8 J3 ]  j3 Q4 X7 E
    xor     ax,ax$ ~: z' D) ^) n5 A0 t
    mov     es,ax
' z* r. l. t6 A$ W8 K# A* \3 ^1 |    mov     bx, cs5 H. s' ?1 M% D! [
    lea     dx, int41handler
; k* @/ A1 Y7 `. d. V6 @/ u    xchg    dx, es:[41h*4]- T+ J( p% C4 L. K
    xchg    bx, es:[41h*4+2]- f/ E2 D: u' {8 x* O
    in      al, 40h
% j/ q- ~2 H" M1 |& e# \' K! W    xor     cx,cx% K" m) b" M$ P, t
    int     41h2 y- Q- u) N; I: H0 P
    xchg    dx, es:[41h*4]
, \! z$ v6 `; t6 T/ z    xchg    bx, es:[41h*4+2]
. x, e9 M) W" h- O/ z. S" X    cmp     cl,al
/ c7 g2 }+ Q1 v    jnz     SoftICE_detected; [* X) I; y' e1 q0 F8 h

2 r% z0 j" A# c9 E_________________________________________________________________________
& t" V; N3 m+ H! E, F! e7 q4 J% ]  L8 W, P
Method 07( A1 v9 o8 r8 o) |- _# \
=========
( @6 I" M# `8 ^% |8 f' c) _) ]% g8 g, Q( Q% G+ c" X9 R
Method of detection of the WinICE handler in the int68h (V86)
* k- m% n# }( B# i5 b- h' V
- L$ o3 G. {8 U) A- S7 Z    mov     ah,43h
$ B0 ?) q/ Z- k/ o# l( i    int     68h' ^, k( ]! m* u9 {" o$ D/ G' n
    cmp     ax,0F386h
6 v! P% q) ^: d    jz      SoftICE_Detected
. _# |6 l5 ^' p3 o: V: x/ |/ ^1 I2 W" R% q8 G
% F. S! U9 }8 ~- D# i
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 n' w* s. ^1 b0 e. s6 s6 F   app like this:
$ i$ Q  {9 P# `6 ?% G: O: b( i5 v. r2 |5 B, k7 H0 m7 P" f1 Y
   BPX exec_int if ax==68
5 P6 h& j* B$ J   (function called is located at byte ptr [ebp+1Dh] and client eip is# ]" O1 ^! w. G' f
   located at [ebp+48h] for 32Bit apps)
  ~; y: e8 r7 ]__________________________________________________________________________
; ]- G! o! p9 r$ P. A) e/ E. s1 Y
4 T! T$ V& p; c( G- |) Y# F" |, _" J% h! L
Method 08
0 d  g: {) g$ v/ b' U4 ~=========# L. j- J" T2 U: f- h( u
  ~2 g% r& J+ G4 ^& ?
It is not a method of detection of SoftICE but a possibility to crash the
2 {" P; I- {' O9 O# i, L6 Bsystem by intercepting int 01h and int 03h and redirecting them to another8 `8 h- G5 Y8 F+ I
routine.
( ]# I# m% X8 ^- M- DIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points( \# v0 B$ h- k4 O1 g4 L
to the new routine to execute (hangs computer...)
+ H: R, C+ K1 G3 V
4 e# e9 p# d, k  A' M, ?    mov     ah, 25h. Y1 T! A, A5 C4 A0 }. K
    mov     al, Int_Number (01h or 03h)! w* @9 {  V$ O4 L. f# ?
    mov     dx, offset New_Int_Routine' L/ O, R% f, b$ ]% z2 ^: G9 X
    int     21h
1 x; E( A0 N/ ^$ w* g# p9 H" ?. F4 x3 v
__________________________________________________________________________
: p8 ]4 ~8 k) p7 k' `& h3 k7 `+ ?  E% p% P) u& C" ?" G
Method 09
# F2 m0 L3 @3 g=========# H' H3 n: u" B2 H/ i4 M

1 H" P& E3 j1 l2 `* H8 ?2 F8 k2 uThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only% ^# P! Q  k; a; X: L% m
performed in ring0 (VxD or a ring3 app using the VxdCall).* I( j' u' j2 w3 L
The Get_DDB service is used to determine whether or not a VxD is installed
8 g1 S& }) E2 c: I- jfor the specified device and returns a Device Description Block (in ecx) for
" q4 h7 y- A/ s, a9 Qthat device if it is installed.
% p- L6 z' l. N, ?/ f) Q" O
$ u& D9 z: n) ?1 Y   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
+ p( T  c2 c+ [; D3 e) w" k; x   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% N6 _. r0 u: L3 i# U  @3 q   VMMCall Get_DDB
2 ^3 g5 h# \3 r1 W+ i   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed. I) M% Q0 E  f; d1 m

# o( C0 W, Y$ s2 j& DNote as well that you can easily detect this method with SoftICE:
% c9 o1 k# i3 _  [+ H8 L- X   bpx Get_DDB if ax==0202 || ax==7a5fh
5 W# ~8 M2 y8 B' b7 N6 u7 O5 _
- c1 D7 `- X, D( w6 O' V5 b4 w: s__________________________________________________________________________4 G* m8 U# V) A  G% W1 J
  d  P: M# N4 J' o
Method 10* @. z5 e; r) U' {+ c, F# R% S
=========
7 K2 s% ]/ K% ]
: ?5 e$ G0 V4 ~3 o. D) s=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
1 }% g: H1 N! H3 R. I9 S% M  SoftICE while the option is enable!!
$ N& _% y! ]  Z% ^) w' I5 l8 v3 Q- N& \
This trick is very efficient:
) d5 X  i* A4 s: e1 l; c$ Bby checking the Debug Registers, you can detect if SoftICE is loaded
9 u' {* [* g1 z  K8 E2 d(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if# I5 e/ i5 c: N( {
there are some memory breakpoints set (dr0 to dr3) simply by reading their
' u! Z3 T0 O, P3 a: bvalue (in ring0 only). Values can be manipulated and or changed as well: O8 N9 Z9 J8 y1 D# F
(clearing BPMs for instance). Z0 f, v+ z9 M8 y4 T7 W

" `/ \$ H; M3 x' A% `5 y/ `__________________________________________________________________________. c) w! E) R+ R8 t  p

+ r# C- ?# [) t! t2 a1 ^Method 111 s& j2 ]4 V9 S% v6 f# O  M4 \0 V
=========* O" Z6 Y0 w" z# I, G; X1 A

( R$ w" C: L( [) X6 e' nThis method is most known as 'MeltICE' because it has been freely distributed
" W! v4 G& L4 ]" M& S$ Zvia www.winfiles.com. However it was first used by NuMega people to allow
: J7 t+ i6 [- h$ w/ ^Symbol Loader to check if SoftICE was active or not (the code is located5 ]( d* ], X2 B  D2 K4 x0 D; n8 B
inside nmtrans.dll).
' G  y$ L, k7 c! S
' t. J' @% v& H# ?% T% Q2 z/ Z! GThe way it works is very simple:
; G. \% l* Q( E2 |  |9 lIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
( g+ L6 H  B# k/ g! l) c, GWinNT) with the CreateFileA API.
9 _% J, D) w4 n% v) w
1 D$ J1 o$ ~2 E; g  P( a  `5 }Here is a sample (checking for 'SICE'):
8 ~) a. h, E% f, k# p
' I" @/ Q: O5 v' B9 i  E+ oBOOL IsSoftIce95Loaded()3 D1 m. T5 L$ Y% [+ l( j
{9 Y& d% N5 s1 E3 K1 k1 q4 p% v; H
   HANDLE hFile;  
% F6 M+ @7 S8 o1 F7 N+ B, o   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,& t; N/ D) ]: h2 `
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
) ]1 y. L: e9 b9 y# f% v/ w/ J) m                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
0 u* }" t4 B' j' ?   if( hFile != INVALID_HANDLE_VALUE )/ Q6 S* o5 Q. ]8 k% N8 X
   {: r) d, I7 A9 T7 D! C% P1 o
      CloseHandle(hFile);
5 b8 k9 U' L& a" Q      return TRUE;
* o( Y; e: R. N" i, S4 ]3 ^   }
5 q, Z9 i* T! T' Q+ o, O) ^   return FALSE;
- |* m& D$ C' E' m6 M) J. [}
  e% r: i0 v' {, a" e" A6 u  Q5 M, s6 `  c3 [
Although this trick calls the CreateFileA function, don't even expect to be
0 B6 H, v8 C. U. u' B2 sable to intercept it by installing a IFS hook: it will not work, no way!+ H" M$ q+ ?1 _# A
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
# k9 q" v4 H) ~5 F7 `2 V' H, \) dservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)9 N- ?' @2 R1 U3 u% o) F  T  [! J
and then browse the DDB list until it find the VxD and its DDB_Control_Proc; \$ `" R. l& C/ m) g
field.
) S; c+ T; u2 R8 YIn fact, its purpose is not to load/unload VxDs but only to send a
  S& o) ]* y, m7 I! H! ]3 m6 f! IW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)  }: }0 }! M% v- j0 c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
, a+ f3 l' E2 ?) b3 ~to load/unload a non-dynamically loadable driver such as SoftICE ;-).! O2 }& ?4 y, v! @/ f3 u
If the VxD is loaded, it will always clear eax and the Carry flag to allow. G" p1 j; _6 k6 S* l& E# m
its handle to be opened and then, will be detected.4 H! a' m8 J2 J4 y- J
You can check that simply by hooking Winice.exe control proc entry point: Y2 Z- {( q9 C
while running MeltICE.
" V7 C4 M- e+ k* c/ ~) P
! c/ v; |# a* g/ ^( l. z; ~7 w
3 e* A1 `0 \: I& @  00401067:  push      00402025    ; \\.\SICE
% f# r5 x- h( y) Q! h  0040106C:  call      CreateFileA
& B- T3 G) A' f" k  00401071:  cmp       eax,-001+ b& s8 D  A( E# h1 v" T/ \2 D
  00401074:  je        00401091# Z. |& v+ d8 t
, ~5 }3 x  |+ r
! `7 s4 W% }- @8 ~% Z
There could be hundreds of BPX you could use to detect this trick.' e- I7 |: z% ]1 [3 H7 }# S% S
-The most classical one is:" b) G" k/ g6 X  W* n
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||. B) O5 [3 ^1 c0 M
    *(esp-&gt;4+4)=='NTIC': ?3 U) }  O/ v5 h# e: ]" E
' K+ L- u1 ~; m1 {" H. t
-The most exotic ones (could be very slooooow :-(" ]% [/ H+ r! J3 _7 m
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
3 F3 s3 k& ]) J7 E; S* \     ;will break 3 times :-(- b8 s4 V" ?! m. k8 |$ z

9 O7 H* }0 x! U: h- x& T0 s' X-or (a bit) faster:
+ x1 n4 k3 ]; x7 u, m/ K   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
* P6 v: A! O1 M3 X/ t
, h, _# s3 b% U9 k( b   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  2 _# y: K: w* |0 {" K- R6 V( ^
     ;will break 3 times :-(
/ z% [, N6 M  O9 u
4 r9 a; i+ E  h* F-Much faster:) C& N0 V/ i2 J0 f! R5 w( ~
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
1 n; e7 M+ X" |8 _- a/ a: ~! N  H% }/ L2 v) |' d0 K* l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen; F- X& i$ S" Y2 H0 B6 V
function to do the same job:4 ]! [8 {8 b1 T$ u' R: ~

* x; ]( [/ o% P( ~- c* f/ f   push    00                        ; OF_READ) t: U6 O% k, t+ X
   mov     eax,[00656634]            ; '\\.\SICE',0  c3 M2 J! H6 C8 m9 r; @
   push    eax
: q4 l! {% J' J  n) W, C   call    KERNEL32!_lopen; v: c' R3 W# e+ X6 z
   inc     eax
6 z7 Y% s1 o: C   jnz     00650589                  ; detected: o" ^! c) Z7 O
   push    00                        ; OF_READ
1 P# ~$ K$ g- y2 \; R   mov     eax,[00656638]            ; '\\.\SICE'+ ^* ]2 {  M8 ~3 z
   push    eax
" D- \; ~" G* W3 d' L/ y% L3 K* @   call    KERNEL32!_lopen
6 V2 z; W1 E0 f% l7 ]   inc     eax  n5 \) _6 P: F6 d
   jz      006505ae                  ; not detected& H- N4 j( u1 }# a# ?& g
, l' f, L- ?+ \

$ s' x( |- F( ?2 t__________________________________________________________________________; y# |# \8 K4 W1 `+ A: y
& i6 S5 l1 S; G3 j( }6 E7 C
Method 12
6 t! s0 ?* T4 w, ^7 E4 t=========4 f- k4 o8 \: i% H
4 s+ w. H3 B2 [
This trick is similar to int41h/4fh Debugger installation check (code 05
: e+ v4 t2 {+ J6 r" k. X( O&amp; 06) but very limited because it's only available for Win95/98 (not NT)! {# b$ ]- Z3 S+ t
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
* S5 o- i/ c: R  |+ d+ Q: I% z3 `1 s) E& z
   push  0000004fh         ; function 4fh
* {# |3 N1 @* w+ \$ d: c0 j* r) o   push  002a002ah         ; high word specifies which VxD (VWIN32)  d% d6 |' V6 J/ y, O# t8 p, ], X! e
                           ; low word specifies which service! o/ }9 w  i8 d% z2 m  Q! a! Q
                             (VWIN32_Int41Dispatch)
8 `0 S7 U. ?3 L2 o" [, Z   call  Kernel32!ORD_001  ; VxdCall
( y/ S( Y7 h6 u/ I' ?( i3 Y   cmp   ax, 0f386h        ; magic number returned by system debuggers: X: M' x; a  C# T2 C
   jz    SoftICE_detected
8 l$ l( i  x3 A/ _  P
9 F# }" r, \+ N0 `( sHere again, several ways to detect it:
* ^1 p  t& B1 t6 M3 X7 u
. j# |" S9 T2 v# a3 e3 a$ z* v; E    BPINT 41 if ax==4f
. o+ p! M  l0 o8 H4 O; I' n
/ T0 |  ~, P, t$ e: j7 M, n; r    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one) b' Q" ~* b* t- r

/ O  z; [) n7 m' y    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
7 b' D( V2 e6 |; d) h0 k) p& [" {& P
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!3 m8 E  T( T3 d& G0 l7 X
& b: H  Q) j: K. H5 R2 {
__________________________________________________________________________
4 x6 K/ Y0 `3 A9 e* M9 P; P4 v  q  Y
Method 13. V3 }' \' z5 R5 K% s
=========
/ c: F0 B5 B3 e3 l" |' Z. V* ?
Not a real method of detection, but a good way to know if SoftICE is
" b- z0 U& {- U# n; A+ R( Finstalled on a computer and to locate its installation directory.
3 q* ~3 t' X  U: ZIt is used by few softs which access the following registry keys (usually #2) :
2 X: k2 ^7 g9 U; f( D/ `
6 N- Z0 Y' `2 A0 w-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 [1 V* ~7 C, D* V2 J6 n6 |4 J; p' K\Uninstall\SoftICE
9 n, L( _! l( V( x4 F; D# U' s# P-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE0 S7 X, i* d9 `
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ r% t" R& B3 P\App Paths\Loader32.Exe0 Y* z6 L6 Y, H' n
3 a( N( H! {5 C4 {+ R& Q

& Z  B6 e  q+ k* [1 y6 QNote that some nasty apps could then erase all files from SoftICE directory. @! K" a" w' U3 X; G6 E
(I faced that once :-(
% W# r; Y# h- ^' J2 P6 L# r
& h" i- M2 e; {  d' PUseful breakpoint to detect it:
9 W0 k0 W" o7 z8 R1 T; w, g3 |9 C8 }9 y) A
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
; r% H0 d9 _9 P' C, v  \( \3 s: B4 Y' g* F4 e4 Q
__________________________________________________________________________
! A  H0 y! B+ @
. h8 K# T# l" d! n( a- r' t
; Z/ I* ?) `5 L& C4 LMethod 14
* T! ]4 `3 W- L1 U* |, m1 e5 b=========2 T5 F4 m8 g. m' \" \: w
( o8 b( G6 ], L. b8 J: _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
' {% n+ {$ L6 m! \is to determines whether a debugger is running on your system (ring0 only).
2 t9 d/ j9 H6 W+ a
- P  r4 N) @" N7 d; B5 P  z+ J   VMMCall Test_Debug_Installed
, j; p/ X3 {5 e$ P- \$ ~   je      not_installed# U; L" d- a7 G4 ~& f3 q

9 V; \* H% m1 MThis service just checks a flag.
! z8 a5 q4 H. l! [* \- S4 e3 ]</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-12 08:29

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表