About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with 'BCHK' in EBP and
AX=4, SoftICE's int 3 handler services the call and AL no longer holds 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4                  ; untouched (al still 4) when no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very common method (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get VxD entry point"): if the VxD is loaded, ES:DI receives a non-zero
entry point.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 if nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily points the int 41h
vector at its own IRET handler, so a 0F386h answer can only come from a
debugger that intercepts the interrupt before the vector table is consulted:

    xor     ax,ax
    mov     es,ax                   ; ES -> segment 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there is
no 0F386h constant to break on. The temporary int 41h handler copies AL into
CL; AL is loaded from the timer port (a value not known in advance) and CX is
cleared before the call. If the program's own handler ran, CL equals AL; if a
debugger intercepted the int 41h and did not reflect it to the vector table,
CL is still 0. (AL happens to be 0 one time in 256, so this variant can miss.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES -> segment 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0: an unpredictable AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                      ; DOS: set interrupt vector
    mov     al, Int_Number               ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; DS:DX -> new handler
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3), simply by reading their
values (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).
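The DR7 decoding that Method 10 relies on, as an added example (not code from the original text): reading DR7 itself needs ring 0 (mov eax, dr7), so the value is passed in, and the sample values are constructed from the 0x700 / 0x400 figures quoted above and the documented x86 DR7 bit layout. It also shows the "clear the BPMs" manipulation mentioned in the last sentence.

```python
# Added example (not part of the original text): decode a DR7 value the way
# the Method 10 check does.  Reading DR7 requires ring 0 (mov eax, dr7), so the
# value is passed in; sample values below are constructed from the 0x700 / 0x400
# figures quoted in the text and the documented x86 DR7 bit layout.

DR7_LE = 1 << 8                # local exact breakpoint enable
DR7_GE = 1 << 9                # global exact breakpoint enable
DR7_RESERVED_BIT10 = 1 << 10   # reserved, always reads as 1: the 0x400 baseline
DR7_GD = 1 << 13               # general detect: any debug-register access faults

# R/W field: 10 is I/O only when CR4.DE is set; LEN 10 is 8 bytes only in 64-bit mode.
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}


def enabled_breakpoints(dr7):
    """Slots 0-3 whose local (L) or global (G) enable bit is set."""
    return [n for n in range(4) if dr7 & (0b11 << (2 * n))]


def breakpoint_info(dr7, n):
    """Condition (R/W field) and length (LEN field) of slot n."""
    rw = (dr7 >> (16 + 4 * n)) & 0b11
    ln = (dr7 >> (18 + 4 * n)) & 0b11
    return {"slot": n, "type": RW_NAMES[rw], "length": LEN_BYTES[ln]}


def classify_dr7(dr7):
    """Mirror the text's rule: 0x700 -> started from the SoftICE loader,
    0x400 -> nothing set; any enabled slot means a BPM is armed."""
    if dr7 & DR7_GD:
        return "general-detect armed"
    if enabled_breakpoints(dr7):
        return "hardware breakpoints armed"
    if (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE):
        return "LE/GE set: loaded through the SoftICE loader"
    return "clean"


def arm_bpm(dr7, n, rw, length):
    """Build the DR7 a debugger writes for a BPM on slot n (local enable)."""
    ln = {1: 0b00, 2: 0b01, 4: 0b11, 8: 0b10}[length]
    mask = (0b11 << (2 * n)) | (0b1111 << (16 + 4 * n))
    dr7 &= ~mask                                   # wipe slot n's enable and R/W-LEN fields
    return (dr7 | (1 << (2 * n)) | (rw << (16 + 4 * n))
            | (ln << (18 + 4 * n)) | DR7_RESERVED_BIT10)


def clear_all_bpm(dr7):
    """What a protector does after detection: drop every enable bit and every
    R/W / LEN field, keeping only the control bits 8-15."""
    return (dr7 & 0xFF00) | DR7_RESERVED_BIT10


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x700, 0, 0b01, 4)):
        print(f"dr7={value:#010x}: {classify_dr7(value)}",
              [breakpoint_info(value, n) for n in enabled_breakpoints(value)])
```

A BPM set from SoftICE on slot 0 (write, dword) on top of the loader's 0x700 yields 0xD0701; clear_all_bpm() turns it back into exactly the 0x700 the text quotes, which is what a protector that "clears BPMs" is doing.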

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;      /* the device opened: the SICE VxD is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall), and then walks the
DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it gets detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (Methods
05 & 06) but very limited because it's only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
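A byte-signature scanner for the idioms catalogued in Methods 01 to 13, as an added example (not code from the original text): the kind of triage script you run over a packed DOS/Win9x executable before single-stepping it in SoftICE, so you know which trick to expect. The patterns are the standard x86 encodings of the instructions quoted above (a 0x66 operand-size prefix is tolerated where 16-bit and 32-bit code differ, and a few bytes of slack are allowed between the instructions of one trick); SAMPLE is a constructed blob stitched from Methods 01, 03, 05 and 11, not a real binary.

```python
# Added example, not code from the original text: a byte-signature scanner for
# the anti-SoftICE idioms catalogued in Methods 01-13.  The byte patterns are
# the standard x86 encodings of the instructions quoted in the text; SAMPLE is
# a constructed blob, not a real binary.
import re
import sys

SIGNATURES = [
    ("Method 01: 'BCHK' in EBP then mov ax,4 / int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00\xCC"),
    ("Method 02: back-door magic SI=4647h / DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    ("Method 03/04: int 2Fh/1684h for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    ("Method 05: mov ax,4Fh / int 41h",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("Method 07: mov ah,43h / int 68h",
     rb"\xB4\x43\xCD\x68"),
    ("Magic 0F386h: cmp ax,0F386h (Methods 05/07/12)",
     rb"(?:\x66)?\x3D\x86\xF3"),
    ("Method 11: MeltICE device name (SICE / SIWVID / NTICE)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    ("Method 12: VxDCall VWIN32_Int41Dispatch (push 4Fh / push 002A002Ah)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("Method 13: NuMega SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(blob):
    """Return (offset, label, matched bytes as hex) for every hit, by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), label, m.group(0).hex()))
    hits.sort()
    return hits


# Constructed test blob in 16-bit DOS encoding (hence the 0x66 prefix on the
# 32-bit mov ebp): Method 01, Method 03, a MeltICE device string, Method 05
# with its 0F386h compare.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC"   # mov ebp,'BCHK' / mov ax,4 / int 3
    + b"\x3C\x04\x75\x10"                           # cmp al,4 / jnz
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x00" * 5
    + b"\\\\.\\SICE\x00"                            # "\\.\SICE" device name
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"           # mov ax,4Fh / int 41h / cmp ax,0F386h
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label, raw in scan(data):
        print(f"{off:08x}  {label}  [{raw}]")
```

Run it with a file name to scan a real executable, or without arguments to scan SAMPLE. The slack (`.{0,8}?`) is deliberate: packers interleave junk instructions between the loads and the int, so exact sequences miss; widen it if a sample evades, and treat the registry and device-name strings as weaker evidence since they also appear in legitimate SoftICE tooling.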
</PRE></TD></TR></TBODY></TABLE>