About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install int41handler2, keep the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; a debugger answered instead of the dummy handler
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; the handler only copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES=0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL==AL only if our own handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

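Added example, not from the original post: a Python decoder for the debug-register values Method 10 reads. It goes beyond the page's 0x700/0x400 observation by decoding the DR7 enable, R/W and LEN fields, so a ring0 reader can tell which BPMs are armed; the register snapshot at the end is a constructed assumption.

```python
# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0 .. L3,G3   local/global enable bits for DR0..DR3
#   bits 8,9   : LE,GE            "exact" breakpoint matching (legacy)
#   bit  10    : reserved, always reads as 1 -> the 0x400 baseline on the page
#   bit  13    : GD               general detect (traps any MOV to/from DRx)
#   bits 16+4i : R/W(i)  00=exec 01=write 10=I/O 11=read/write
#   bits 18+4i : LEN(i)  00=1 byte 01=2 bytes 11=4 bytes 10=8 bytes (64-bit)
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

def decode_dr7_flags(dr7):
    """The global bits: LE/GE (what the SoftICE loader leaves set) and GD."""
    return {"LE": bool(dr7 >> 8 & 1), "GE": bool(dr7 >> 9 & 1),
            "GD": bool(dr7 >> 13 & 1)}

def loaded_via_softice_loader(dr7):
    """The page's heuristic: 0x700 = LE+GE+reserved bit, 0x400 = reserved only."""
    flags = decode_dr7_flags(dr7)
    return flags["LE"] and flags["GE"]

def active_breakpoints(dr0, dr1, dr2, dr3, dr7):
    """List the hardware breakpoints (SoftICE BPMs) that DR7 currently enables."""
    out = []
    for i, addr in enumerate((dr0, dr1, dr2, dr3)):
        local = dr7 >> (2 * i) & 1
        glob = dr7 >> (2 * i + 1) & 1
        if not (local or glob):
            continue            # slot i is not armed, whatever DRi holds
        rw = dr7 >> (16 + 4 * i) & 3
        length = dr7 >> (18 + 4 * i) & 3
        out.append({"slot": i, "addr": addr, "kind": RW_NAMES[rw],
                    "len": LEN_BYTES[length], "global": bool(glob)})
    return out

# Constructed register snapshot (an assumption, not from the page): program
# loaded through the SoftICE loader (LE/GE set) plus a 4-byte write BPM in
# slot 0 at 0x401000, the kind of state a ring0 reader would see.
SAMPLE_DR7 = 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)
SAMPLE = dict(dr0=0x401000, dr1=0, dr2=0, dr3=0, dr7=SAMPLE_DR7)
```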
__________________________________________________________________________! B: \- K7 \  P+ v8 N

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE driver answers to its device name. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
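As an added example that is not part of the original post: a small static scanner in Python that looks for the opcode sequences of methods 01-05, 07 and 12 and the strings of methods 11 and 13 in raw code bytes, using a matching-window heuristic. The opcode encodings, rule names and the sample input are mine (constructed), not the page's.

```python
import re

# Each rule names a method from this page and lists the opcode patterns that
# must appear in order, each starting within WINDOW bytes of the previous
# match. Encodings are the 16-bit forms (in 32-bit code a 66h prefix precedes
# them, which leaves these byte strings intact). "??" is a wildcard byte.
WINDOW = 12
RULES = [
    ("M01 BoundsChecker 'BCHK' + int 3", ["BD 4B 48 43 42", "CC"]),
    ("M02 backdoor magic SI=4647h DI=4A4Dh", ["BE 47 46", "BF 4D 4A", "CC"]),
    ("M03 int 2Fh/1684h SICE id 0202h", ["B8 84 16", "BB 02 02", "CD 2F"]),
    ("M04 int 2Fh/1684h SIWVID id 7A5Fh", ["B8 84 16", "BB 5F 7A", "CD 2F"]),
    ("M05 int 41h/4Fh magic 0F386h", ["B8 4F 00", "CD 41", "3D 86 F3"]),
    ("M07 int 68h/43h", ["B4 43", "CD 68"]),
    ("M12 VxDCall VWIN32_Int41Dispatch", ["6A 4F", "68 2A 00 2A 00"]),
]
# Plain strings used by the MeltICE (M11) and registry (M13) methods.
STRINGS = [
    ("M11 MeltICE device name", [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]),
    ("M13 registry probe", [b"Software\\NuMega\\SoftICE", b"Uninstall\\SoftICE"]),
]

def hex_to_regex(pattern):
    """'BE 47 46' -> bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def find_sequence(data, patterns):
    """Offsets of the first pattern wherever the whole ordered chain matches."""
    regexes = [hex_to_regex(p) for p in patterns]
    lengths = [len(p.split()) for p in patterns]
    hits = []
    for m0 in regexes[0].finditer(data):
        pos, ok = m0.end(), True
        for rx, n in zip(regexes[1:], lengths[1:]):
            # the next opcode must start within WINDOW bytes of the last match
            m = rx.search(data, pos, min(len(data), pos + WINDOW + n))
            if m is None:
                ok = False
                break
            pos = m.end()
        if ok:
            hits.append(m0.start())
    return hits

def scan(data):
    """Return (rule name, offset) findings sorted by offset."""
    findings = [(name, off) for name, pats in RULES
                for off in find_sequence(data, pats)]
    findings += [(name, m.start()) for name, strs in STRINGS
                 for s in strs for m in re.finditer(re.escape(s), data)]
    return sorted(findings, key=lambda f: f[1])

# Constructed sample (not a real binary): the Method 02 HASP loop body, the
# simplest Method 05 check and a MeltICE device name, with NOP padding.
SAMPLE = bytes.fromhex(
    "B8 11 09 8B 17 BE 47 46 BF 4D 4A CC "  # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    "83 C3 02 41 90 90 90 90 "              # add bx,2; inc cx; nop x4
    "B8 4F 00 CD 41 3D 86 F3 "              # mov ax,4fh; int 41h; cmp ax,0F386h
) + b"\\\\.\\SICE\x00"
```

Calling scan(SAMPLE) reports the Method 02 sequence at offset 5, the Method 05 sequence at offset 20 and the MeltICE string at offset 28; it is a heuristic, so treat a hit as a pointer to code worth reading rather than proof.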
</PRE></TD></TR></TBODY></TABLE>