About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the BoundsChecker signature that SoftICE recognises:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE changes AL when it sees 'BCHK'
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

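The two INT 3 tricks above (Methods 01 and 02) are what an emulator or sandbox sees as a trap with particular register values. The following Python is an added example, not code from the original post: it classifies such a trap and decodes the back-door command at DS:DX; the register names, the flat `{linear address: byte}` memory model and the CR/NUL termination of the command string are assumptions.

```python
# Added example: classifies a trapped INT 3 the way an emulator or sandbox
# hook would, to recognise Method 01 (BoundsChecker 'BCHK' check) and
# Method 02 (SoftICE back door).  Register/memory layout is assumed.
BCHK_MAGIC = 0x4243484B                 # 'BCHK' in EBP (Method 01)
SI_MAGIC, DI_MAGIC = 0x4647, 0x4A4D     # back-door magic values (Method 02)
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
DESTRUCTIVE = {"HBOOT"}     # the command the Haspinst.exe loop ends with


def read_command(mem, linear):
    """Read the command at a linear address from a {addr: byte} memory map.
    Assumption: the string is terminated by NUL or CR (0Dh)."""
    out = bytearray()
    while mem.get(linear, 0) not in (0x00, 0x0D):
        out.append(mem[linear])
        linear += 1
    return out.decode("ascii", "replace")


def classify_int3(regs, mem):
    """regs: register values at the INT 3 (16-bit names, plus 'ebp').
    Returns a dict naming the trick, or {'trick': None} for an ordinary INT 3."""
    ax = regs.get("ax", 0) & 0xFFFF
    if regs.get("ebp") == BCHK_MAGIC and ax == 0x04:
        # Method 01: SoftICE answers by changing AL; a trap handler that
        # returns with AL still equal to 4 is taken for "no SoftICE".
        return {"trick": "bchk", "method": 1, "clean_response": "al unchanged"}
    if regs.get("si") == SI_MAGIC and regs.get("di") == DI_MAGIC and ax in BACKDOOR_FUNCS:
        info = {"trick": "backdoor", "method": 2, "func": BACKDOOR_FUNCS[ax]}
        if ax == 0x0911:                # command string at DS:DX
            cmd = read_command(mem, (regs["ds"] << 4) + regs["dx"])
            words = cmd.split()
            info["command"] = cmd
            info["destructive"] = bool(words) and words[0].upper() in DESTRUCTIVE
        return info
    return {"trick": None}


# Constructed snapshot mirroring the Haspinst.exe loop: AX=0911h, the magic
# values in SI/DI and DS:DX -> "HBOOT" followed by a CR.
SAMPLE_REGS = {"ax": 0x0911, "si": 0x4647, "di": 0x4A4D, "ds": 0x4C19, "dx": 0x0120}
SAMPLE_MEM = {(0x4C19 << 4) + 0x0120 + i: b for i, b in enumerate(b"HBOOT\r")}

if __name__ == "__main__":
    print(classify_int3(SAMPLE_REGS, SAMPLE_MEM))
    print(classify_int3({"ebp": BCHK_MAGIC, "ax": 0x04}, {}))
```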
Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0000:0000 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes ES = 0 (interrupt vector table)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler,
    xchg    bx, es:[41h*4+2]        ; keeping the old vector in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; our handler leaves AX = 4Fh
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, saving the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; AL = timer counter byte (arbitrary, rarely 0)
    xor     cx,cx
    int     41h             ; no debugger: our handler runs and CL = AL
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; SoftICE swallowed the interrupt: CL is still 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the system:
int 01h and int 03h are intercepted and redirected to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
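As an added example that is not part of the original text, the following Python scans a raw binary for the byte-level traces the methods above leave behind (the immediate constants of Methods 01, 02, 03/04, 05, 07 and 12, the device names of Method 11 and the registry key of Method 13); the opcode bytes are the standard x86 encodings of the register/immediate forms shown in the listings, and the sample blob is constructed.

```python
# Added example: static scan of a raw binary for the traces the anti-SoftICE
# tricks above leave behind.  Opcode bytes are the standard x86 encodings of
# the register/immediate forms shown (16-bit code for the DOS snippets);
# the sample blob at the bottom is constructed.
import re

SIGNATURES = [
    # (method, description, byte regex)
    (1,  "mov ebp,4243484Bh ('BCHK')",                rb"\xBD\x4B\x48\x43\x42"),
    (2,  "mov si,4647h ... mov di,4A4Dh (back door)",  rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A"),
    (3,  "mov bx,0202h / int 2Fh (SICE VxD id)",       rb"\xBB\x02\x02\xCD\x2F"),
    (4,  "mov bx,7A5Fh / int 2Fh (SIWVID VxD id)",     rb"\xBB\x5F\x7A\xCD\x2F"),
    (5,  "mov ax,4Fh / int 41h",                       rb"\xB8\x4F\x00\xCD\x41"),
    (5,  "cmp ax,0F386h (debugger magic number)",      rb"\x66?\x3D\x86\xF3"),
    (7,  "mov ah,43h / int 68h",                       rb"\xB4\x43\xCD\x68"),
    (11, "SoftICE device name (MeltICE)",              rb"\\\\\.\\(SICE|SIWVID|NTICE)"),
    (12, "push 002A002Ah (VWIN32_Int41Dispatch)",      rb"\x68\x2A\x00\x2A\x00"),
    (13, "NuMega\\SoftICE registry key",               rb"Software\\NuMega\\SoftICE"),
]


def scan(blob):
    """Return (offset, method, description) for every signature hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_found(blob):
    """The methods from the text that the binary appears to use."""
    return sorted({method for _, method, _ in scan(blob)})


# Constructed sample: fragments of Methods 01, 02, 05, 11 and 12 between NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"   # Method 01 (32-bit)
    + b"\x90" * 2
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"           # Method 02 (16-bit)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05 (16-bit)
    + b"\\\\.\\SICE\x00"                                    # Method 11 device name
    + b"\x68\x2A\x00\x2A\x00"                               # Method 12 VxDCall arg
)

if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"{offset:04X}  method {method:02d}  {desc}")
```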