找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>; d& s/ Y' Y3 W; g7 b
<TBODY>
7 N3 X% O# A5 b6 {0 W6 w1 `<TR>% M0 b# o& A* P4 f* j# ~3 R5 a
<TD><PRE>Method 01 9 `0 K! Y7 H$ ^& ^9 M
=========& O$ O* ~4 w& J+ y( M

! T% G8 s- X/ [0 VThis method of detection of SoftICE (as well as the following one) is* o! {) G6 Q( S& n
used by the majority of packers/encryptors found on Internet./ T. b( \2 d9 d( t% L* g
It seeks the signature of BoundsChecker in SoftICE8 N; J/ X# |: n. f
& `$ C" F' l2 d4 O4 q4 ?+ C; K
    mov     ebp, 04243484Bh        ; 'BCHK'
% a+ \7 @; s& ^" H$ M    mov     ax, 04h
; g* T6 o  w. U8 A: A0 n0 G    int     3      
* i) m5 ~- B# V9 X4 ~. @    cmp     al,4* k* A7 X/ Q- ]9 B* P5 v9 N+ E
    jnz     SoftICE_Detected
$ s% m0 m9 ]% u2 |$ }6 M$ n
* K1 ^: I& j) S  Z( o; K& t! }___________________________________________________________________________
% Y0 D! p# b2 ?; `. Z1 e2 {1 j7 T% @; _2 e0 C  P
Method 029 _7 n; y7 C: Q& B: B9 V/ Y# n+ }# Y8 y8 f
=========
" D/ N$ I. V) g
) I3 D0 F5 B/ ]8 i9 {Still a method very much used (perhaps the most frequent one).  It is used2 p$ o' M2 C9 ]4 ^
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,; h. ^6 _5 Y6 T. J4 L! V" l% J# N
or execute SoftICE commands...- t4 Q0 E$ W; e* j
It is also used to crash SoftICE and to force it to execute any commands2 e' i$ S8 F# @: T9 `. B
(HBOOT...) :-((  5 f5 b# D3 K3 C* z. L
9 E$ `) b* K4 j& T
Here is a quick description:. f3 x# K* Z9 l/ h
-AX = 0910h   (Display string in SIce windows), ~3 R* P4 [# I6 ]& o) C+ f
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)3 }9 m) v9 I9 d+ S
-AX = 0912h   (Get breakpoint infos), A1 H8 v  W  |1 d- r9 |
-AX = 0913h   (Set Sice breakpoints)0 e" c% T% i% u; `
-AX = 0914h   (Remove SIce breakoints): D! }. X' j4 O! L$ ~
3 E& p6 g5 [# \7 i! z
Each time you'll meet this trick, you'll see:
1 ]0 A7 `* e/ y; S# d-SI = 4647h' |; G. H/ N1 g1 k* C
-DI = 4A4Dh
! C8 d; s/ k9 t3 \4 [Which are the 'magic values' used by SoftIce.
+ B2 J! q, }9 ]2 ~) qFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
; R. V0 K9 m* F4 E
2 E$ `: [: N* D; q/ ~% ]Here is one example from the file "Haspinst.exe" which is the dongle HASP; U7 D& t* r' G' j. i
Envelope utility use to protect DOS applications:, O" r4 U# @' Q  D- {6 b6 @* M
5 @$ z9 ^. ^! y' L5 N
: o6 y% }% h8 p% j
4C19:0095   MOV    AX,0911  ; execute command.
( w" O) R7 e  x4 N4 I8 w; L  I4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
5 v/ ?9 C8 L! N9 j4 o  ?! _4C19:009A   MOV    SI,4647  ; 1st magic value.
4 u/ Z5 x  j, f5 r' i" w4C19:009D   MOV    DI,4A4D  ; 2nd magic value./ t* @3 t9 G9 h# g9 `2 x: |1 t
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
+ D) C/ t' b$ r' M' d4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute& y4 H: W# g) n4 G4 |6 G6 r
4C19:00A4   INC    CX
2 p  s. z4 z: R, p% O) \  M/ J8 {4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute* I+ g; U, M" A3 m1 k8 u! d1 b
4C19:00A8   JB     0095     ; 6 different commands.
- K1 Y, N: m; a4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
0 D6 }7 S( H) F* T1 G. t5 u* `4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :): W3 G3 [; j, y7 W/ r

1 E( M+ P$ t7 `: n$ w6 NThe program will execute 6 different SIce commands located at ds:dx, which
; ~5 i% J% `/ j' a* h2 Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
" @% q/ m% c0 a+ j, y4 f+ l1 n# q1 o! t, M0 `: i  u( b( {
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 e: t$ u. F! A! @. @6 b4 t& h___________________________________________________________________________
3 [' y9 ]2 L# l# W& X0 d0 O. q# M$ Z" J0 ^2 G
, E% {" ~, a, D
Method 03
7 B- J" h/ N9 l5 Z=========
0 n2 @% p9 Q/ K5 g6 z. j) e: I; u( z
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h& X3 q, Z' Q4 H/ {1 ]) t  Z( V' k' t
(API Get entry point)
  o! J! l7 c8 A% H# h        
# f7 b- e# Z; {' o1 g% G! c2 \6 y: j+ Y7 x! I- c4 y# [/ J0 w; h* |. Y
    xor     di,di9 B" r+ J7 z0 I  f) o
    mov     es,di0 L3 w' {+ I7 ]: J; d% q
    mov     ax, 1684h       : t2 m, Y+ Y' r/ x1 L
    mov     bx, 0202h       ; VxD ID of winice
4 D: F4 [4 G7 M8 q+ P1 z7 m. _2 O1 x) I    int     2Fh
9 F+ Q9 x/ r6 Q. x/ L* m$ l    mov     ax, es          ; ES:DI -&gt; VxD API entry point( {2 B: q$ M. }0 Y& `) _$ g
    add     ax, di
* o# K4 C; p7 z+ U# u8 k3 Q, {    test    ax,ax4 b  P' h) l( n/ J) m6 \
    jnz     SoftICE_Detected3 N1 H% S. i8 o1 Q  N3 F

0 x, O/ ~/ e' K1 R2 E7 C, r0 \; {___________________________________________________________________________
4 r! o, S) w8 N4 x. p# |6 ^9 V1 n0 @  R0 N. O+ s9 f
Method 04: j/ }; t8 b8 V) V) U4 ?
=========
! }+ |3 w& J# w
9 h8 D: a$ l2 i% P8 q5 H- [3 e4 g9 ^0 c/ xMethod identical to the preceding one except that it seeks the ID of SoftICE  h) ?( H; [! S8 s6 l8 A
GFX VxD.
5 b/ m6 P7 E4 d
+ {( S3 [1 J, r6 Y    xor     di,di5 {+ n4 q: H" ^  }) x2 j: C
    mov     es,di4 R3 F( Z1 i0 @6 s1 c0 f
    mov     ax, 1684h      
0 Q3 d# w- l6 O+ b: J0 H    mov     bx, 7a5Fh       ; VxD ID of SIWVID% R4 M. }% S: [5 ?6 c1 @
    int     2fh
1 }  {' v5 M  T( b2 n& f' r/ ?; f    mov     ax, es          ; ES:DI -&gt; VxD API entry point
% {* p( m. P' R, V' H0 s* l    add     ax, di8 u( r0 P4 l5 Y; d% B* T2 P
    test    ax,ax& v  @: X% w) t8 t8 F' H% m
    jnz     SoftICE_Detected2 ~" I' w/ k4 m8 I; `% m
5 I1 {. l: M3 t
__________________________________________________________________________0 P6 n% \. Q& W3 x
8 ]4 u# A" B9 t3 Q3 k0 d

: v7 Y0 e( u5 P/ j" ?* N3 ~5 eMethod 05
2 [$ R/ A0 S$ e5 X1 V; r( D  H5 {' a=========- P% `/ [" S, m& z+ w
/ p+ z7 A- Q' ]7 k! i. a! V
Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ T, p) G$ @- ^: {6 B2 udebugger. It calls the int 41h, function 4Fh.
' q! A* f  g  Y. h# _There are several alternatives.  * `- g( q. F% t% h( U

! f! V* f) ?% oThe following one is the simplest:
8 I  v$ U. f4 ?1 ]. y; N1 f0 {2 r8 K* w
    mov     ax,4fh
; q! v! N* i; o9 ?    int     41h8 `8 I) ?! n) c  |4 ]
    cmp     ax, 0F386$ ~- G1 S+ V% D
    jz      SoftICE_detected, k. ]! L- L3 }& C/ W* J
) ]; P. J$ V9 y( b

% Y2 x* d% J6 P3 KNext method as well as the following one are 2 examples from Stone's / _) }; G3 F- v7 k+ p$ ^; Q6 |( }
"stn-wid.zip" (www.cracking.net):# d: B6 U+ t, d4 J! d

  z3 g6 j& Y/ C( j1 U, m* ^" Q) `    mov     bx, cs: H0 L' ?$ A/ D
    lea     dx, int41handler2* ^' e8 ^& ]1 m) n( S( y
    xchg    dx, es:[41h*4]
. d2 }" f# N8 i" q; }    xchg    bx, es:[41h*4+2]
" g) x( B  m1 x/ N2 Y) c7 ^    mov     ax,4fh
' m. d5 W" S/ f' g5 _  f  t    int     41h
' a1 o) H- p* G  }    xchg    dx, es:[41h*4]
+ a2 S9 d6 ?+ n2 V# W$ R    xchg    bx, es:[41h*4+2]
+ _# m) E! A+ {2 ]. e    cmp     ax, 0f386h4 z( p8 z8 i7 y, I; O) C
    jz      SoftICE_detected- Q+ m! R" A3 W5 ~! H! Q* X1 \* b; |
7 z6 L6 U/ D0 g. l1 i
int41handler2 PROC, F; r! M# `; w) _1 x4 V, q
    iret
3 _* u2 u' R, I: ]% j% N- Iint41handler2 ENDP
6 |8 |* w  ~0 H  a! A
6 {& i5 p3 F% o! _7 V( ?
! e3 K, }& Z* }1 G_________________________________________________________________________3 o4 n  c( a% V! _

5 t/ I# \3 N( p0 O
) x; ?2 B3 z7 S" O- wMethod 06# }3 ?( z; B! L; `: \* C* s+ j. u6 M
=========; \* ~# Y: Y1 m- G" C) t5 G
2 ~8 z8 z( [7 A8 \

1 Z( x- B+ D& c' n$ ^6 Q- [2nd method similar to the preceding one but more difficult to detect:
) J+ r* o6 X( I1 {+ A( q; o3 [( u9 m! _: I6 J# W* A
4 {) f# S& X1 }; V& Z4 P# z& v4 f
int41handler PROC
7 n" r2 w6 r) M    mov     cl,al
) f# |  a0 C  i3 X- n- A5 ?    iret
% c. w- i* v, C" t2 Kint41handler ENDP
+ P/ F3 ?" f, _& b
0 w' k- _' k# v+ |/ x; ^8 Y
" M4 n: }! e6 z: u  D* x, y    xor     ax,ax3 K% w" w( k  j9 |
    mov     es,ax
- w( D1 E1 Z  @6 n8 x  h. H4 d5 @    mov     bx, cs0 q4 ]$ Q6 _* l, M9 e
    lea     dx, int41handler- N& e) |* ]  D
    xchg    dx, es:[41h*4]
& ~' ^/ z: _6 ?% z( p, ?    xchg    bx, es:[41h*4+2]  E9 G; g, h8 I! i
    in      al, 40h
( v3 o9 J+ U3 f0 y1 b6 t3 N    xor     cx,cx
- _# X/ n8 E( Z    int     41h
8 f* K% G# g4 E    xchg    dx, es:[41h*4]
- U! T1 c- X2 b* y    xchg    bx, es:[41h*4+2]
8 T9 `" H: t, _    cmp     cl,al
" D  R- O7 S, R, H    jnz     SoftICE_detected
6 V& ^& Z/ Y4 y& q  P5 x" B0 p) g9 R8 {, y
_________________________________________________________________________
* j# q' T% z$ f# s; o% R5 w5 j/ ?. R0 ]( K- h) d
Method 07: s3 t6 P) e  C# _+ X
=========# ~0 p5 u4 Y4 Z

! M9 _4 z' r8 @Method of detection of the WinICE handler in the int68h (V86)5 D9 j" U3 P. D3 g* q
+ U* U9 _2 n- R( }. K
    mov     ah,43h
1 _/ j8 n$ W; ^$ S1 q  T    int     68h! I4 ~7 o- `* a, F
    cmp     ax,0F386h# N  {  {( f/ O  f* o0 O( d6 `8 @
    jz      SoftICE_Detected' N6 [: r. s0 V) X4 S8 s
' j) V) P* {3 k8 l# H. c- i. v
- i# K4 ^5 o# k6 ~) C; A
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit: G* n4 T6 L0 l: o3 c3 t& _% U! i* A
   app like this:
( @' X$ O2 [4 l( K# i2 y2 z. z3 \9 n
   BPX exec_int if ax==68
: U: i: P( K8 E6 y" l7 \6 p+ s   (function called is located at byte ptr [ebp+1Dh] and client eip is
& X% ]9 e3 j# P1 y" \0 u% y   located at [ebp+48h] for 32Bit apps)) S1 Q2 K! e$ u
__________________________________________________________________________
$ x. d2 G: v, s1 p9 L* W! h3 v( m- Y6 D% w
$ U5 S* d4 g" t
Method 087 P! y6 Y& u* i1 g- u0 I. c/ `
=========
0 m# A8 W2 }  g/ `" }" m; l
* r5 I$ V! I3 N* \& eIt is not a method of detection of SoftICE but a possibility to crash the- g7 q1 ~' U2 Y3 z; t, o) L, g
system by intercepting int 01h and int 03h and redirecting them to another# ], H7 z7 m" z1 @1 r
routine.& w0 Q* ?3 k- S# p( u7 S
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points9 p  Z5 J$ ]: J" K# m
to the new routine to execute (hangs computer...)& ~) q4 G% |4 |! S9 b, Z
  o. B" c# G" [& x/ @, e
    mov     ah, 25h
8 {3 s1 R0 X! f( S    mov     al, Int_Number (01h or 03h)
4 q  R8 m$ N5 f3 Z7 n    mov     dx, offset New_Int_Routine9 s( {4 W7 ]6 I/ _: X3 J7 n7 Z
    int     21h
* ^- p9 L( t8 M6 u( m
: @4 O, t7 f# k; }% ~4 Y__________________________________________________________________________4 K) H5 z" ?( r+ m8 u, Z/ h

+ D/ N: K* q7 @5 c' j) bMethod 09
1 Q, ~4 Z+ t( Y' X* G=========
  d& |9 H" D6 w) A% d* x9 Q
- r1 k2 F# @& V& [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
# s, T' M" n( `9 S) a1 I: G* |performed in ring0 (VxD or a ring3 app using the VxdCall).% S! n/ G2 v+ g: b
The Get_DDB service is used to determine whether or not a VxD is installed4 e  }  u& w9 v4 G  u
for the specified device and returns a Device Description Block (in ecx) for
5 h7 S5 v& V7 _1 \" R9 \) v2 hthat device if it is installed.6 E" g% F: D+ z$ G& |
  }; g4 @) C( N( @1 P" D* D; ~5 v
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID$ H4 v" ^- ]) o3 R. Y3 m
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
$ A6 V6 l- m! v  Z" W$ M   VMMCall Get_DDB
$ \- ~8 Y! U7 q5 ~8 E   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed+ Z) l, S+ |4 O* D6 A1 l* J7 {) d

, w. x' @6 b! |6 vNote as well that you can easily detect this method with SoftICE:6 O, u1 |( A# J" c0 j/ c8 U; R% i
   bpx Get_DDB if ax==0202 || ax==7a5fh8 b0 P8 n! p7 g5 V6 \2 J3 F  S

  t; G/ @8 Y" v__________________________________________________________________________
3 z5 i) B+ D) H+ q% ~
  ]. M  Q( j' O7 `& yMethod 10
, s0 s: B$ ~! I( e- {3 k3 ^=========8 X6 ^5 v7 j* r4 \, c

& x- Z+ d5 u; U=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
( N" z. S8 ?$ G) `  Q! t" n  SoftICE while the option is enable!!
! S7 o, A4 a  N# `: v# s& Z* l' h6 ~+ z; l/ n; b# |4 A& c' o
This trick is very efficient:/ z3 `; Q, F+ ?/ ?* p
by checking the Debug Registers, you can detect if SoftICE is loaded
8 w6 {9 m& O4 X3 d0 \: s(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if% X! S' U' E) p) W% h5 T1 p# k+ m
there are some memory breakpoints set (dr0 to dr3) simply by reading their
6 I0 I/ T( k. a" z. h1 X2 rvalue (in ring0 only). Values can be manipulated and or changed as well; e; x( h7 N3 o7 }6 Q$ h
(clearing BPMs for instance)2 T- w" H; v8 u* Y
( J6 p" M5 ]1 t- x( Y& [
__________________________________________________________________________5 Z. W/ s2 a' j' ^+ K$ I8 C( Y

0 {, o, f: J1 c: Z1 nMethod 119 ~: W2 e# U! d2 E8 c1 z: M: a
=========/ E: |  \0 X8 M: I
+ D) c$ M% b, S, d- ^
This method is most known as 'MeltICE' because it has been freely distributed
- j% a& B- V4 gvia www.winfiles.com. However it was first used by NuMega people to allow
5 _& y' N( T) kSymbol Loader to check if SoftICE was active or not (the code is located
4 o: p1 s: x1 x! G( Einside nmtrans.dll).
2 ]  a( o$ b6 S4 V6 J2 J. h$ H# R, ?2 b: v9 d, a& w* x4 ?
The way it works is very simple:
; L& C7 b: x9 Z5 k* HIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for/ w+ x& F. b0 ?2 T
WinNT) with the CreateFileA API.% Y. J, l: x, P  @$ l; m" d! S1 `3 X
0 T7 q4 H) h8 i8 S) w) |
Here is a sample (checking for 'SICE'):8 ^2 p0 b' {; g. g: B( D5 K9 O: r- l
3 O8 l0 ~4 l4 F+ J3 c% c
BOOL IsSoftIce95Loaded()6 {. Y5 d% Z/ q% h9 k9 c
{
/ E7 P7 ]/ k7 R% M5 w- J   HANDLE hFile;  
& C4 H! x3 V' m& ^   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
" e* p: [( s* P, ]0 n                      FILE_SHARE_READ | FILE_SHARE_WRITE,
- J8 D" S0 ~* b; u6 Z# v! f                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);( x- z# n5 l; k) V& y8 y6 d# C% @
   if( hFile != INVALID_HANDLE_VALUE )
7 u& L. O( q: U1 M) P   {" m2 _& s, |0 p$ G/ d2 l: G5 b( d# P
      CloseHandle(hFile);/ W7 f( J* z! M. {# ~3 S/ G
      return TRUE;) h. {  a' g) ]
   }
  ?" K: R' {& f% e! T/ V6 F   return FALSE;) U" y( A% F/ M7 J
}
4 A) H) ^! O, O* m+ w1 _7 R  Z
+ ~1 B3 a- D2 O/ l  RAlthough this trick calls the CreateFileA function, don't even expect to be- W8 d7 m* V/ Y4 m) s
able to intercept it by installing a IFS hook: it will not work, no way!- Z8 O1 v! e, `/ @% L* y
In fact, after the call to CreateFileA it will get through VWIN32 0x001F% R7 G8 V6 V6 o6 J2 r' a1 s0 f) B: r
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" R" b: l" C3 [3 v$ D
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
% a1 V( w, Q8 R2 E! c: sfield.
) G6 h( d* D$ JIn fact, its purpose is not to load/unload VxDs but only to send a
' l% l! I2 ?5 K& p9 GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE): i; Z# q  }: A: Q5 g+ m
to the VxD Control_Dispatch proc (how the hell a shareware soft could try0 }  b5 ]. _, k1 h
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
( S) P- m  `* L2 I6 R. @* P* u2 rIf the VxD is loaded, it will always clear eax and the Carry flag to allow8 A3 x; ]% O) r# K& p9 t& R
its handle to be opened and then, will be detected.! U* ?/ s' @! c/ _
You can check that simply by hooking Winice.exe control proc entry point
3 w+ I+ V: j& Z; _1 G) mwhile running MeltICE.
! ^  f/ @# t3 @+ |( q# o$ m, N# x1 d$ s$ ]3 z
! F) q. V* g( m% t$ g9 i' T1 I& X5 L
  00401067:  push      00402025    ; \\.\SICE
; W+ s2 e$ r! _* p  0040106C:  call      CreateFileA
. B. g8 i8 X+ X4 k# k2 n& S  00401071:  cmp       eax,-001. k3 n1 P" S/ d: {
  00401074:  je        00401091) t' \+ U" [( S8 Q" p# l5 X2 B) Q

) L+ ^3 R) o! Y( v) |. H
* B% P5 j8 Z3 Z/ g9 B9 l$ GThere could be hundreds of BPX you could use to detect this trick.
  c" ~3 h3 x# k0 E! N" P+ h-The most classical one is:) [. p& r" k' g/ `: h) k1 G9 S3 ?
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
( c" ]# b. r8 P0 e, z9 M    *(esp-&gt;4+4)=='NTIC'
$ e! J1 [4 O  p' m0 S3 V$ N4 V
( \2 O$ \  F$ g+ Z7 q  G) H: H-The most exotic ones (could be very slooooow :-(
3 _! ?* n6 a2 J% k   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ; z4 Y+ r+ m+ u, |& v5 A3 Y
     ;will break 3 times :-(6 `; f+ I0 y) ^/ d( Z
( A: ~: j" y, Z; i7 n( v
-or (a bit) faster: , y3 o* [* b2 `* ?" U
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')& v! [* i( w0 k
- Y# q+ Y* \6 y  t  o! I7 g
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ) T8 n9 [0 r7 S) o2 W( Y( N' T* I
     ;will break 3 times :-(
- ?+ K+ y# j5 J* f8 k0 u
2 O* P. Z. R3 T# i-Much faster:8 q$ j# f! W9 P6 R
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV') Y% Z; k( l/ O$ S
- Y3 c% K: G0 y) G1 H8 l
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen& x/ m1 C1 f% `" U
function to do the same job:" A* n3 |5 \+ z( u8 y( j
& v* P( Y6 Z: K* H
   push    00                        ; OF_READ
9 u* b2 O9 e: o. |" j8 y   mov     eax,[00656634]            ; '\\.\SICE',0# k* z4 h. W) D- K- l
   push    eax
! s4 F) s9 o3 h: m# w6 C& T- n   call    KERNEL32!_lopen# x* }6 {% L' O
   inc     eax
8 C2 {* i0 K4 N. \! e0 {   jnz     00650589                  ; detected
6 r% l- {% h# J& {. _# L   push    00                        ; OF_READ6 n" u9 w) o1 o4 m- H5 j; B3 `
   mov     eax,[00656638]            ; '\\.\SICE'
$ L& L! N- e( m1 p5 @   push    eax+ Z, G( c* s2 i
   call    KERNEL32!_lopen
' C2 A( p/ U8 [2 Q8 |5 n3 r+ U3 [   inc     eax& s* [% O0 U8 u0 U) c
   jz      006505ae                  ; not detected4 T- g2 ?0 i8 u% \; m
! {5 C2 J! e! {+ T* w
' Q1 S6 F7 j' J3 w* O" B
__________________________________________________________________________+ O/ t( }# j. n, e

# D: M& L$ I! _3 i6 b% ]4 AMethod 12% e& l8 N8 L( A( k+ w
=========; N5 ^' i% x4 g2 p7 J* G+ k

$ R! B% s8 n* ?% A$ rThis trick is similar to int41h/4fh Debugger installation check (code 05
5 a$ x2 {2 ]! `! n4 j, L&amp; 06) but very limited because it's only available for Win95/98 (not NT)+ j, a5 s7 @+ `: I$ o$ w
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.* j( w& F* }$ f& ]

% ]5 _; P7 `; `% I  l) U' ^: G0 I; r0 k   push  0000004fh         ; function 4fh
0 l& b+ o& E' D   push  002a002ah         ; high word specifies which VxD (VWIN32)8 A) I! x. k1 ^" F* D; `# W
                           ; low word specifies which service
' Z2 U: Z1 \0 ~1 T2 A5 q6 a3 I* \1 R                             (VWIN32_Int41Dispatch)1 H7 d& j" w8 t3 {2 h$ g) V
   call  Kernel32!ORD_001  ; VxdCall
/ u! h6 }0 b8 ?9 c   cmp   ax, 0f386h        ; magic number returned by system debuggers  y# _1 v7 Q3 A
   jz    SoftICE_detected
; m6 T: @( K- |$ ~& o' u
5 O/ \' j* J2 U/ l1 d7 \Here again, several ways to detect it:
% B/ x0 W( Q/ r2 X: M( x
9 s, c# U5 {" l, f; I    BPINT 41 if ax==4f9 Y6 G( Z5 f1 ^( i2 f
( f7 z& d8 _) W% a
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
1 ]* l. z& U+ U& q" e! ?- k% Y4 |; {( v* b
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A2 R$ a6 ?8 T; N' ]# D. l0 h' t2 J# c) T* b
9 m5 T- V% O8 ]! K, d4 `% f& q
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!/ {, ?5 l* _* j2 g# ?& J

2 H1 ^' L7 `+ f6 Z; ]__________________________________________________________________________
# I% Z; }& Q8 h% l8 E4 U. d) i
6 K( c7 L, M6 |8 m7 O1 lMethod 13+ l0 R3 N3 ~7 A& c" U& m; Q) J% E
=========) J# I1 L: T7 A1 T
  E4 U) W( S/ F- N. U0 D+ u  X
Not a real method of detection, but a good way to know if SoftICE is
3 _8 ?$ I. y3 }) u# \! _( l' D8 Qinstalled on a computer and to locate its installation directory.: O. _5 L$ `  {9 B" O0 ]
It is used by few softs which access the following registry keys (usually #2) :7 x5 o9 F  P& A$ j9 z
7 x# p- q; {  f1 W
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  g9 Q- D0 M0 N9 e4 J. Q
\Uninstall\SoftICE
6 R; P* O1 K! M: u-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
% ~  T1 @/ P) C) T) s9 h9 [  E" S-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. O8 C* [" F  i9 ~
\App Paths\Loader32.Exe
# i6 S/ ]/ C& \  P0 w5 ~
; ]* A, X" v4 W
6 I/ [6 _  U; {' }. T$ ?Note that some nasty apps could then erase all files from SoftICE directory3 K' S, ?0 ~4 E* G7 C' X! ^$ T
(I faced that once :-(
* K$ U4 q* G* Q3 r# T5 j
9 o; u# S& a* z7 }/ R8 hUseful breakpoint to detect it:
, G. e* P* \1 f7 L
6 }$ @6 r) i& ]/ w3 O     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'4 d( L( U5 r8 ^8 x

. m( T2 Z% O  l5 u9 `0 k" @__________________________________________________________________________
- e+ w8 c* N* r3 Z* I" B$ ~3 |
* A2 P- i, D6 p6 |# h0 s
- n- w8 }9 ^: b9 @& c& L9 ~; ~0 sMethod 14
$ K) R: Z! Q- \9 d=========
& Z( B9 b* t9 [3 {/ W5 s; c$ ^! L$ F* ]2 _
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose# _# N' q2 `' H$ m8 @  ~4 M
is to determines whether a debugger is running on your system (ring0 only).% o9 H) L& P- v9 e/ R9 C+ J& c

3 c% A. f- W- G/ u8 P& q5 d   VMMCall Test_Debug_Installed
5 ?) J! c" l! o% D  a$ Z% @   je      not_installed
7 v) Z) G" b) ?( |1 z% x+ b9 l/ i- F3 F& I  g$ e" X+ ^
This service just checks a flag.; f- t+ z' h- `# e* S9 m
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-9 14:19

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表