找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
+ A. r; V; f! \4 u<TBODY>
8 D8 O9 c" e' T& d$ W<TR>- M  l5 N% E5 v5 u
<TD><PRE>Method 01
2 T" q3 }) N7 R( X$ c=========5 n' M5 x8 X9 S2 j$ q0 R

# d; W' N4 |  p# e$ }9 VThis method of detection of SoftICE (as well as the following one) is
- _+ c0 [9 g  G2 W( U) pused by the majority of packers/encryptors found on Internet.% x% I$ `4 T8 r1 s" d) Q
It seeks the signature of BoundsChecker in SoftICE
- q9 ^+ o6 {# j8 k  m. z4 j
$ Z! R" v7 n. _" r! _    mov     ebp, 04243484Bh        ; 'BCHK') u( C7 O- B; o3 w6 K/ D6 N5 a3 ]" Q
    mov     ax, 04h
5 H! K# I! a, u% R+ E4 J2 X    int     3      
2 e# Z/ W. S* z    cmp     al,41 L$ B0 P( C) k
    jnz     SoftICE_Detected# U% Z4 q- E$ Q& ?% ^% e. z
4 w- h5 p- d3 N% m% [
___________________________________________________________________________  M, K) H# U/ U4 t/ n
! n2 ?, x) G( U7 J: A( f$ @
Method 02
3 a9 G& ]& S$ L8 N4 J; J=========6 ~9 j( S( p; d
" z0 N) F' M' `- b
Still a method very much used (perhaps the most frequent one).  It is used. U3 q" {" J( f7 _, G
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
$ b6 `7 P! D( e! T  ?or execute SoftICE commands...9 S. X" a$ G9 i8 s% v& `
It is also used to crash SoftICE and to force it to execute any commands
9 X. a* n* p* i(HBOOT...) :-((  % U0 m2 b7 P. A# R& l4 m. e" k  X9 O
/ h9 I# k  M  H
Here is a quick description:
( Y' {7 E! b0 ?: _5 d& j. @! H  b-AX = 0910h   (Display string in SIce windows)
# `7 d! E+ J$ U7 V: B% @' K" V-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)  a% ?* B' K2 E! b! [8 p1 |1 I
-AX = 0912h   (Get breakpoint infos)
0 O/ Y# L+ h9 @' G7 {! {& E-AX = 0913h   (Set Sice breakpoints)/ M* w) Y9 W( r* w' G5 E
-AX = 0914h   (Remove SIce breakoints)/ b- N6 f7 P$ A0 C$ s. `
9 q9 i, R8 {1 L1 z1 Z0 I, v: L1 r2 X
Each time you'll meet this trick, you'll see:% O5 \" y( c6 J: t4 ^# Q$ Z6 I
-SI = 4647h8 V- {1 g1 G$ p! N, ?
-DI = 4A4Dh- I; d! B, l$ V* F4 k9 X
Which are the 'magic values' used by SoftIce.
8 A! Z( }( z  c* c" kFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.& y/ y, |: y' r
7 X! B. c1 n0 |3 _* x" U" q  z! e
Here is one example from the file "Haspinst.exe" which is the dongle HASP
/ ?- P! Q# K9 \7 BEnvelope utility use to protect DOS applications:
' w* C* F( q; S4 @9 s/ h' N/ g' B9 P$ g2 i/ o+ K- ]/ O$ F

/ w5 J% D& F+ ~  s0 N$ U7 t  Q! y4C19:0095   MOV    AX,0911  ; execute command.
" H/ }% z; k; e- t9 ^+ D, v4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).  i7 W5 Z* o/ `- ~6 X8 l; `
4C19:009A   MOV    SI,4647  ; 1st magic value.& e& [1 a2 x/ u* }0 I, d# g  s$ l
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.) G- H3 p8 _/ k, @
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
8 N" _) ~" f6 t4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
& P1 f+ Z( h9 V7 d1 y. Y! N4C19:00A4   INC    CX
' _% f* U& ^4 X+ C# Q! `# S9 ]6 \4 P4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
/ l) t8 q4 K' w$ g. K2 t1 U% K0 ^4C19:00A8   JB     0095     ; 6 different commands.
: t8 g& T6 b+ R8 k2 s9 |8 r9 R4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
& u- l/ g0 h( y& \* I7 t4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
# T$ [6 [: M) u7 Z! H8 z0 P# r; y- A( p( f5 G9 ?- H
The program will execute 6 different SIce commands located at ds:dx, which
; H0 \& Y3 \5 \8 |- ?$ p, g, @are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
- s/ m7 w7 r, T2 E
! f4 z- O" t4 f' q$ }1 S* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.5 G2 j4 t% P7 l- x  W, V& r
___________________________________________________________________________& r5 D+ Z! h! r. ^& d# Q

: i/ U3 Y9 m4 Q0 I; S9 |8 b; {' j- `
Method 036 Z5 y1 D6 z; C' U. {  W4 Y
=========
- V8 c* g3 _0 A+ {/ L2 b* m  h$ _
* ^* y* q* }& Y1 Q3 WLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* q. e- I# N. p: ](API Get entry point)
- X% Q7 a% R# P) ?, i        
1 Z6 X+ A2 ^& ^
' \. V* m% j1 ]! ~9 a; A    xor     di,di4 A4 l/ o: \  S) f5 ]( e
    mov     es,di& ?; V, B+ H% P& P8 K9 j0 E  N
    mov     ax, 1684h      
9 o: d$ |. _) o; p4 h! z& q, d3 E# d% w    mov     bx, 0202h       ; VxD ID of winice
  @7 `6 E1 z  d. Q& I' x" v    int     2Fh! Q1 d" M/ W: b& o% R4 z- {' q
    mov     ax, es          ; ES:DI -&gt; VxD API entry point8 Q! M+ z. K2 d0 d  z- \
    add     ax, di
! b$ g. b9 C( `( }0 J9 q2 O7 S7 A7 i6 V    test    ax,ax0 o6 k; a( W0 J- p
    jnz     SoftICE_Detected
8 n4 G" v. W5 w% B4 i$ W( i( o2 \7 B) _) L# P& h
___________________________________________________________________________
5 }7 \$ V9 d( E: n$ U' V4 z0 {5 @8 r5 x0 W3 K) z
Method 04! x- W3 \3 F2 a9 c9 J# ~+ O1 n
=========
( \% P$ R7 u9 ~- X& r" V7 E/ h$ p+ S3 Q, E1 B
Method identical to the preceding one except that it seeks the ID of SoftICE
* m1 u- z# G( n! R! nGFX VxD.$ t! K' r1 a) f2 s5 x6 e) U8 ~

( s& \* h% Y$ s    xor     di,di$ [1 [' H5 g; T
    mov     es,di) }5 ?, B; N9 ^& _
    mov     ax, 1684h       - o6 u1 k9 Z& E8 Z
    mov     bx, 7a5Fh       ; VxD ID of SIWVID7 p5 t0 E6 D; X
    int     2fh
: ]! j1 n: q* M( A    mov     ax, es          ; ES:DI -&gt; VxD API entry point
  H: Z( y1 S& W% ?- L' W    add     ax, di
2 i( u! j  M/ Z8 X    test    ax,ax
7 o$ a& k2 {* C4 B" v) b    jnz     SoftICE_Detected& C* ~- b/ ]4 j9 ?8 A- R- e3 N

$ E+ |3 q! h6 A3 \1 J/ x__________________________________________________________________________
9 _9 }  F' T+ O6 Y4 G6 d1 M! z2 J/ g. T( R, K) {8 N7 E$ \

3 G" s8 h) c2 b  p% OMethod 055 [' c4 ~$ a) m+ T8 g8 M
=========
0 w' ?4 n" O+ l# k5 h, g" a( A$ u3 o1 F/ Z! N# a3 K
Method seeking the 'magic number' 0F386h returned (in ax) by all system" _& B( {: o9 {0 C6 G. C" M
debugger. It calls the int 41h, function 4Fh.
8 k! W6 _6 F5 S/ a# Y* f9 JThere are several alternatives.  
; W+ W: N: S0 k+ m, h$ w: `0 g3 x& X* S* O9 o/ U6 X
The following one is the simplest:3 }- ~1 y0 V, B9 V) G
- }! O+ {" n9 r  a) z
    mov     ax,4fh- \6 b* L0 U8 ~2 `+ S
    int     41h
  P/ }9 R8 _) d$ P6 |. c) s    cmp     ax, 0F3861 x* B: Z; f7 n! m4 R
    jz      SoftICE_detected
7 ^. W0 K. W: V0 p4 X# q
0 ?+ _" f$ P9 \4 @/ d2 s+ J
2 f& C, N0 s( f) v- q! ]Next method as well as the following one are 2 examples from Stone's
8 n) F; C1 ]8 {" h" y/ e0 \"stn-wid.zip" (www.cracking.net):
* G3 p/ q# X" R: ?, \7 q3 X, f. {, r* H/ S
    mov     bx, cs
! ?) N- v7 s( L% c0 J5 r4 ], _    lea     dx, int41handler2
. ]/ O5 F6 F0 {8 P+ t$ n    xchg    dx, es:[41h*4]; ^# M6 J- C# p# Z9 Z# H
    xchg    bx, es:[41h*4+2]7 ^6 H; }+ f. w6 {; a2 v3 v+ O. Y
    mov     ax,4fh
9 @. \- u% \$ {" q. Y0 y    int     41h
7 n3 v1 w, R/ w2 x- @* P    xchg    dx, es:[41h*4]
& @" I2 e4 v. o; S% [2 x    xchg    bx, es:[41h*4+2]  [0 m, n9 @' D- M) S
    cmp     ax, 0f386h
! g0 e+ l' {, W3 ]    jz      SoftICE_detected
& X8 n- Z: ~" P) y& g  J8 A  Y4 T( K" H  |
int41handler2 PROC- ^' b, {3 S  A
    iret
  \5 o! i* l% aint41handler2 ENDP. y1 T6 u1 l! ]6 L0 D: m

: ?# B0 Z- f7 l2 u
& r  E" W2 e* v( k# K7 ^4 g* T6 _+ Z6 h_________________________________________________________________________
! H+ `+ S9 D8 R+ x4 y! W, z- i3 \: T3 m* v4 V6 d

, h/ Q; u. b0 m# L/ K5 ^8 ~Method 06  ]. y" a8 |) o% F. J  `' Z: @$ W+ Y
=========1 A3 a1 _! X7 L( I: Y9 \2 |1 g

/ P8 K6 n- Y1 Q. Q) _9 ~
5 t% B7 J6 X& Q5 J+ R) V3 r2nd method similar to the preceding one but more difficult to detect:
& w* T6 q8 l, Q6 C
* A& x) S* `/ t5 V' X
, z3 z9 c; o2 f) a) Aint41handler PROC' \; w! Q7 o& T, a% b- Z/ T
    mov     cl,al" j! Z/ x5 h! T, E4 s" I0 z. ^$ s
    iret
2 F+ F$ i% l% [5 i8 O6 p" X( ]% O0 Vint41handler ENDP
. N& d, I5 |3 Z8 q( p0 ?6 m# G& v6 G, I2 z* J+ c

0 v0 J7 ^" w1 X4 u2 d2 M2 A    xor     ax,ax  Y8 R# Q: V  A
    mov     es,ax
/ S+ z6 l& H& q    mov     bx, cs
! |: \# m/ I# S6 U4 H% U  J    lea     dx, int41handler0 s& e5 Q+ C5 o$ ^3 |  f  `4 r; t7 N
    xchg    dx, es:[41h*4]
% r/ N) q3 m3 C. k( N3 b1 D& T5 \    xchg    bx, es:[41h*4+2]7 o& W% V5 O% q5 u- K' t8 l- k
    in      al, 40h  X- v: l  ~6 X% Y) x; ^
    xor     cx,cx
! M# q2 E* F6 u% i6 j0 v. H    int     41h+ J' q9 d/ I: \# \" P
    xchg    dx, es:[41h*4]' G, d& O/ B( Y. s1 J& P, s6 ]
    xchg    bx, es:[41h*4+2]
2 v# ^8 L" }/ d& f" x. }    cmp     cl,al# d% r$ c; ?# @- t3 T
    jnz     SoftICE_detected3 k4 t( C5 H$ Z% b8 A6 k7 J0 w
! K* ?; p7 U) V2 b
_________________________________________________________________________
/ L: X  |; {+ s, }! p* ?- p4 c2 q" ?/ G
Method 07
( G+ a  Y6 h! O=========7 {4 S# R  I4 Q. A

+ n" N. d3 \9 t1 g  {6 U7 uMethod of detection of the WinICE handler in the int68h (V86)& l3 b, \( T- y

% }8 b/ V9 K1 T    mov     ah,43h" t; a: O- H2 D8 O$ g& X
    int     68h
" R( N: H' l( h  D* P% l8 n* I    cmp     ax,0F386h: x% Q) G7 S, J3 q( @; {! L
    jz      SoftICE_Detected/ P6 E( h5 y# Z1 ]5 E, y" h3 Z

: {9 Y( U0 B+ z0 }$ D: m# V* U8 a" }
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
: E% {5 ~# e' W7 i6 `   app like this:
" K- I1 N6 l2 ]5 n3 D8 z( ^9 M) j6 T! P$ K6 U" F) Q
   BPX exec_int if ax==68- l, v9 v. u1 S% p& j) O
   (function called is located at byte ptr [ebp+1Dh] and client eip is
3 C% S' ]: M" w; ~: ~   located at [ebp+48h] for 32Bit apps)& Y$ w8 L: h) q
__________________________________________________________________________! [: z; w$ K) a- u7 y& U' ~
+ h% d6 }# J3 Y) f. o& r

4 M. `2 T& d: x9 F$ _Method 08
* \- u  ^* R) `8 ]. |: F/ X=========. j# O7 D4 j' G. X5 @. J, [# _
6 \$ z4 a2 e5 H; h+ D
It is not a method of detection of SoftICE but a possibility to crash the& A' @; |% ^4 t4 z- [* E8 @
system by intercepting int 01h and int 03h and redirecting them to another/ v1 }4 P' d6 i& z
routine.
0 G; c/ l& a1 _, C, t' AIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points0 E  C) \! I3 r
to the new routine to execute (hangs computer...)
( {0 H$ E, a+ {: @& [$ c7 _+ H% i6 p; O+ ^. _8 V5 X. O
    mov     ah, 25h
* t* K) J, W  s+ y2 }$ j    mov     al, Int_Number (01h or 03h)4 q+ T9 z, o5 R* G6 D* j
    mov     dx, offset New_Int_Routine
! F& T3 \$ O- q, ~+ T    int     21h8 Z# B* ]+ @3 }: V& B% Q
; V2 z* b: J- @5 a+ N
__________________________________________________________________________
3 M8 \" m$ u1 b- v; \5 y7 r* S  Y; [/ e8 I  i. A6 F. D5 F
Method 09, C  T6 U- _- f
=========
2 \+ v6 P" E$ }' o
8 f, P! h5 Z2 e& l- u2 fThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
( N* W3 i6 R" J& tperformed in ring0 (VxD or a ring3 app using the VxdCall).9 \) ?% E1 U7 w1 j0 x% h
The Get_DDB service is used to determine whether or not a VxD is installed
% g7 \- Y( O* ?2 j. P6 M2 |2 D3 K8 gfor the specified device and returns a Device Description Block (in ecx) for/ L  j' \. o; ~% U
that device if it is installed.5 I2 R/ C9 W* `0 ^& C2 ]

- T1 j4 l' f; S3 L   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID* ~+ d1 A; Y) i9 a1 m- |
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-): ^' e! N% U/ f. A
   VMMCall Get_DDB
: g' m0 z, \; [2 h4 O   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
& z+ i8 u0 P5 c5 f% e/ H5 E8 |  w" f" n9 s$ f9 B0 j
Note as well that you can easily detect this method with SoftICE:
3 W( r. `5 {$ H% K4 k   bpx Get_DDB if ax==0202 || ax==7a5fh
. S8 q5 B2 M. g+ Y! i3 t. I' V
4 f" M$ x6 l( j7 y7 c$ t__________________________________________________________________________' v+ }' f: p+ N0 i
* U* R( P5 w+ ]7 i% b+ n4 j
Method 101 Z' |/ H- |- m0 f* W! b
=========2 h6 S( ~! E2 M9 [$ C
0 J, F- [' C$ M  ~  q
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with! `. ~5 J1 U  [9 T: c9 _
  SoftICE while the option is enable!!
7 u. I3 g9 }* `' g# z+ i  B# n$ x7 _; ^: h5 f
This trick is very efficient:5 [% Z* t9 d' z$ A" @: ]
by checking the Debug Registers, you can detect if SoftICE is loaded
! y; h7 H# q, v: t(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if, H5 A1 T- f+ F* Q" n
there are some memory breakpoints set (dr0 to dr3) simply by reading their! }& ~( D) o) ^% i& {
value (in ring0 only). Values can be manipulated and or changed as well( D6 E5 b  \! o3 {+ Z. f
(clearing BPMs for instance)
0 \' ~4 {3 i- a5 C
; f3 q! I+ A2 u( ]7 C1 O5 G__________________________________________________________________________
* W! m9 P! m% a. @* b
4 \8 k' V* B7 y% g: V5 a+ T( NMethod 112 @: c8 i$ t6 H( d" M! m
=========
- _2 S, ?/ J& A. ]
4 R* D" y8 q' ~This method is most known as 'MeltICE' because it has been freely distributed
; _2 o7 e- t, _via www.winfiles.com. However it was first used by NuMega people to allow* w/ O+ `. O; s( i% L
Symbol Loader to check if SoftICE was active or not (the code is located
( @& W3 p7 _: B( i" e9 C0 r3 W  @# m* linside nmtrans.dll).
+ M5 g5 `; Y) I2 e4 b7 u: u! P  r3 ^" X. F7 y" ^1 z4 b
The way it works is very simple:+ [6 X- z( L' R& N* A/ ?
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
+ R" F! _9 Q- O3 f, v9 b' XWinNT) with the CreateFileA API.! [1 }( n7 q- S* P( g

+ I( R6 s! d/ o: ~Here is a sample (checking for 'SICE'):* X" l. \% c% c
* Z6 z7 L/ x/ V+ f
BOOL IsSoftIce95Loaded()
: h8 U* G" `. h& l# }{
/ [7 O1 x5 r+ H9 E& H! z3 h. j   HANDLE hFile;  
' a; c. N. p+ W3 u6 m2 ]& K* o# I' {   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
/ w+ L: j& `, G0 h) t+ e) E& [0 f, U* ?                      FILE_SHARE_READ | FILE_SHARE_WRITE,
$ ~3 A1 C6 M7 c6 @( b. i                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);; |  T7 p7 }+ |+ h0 t8 X7 [
   if( hFile != INVALID_HANDLE_VALUE )- F/ G% ], h, M! F' V
   {
/ J* r) ~6 E) V0 w$ j8 D& f0 w      CloseHandle(hFile);9 |# y  |- @% K" w, \- h$ v7 w! O
      return TRUE;
  P# H9 V) G, O   }8 D% O8 C! r/ V- x$ C
   return FALSE;- D  S2 ^1 @7 _0 o' X
}
! U. q7 a, q% \, a; S6 R0 l' `  b- b3 @
Although this trick calls the CreateFileA function, don't even expect to be5 v! I0 c4 H. ^6 @" o
able to intercept it by installing a IFS hook: it will not work, no way!
6 W1 |5 U+ b9 D) f* f: L5 a' MIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
& X1 O8 V7 L1 e$ R) |7 pservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
8 b, ]# Q, k  @; V7 q& q: ]and then browse the DDB list until it find the VxD and its DDB_Control_Proc
* @* m* e. C, F: `  C' efield.
* m- E* Y% U9 q0 _: u* Q, E+ oIn fact, its purpose is not to load/unload VxDs but only to send a
9 s# m& d. x7 c" X4 d$ l7 z- _W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)  u' x9 a0 T( A( l& u$ x6 v
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
% o! O$ p) b4 ~# _( qto load/unload a non-dynamically loadable driver such as SoftICE ;-).
  E3 u$ Q: Z2 H& f$ |If the VxD is loaded, it will always clear eax and the Carry flag to allow3 F+ }5 A7 p' R3 {; a0 a2 I  D
its handle to be opened and then, will be detected.2 _$ E" x" C3 [# T: l) O3 {: R2 G
You can check that simply by hooking Winice.exe control proc entry point+ k% N6 B0 o( r& X
while running MeltICE.
3 @. q/ H$ {! v  n- B5 P- J, |( ~9 H% _! `$ u
: y* n; e$ A$ x" [$ t0 q
  00401067:  push      00402025    ; \\.\SICE
3 {2 B8 P' q6 V) h/ @1 D" T$ Y  0040106C:  call      CreateFileA$ [- \+ \7 @" f, v* Z
  00401071:  cmp       eax,-001- r1 n4 m# [; P
  00401074:  je        00401091' T7 P0 |( ~+ c6 Q* ]% x

! d- k! R7 b8 O: @
. J/ K+ {& r) Q. W) l; VThere could be hundreds of BPX you could use to detect this trick.7 h) c9 Z3 C  J0 m3 S7 D# D" A
-The most classical one is:
. I: a% l0 F7 X4 Z1 o$ k  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||; v, \6 W& Q5 u, ]& Y# G
    *(esp-&gt;4+4)=='NTIC'9 G: ?, n2 p% Z9 p% t7 g% e" _
1 B) C: \2 D  h
-The most exotic ones (could be very slooooow :-(; P' o; X( ]9 u) C* ^  ]! n/ [) _3 d
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  . b' A1 [; l+ Y0 ?
     ;will break 3 times :-(+ u* R( X; D( S

0 o3 y  N7 |! w# ^' i* K# ]-or (a bit) faster: % e( F7 p' p  c
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
+ ]4 e# u) ^, X( {- h) ?
0 f. }& }4 l9 U. N   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  - ]- N' r- _1 L6 {4 l
     ;will break 3 times :-(! t/ @; v  x) }
4 h' o( I& C! e* i6 Q6 Q' p8 p3 h, T
-Much faster:
) c% I. ]) Q3 K" R' k   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'. ~  }5 U7 l, o6 u; ~, x: u

: \6 {) X9 U# S! S& B* tNote also that some programs (like AZPR3.00) use de old 16-bit _lopen( t. i( ^" j) O5 B7 s
function to do the same job:
3 D; g. H4 o# x/ J
9 {/ U' g. |7 S$ R2 F   push    00                        ; OF_READ+ `* b& }0 @; y
   mov     eax,[00656634]            ; '\\.\SICE',0
% u9 J9 ~2 g3 `: g) n   push    eax! r" J: V' [; {0 ~6 P* o
   call    KERNEL32!_lopen
, P' o& T. K* U6 \   inc     eax
2 t  K7 ]/ D7 G) ~/ I! @3 D: O   jnz     00650589                  ; detected
0 [+ i% ^: ]6 I   push    00                        ; OF_READ) r# K" T- P1 ^/ q
   mov     eax,[00656638]            ; '\\.\SICE'
* \! D# f" Z" S7 N0 L6 v( v. ]   push    eax1 @" \# x' E. _3 j0 E% U0 Y+ r
   call    KERNEL32!_lopen
* E4 [% f$ S+ q" `   inc     eax/ ]: M( h7 N" n  y- h7 }$ U/ E8 R5 d
   jz      006505ae                  ; not detected- ~0 P+ R) K6 W5 H

1 G4 Y6 P) S& t3 Y/ @( B6 l, o3 K$ k
1 A! D2 o. E- Z% C9 Q__________________________________________________________________________5 [# Y6 e. h0 L2 g5 k

' r$ ^1 Q+ ~, a; J: f5 M2 r! PMethod 12- v) ~5 \7 V: N8 a; b1 c+ O
=========# k; I) e% \: x
, t0 f( B- m. x# q
This trick is similar to int41h/4fh Debugger installation check (code 05
/ ]% [2 v8 b* s0 m&amp; 06) but very limited because it's only available for Win95/98 (not NT)& c/ ?8 l) D: \: t. ]
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
# G( _* D7 a. k  r& k. H% ~  x" w' u. S
   push  0000004fh         ; function 4fh
8 Y5 z6 F% ~* Y: t   push  002a002ah         ; high word specifies which VxD (VWIN32)* r; w& c7 P" ^# _$ ~
                           ; low word specifies which service) M% v' T: i8 O; A# J; }; u0 O' L
                             (VWIN32_Int41Dispatch)
  |* o& v( x4 r" V& U3 r. ~   call  Kernel32!ORD_001  ; VxdCall
6 T& |; y6 P( S" D" g) S* \7 T$ U   cmp   ax, 0f386h        ; magic number returned by system debuggers
$ j7 t/ ]7 G& n& @5 k) p   jz    SoftICE_detected6 ~% s; o- H. I1 }1 W) g" K( p" ?  Q
: n7 }/ L8 T4 e1 k
Here again, several ways to detect it:
% h7 U3 G  ]- z. Z# y5 j# A5 e" ]" E& I; e* m2 p6 }/ ?0 F# g  h
    BPINT 41 if ax==4f
( c' V3 S) \0 a2 ~7 E* [
4 r2 ^0 N6 ~" U- T7 B9 k* u    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one+ I6 s4 h0 H- l6 m* w
2 H4 o4 d5 N6 c5 s6 |( y& v! o  e0 g3 J
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A( N* S7 x0 U3 _; |7 M& ]% y) }; v

6 a1 c+ m7 I- u    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!( z# _' w" c1 e6 ]5 ~; W6 u& S6 v! w

6 E, e' K) H( t( R8 L__________________________________________________________________________
# a- A9 O0 R3 y& s, _" k3 f$ L. [" o/ m8 b$ @6 i- X: b; G5 b' @$ W- c( U
Method 13: x5 Q* j0 R- S, |- w- ~
=========) P: ^9 B3 B  e
6 ]0 c5 I4 z; U, [5 p
Not a real method of detection, but a good way to know if SoftICE is
" H% Z% A: c8 r1 j- Zinstalled on a computer and to locate its installation directory.
. w; Q& Y8 `) N4 mIt is used by few softs which access the following registry keys (usually #2) :5 B( p* y- z, l* X) Z  ^6 D; c+ `

, S: \* n1 q4 N" m- H' x) {-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
% r( o2 E+ K1 @- U2 e% ^2 a\Uninstall\SoftICE  Y9 A1 v' T0 o5 f  W4 W
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. P3 m% S5 v% i* c/ n# G& U-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# k0 B6 V  M* o7 ?3 I" U0 S' ^\App Paths\Loader32.Exe
7 {0 G+ O# |$ I& G/ Z/ H
, d( X7 K. Z( s: s/ c4 F5 F$ U; G5 X" @+ ?& g
Note that some nasty apps could then erase all files from SoftICE directory
7 s$ u* I* F$ o5 Z. |9 k4 S; ~6 k. ]8 T(I faced that once :-(! {: `; ~' a2 _

2 v5 d: S: s+ o9 ^Useful breakpoint to detect it:% o6 J( e/ x. U2 B. H/ E

: s* p6 D( M% |  M     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'0 \6 }) A% n( S0 D  ?' `
: Y7 ]) @4 |, N& D1 J5 y4 y! R
__________________________________________________________________________
" }/ V+ c+ D7 U8 U$ D2 X
% c  r% g4 u, C: F# A/ `0 r5 r3 S1 v( Q! i# M" x) _. T1 F
Method 14 + d8 J7 x7 F7 w) q# F, N5 ]. G
=========
! N' |5 I/ \1 }7 D7 ]+ o2 v
' O0 N! ~( D9 ^4 _0 v2 YA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
  Q& ~' x' n# M6 j2 H+ Lis to determines whether a debugger is running on your system (ring0 only).6 h- |4 R  B3 l7 P4 @  g( T

- P; X9 H! e6 g* `/ }# u' s8 i   VMMCall Test_Debug_Installed+ N% y  V! D- h6 o9 c5 F
   je      not_installed2 O/ W4 @. r1 j7 E
& c) E# I+ Y3 d  ?
This service just checks a flag.5 o* @$ i* _4 p( g# W* |% V2 p
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 03:13

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表