About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK') that SoftICE recognizes:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must be 0 here (IVT segment), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________



Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The temporary int 41h handler copies al into cl.  If a debugger has hooked
int 41h and handles the call itself, the temporary handler never runs and cl
stays different from al.

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3), simply by reading
their value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
( H) Z% E$ r- v% r& ^2 Y1 `</PRE></TD></TR></TBODY></TABLE>