About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give info on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
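Methods 01 and 02 both boil down to a handful of fixed immediates around an INT 3, which makes them easy to spot statically when triaging a packed sample. The scanner below is an added example, not code from the original article: it searches raw bytes for those encodings (the 'BCHK' immediate, the 4647h/4A4Dh magic values and the 09xxh function numbers) and only reports a finding when an INT 3 follows within a short window, so a stray immediate in data does not count. The sample bytes are hand-assembled from the snippets above and are not taken from Haspinst.exe or any other real file; the window size is an arbitrary choice.

```python
import re
from typing import Dict, List

# Back door function numbers passed in AX before INT 3 (Method 02).
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# Byte patterns for the INT 3 based checks of Methods 01 and 02.  Encodings are
# the standard x86 ones; an operand-size prefix (66h) in front of any of them
# still matches because every pattern starts at the opcode byte.
#   BD 4B 48 43 42   mov ebp, 4243484Bh  ('BCHK', little-endian)
#   BE 47 46         mov si, 4647h       (magic value 1)
#   BF 4D 4A         mov di, 4A4Dh       (magic value 2)
#   B8 xx 09         mov ax, 09xxh       (back door function number)
#   CC               int 3
INDICATORS = {
    "bchk_signature": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    "magic_si": re.compile(rb"\xBE\x47\x46"),
    "magic_di": re.compile(rb"\xBF\x4D\x4A"),
    "backdoor_fn": re.compile(rb"\xB8([\x10-\x14])\x09"),
}


def scan(data: bytes) -> List[Dict]:
    """List every raw indicator with its offset, sorted by offset."""
    hits: List[Dict] = []
    for name, pat in INDICATORS.items():
        for m in pat.finditer(data):
            hit = {"offset": m.start(), "indicator": name}
            if name == "backdoor_fn":
                fn = 0x0900 | m.group(1)[0]
                hit["function"] = fn
                hit["note"] = BACKDOOR_FUNCTIONS[fn]
            hits.append(hit)
    return sorted(hits, key=lambda h: h["offset"])


def classify(data: bytes, window: int = 16) -> List[Dict]:
    """Group raw hits into Method 01 / Method 02 findings.

    A lone 'BCHK' immediate or a lone magic value is weak evidence; requiring
    an INT 3 within `window` bytes after it, and both magic values close
    together, cuts the false positives down.
    """
    hits = scan(data)
    int3_offsets = [m.start() for m in re.finditer(rb"\xCC", data)]

    def int3_after(off: int) -> bool:
        return any(off < i <= off + window for i in int3_offsets)

    def near(kind: str, off: int) -> List[Dict]:
        return [h for h in hits
                if h["indicator"] == kind and abs(h["offset"] - off) <= window]

    findings: List[Dict] = []
    for h in hits:
        off = h["offset"]
        if h["indicator"] == "bchk_signature" and int3_after(off):
            findings.append({"method": "01 BoundsChecker 'BCHK' signature",
                             "offset": off})
        elif h["indicator"] == "magic_si" and near("magic_di", off) and int3_after(off):
            findings.append({"method": "02 SoftICE back door command",
                             "offset": off,
                             "functions": [x["function"] for x in near("backdoor_fn", off)]})
    return findings


# Constructed sample: the Method 01 snippet followed by the Haspinst.exe loop
# from Method 02, hand-assembled as 16-bit code.  Not bytes from any real file.
SAMPLE = bytes.fromhex(
    "66BD4B484342"  # mov ebp, 4243484Bh  (66h prefix: 32-bit operand in 16-bit code)
    "B80400"        # mov ax, 4
    "CC"            # int 3
    "3C04"          # cmp al, 4
    "7501"          # jnz SoftICE_Detected (placeholder displacement)
    "90"            # nop
    "B81109"        # mov ax, 0911h       (execute command)
    "8B17"          # mov dx, [bx]
    "BE4746"        # mov si, 4647h
    "BF4D4A"        # mov di, 4A4Dh
    "CC"            # int 3
    "83C302"        # add bx, 2
    "41"            # inc cx
    "83F906"        # cmp cx, 6
    "72EB"          # jb back to mov ax, 0911h
)

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Running the block on the sample reports the Method 01 signature at offset 1 and the Method 02 sequence at offset 20 with function 0911h; a 32-bit build of the same code matches too, since the prefix bytes sit in front of the patterns rather than inside them.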
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WinICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di, di
    mov     es, di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax, ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax, 4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax, ax
    mov     es, ax          ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install a dummy int 41h handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax, 4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; only a system debugger hooking int 41h returns this
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one, but more difficult to detect:

int41handler PROC
    mov     cl, al          ; the dummy handler copies AL into CL
    iret
int41handler ENDP

    xor     ax, ax
    mov     es, ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; AL = a timer value (unpredictable)
    xor     cx, cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl, al          ; CL == AL only if our handler was actually reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah, 43h
    int     68h
    cmp     ax, 0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
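To see why the two DR7 values quoted above differ, it helps to decode the register bit by bit. The decoder below is an added example, not part of the original text; it follows the DR7 layout from the Intel manual and shows that 0x400 is just the always-set reserved bit, while 0x700 adds the LE/GE "exact breakpoint" flags with no breakpoint slot enabled, and that a real BPM shows up as an enabled slot with a type and length. The breakpoint address used in the sample is made up, and dr7_with_breakpoint exists only to build that sample.

```python
from typing import Dict, List, Sequence

# DR7 bit layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0..7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0..DR3
#   bit 8       LE   local exact breakpoint
#   bit 9       GE   global exact breakpoint
#   bit 10      reserved, always reads as 1
#   bit 13      GD   general detect (trap any MOV to/from a debug register)
#   bits 16+4i  R/Wi 00 execute, 01 write, 10 I/O (with CR4.DE), 11 read/write
#   bits 18+4i  LENi 00 1 byte, 01 2 bytes, 10 8 bytes (64-bit mode), 11 4 bytes
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int, dr_addrs: Sequence[int] = (0, 0, 0, 0)) -> Dict:
    """Split DR7 into its flags and the list of enabled breakpoint slots."""
    breakpoints: List[Dict] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({
            "slot": i,
            "scope": "global" if glob else "local",
            "address": dr_addrs[i],      # DR0..DR3 hold the linear addresses
            "kind": RW_KIND[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "le": bool(dr7 & 0x100),
        "ge": bool(dr7 & 0x200),
        "reserved_bit10": bool(dr7 & 0x400),
        "gd": bool(dr7 & 0x2000),
        "breakpoints": breakpoints,
    }


def dr7_profile(dr7: int, dr_addrs: Sequence[int] = (0, 0, 0, 0)) -> str:
    """Classify a DR7 value the way the Method 10 check would see it."""
    d = decode_dr7(dr7, dr_addrs)
    if d["breakpoints"]:
        return "hardware breakpoints active"
    if d["le"] or d["ge"]:
        return "exact-breakpoint flags set"   # the 0x700 value quoted in Method 10
    return "nothing visible"                  # the 0x400 value: only the reserved bit


def dr7_with_breakpoint(dr7: int, slot: int, kind: str, length: int,
                        global_scope: bool = True) -> int:
    """Return dr7 with one slot enabled; used here only to construct samples."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 |= 1 << (2 * slot + (1 if global_scope else 0))
    dr7 |= rw << (16 + 4 * slot)
    dr7 |= ln << (18 + 4 * slot)
    return dr7


if __name__ == "__main__":
    # Constructed values: the two DR7 readings quoted in Method 10, plus one
    # 4-byte write breakpoint (a BPM) on a made-up address in slot 0.
    addrs = (0x401000, 0, 0, 0)
    for value in (0x400, 0x700, dr7_with_breakpoint(0x400, 0, "write", 4)):
        print(hex(value), dr7_profile(value, addrs), decode_dr7(value, addrs))
```

The same decoder applies to any DR7 snapshot taken from a crash dump or a hypervisor trace; the Method 10 check reads it directly in ring0, so there is no call to hook, which is why the text warns against tracing with breakpoints enabled.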
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win32 device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open only succeeds when the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited, because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
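Methods 11, 12 and 13 each leave fixed artefacts in a binary: the device names opened by CreateFile or _lopen, the NuMega registry key paths, and the push 4Fh / push 002A002Ah pair in front of the VxDCall. The following scanner is an added example, not code from the original article or from MeltICE: it looks for those strings (as ASCII and as UTF-16LE, since the W variants of CreateFile and RegOpenKey take wide strings) and for the code patterns in raw bytes, and decodes any VxDCall service dword it finds into VxD ID and service number using the values quoted on this page. The cmp ax,0F386h pattern it also reports is the magic value from Methods 05 to 07 and 12. The sample bytes are constructed; the call target and branch displacement in it are placeholders.

```python
import re
from typing import Dict, List

# Strings the page associates with these checks: device names opened by
# MeltICE-style code (Method 11) and the registry keys of Method 13.
STRING_INDICATORS = {
    "device_SICE": "\\\\.\\SICE",
    "device_SIWVID": "\\\\.\\SIWVID",
    "device_NTICE": "\\\\.\\NTICE",
    "registry_NuMega": "Software\\NuMega\\SoftICE",
    "registry_uninstall": "CurrentVersion\\Uninstall\\SoftICE",
    "registry_loader32": "App Paths\\Loader32.Exe",
}

# VxDCall service dwords quoted on the page: high word = VxD ID, low word = service.
VXD_NAMES = {0x002A: "VWIN32"}
VXD_SERVICES = {
    (0x002A, 0x002A): "VWIN32_Int41Dispatch",
    (0x002A, 0x001F): "_VWIN32_ReleaseWin32Mutex",
}

# Code patterns (32-bit encodings of the Method 12 listing):
#   68 4F 00 00 00  push 4Fh        followed by  68 imm32  push <service dword>
#   3D 86 F3        cmp ax, 0F386h  (a 66h prefix in front still matches)
INT41_VXDCALL = re.compile(rb"\x68\x4F\x00\x00\x00\x68([\x00-\xff]{4})")
MAGIC_F386 = re.compile(rb"\x3D\x86\xF3")


def split_vxdcall_service(service: int) -> Dict:
    """Decode a VxDCall service dword into VxD ID and service number."""
    vxd_id, svc = (service >> 16) & 0xFFFF, service & 0xFFFF
    return {
        "vxd_id": vxd_id,
        "vxd": VXD_NAMES.get(vxd_id, "unknown"),
        "service": svc,
        "name": VXD_SERVICES.get((vxd_id, svc), "unknown"),
    }


def scan_strings(data: bytes) -> List[Dict]:
    """Find every indicator string, in both narrow and wide encodings."""
    hits: List[Dict] = []
    for name, text in STRING_INDICATORS.items():
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            start = 0
            while True:
                pos = data.find(needle, start)
                if pos == -1:
                    break
                hits.append({"offset": pos, "indicator": name, "encoding": enc})
                start = pos + 1
    return sorted(hits, key=lambda h: h["offset"])


def scan_code(data: bytes) -> List[Dict]:
    """Find the int 41h/4Fh VxDCall setup and the 0F386h magic compare."""
    hits: List[Dict] = []
    for m in INT41_VXDCALL.finditer(data):
        dword = int.from_bytes(m.group(1), "little")
        hits.append({"offset": m.start(), "indicator": "vxdcall_int41",
                     "service_dword": dword, **split_vxdcall_service(dword)})
    for m in MAGIC_F386.finditer(data):
        hits.append({"offset": m.start(), "indicator": "cmp_ax_F386"})
    return sorted(hits, key=lambda h: h["offset"])


def report(data: bytes) -> Dict:
    return {"strings": scan_strings(data), "code": scan_code(data)}


# Constructed sample: a few data strings followed by the Method 12 code.
# Not taken from any real file; the call target and jz displacement are placeholders.
SAMPLE = (
    b"\\\\.\\SICE\x00"                                     # ASCII device name
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"    # wide device name
    + b"Software\\NuMega\\SoftICE\x00"                     # registry key #2
    + bytes.fromhex("684F000000682A002A00")                # push 4Fh ; push 002A002Ah
    + bytes.fromhex("FF1500000000")                        # call [imm32] (placeholder)
    + bytes.fromhex("663D86F3")                            # cmp ax, 0F386h
    + bytes.fromhex("7400")                                # jz SoftICE_detected (placeholder)
)

if __name__ == "__main__":
    for section, hits in report(SAMPLE).items():
        for hit in hits:
            print(section, hit)
```

String hits alone are only a hint (a legitimate tool may mention SoftICE in its UI); the code hits, and a string hit near a CreateFile or RegOpenKey import, are what make the finding worth a closer look in the disassembler.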

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.