About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftIce.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
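As an added example (not code from the original post), here is a small Python triage scanner that locates the immediates Methods 01 and 02 load just before their INT 3, so an analyst can find these checks in a binary statically. The opcode patterns are standard x86 encodings assembled by hand for this example, and both sample byte strings are constructed, not bytes taken from Haspinst.exe.

```python
import re

# Opcode patterns for the immediates Method 01 and Method 02 load just before
# their INT 3 (standard x86 encodings, assembled by hand for this example).
# The optional 66h prefix covers a 16-bit move inside 32-bit code.
SIGNATURES = {
    "Method 01: mov ebp,4243484Bh ('BCHK')":     re.compile(rb"\xBD\x4B\x48\x43\x42"),
    "Method 02: mov si,4647h (1st magic value)": re.compile(rb"\x66?\xBE\x47\x46"),
    "Method 02: mov di,4A4Dh (2nd magic value)": re.compile(rb"\x66?\xBF\x4D\x4A"),
    "Method 02: mov ax,091xh (back door fn)":    re.compile(rb"\x66?\xB8[\x10-\x14]\x09"),
}
INT3 = 0xCC


def scan(data: bytes, window: int = 16) -> list:
    """Return sorted (offset, signature, int3_follows) tuples for every hit.
    int3_follows is True when a CCh byte sits within `window` bytes after the
    hit; that is what separates the real trick from a chance immediate."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            tail = data[m.end():m.end() + window]
            hits.append((m.start(), name, INT3 in tail))
    return sorted(hits)


def looks_like_backdoor_probe(data: bytes) -> bool:
    """Method 02 proper: both magic values loaded, each with an INT 3 close by."""
    confirmed = {name for _, name, int3 in scan(data) if int3}
    return (any("4647h" in n for n in confirmed)
            and any("4A4Dh" in n for n in confirmed))


# Constructed sample 1: the Haspinst.exe loop from Method 02, hand-assembled
# as 16-bit code and padded with NOPs (not bytes taken from the real file).
HASP_LOOP = bytes.fromhex("".join([
    "909090",      # nop padding
    "B81109",      # mov ax,0911h   (execute command)
    "8B17",        # mov dx,[bx]
    "BE4746",      # mov si,4647h
    "BF4D4A",      # mov di,4A4Dh
    "CC",          # int 3
    "83C302",      # add bx,2
    "41",          # inc cx
    "83F906",      # cmp cx,6
    "72EA",        # jb back to the top of the loop
    "9090",
]))

# Constructed sample 2: the BoundsChecker probe from Method 01 as 32-bit code.
BCHK_PROBE = bytes.fromhex("".join([
    "BD4B484342",  # mov ebp,4243484Bh ('BCHK')
    "66B80400",    # mov ax,4
    "CC",          # int 3
    "3C04",        # cmp al,4
    "7502",        # jnz SoftICE_Detected
]))

if __name__ == "__main__":
    for label, blob in (("HASP_LOOP", HASP_LOOP), ("BCHK_PROBE", BCHK_PROBE)):
        print(f"{label}: Method 02 probe = {looks_like_backdoor_probe(blob)}")
        for offset, name, int3 in scan(blob):
            print(f"  +{offset:04X}  {name}  int3 nearby={int3}")
```

Run it over a raw code section; a hit without a nearby INT 3 is usually a coincidental immediate and can be discarded.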
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
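Added example, not from the original post: a Python decoder for the DR7 bit layout (Intel's assignment) that shows what the two values quoted above mean, 0x400 being only the always-set bit 10 and 0x700 adding the LE/GE "exact breakpoint" bits, and how a BPM (a hardware breakpoint armed in DR0-DR3) shows up when the register is read. The 0xD0402 value is constructed for the example; the decoder works on any DR7 value obtained from a crash dump or a debugger's thread context.

```python
# DR7 bit layout (Intel SDM, vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0 ... L3,G3   local/global enable for DR0..DR3
#   bit 8, 9   : LE, GE            "exact" breakpoint flags
#   bit 10     : reserved, reads as 1 (hence the 0x400 baseline)
#   bit 13     : GD                general-detect (traps on any DRx access)
#   bits 16-31 : R/W0,LEN0 ... R/W3,LEN3   condition and size per register
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # 8 only exists in 64-bit mode


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into the fields Method 10 reads."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                      # DRi is not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        breakpoints.append({"reg": f"dr{i}", "local": bool(local),
                            "global": bool(glob), "type": RW_NAMES[rw],
                            "len": LEN_BYTES[ln]})
    return {"breakpoints": breakpoints,
            "le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "gd": bool(dr7 & 0x2000)}


def classify(dr7: int) -> str:
    """The states the page distinguishes: clean, loaded via the SoftICE
    loader (LE/GE set, the 0x700 pattern), or BPMs armed in DR0-DR3."""
    info = decode_dr7(dr7)
    if info["breakpoints"]:
        regs = ",".join(bp["reg"] for bp in info["breakpoints"])
        return f"hardware breakpoints armed on {regs}"
    if info["le"] and info["ge"]:
        return "LE/GE set (0x700 pattern): loaded under the SoftICE loader"
    return "clean (0x400 baseline)"


# Constructed value: a 4-byte write BPM on dr0 with global enable, over the
# 0x400 baseline -> G0 | R/W0=01 | LEN0=11 | bit 10 = 0xD0402.
BPM_EXAMPLE = 0x000D0402

if __name__ == "__main__":
    for value in (0x400, 0x700, BPM_EXAMPLE):
        print(f"dr7={value:#010x}: {classify(value)}")
```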

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-((
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>