About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface that SoftICE implements: with
EBP='BCHK' and AX=4, a loaded SoftICE services the int 3 and AL comes
back changed; without SoftICE the int 3 returns with AL still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It calls
the SoftICE 'back door' interface, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jumps back.
4C19:00AD   MOV    BX,SP    ; Good_Guy goes ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point): if a VxD with that ID is loaded, ES:DI comes
back non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of
the SoftICE graphics VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers.  It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as the one in Method 06, are two examples from
Stone's "stn-wid.zip" (www.cracking.net).  Here the program first installs
its own (empty) int 41h handler, so that the call returns safely with AX
unchanged when no debugger owns the vector; a debugger such as SoftICE
intercepts int 41h anyway and answers 0F386h:

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method, similar to the preceding one but harder to detect, as it
never compares against the magic number: the handler copies AL into CL,
AL is seeded with a byte read from the timer (port 40h), and CX is cleared
before the int 41h.  If nobody intercepts int 41h, our handler runs and
CL == AL afterwards; if SoftICE handles the int 41h itself without chaining
to our handler, CL stays 0 and the mismatch reveals the debugger (if the
timer byte happens to be 0 the check is inconclusive):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): function AH=43h
returns the same magic number 0F386h.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   EIP is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the system:
the program intercepts int 01h and int 03h and redirects them to another
routine.
It calls int 21h functions 35h (get vector) and 25h (set vector); ds:dx
points to the new routine to execute (which hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (by a VxD, or by a ring 3 app using VxDCall).
The Get_DDB service determines whether or not a VxD is installed for the
specified device and returns its Device Description Block (in ecx) if it
is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7A5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7 = 0x700 if you loaded the program with the SoftICE loader, 0x400
otherwise) or whether memory breakpoints are set (DR0 to DR3), simply by
reading their values (ring 0 only).  The values can be manipulated or
changed as well (clearing BPMs, for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However it was first used by NuMega
people to allow Symbol Loader to check whether SoftICE was active or not
(the code is located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);           /* the device opened: driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function) and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry
point while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE"
in the #2 and #1 subkey strings):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
3 W! Y7 t- v1 O; N/ c</PRE></TD></TR></TBODY></TABLE>