找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>! R; Y" |- W8 O% M$ S
<TBODY>$ u* d) i3 b- Z2 }& N. N) [
<TR># y) Q2 d- q$ Q0 Y5 ~0 L9 B; H! D
<TD><PRE>Method 01
6 I" }; e2 |* a& |=========1 c; Y) \, ?1 X, i. c6 Z% X

& `8 c/ U+ W$ p+ N& B+ v2 bThis method of detection of SoftICE (as well as the following one) is/ J8 Y7 F" i! |1 L* g
used by the majority of packers/encryptors found on Internet.9 b! X1 Y) n- m% Q6 |
It seeks the signature of BoundsChecker in SoftICE3 |6 M% o4 W9 ~  b; `8 f, d
1 W  ?+ V2 b1 u; M2 L1 o3 i; T1 ^
    mov     ebp, 04243484Bh        ; 'BCHK'
! D7 d) x. y5 l9 L, r8 Y) U  d    mov     ax, 04h( }) V! j! Z* u4 T
    int     3      
9 \& K1 ^, a& x0 Z% n. h    cmp     al,4
& ^! {2 s) }5 z4 v. g! i    jnz     SoftICE_Detected
% }3 ?; ]- l* ]7 q, F# I) y' {* s' Y$ s
___________________________________________________________________________
- L  {' ~8 ?; A; i0 X, U7 \# g# ^' F" X4 l7 |3 P$ g* ^/ _
Method 02+ X5 T; E/ S: E3 I# S/ `) @5 N
=========0 P% ]% E3 `3 W# ~* t$ z" p

1 L" n* [: u# N' J" gStill a method very much used (perhaps the most frequent one).  It is used3 D' R$ b) H" [8 E- g
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
2 M" V5 q( N& ?1 s+ r# Por execute SoftICE commands...0 n4 z8 Z( p2 f( e( a
It is also used to crash SoftICE and to force it to execute any commands
( W+ Z! P! B) ?0 g' R: E(HBOOT...) :-((  + a, T4 H* `, J: M" s" J' O

4 v$ F# a8 x, P1 n  |2 }4 mHere is a quick description:2 h% i  ]& w' W8 K
-AX = 0910h   (Display string in SIce windows)# N  c7 ?9 Y/ @2 @# W5 |0 z4 A
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)) k" }$ o- D1 C( K' W" v0 y; o
-AX = 0912h   (Get breakpoint infos)5 Y, S: a' A  i: z* m: p0 u
-AX = 0913h   (Set Sice breakpoints)+ [; V+ t! z& L$ y$ y  {
-AX = 0914h   (Remove SIce breakoints)
0 _7 q$ d1 t" H& h0 B& h9 D: G
8 U* J7 I0 |! h7 a* @% h4 SEach time you'll meet this trick, you'll see:0 i5 [. ?' ~0 j& L, G3 y- \
-SI = 4647h# d' Y( k" c& c# a! n: W. |# R
-DI = 4A4Dh
& h) U  k7 P' d/ [Which are the 'magic values' used by SoftIce./ b! Z+ h8 \! _; b# P7 P- z* T' Z% Q
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.* u6 @) r6 o% m) p9 A  `
* r) ]2 \  b1 W9 U) y
Here is one example from the file "Haspinst.exe" which is the dongle HASP
8 x, X  y' V7 P  rEnvelope utility use to protect DOS applications:3 _! E' h3 t- z# a3 J

$ f& ^) n0 {8 F  z' J1 w, t+ P; h. N' x3 F6 S/ G; I
4C19:0095   MOV    AX,0911  ; execute command.
; W4 }- m; R' p8 y# B0 @3 t4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
1 k/ m; l; C- F$ ]$ E4C19:009A   MOV    SI,4647  ; 1st magic value.
3 E8 V2 r3 r/ k. n+ [% S4C19:009D   MOV    DI,4A4D  ; 2nd magic value.9 z" |+ l0 t1 |7 o+ J  y
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)/ _/ c4 |- Z/ h* C2 N4 \
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute+ Y/ m( H* V. M) G8 q" v
4C19:00A4   INC    CX
* ^; ]! c8 j$ I# t& X/ ~. i5 N4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
/ v! P& G% E# n. g$ u) B4C19:00A8   JB     0095     ; 6 different commands.0 }; C$ }, {! h9 Y& M6 R
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.4 P! d/ x' _/ n9 W9 s9 p) Y; o8 i. f
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 @. ]/ O0 a7 a' @
# L0 J8 G; ~. ~The program will execute 6 different SIce commands located at ds:dx, which8 b4 c+ w7 x/ w: v8 q1 j. f& }: p
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
8 h! H0 t8 }( |$ n
$ M0 m* X* k4 x! }* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
) F% ~6 ?* j2 N- D+ s- j: |___________________________________________________________________________
/ L4 F8 h; y; _) r/ F
! f$ F  e$ U0 e: x+ ^
4 X0 d  e1 \: y( pMethod 03
' u, i, z+ B: Y; t7 j" E=========; G6 y* F, h# Y- H3 `' b

! v% m2 B. q* P4 Q# cLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 _: e& i5 k. H3 ?/ W" N: A" P(API Get entry point)
9 P" }; I. ^0 ^( u* a        
, L3 |3 y% C0 y1 S( @( R: s0 w( o. F2 C
    xor     di,di
1 n; @) O) _5 W# p7 R+ x3 V; y    mov     es,di
3 |8 ^, r4 y% u6 q$ i, {# h: ~    mov     ax, 1684h       # u, e; t2 F1 A# R- D7 v/ f4 m
    mov     bx, 0202h       ; VxD ID of winice
$ O0 x; \, r; Q    int     2Fh8 m* [# n; z( A
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
0 |+ ~1 l: c5 O3 Z# q    add     ax, di
; }. A, X/ C- a( _2 _    test    ax,ax
# ]4 X3 F5 F, B# O3 x    jnz     SoftICE_Detected
8 ~. e. \8 F. |2 ?
( f7 G8 R9 _" M$ a( q% L5 ^) h___________________________________________________________________________
4 r! y& H/ L) I
0 r# X& l8 [: _/ {) N, n# B6 sMethod 04. x8 S" F% r5 A  m1 l' `
=========
# J4 }) M* f- N7 P
" C, Y1 B8 ^- {9 \% E6 |Method identical to the preceding one except that it seeks the ID of SoftICE
( R" V5 ^9 [1 I+ [- BGFX VxD.
, U5 g# Z: I, }7 }3 j7 V8 v1 Y2 w7 x5 V0 v9 R# ]
    xor     di,di
0 d# I7 V# S( D! k    mov     es,di
+ v5 Q% k. j: r$ J    mov     ax, 1684h         R+ j- U  w6 z, A5 A- H& M1 ^6 x
    mov     bx, 7a5Fh       ; VxD ID of SIWVID- s+ M. F, D& N3 d+ f* ]/ p- P
    int     2fh
( R, M" V7 Q& O1 ]    mov     ax, es          ; ES:DI -&gt; VxD API entry point1 n4 w! M5 l1 U' o& C
    add     ax, di; ?' n% i* P" v1 [1 w0 L  u' |
    test    ax,ax
/ h# K% L) |- G0 K; g    jnz     SoftICE_Detected6 T& i9 h9 q% [# _) F# h- v& I* @, f

8 Q( R+ b& Q, Q8 y! G__________________________________________________________________________
( H0 E  e& h( k( b1 U, M* c5 e: e% R6 }" q; o5 N  d
# F) z1 q2 C; p: _$ l" o& X/ ~4 d+ K
Method 05
" s: T* v0 e& Q! A. \! C=========
7 P1 a" ]" \: n
7 [5 T8 l/ O) a# u! `5 y$ \8 aMethod seeking the 'magic number' 0F386h returned (in ax) by all system
5 b7 \8 H/ g; K5 c  l' Edebugger. It calls the int 41h, function 4Fh.
( O: R  O! ^0 _There are several alternatives.  
. ~3 {. B9 D3 W
! X/ ^8 E3 }7 jThe following one is the simplest:
3 B& w: y0 o, a2 |5 ~6 a- A2 [9 t  D9 j8 j% c
    mov     ax,4fh3 k& I: v9 Y" F
    int     41h
) O# \) v5 U; g5 X    cmp     ax, 0F386
9 M* A  \9 J( r) T! W+ f    jz      SoftICE_detected
5 o% m+ q* L+ t( ]$ r: r" h0 C  O$ ?/ s% L3 }

5 C: @9 k5 P* N# s) @* XNext method as well as the following one are 2 examples from Stone's
% t$ t3 l- T6 j# k! S"stn-wid.zip" (www.cracking.net):! Y( A% i; g: A3 Q- Z

# ^6 e: A- [9 Z5 ?1 {    mov     bx, cs0 H$ T6 E% D* H$ j) h* a! s& p
    lea     dx, int41handler2
5 E. i" y% s7 }    xchg    dx, es:[41h*4]7 Y2 d5 {7 K1 ^# m4 P
    xchg    bx, es:[41h*4+2]" X, {' `7 F8 w% P
    mov     ax,4fh# Z# A9 n( M# J. e7 |; l
    int     41h
% P# H" f, ^. K$ x* `$ @    xchg    dx, es:[41h*4]- ?+ i, w1 x) R+ M
    xchg    bx, es:[41h*4+2]
* S7 e+ g( Q' E8 d+ J" y5 a    cmp     ax, 0f386h. z/ U- F- |4 r( V
    jz      SoftICE_detected- B: P$ Q. S: ?& d* s& O' [6 r& |4 p
- B- F2 ^0 s5 X/ L
int41handler2 PROC
5 a6 L6 }' v' j% V    iret' W$ n: J- F  ^* k
int41handler2 ENDP' ?/ {$ _0 m2 Q( W; b0 e9 @
3 a7 z5 T6 R; e9 P
+ W; ]4 {7 j, R' ^+ T% e
_________________________________________________________________________% k' ]: f7 m) }6 w

" C, s2 Q" w2 w" ]& P" B. `0 R
4 b$ ]; n7 j3 }* z* y' oMethod 069 M* Z+ p+ U) t
=========
9 ]3 W2 \+ s, E3 G1 M- {
2 c) [+ x& n( S% ~7 z7 g5 x) h8 o9 |: C2 w
2nd method similar to the preceding one but more difficult to detect:* `2 ^9 N9 Y' x. I5 `4 G* T; P5 M

9 f( P8 T8 r( E# u, H, G( C; ?6 ~1 u
# D; B6 q9 X3 ~0 Q8 }6 v* Gint41handler PROC
. K0 \+ R: C* D  k! p, z    mov     cl,al
  G' a/ [. m/ Y6 I) \7 B# C/ a6 O    iret
0 d! s$ g$ X) E7 r9 k" Vint41handler ENDP( z" {! ]9 r) {

) @0 ^+ u! b7 O6 y! c+ j* Z0 g+ S
: \5 f* o8 j' G  l( p( S5 U( T    xor     ax,ax
9 I& c& K' R, D9 N0 Q    mov     es,ax
" d: \7 V$ n/ \6 [: S, j8 R* d7 C" I    mov     bx, cs
8 c7 _/ \, b. z- T    lea     dx, int41handler0 G% g$ w( M0 V2 |2 Y) ^$ X/ R
    xchg    dx, es:[41h*4]" b0 Z2 ]1 P. |5 U  R
    xchg    bx, es:[41h*4+2]+ i) ?' r% q9 T) j& ]1 z& Z
    in      al, 40h# _8 J. E: l2 ~9 I
    xor     cx,cx% l5 X2 y: M  o/ L5 {. @) n2 C' L6 u$ D: [
    int     41h% S/ O) X' ^" ?4 n/ t: w
    xchg    dx, es:[41h*4]' I' j( ~$ Q# X
    xchg    bx, es:[41h*4+2]
( S' ]: C4 W9 c" ^/ X/ m: q    cmp     cl,al
7 ^5 c1 h0 M( [" M) a    jnz     SoftICE_detected
2 P' G, Q# E% u2 R; z" P2 [
7 R9 {4 x4 g6 P; |0 m! r0 V: e_________________________________________________________________________& o6 L: s; ~) n
' V) A# @. Z9 S6 @  v( [
Method 07
- Y# R* n# B+ ^6 J0 h8 ~2 H  U=========& j1 e5 }1 n7 _9 R2 E7 `" ?- B3 {8 |
! w3 w1 C" P7 A& P
Method of detection of the WinICE handler in the int68h (V86)$ c) F' l/ K  e: N6 V$ ?1 E1 {
) K0 E1 M8 m. g
    mov     ah,43h
9 v  ]* ]  T$ y& g  n    int     68h
7 M& e4 o9 H: a$ U5 ]    cmp     ax,0F386h
0 x, p' N: b: |, r    jz      SoftICE_Detected, S0 N. V5 Z8 R' i$ d6 p% I6 q

. N. E8 s. K/ ?. B# ]( d( D/ H# A: X3 p
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
! `) g" k& r2 O; [) v0 e; |9 Q   app like this:
2 G6 p% ^5 i7 `1 l. X3 l2 H7 {7 Q  A; `9 Z; l+ M
   BPX exec_int if ax==68
% E+ z5 ~, D' M, ^1 e) r# b   (function called is located at byte ptr [ebp+1Dh] and client eip is' i+ W5 r3 G3 Y( U# m* C( I
   located at [ebp+48h] for 32Bit apps)1 }" }# J% F% u# a+ V4 N) H
__________________________________________________________________________
* e9 ~/ J. E2 i! r$ q" c0 ^" B+ o* N' M; S

* Z1 F8 C. z# ]4 KMethod 08
+ O. `' \9 \5 _9 `=========) \! P$ x% i) x/ h! Q0 }2 ]

0 U2 o) u, b0 \, KIt is not a method of detection of SoftICE but a possibility to crash the1 Q. b0 r& b: R& G
system by intercepting int 01h and int 03h and redirecting them to another
8 w9 [5 v; s$ b. r; I0 g9 b! {routine.- |! H) W' M4 o' f) @) F3 v
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) b. Q8 T3 I) E2 A$ n$ n( g7 e
to the new routine to execute (hangs computer...)/ K5 \) |0 r, j* k$ F$ M# _
2 [8 R) a7 m( N* ~' x& n
    mov     ah, 25h
! u# a; U- B- S5 A3 C6 Q    mov     al, Int_Number (01h or 03h)0 C5 q; R! }7 m4 }  E2 O' P, K
    mov     dx, offset New_Int_Routine8 n) ?! x5 A; _2 x' `7 O& v
    int     21h
9 r& v: A( N+ n( G5 O
+ c9 Q. A: F% E# Z__________________________________________________________________________
5 `0 C& ?" U9 l4 ~. R8 a
2 x: |) D: {; P. G$ mMethod 094 z2 F8 A; |6 r9 `' x5 n1 T* |/ J
=========
+ k) U  J+ Q6 R6 g
; r+ H% H  c% [This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 L% y6 d4 e0 r8 b# _8 G0 @# Mperformed in ring0 (VxD or a ring3 app using the VxdCall).5 g5 w! N9 r) ?; G- w/ U1 u0 [
The Get_DDB service is used to determine whether or not a VxD is installed
" O0 j8 y9 k4 _, i" a! m) m  u4 rfor the specified device and returns a Device Description Block (in ecx) for' v$ Y" l3 E4 C4 {4 X
that device if it is installed.
2 n6 s: _) U7 U7 ]3 y( g, ^0 \2 C2 O- H
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID) w6 F# q8 ~6 k/ S5 R
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% _: k" N4 l8 X6 {   VMMCall Get_DDB
9 w" T! H/ j/ R! Q* b   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed7 a( D: R5 m) i- k. `

( U9 Z: t8 @+ P" H5 I" q8 N8 ]Note as well that you can easily detect this method with SoftICE:% Y( H+ Z( V; B0 t( G- P7 y
   bpx Get_DDB if ax==0202 || ax==7a5fh2 }& e; H# Q  L$ t, Z

7 b2 ?& X& z1 j- U__________________________________________________________________________, a2 Y3 \9 y% [% W

/ |; O% x9 c* H3 VMethod 10
( P* b8 l) i! v% h  S! \0 F: ?% r=========
- c. u1 N: m8 T0 `  f4 J; \6 @; _; f- p% _( ?
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with/ h0 R! k' ?0 S( I$ H9 |+ P
  SoftICE while the option is enable!!
- I0 {% k# x% G( _* D. S$ D# k! ]" Z" {( u8 D5 V6 z
This trick is very efficient:  D0 R& b1 |5 p6 P" v" Z" |
by checking the Debug Registers, you can detect if SoftICE is loaded  x% q  `2 J+ g$ G9 c
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if. z5 q& W. M7 l" E! d8 _
there are some memory breakpoints set (dr0 to dr3) simply by reading their. u+ d8 Y1 I& ~5 M
value (in ring0 only). Values can be manipulated and or changed as well3 j1 `) U$ j. w; Y4 D6 D1 N9 z
(clearing BPMs for instance)
8 r: g. m* z. U6 V: E. t" v5 Y  @* j! B" D: f/ i% a' u
__________________________________________________________________________$ J) @) x0 |8 N. n! o0 S% @5 [

% b  f. ~& B5 T4 ?8 XMethod 11
9 t/ k5 J2 b0 ^$ M1 a& ]% C: u3 ^=========# T7 f" f. A% f' a3 K. T& ~9 N
' n9 A$ T$ ^  U+ O5 L  P9 W
This method is most known as 'MeltICE' because it has been freely distributed7 }( H& H$ ^) U" G
via www.winfiles.com. However it was first used by NuMega people to allow
* g+ j' x1 g: ]6 Y+ oSymbol Loader to check if SoftICE was active or not (the code is located8 }" W$ i0 o8 ~
inside nmtrans.dll).0 D: R. j0 ^* c/ b% {

) T, A' A* c3 Y( L$ [The way it works is very simple:0 A7 H  @$ R) k' ~2 Z" Z
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ M; N" h- \. h9 G* JWinNT) with the CreateFileA API./ F. Q; ?$ {8 w- w( u: G

& F( v4 F4 B# h% n2 ^. x5 v6 uHere is a sample (checking for 'SICE'):0 a, _0 d4 W# V
# p* S6 {+ ]9 D  e+ D& @
BOOL IsSoftIce95Loaded()
& n6 D  L9 C) o5 R{  O" e6 h* K2 Q
   HANDLE hFile;  * |- ^- v& f$ Z0 R% W
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
7 c9 m9 A, s, x  M, }3 C: x6 Y7 T                      FILE_SHARE_READ | FILE_SHARE_WRITE,
6 V( t( G5 |* q0 u                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
6 \) a' ^% |, }8 w8 L# V, l8 Y   if( hFile != INVALID_HANDLE_VALUE ): H. [9 E5 x- y- O! S3 g* |4 X
   {
+ Z3 s, J  L9 j      CloseHandle(hFile);; r' V0 B# g# s2 @( i( Y7 ^3 ]
      return TRUE;
/ u1 X. z8 k6 H; x) m   }
: |1 W* u1 V' U   return FALSE;
+ g+ p* u2 k$ a. U: n0 j3 P}
3 c/ s  R1 w& K2 U4 f& k+ R
7 c7 `/ ]$ r: [" H- |$ M5 D; x' LAlthough this trick calls the CreateFileA function, don't even expect to be
" d( q$ ~4 l& }" bable to intercept it by installing a IFS hook: it will not work, no way!+ u' T5 V, w# c
In fact, after the call to CreateFileA it will get through VWIN32 0x001F  D) `5 U; n% W. I$ q* _0 S
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)" g" w+ }! m9 K" G( w3 \0 b
and then browse the DDB list until it find the VxD and its DDB_Control_Proc' z2 d' G8 ~+ Z( S
field.- ]! @: u( s4 p2 f' V  J
In fact, its purpose is not to load/unload VxDs but only to send a
( i# o- J& S1 z: k8 D" `W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! r  I' y) Q" ]" ]+ A! m* j& j8 Q
to the VxD Control_Dispatch proc (how the hell a shareware soft could try3 j9 ^5 A6 T% p1 C: B/ R2 P: u; @
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
' c- G( k( r. d/ R4 {+ x* U0 m& QIf the VxD is loaded, it will always clear eax and the Carry flag to allow4 j  s5 C6 k' O, u( r6 x! p
its handle to be opened and then, will be detected.
3 ?! e: ?' c3 V( |8 f+ C/ qYou can check that simply by hooking Winice.exe control proc entry point, {" Z/ M4 u: P% t4 B* O1 C
while running MeltICE.9 p. f: k1 g0 }
/ X+ t4 t1 Q- _3 s

; q1 ]3 B# y8 ~5 d, q9 E  00401067:  push      00402025    ; \\.\SICE
! k% I0 q3 c. {5 t% Q' z; X  0040106C:  call      CreateFileA" @* J* V. F2 `5 t# E$ S# i
  00401071:  cmp       eax,-001
" z4 \. n! Z0 k- K' ]  00401074:  je        00401091
2 k; B/ x1 m' b! g+ A& D( ?
5 c5 t( I: S! s) Y# A! ?- v' i2 F9 S) Q
There could be hundreds of BPX you could use to detect this trick." y4 c2 r) C+ a# J( B
-The most classical one is:* ]( {! b$ q" O4 a1 D
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||% c( \: r# t9 ^- I, _4 ]: E$ R2 g
    *(esp-&gt;4+4)=='NTIC'; l" n; n8 q/ ]' K: b

+ `) t  F) z9 {, h9 d7 W-The most exotic ones (could be very slooooow :-(  z3 F- i$ G3 A
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
: E* M9 a- o* Q9 ~' }8 s0 |     ;will break 3 times :-(" Y2 s& S2 h' G8 a- ?

6 _: p4 m/ ~. j3 d-or (a bit) faster: / {% h" d4 v, J9 r" m- }5 ^; P( q
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
4 R, L* }6 }3 ?! ]' ?% Z
, n3 h9 x" i) l   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
$ Z" I4 f* w8 Z     ;will break 3 times :-($ Y1 Z# v9 d. O4 a* k- g
8 F5 [! @; ^- s3 |# e' h2 J  i& A
-Much faster:
% T  V" ^. ]3 V   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
/ f% n: M7 F$ f. x" W2 h4 w* o8 l3 `; U0 M6 T. ^
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
/ T0 f! F+ j; {9 q  m+ Tfunction to do the same job:
2 I. C# E) A: B/ s
; ?! F8 a/ F' Y/ {5 t- H! H   push    00                        ; OF_READ
# m2 z. m' e) Z* h& g" s   mov     eax,[00656634]            ; '\\.\SICE',06 ^! j& Q  p- D! x4 C2 f8 L- M5 @
   push    eax
  Q2 d; V3 M( ^   call    KERNEL32!_lopen
% m, n! Y; }8 b6 H) D   inc     eax4 Y+ v# H& H5 H' l
   jnz     00650589                  ; detected
! ?8 t( r2 ]1 S0 g, h- M   push    00                        ; OF_READ
3 _/ x5 A- T3 X: O! R1 O* M: K   mov     eax,[00656638]            ; '\\.\SICE'
) v9 i8 \+ n8 W$ a* J   push    eax
  R/ P' N7 S1 E   call    KERNEL32!_lopen
6 K! \6 w: M' X, ^$ B2 y   inc     eax
  q  z  I0 M% A: q) M+ u5 M   jz      006505ae                  ; not detected
$ b0 s  {5 l7 X) i- C) J6 X$ J( S( P, e0 I: F2 `+ a( B% \6 Z: [

9 O" @# W! K6 T, U7 Y6 v4 O__________________________________________________________________________
, V, e* p5 k, U6 |9 d
5 m8 H: {( \1 A" p8 rMethod 12' ?: ]0 N) h, L6 Y. g6 q$ F
=========0 J. M& |9 `0 J9 E2 [# K! w6 i# V

* N; G( F; n+ r3 KThis trick is similar to int41h/4fh Debugger installation check (code 051 h; B2 r9 Q4 A; D
&amp; 06) but very limited because it's only available for Win95/98 (not NT), L) y( Q5 e5 n; I
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 y" n% o! b5 J. P
1 e, \' q+ g4 L# Q
   push  0000004fh         ; function 4fh
: o- I3 X! K, u0 Q# B6 D   push  002a002ah         ; high word specifies which VxD (VWIN32)6 l- T$ U& u& Q5 g6 D) U
                           ; low word specifies which service
& s& R4 {% |( ?& Z                             (VWIN32_Int41Dispatch)8 S# H7 w2 e; b& c* u0 D
   call  Kernel32!ORD_001  ; VxdCall
9 C. K( w. ?; W& e   cmp   ax, 0f386h        ; magic number returned by system debuggers7 G7 R* A" n1 p
   jz    SoftICE_detected
3 p6 M8 A$ M% e+ {9 i( n- n$ w- x8 {! a/ j" t
Here again, several ways to detect it:
- y- j+ m4 B" O2 R. a# G4 ?1 p) W  G9 \0 K" N. i! h
    BPINT 41 if ax==4f6 @4 w- a! z: t1 d
: g9 ?( n* ?4 p1 C
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
; I* \& I0 W5 E3 o& i- t' Y2 t/ o/ J' c* s4 a' Z/ I9 c
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A9 o/ l. }5 z/ ?# |2 c3 [
# d1 f3 W( a5 Z+ g) y9 ?
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!- h3 c7 V! A! i  l2 c
( h- y2 n* G& B$ X5 k  y% [
__________________________________________________________________________$ U( B  a9 B9 Q# p

* Y, u; L& i; H" q0 ~  qMethod 13
! P' K- z6 S/ L1 V. P=========
1 }) X' h8 H$ s; `& Y. b: v5 l& [2 Z4 r0 s4 h: i- x0 J4 {
Not a real method of detection, but a good way to know if SoftICE is
) R/ Y) c" W1 Zinstalled on a computer and to locate its installation directory.. p9 @, \. v+ t2 G$ p  U# x
It is used by few softs which access the following registry keys (usually #2) :
$ _) b' J. U7 l( l- R
% k7 _8 g7 k& f8 r8 A-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
/ ?8 K1 z& R; L+ b' c( [\Uninstall\SoftICE5 h% A& d5 x" w  B/ z
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
" t! o! y8 Y$ o+ ^4 O2 C-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 }2 q8 J" }2 f! E5 _\App Paths\Loader32.Exe
2 ~. m" g7 ?2 {4 D1 y
' j% f/ k4 `* H- D: C% G, V. M  l8 F6 _9 V$ n$ p
Note that some nasty apps could then erase all files from SoftICE directory$ {) Q' h, K+ }2 Q/ p2 T. ^
(I faced that once :-(8 ?: y# M7 i9 N3 N& v5 d, w2 }. E
% F8 Q) i% Y# j8 y3 o/ Q" a4 n; @
Useful breakpoint to detect it:" m) K2 u7 e3 D' S" Z7 h
6 d& D+ {; t+ O* w( P0 u. ]
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
9 M  O1 c% S* X9 p0 x! ?1 O9 d! f0 L$ ?' s) C1 ^* f( S
__________________________________________________________________________7 }' L4 d8 {, @% c
2 R+ {6 e  x" \- [' y( I
2 b  a" u' p! C* G4 k
Method 14 4 Y6 v! C. c, ?# u
=========3 r& K, F7 T2 g4 B3 R- d6 x

9 i5 u) B2 B  p9 D( J/ F0 w) fA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose  x' a- i: b- ~- d
is to determines whether a debugger is running on your system (ring0 only).
1 d- C; ~* m- o0 a3 O3 O. |! d8 ^% z, V3 g  q. h/ y5 H( ?
   VMMCall Test_Debug_Installed2 e7 Q. y5 t, t1 E0 S4 P
   je      not_installed; P, I. a3 _) T
. c$ \/ N) _6 C% E) Q+ H! N
This service just checks a flag.
# B5 ?' I- P% X  ?</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 09:51

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表