About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: with EBP = 'BCHK'
and AX = 4, the INT 3 is serviced by SoftICE, which modifies AL. If AL
is still 4 afterwards, no SoftICE answered the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door' commands, which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks up the SoftICE VxD by its device ID through
int 2Fh/AX=1684h (the 'Get VxD API entry point' call): if the VxD is
loaded, ES:DI receives its API entry point; otherwise ES:DI keeps the 0:0
the code pre-loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the int 41h
vector at its own dummy handler (the code assumes ES = 0, the IVT segment,
which method 06 sets explicitly), so on a plain system the call returns
with AX unchanged; only a system debugger that intercepts int 41h below
the IVT, as SoftICE does, can still answer F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; swap in our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect, since
it does not use function 4Fh (a "BPINT 41 if ax==4f" will not catch it).
The dummy handler copies AL into CL. AL is first loaded with an unpredictable
byte read from the timer port 40h and CX is cleared: if the int 41h reaches
the program's own handler, CL equals AL afterwards; if a debugger swallowed
the interrupt, CL is still 0 and differs from AL (the check misses only when
the byte read happens to be 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                 ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]        ; swap in our handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h               ; unpredictable byte from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
the Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 if the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


; m5 B2 z- W% }4 H8 E' L8 Y1 J5 oMethod 14 , D( d. z' k; n: b
=========
& D" T% [9 y# ^0 U, H
/ @$ U' N7 z; L0 h  D' ZA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* t. m0 R5 O% W6 d* }! S0 i- w5 S
is to determines whether a debugger is running on your system (ring0 only).+ c" s: q2 q( c$ @( {+ q

" w4 D  p1 T9 a" [   VMMCall Test_Debug_Installed
" H7 `. J3 n1 a0 w   je      not_installed
; z( U2 T+ ]6 K3 h7 d3 a+ U
) q* U$ I3 U7 N0 t- uThis service just checks a flag.
3 Y7 A4 Z+ q5 i</PRE></TD></TR></TBODY></TABLE>