找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
, w: Y4 _: f3 V6 C* o( ^1 M- F: ~<TBODY>
; R3 e3 T& w5 v; c/ p<TR>9 E. f. r2 z+ `/ h
<TD><PRE>Method 01 # W" W+ a# O, J& b! \
=========
( U# f& J) @" ?8 h) I" K4 P
9 l0 o' Y2 i1 i5 E* z% a( _1 KThis method of detection of SoftICE (as well as the following one) is/ m9 B4 e2 _) Y. ~7 p2 P7 ?
used by the majority of packers/encryptors found on Internet.
- ~) ^+ `8 _5 T+ ZIt seeks the signature of BoundsChecker in SoftICE
' r' r, c) [1 M: ?- ]) K3 x
& P# t# Z( Q" {1 v( l0 ~    mov     ebp, 04243484Bh        ; 'BCHK'2 g4 P) K7 f% [3 l- Z& P
    mov     ax, 04h
" f# ?9 {7 L- L7 F' ~0 i1 I, U    int     3      
2 I8 N8 l8 k8 v& O    cmp     al,4
, l0 N+ O: w' k! Y; R% l' Z    jnz     SoftICE_Detected5 R3 Z# c0 E. v& C6 i

( {# d3 [: E9 Y5 N, U; P, O( j: b___________________________________________________________________________
5 z+ m" w, o: c5 c. G! F
2 |# W( a# O0 U3 J; n( p" ^Method 028 @/ h! S( b8 B: A/ C6 ^
=========, q$ Q$ f/ V. x; _* {
- n: ^1 C6 @3 Q, k5 L( Q# b
Still a method very much used (perhaps the most frequent one).  It is used
" w5 }. b* ]4 C% j7 s; Hto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
4 D- T' O/ S2 P4 i, Tor execute SoftICE commands...
& x# Q* B8 ^# |, i, _/ M& gIt is also used to crash SoftICE and to force it to execute any commands9 G& K4 @- c7 j: O3 f2 a
(HBOOT...) :-((  
; n0 P/ T. Y7 g5 o" W7 j3 S8 i
/ u# {5 D) n6 c7 |Here is a quick description:9 x' p% Z( i. W5 L+ M8 x3 B6 |& N8 G0 K. @
-AX = 0910h   (Display string in SIce windows)
- H" H! v0 z7 \, i+ \0 ^-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
6 S) D5 |/ u% N8 n# w6 Y8 l; o- C-AX = 0912h   (Get breakpoint infos)
& D& f' {/ j$ I" V. q) q7 H' p-AX = 0913h   (Set Sice breakpoints)
4 a& d8 _* m# W: o9 c6 w+ |-AX = 0914h   (Remove SIce breakoints)
- Z" _  A- [- [" n8 t" n+ ?) e8 c( b% ]' `
Each time you'll meet this trick, you'll see:3 e: j  v) T6 }9 T7 h6 b5 S
-SI = 4647h
0 k5 i0 }- ^' R" v" n& F, ^3 v-DI = 4A4Dh" f4 I! R  \$ G- |) t/ T
Which are the 'magic values' used by SoftIce.. b: Z1 c4 D9 z% t: J8 R
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.  |- x) o0 |8 m2 b; L, w, h3 ^$ @

+ o  @9 ?2 N  AHere is one example from the file "Haspinst.exe" which is the dongle HASP
& n( u! D& j; z% |! w  C# wEnvelope utility use to protect DOS applications:
2 t1 @7 z$ I& J; L8 X7 [6 l+ j0 f; }" J- E3 Q2 e

. B, A# |3 z& e8 b4C19:0095   MOV    AX,0911  ; execute command.( ?) V: L# z9 o! ~2 D
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
) @+ D+ S% T9 D" E# T6 J4C19:009A   MOV    SI,4647  ; 1st magic value.0 `0 W; _3 Y& j/ }: N; K- E0 R
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
3 [' I! b9 I' R3 m. I* a0 g4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)+ o8 z2 T5 t+ ^
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute) T) H' Y5 ~1 L( S0 x' i
4C19:00A4   INC    CX
: ]! M9 \/ o1 c' ]  H/ X9 {( U4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
+ S: f6 `+ f( p* }4C19:00A8   JB     0095     ; 6 different commands.
8 }- l1 T& |; \/ }4C19:00AA   JMP    0002     ; Bad_Guy jmp back.# C; Y$ A. \$ C! p3 K7 W# V8 g
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 r3 ]% h' R8 ~6 O- Q$ G
* q$ z) {4 R6 n. w. pThe program will execute 6 different SIce commands located at ds:dx, which
! m2 m# }3 Z; ?$ ^! b" ]0 d- vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
/ E0 g0 ~0 _$ R" B' j/ F$ s6 l, L' h( c9 k  P$ e# _/ V
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
; ]4 J# \* t, z% w3 ~# ]___________________________________________________________________________3 P- e6 @. w9 z( P2 D' n/ A! v

) h. P' t1 Y6 ^9 _7 [, {# h  P3 P7 F- V& M' W9 V4 d* R* K
Method 033 d* n+ |7 f* q' s% v+ U4 ?  H, r
=========
& v3 N, j) B, ]$ y! R3 N" Q& w! C- p- ^; \. v- l3 ]& y
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h' _9 w. j  f' l# o
(API Get entry point). O5 Y4 f$ v( v& J  b8 P
        
' x# T2 S# M/ `0 I" G# a
% o1 @! m' K1 k  O. U, U    xor     di,di
8 F* I7 d. x- C, I/ Y$ B; l9 ]: |5 w    mov     es,di
8 r& ]9 O; A: w  g* t/ M4 S    mov     ax, 1684h      
' _/ F* l, J1 n7 A  W    mov     bx, 0202h       ; VxD ID of winice' k- U; {6 h+ I. j# s
    int     2Fh
6 T- [: f  k# ~! ]% D8 }; S    mov     ax, es          ; ES:DI -&gt; VxD API entry point
* `$ h; g1 J) e" a    add     ax, di6 I( l- x2 \5 g+ x2 c6 ~, x1 A
    test    ax,ax
- m6 n/ K/ i$ d8 {/ t    jnz     SoftICE_Detected" q) I1 N& Y& Z; X( Z

; ^( S5 [0 g: j___________________________________________________________________________9 L/ s& m0 b! F6 p$ q$ n- Q$ D

8 u2 m$ C& C" u" K- p5 iMethod 044 v( ~6 k  g2 W6 s. x' j  B2 G4 i
=========9 V8 T: ?  A' t- q

/ ^  b& Y4 |2 A6 sMethod identical to the preceding one except that it seeks the ID of SoftICE
6 A$ y' l% L3 z4 A; NGFX VxD.2 D3 }6 d9 P6 k/ u5 W
# c; K: N  _- s
    xor     di,di/ \8 h$ N; `2 f
    mov     es,di9 `; _5 R9 i& }
    mov     ax, 1684h      
% ~) m4 y% @* j) N. f& b    mov     bx, 7a5Fh       ; VxD ID of SIWVID5 D- p, [( o& o" f7 I
    int     2fh+ a4 @' A* d9 z& T& @1 G
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 q& H# [5 a) S4 B1 W' W    add     ax, di7 L' g# }7 u% P* E6 ~
    test    ax,ax
& p6 J, L' n1 o7 B% G3 ^1 q+ r    jnz     SoftICE_Detected% C( o+ t* Z4 Z7 O! M: j) H+ W5 W3 ]
* s$ N7 V  I. z# z/ ^( L
__________________________________________________________________________
# G; D, r; [1 g$ N0 v3 o' n+ G2 h2 T9 E+ H5 L0 r% d* _
. f8 `- l% D  a( c; I- w
Method 056 y7 ~0 E. [6 E- h  U
=========7 i3 U5 \- m2 r" ]9 w) b" U/ v

5 P$ r4 H4 a5 _  L( {3 ~8 hMethod seeking the 'magic number' 0F386h returned (in ax) by all system
4 L" k3 O1 s, R2 pdebugger. It calls the int 41h, function 4Fh.
; X" J6 B1 b' c. v: pThere are several alternatives.  , ^' j5 L% ]- D. g: e3 M( D

! P0 t$ T1 d. k+ r% f' ZThe following one is the simplest:, v+ }5 k+ f) A6 L" C) O5 }

: X6 i5 P* E) h; [# `    mov     ax,4fh
, r% S2 p; k+ S4 W% v# a* q% ^( O; R    int     41h. a3 o6 x, o  C( D2 _7 O) C" \
    cmp     ax, 0F386
% h0 b- w% r3 U% I& e    jz      SoftICE_detected* ~' q: q, l3 p7 e- A3 y  e4 j( R: @
3 y' Q7 D* C* c6 r! m
) J9 w. q- q* L5 o: h
Next method as well as the following one are 2 examples from Stone's ! R$ ~) O: j7 v3 U
"stn-wid.zip" (www.cracking.net):
5 v: h( r0 ~- d$ m4 }. }4 B" {# ^/ b
, ~& N# T2 Z; j, q7 s    mov     bx, cs" b0 ]! t* Q9 D! H
    lea     dx, int41handler2
9 E" c% x0 o- H8 R    xchg    dx, es:[41h*4]& J) y  G$ y$ K
    xchg    bx, es:[41h*4+2]
2 h& n$ i" Z+ g. y) F4 u$ J, _5 f  p    mov     ax,4fh$ o* t5 i( q/ X$ J2 c6 B$ v7 f
    int     41h
$ @3 ^7 N7 s) _; g' ?# Z# J5 R    xchg    dx, es:[41h*4]
0 z- T0 H$ P. O    xchg    bx, es:[41h*4+2]: M7 o- P4 N  @  _5 S6 e
    cmp     ax, 0f386h
$ j  W6 I" u" B) |6 u& i: {    jz      SoftICE_detected) @, q% R8 N+ L( H& x/ R

# M5 y) g9 @6 yint41handler2 PROC
% t. g5 v% B$ y: M/ C& Q    iret1 Z# d6 A: U7 j
int41handler2 ENDP3 ^) A7 \. e& w8 w& v
) t+ }4 r& U7 v, b* a# {

( S3 O7 t4 i0 K+ J_________________________________________________________________________
8 d. R# G$ q, G0 J5 P! P
. U6 n- M, w* C( }9 b7 X$ F( r8 G/ W" ^$ J- c: w
Method 06! A. Y" S6 h+ [5 q  Q
=========
/ ^' d2 Y8 Q3 [. D/ ~! y2 e9 R, W5 ~# V  q6 I
- [2 b3 r* |1 r  j" Z
2nd method similar to the preceding one but more difficult to detect:' ]( M. b3 [) F
2 C9 c) e! V1 e

6 ?0 L7 i5 S' V% |, `7 J6 |  |int41handler PROC9 i# J" y- q0 E+ N/ C
    mov     cl,al8 Y$ x/ b! V$ a( e) n
    iret
' X/ }& c' b" }3 B- P. L0 x* _) qint41handler ENDP  T- M  V6 q. ]# m9 t4 x# \

# w8 O  [& [; Z) j" [7 F5 U; D* v0 x. _2 e! ~" X2 v6 a+ s- z
    xor     ax,ax. B7 Y$ e6 u# t+ ?: A
    mov     es,ax; D. o! H0 Y. O/ V, l# k) \; g
    mov     bx, cs
! |* L/ r, n  K    lea     dx, int41handler
: q; e5 N) [8 S/ ~    xchg    dx, es:[41h*4]
, N5 N2 U0 ?; V    xchg    bx, es:[41h*4+2]
% r8 t% h( x" t6 |- D    in      al, 40h3 R5 @- R0 S* i( Y+ V. \& H
    xor     cx,cx* |9 s) M2 u4 D/ s7 t
    int     41h
2 ^- B  h8 G' r$ m8 K    xchg    dx, es:[41h*4]
7 N. M# d+ V4 c, O. w    xchg    bx, es:[41h*4+2]( H8 c1 N/ W; Y7 B0 B; {& Z' u
    cmp     cl,al
9 `$ i! w9 w8 [- @" Q( b2 ?0 r  s    jnz     SoftICE_detected/ ]9 G  N4 U6 f% Y
, s7 [5 f$ M4 O, b( |2 A: a, N
_________________________________________________________________________
8 i, y8 R  B6 A7 N# I* C
' z, d9 K3 [% NMethod 07
1 {# x$ v3 K( s7 o/ ?& P) y9 \=========+ n" {% s3 R) S) D; j3 \8 _0 D0 `: O

2 c7 H: U% P5 @Method of detection of the WinICE handler in the int68h (V86)
, C# Y) G* c  m3 h1 H8 ]! A- x" @3 }# n, ~8 G
    mov     ah,43h! \8 K+ v4 U! E% F8 \' o5 q
    int     68h3 y( S0 _; b; g: T/ n% Y' R1 C, V
    cmp     ax,0F386h
* w5 o7 Z. \, M% o/ ?, B    jz      SoftICE_Detected
( T- g( M' h7 w; Q5 w1 y" |' w. b. X7 k0 M+ ]0 w
' Y! i* O7 ^  k% `
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
/ y/ y; C6 j. p' q   app like this:4 f) G) k9 U; N+ n9 c* v
0 V3 j: Y' w0 z" t! p
   BPX exec_int if ax==68! K( u  p5 ]9 o0 R
   (function called is located at byte ptr [ebp+1Dh] and client eip is
* j2 s& s! j" u; [9 T1 X   located at [ebp+48h] for 32Bit apps)0 G2 i/ q- c* R- J: i/ ^! q3 p
__________________________________________________________________________
4 l: ?7 Q# m& t- Z1 L. L- f* i. P) N9 a  V- {

( u! Y9 r* w* Y" n5 h- PMethod 08$ G; A+ e! s/ C  I1 w, g% R
=========) r  |! W' v0 `( Q) E$ h9 s: }

6 q% j" I6 ^; ?7 GIt is not a method of detection of SoftICE but a possibility to crash the" P- ?9 ?3 }% g( z  m8 q  [- |, o
system by intercepting int 01h and int 03h and redirecting them to another0 [* R" U' g# S
routine.# E3 {' C4 @" r: [" a0 D% P
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points$ q8 Z0 B0 X8 s
to the new routine to execute (hangs computer...)8 v, c! G- D  C! h: M
# |/ A7 {& Q9 I! a- o* N, L, E
    mov     ah, 25h, o0 b! G( F. [: t8 \$ {
    mov     al, Int_Number (01h or 03h)
9 ?: F+ q9 j# L- f    mov     dx, offset New_Int_Routine
% `, p' y* }, [- J9 t    int     21h. M1 z+ K' z' Y& F& r5 ~& [
! q. w/ B% }! m% V0 y# T/ ?
__________________________________________________________________________' w* _, \; A$ R" I- p( D
0 Z$ |' n$ `1 H; `2 W
Method 09
" W' m# ~4 j8 G1 o& D=========
0 t) L) I, F" X
4 d9 Y% D7 \3 r/ DThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
* O+ A, e; J6 O. p' Aperformed in ring0 (VxD or a ring3 app using the VxdCall).
+ i3 e/ l9 i$ Q4 |9 d4 FThe Get_DDB service is used to determine whether or not a VxD is installed
) `1 A6 o6 [, h$ mfor the specified device and returns a Device Description Block (in ecx) for2 v8 I" a) R) u; K( k
that device if it is installed.# A6 r. @0 ^1 d% k- q

" a/ |, l" e5 G2 l8 [   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID! P7 i7 c  I9 B. l9 X6 D/ c; A  x! M
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
8 Q7 V, K' O+ P   VMMCall Get_DDB: c+ W; K/ D9 D0 L- L8 F2 e
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed5 b; i& ?. p( t$ l

( f/ Q2 _: c: W1 LNote as well that you can easily detect this method with SoftICE:
" H& `( b7 |* c+ |* O& r5 ~, e5 T0 z   bpx Get_DDB if ax==0202 || ax==7a5fh
. o* m/ \, Q4 t8 H& n
4 ?- z3 J+ l! Q7 H__________________________________________________________________________3 B4 Z  I( R/ t. Q; ]
4 m8 C6 V! x  E6 @) \
Method 10  J5 ~; e! E4 i# q) H# |$ O
=========/ w- k/ ~4 v) f/ f, L. n

' M2 ?- a; x/ _% Y1 o$ d=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with3 U1 M$ C( j* ]7 W4 S, ~1 ]& g/ A& n
  SoftICE while the option is enable!!
  D2 m- H6 N4 r( x* x. H9 E( N2 Q' E# n
This trick is very efficient:6 [* t# [6 z0 K7 O( I3 v0 M
by checking the Debug Registers, you can detect if SoftICE is loaded7 E+ p' N9 V+ K
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if$ V8 \. L1 s1 M. x3 W3 k
there are some memory breakpoints set (dr0 to dr3) simply by reading their2 B8 _4 R- I0 i3 Q5 W1 ]; q
value (in ring0 only). Values can be manipulated and or changed as well
2 ^! ]2 s9 r( i  t(clearing BPMs for instance)
( J2 W6 p, y8 y# D9 Y% h& A3 j7 c" x9 t" p5 I7 S9 A
__________________________________________________________________________
$ |) D9 o3 q2 N8 ^' f5 I/ e; [) g, X8 _* F5 I8 k9 u
Method 11
0 P( U4 B  \& `- ?( _: ]=========4 s! |# m8 V' z# E* u1 _0 E

; o7 _+ t4 s7 {5 q# y) `% ~This method is most known as 'MeltICE' because it has been freely distributed! \+ J& v, E6 x! _" K! A4 }
via www.winfiles.com. However it was first used by NuMega people to allow
- ~: i6 M+ ?$ y) C) U8 gSymbol Loader to check if SoftICE was active or not (the code is located+ l1 Y) @2 z' w
inside nmtrans.dll).' f; T* B5 m( }+ @/ `

; E' X( m+ k4 q  ~1 F& WThe way it works is very simple:( L3 w! g) C" @  @7 n
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for+ V8 v3 E6 {5 ~; t% H
WinNT) with the CreateFileA API.
- I4 c, S- j7 Q
8 l9 y- E2 f+ A* i- t% tHere is a sample (checking for 'SICE'):" p6 B5 W( l/ g- }
% ~' a5 m/ v2 X. ]; r
BOOL IsSoftIce95Loaded()
+ }9 j. j$ J2 @  A{4 ]9 H" V% M) a7 F4 v! {' z
   HANDLE hFile;  % z" p7 v6 L0 v' {* D, y. r
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,+ O4 [" b  e" m  w4 K
                      FILE_SHARE_READ | FILE_SHARE_WRITE,3 `8 u% B: N: g$ h9 o
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 K- _( Z) T, x8 E, c
   if( hFile != INVALID_HANDLE_VALUE )
5 b) I/ `/ F% j9 c   {  F( {; ^. f3 X9 ~7 _/ v
      CloseHandle(hFile);7 w- H; q  n4 `' E9 x% S$ ^1 g
      return TRUE;0 @& F+ |. r- D1 F" a
   }
! ^1 ^+ S4 p$ o4 [7 n   return FALSE;
7 T5 Q  S; @! s9 K! x}
+ M) [/ Q/ P: F1 M+ O
8 @5 R# |: ?- n& c* n9 V2 q' X2 E# GAlthough this trick calls the CreateFileA function, don't even expect to be
; M6 P) m" P; [* `. j6 Iable to intercept it by installing a IFS hook: it will not work, no way!+ g: B, x: |; p1 i7 \
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
8 X) G) k! c3 a/ @" Kservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)% b# T, B' Z2 s
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
0 L' A" k. m* V5 H5 _field.
0 U) u  p7 Q$ b7 E/ o- ~$ M+ }9 GIn fact, its purpose is not to load/unload VxDs but only to send a
& Q1 h0 m4 k# x) Q# dW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
0 Q4 z! e! C9 p+ F4 M& Vto the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ o/ N/ S* u% F7 c4 t1 k8 Hto load/unload a non-dynamically loadable driver such as SoftICE ;-).9 P* Q7 ~7 m+ I3 ^" _6 L
If the VxD is loaded, it will always clear eax and the Carry flag to allow
1 ^/ y7 W+ {4 f7 R8 A2 B7 c3 eits handle to be opened and then, will be detected.
3 d4 {# L+ l! p( g3 d5 dYou can check that simply by hooking Winice.exe control proc entry point
$ o+ C8 q6 a8 ?while running MeltICE.
$ z+ m5 X7 C0 f  s( o* J, ]% J& J* |, r3 j4 o- N. j/ e2 P
5 u; w2 h) }  s. _+ r" a. L! I7 a- E+ x
  00401067:  push      00402025    ; \\.\SICE
9 o( Z9 i. W/ c8 W- N  0040106C:  call      CreateFileA2 O4 ?# R' m$ `" S; u! e5 z4 a5 Q
  00401071:  cmp       eax,-001
& Z2 h; e8 b: {, h3 Q* I: _1 J  00401074:  je        00401091& ^6 ]) s" v" R4 U# D4 {  G, Q8 @
3 v+ m# \5 L8 |* ^  c) [9 s6 h
+ y# l& a" y/ l
There could be hundreds of BPX you could use to detect this trick.3 U8 \! d& j! X$ i; P
-The most classical one is:( f+ q' z' v+ G# m! o3 x
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
* b4 j3 f8 n. k    *(esp-&gt;4+4)=='NTIC'
, B* @7 P! Z+ x7 s3 z1 C) e, u& r  D3 U
-The most exotic ones (could be very slooooow :-(& x' |0 G+ r8 E$ |9 q; \: F) E
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
+ P# t# [% J& ~! C9 O     ;will break 3 times :-(
/ s8 U7 C/ f/ B+ Q$ _4 j% U2 ]4 d$ I  C
-or (a bit) faster: % W) I- D# q- h4 a2 A- Y
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
) b. o, [3 n6 O8 m% V; A: ~) G; X) [# F( A! w+ v
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
0 G: d2 [8 ?) u     ;will break 3 times :-(
2 T3 J0 R- j3 E3 e! S. i
2 U6 o% ^1 @! `, D+ ^6 O-Much faster:
. f: M) v: ?: |' W9 @   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
$ F, H; f$ i4 S6 O
$ J. r- _4 t6 f% |9 lNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
# b; s+ @0 c8 J: _function to do the same job:1 V8 A: p, m* E/ u
* X5 Z7 |* G% H9 J0 U  ?8 _
   push    00                        ; OF_READ
6 B& E* j4 J! q0 D2 e# _4 j9 ~& @, S   mov     eax,[00656634]            ; '\\.\SICE',0. {9 q9 d, o3 V7 y" ?8 v: Z
   push    eax
: r2 ^& }3 k5 f- ]   call    KERNEL32!_lopen
5 T9 p- |+ u; @; ]   inc     eax
4 i8 \/ e# j" H. }   jnz     00650589                  ; detected1 M6 }5 U5 j/ y4 d
   push    00                        ; OF_READ, p, C- {/ t# g$ g7 U
   mov     eax,[00656638]            ; '\\.\SICE'
; o% ], q' P& ^8 a   push    eax7 g- [. D4 T: q* y
   call    KERNEL32!_lopen6 R) H6 d! S. @( c& l( i
   inc     eax
) U' X7 O2 k2 G) p$ g3 r   jz      006505ae                  ; not detected+ n  N8 L* Y6 k& ^

, j. x/ B$ l: E: o$ `1 i, R4 @* N" {2 L4 A* z5 T
__________________________________________________________________________8 T8 S: o8 h" a

% X& L, W4 g* e. L5 D4 |( I# TMethod 12
+ g4 H% h" q1 A' h9 F! Y6 x( X; U=========
0 C% d- u4 t- z7 K0 }( d7 G, H2 E) i8 `( c3 `. q
This trick is similar to int41h/4fh Debugger installation check (code 05, H6 |* L+ Y( _( z0 x
&amp; 06) but very limited because it's only available for Win95/98 (not NT)0 D& E1 q; _6 w, f
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.& p! g0 f/ u* ^4 {: R

, g; U2 A3 v9 J8 a   push  0000004fh         ; function 4fh
& j6 \! l: b: y3 o9 h   push  002a002ah         ; high word specifies which VxD (VWIN32)# `  |5 d$ Z4 S  b  W. d
                           ; low word specifies which service3 t; Y! |3 b! N, g" M2 g
                             (VWIN32_Int41Dispatch)' C; n* l! E2 z# O1 T. ]) ]
   call  Kernel32!ORD_001  ; VxdCall
9 y2 Q( m6 \% P6 a. w   cmp   ax, 0f386h        ; magic number returned by system debuggers
/ [6 g+ @# w4 q3 Q* e, p   jz    SoftICE_detected
2 e3 W; Q5 Y% t2 O7 i& w: X* h8 ~$ E2 q& y3 c# \) j! l! U$ n. x0 H
Here again, several ways to detect it:
& c) q8 a: m/ X1 o- |8 ?% J" ~* S) A4 t# f- |9 h2 E
    BPINT 41 if ax==4f
, P4 A' e8 A8 z8 A# f4 t' |; u3 _  H
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one3 U) @4 ~5 ^% z
, m: ]" @0 m$ R! G! B
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A* S; L( x% b! z& v1 ~) p/ ^3 c
/ I. j7 u1 z1 h9 U
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
+ E' G/ R& h2 n9 p/ q7 \* K  D% A) f2 V5 v
__________________________________________________________________________- V( R+ l8 [! _; [) s7 H( X$ Y; ?

& S* E  E6 @, ~7 `% E! i( u  NMethod 13/ @. n+ |7 C- p1 Q; {% l$ g
=========3 E( G; \' H$ h3 U" \: U- s

) P9 O9 Y% V6 cNot a real method of detection, but a good way to know if SoftICE is
2 A2 K& n5 c  O& p( o. dinstalled on a computer and to locate its installation directory.
" f" x: M3 H0 U- ~4 QIt is used by few softs which access the following registry keys (usually #2) :6 H5 l8 g8 [8 [" U% _& Q' d

) ?/ N3 m5 X  x, D) t  @# L. w. b-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
' E. c. c8 t; y8 L6 |8 g1 P( ^\Uninstall\SoftICE+ Q; `% D1 A; t
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE. \' Y$ M/ s! N/ H% K' M, H
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 k9 O3 F' v. ?% e, b5 m9 o( F
\App Paths\Loader32.Exe
4 @% H8 z* L: z8 s' c1 H6 y/ o7 A! w

9 f3 T; t8 k: B1 K8 {Note that some nasty apps could then erase all files from SoftICE directory1 T5 a# W; Q6 H5 {2 h1 _
(I faced that once :-(
/ [0 z' Q6 x9 Y5 z  |8 K! L1 Q; N4 h% s* I
Useful breakpoint to detect it:
- P! O" l: A' K8 {1 j" _' W+ m# {
( U7 c+ D4 h' B0 z     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'! d# s2 n6 @6 b8 i. [9 j0 C

! H& P% D6 C( N7 ___________________________________________________________________________2 s+ m* H, i% z! b
( v$ Q* [$ P. d2 m9 r
# ?  }  q$ E! G0 k) j( U
Method 14 9 u4 K- _2 x" E9 F, N8 u* |
=========
6 w! f( z* I' f( Y1 ^$ Y
6 T; b" {8 ^" a$ sA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose- \8 f  \+ Z' D6 m4 X8 y; v# H
is to determines whether a debugger is running on your system (ring0 only).8 A6 ?5 W0 h% R- O4 g) w* J$ i

+ i3 S* O& _9 C+ b/ ^) W6 [4 s   VMMCall Test_Debug_Installed
% @, ?4 f! N7 y; _/ ~' p# i0 O* v3 ^3 K   je      not_installed
! z( l+ W' ^8 i! w# T5 r5 A+ b4 x4 z5 J$ a! M* U
This service just checks a flag.
5 |% b- g- f# v* k8 I</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-18 09:22

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表