About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 (IVT segment), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: a value the debugger cannot predict
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the SICE device only succeeds when the SoftICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
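The instruction sequences and strings quoted for Methods 01, 02, 05, 07, 11 and 13 are static signatures an analyst can look for when triaging a protected binary, without running it. The scanner below is an added example, not part of the original article: it assumes the standard x86 encodings of the instructions shown above and runs over a constructed sample image.

```python
"""Static triage for the SoftICE-detection idioms described in Methods 01,
02, 05, 07, 11 and 13.  Added example, not from the original article.
The byte encodings are the standard x86 ones for the instructions quoted
in the text; the sample image at the bottom is constructed for the demo."""
import re

# One regex per idiom.  The optional \x66 prefix covers 16-bit register
# operands appearing in a 32-bit code segment.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    "Method 01: BoundsChecker 'BCHK' probe via int 3":
        rb"\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC",
    # Method 02: the back door magic values mov si,4647h / mov di,4A4Dh
    "Method 02: SoftICE back door magic SI=4647h DI=4A4Dh":
        rb"\xBE\x47\x46\xBF\x4D\x4A|\xBF\x4D\x4A\xBE\x47\x46",
    # Method 05: mov ax,4Fh / int 41h (the 0F386h compare follows)
    "Method 05: int 41h/4Fh debugger installation check":
        rb"(?:\x66)?\xB8\x4F\x00\xCD\x41",
    # Method 07: mov ah,43h / int 68h
    "Method 07: int 68h/43h WinICE V86 handler check":
        rb"\xB4\x43\xCD\x68",
    # Method 11 (MeltICE): driver device names opened with CreateFileA/_lopen
    "Method 11: MeltICE driver handle open":
        rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00",
    # Method 13: installation key in the registry
    "Method 13: SoftICE registry probe":
        rb"Software\\NuMega\\SoftICE",
}


def scan_image(image: bytes) -> list:
    """Return (offset, description) pairs for every signature hit, sorted by
    offset, so the analyst sees which combination of idioms a packer uses."""
    hits = []
    for description, pattern in SIGNATURES.items():
        for match in re.finditer(pattern, image):
            hits.append((match.start(), description))
    return sorted(hits)


# Constructed sample image (not a real binary): the HASP fragment from
# Method 02, the Method 01 probe, a Method 05 check and the MeltICE device
# name, separated by NOP padding.
SAMPLE_IMAGE = (
    b"\x90" * 4
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB")
    + b"\x90" * 4
    + bytes.fromhex("BD4B484342 66B80400 CC 3C04 7500")
    + b"\x90" * 4
    + bytes.fromhex("B84F00 CD41 3D86F3 7400")
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for offset, description in scan_image(SAMPLE_IMAGE):
        print(f"{offset:#06x}  {description}")
```

Short patterns such as the int 41h/4Fh pair can occur by chance in unrelated code, so treat a single hit as a lead to confirm in the disassembly rather than as proof.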

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.