About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86).

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; It is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* Returns TRUE when a handle to the SICE device can be opened, which only
   succeeds if the SoftICE VxD is loaded (see the explanation below). */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);     /* release the device handle just opened */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
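Every trick in the list above leaves a recognizable instruction sequence or string in the protected binary, so an analyst triaging a sample usually wants to flag them statically before spending time in a debugger. The scanner below is an added example, not code from the original post: it searches a byte buffer for the encodings of methods 01, 02, 03/04, 05/06 and 07 and for the driver and registry strings of methods 11 and 13. The opcode encodings are assumptions derived from the assembly in the post (16-bit DOS encodings for the `int 3`, `int 2Fh` and `int 41h` tricks, the 32-bit `mov ebp, imm32` form for the BoundsChecker check), the names `Finding`, `scan`, `scan_file` and `SAMPLE` are mine, and `SAMPLE` is a constructed buffer rather than bytes from any real program.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    method: str   # which anti-SoftICE method the signature belongs to
    offset: int   # byte offset of the hit in the scanned buffer
    detail: str   # matched bytes as hex, or the matched string


# Instruction-level signatures. Encodings are assumptions derived from the
# assembly in the post: 16-bit DOS encodings (mov si/di/ax/bx imm16, int N)
# and the 32-bit 'mov ebp, imm32' form for the BoundsChecker check. The lazy
# gaps (.{0,N}?) tolerate a few instructions between the landmark opcodes.
CODE_SIGNATURES = [
    ("01 BoundsChecker 'BCHK' signature via int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC"),                      # mov ebp,4243484Bh ... int 3
    ("02 SoftICE back door (SI=4647h, DI=4A4Dh, int 3)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?\xCC"),         # mov si,4647h; mov di,4A4Dh; int 3
    ("03/04 int 2Fh/1684h VxD entry-point lookup",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),  # ax=1684h, bx=0202h or 7A5Fh, int 2Fh
    ("05/06 int 41h function 4Fh (expects magic 0F386h)",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),                            # mov ax,4Fh ... int 41h
    ("07 int 68h function 43h (V86 WinICE handler)",
     rb"\xB4\x43.{0,8}?\xCD\x68"),                                # mov ah,43h ... int 68h
]

# String signatures: the MeltICE device names (method 11) and the registry
# key most programs query (method 13, key #2).
STRING_SIGNATURES = [
    ("11 MeltICE driver handle name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13 SoftICE registry key", rb"Software\\NuMega\\SoftICE"),
]

COMPILED = [(name, re.compile(pat, re.DOTALL))
            for name, pat in CODE_SIGNATURES + STRING_SIGNATURES]


def scan(blob: bytes) -> list[Finding]:
    """Return every signature hit in blob, ordered by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(blob):
            raw = m.group(0)
            # string hits are reported verbatim, code hits as hex
            detail = raw.decode("ascii") if name[:2] in ("11", "13") else raw.hex()
            hits.append(Finding(name, m.start(), detail))
    return sorted(hits, key=lambda f: f.offset)


def scan_file(path: str) -> list[Finding]:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffer (not taken from any real program): NOP padding
# around hand-assembled instances of methods 01, 02, 03 and 05 plus the two
# strings, so the scanner has something to find when run stand-alone.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x00"  # 01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                  # 02: mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x90" * 3
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"                          # 03: mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                          # 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\x00\\\\.\\SICE\x00"                                       # 11: device name
    + b"Software\\NuMega\\SoftICE\x00"                             # 13: registry key
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x}  {f.method:<50}  {f.detail}")
```

Run as a script it lists the six hits in `SAMPLE`; `scan_file(path)` applies the same signatures to a real sample. The gap widths in the patterns are the tuning knob: wider gaps catch more variants of the same trick (the page's own listings interleave `mov dx,[bx]` and similar between the landmarks) at the cost of more false positives on unrelated code.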