About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature that SoftICE's int 3 handler
recognizes: with EBP = 'BCHK' and AX = 4, SoftICE answers by clearing AL,
so if AL is no longer 4 after the interrupt, SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE clears AL; otherwise AL stays 4
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses the
SoftICE 'back door' int 3 interface, which gives information on breakpoints
or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, a hard reboot of the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at DS:DX)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).  The interrupt returns ES:DI = 0:0 when no
VxD with that ID is loaded, so a non-zero ES:DI means SoftICE is present.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE's
GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by every
system debugger in answer to int 41h, function 4Fh (the debugger
installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  They temporarily replace the int 41h
vector in the IVT with a dummy handler for the duration of the call:

    xor     ax,ax
    mov     es,ax                   ; ES must be 0: the xchg below addresses the IVT
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install the dummy handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: there is
no function 4Fh and no compare with 0F386h.  A byte read from the timer port is
passed to a dummy int 41h handler that copies it into CL.  The check relies on
SoftICE answering int 41h itself: then the dummy handler never runs, CL stays 0
and differs from AL.  (When the byte read happens to be 0 the check misses, a
1-in-256 false negative.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install the dummy handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detection of SoftICE but a way to crash the system
by intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); DS:DX points
to the new routine to execute (which hangs the computer...).

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

! ?3 r6 C6 A/ A! ~$ a- m- fMethod 090 O/ j4 s+ [6 Z7 Q: Q
=========
  W; a5 y6 [. E' ]- U0 `/ ~% J
1 D1 i# e+ ?/ N& KThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
; B) e. V$ F3 W- i  r' h6 ^performed in ring0 (VxD or a ring3 app using the VxdCall).1 c. a  \! e& \+ p& ~3 `8 @
The Get_DDB service is used to determine whether or not a VxD is installed7 b$ f4 D  L! h" x
for the specified device and returns a Device Description Block (in ecx) for
2 O* N8 B. o, P% o) U0 _0 kthat device if it is installed.
; u1 J; |' f$ y9 p! k5 n7 y! R
* [/ w$ @3 j5 ^; e% V, T" h# O" j6 V   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID: x; ^  m  j' F1 q7 E) V1 d4 u
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
0 u6 V& c0 ~- z2 I5 I/ u' r   VMMCall Get_DDB
  r0 y1 [+ ~) H$ G; ^! M   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed/ w3 m8 T, l7 V6 w2 w5 q: ~
3 X/ N6 F; \8 Q) E. N- ?7 {! d
Note as well that you can easily detect this method with SoftICE:
7 N* v" _; X8 x: u) ^   bpx Get_DDB if ax==0202 || ax==7a5fh* V, Y9 v& [" H" V  p; R

$ e- J- ]9 n% Z2 t__________________________________________________________________________: G* }1 @# C# N! W

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect if SoftICE is loaded
(DR7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise;
bit 10 of DR7 is reserved and always reads as 1, so the difference is the LE/GE
exact-match bits 8 and 9) or if there are memory breakpoints set (DR0 to DR3),
simply by reading their values (in ring0 only).  Values can be manipulated or
changed as well (clearing BPMs for instance).
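What the debug registers actually encode, as an added example in C that is not part of the original text: it decodes a DR7 snapshot into armed slots with their access type and length, isolates the LE/GE bits that account for 0x700 versus 0x400, and performs the "clear the BPMs" manipulation mentioned above. Reading the real registers needs ring 0 (mov eax,dr7), so the snapshot here is constructed, and the function and structure names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* One decoded hardware-breakpoint slot.  DR7 layout (x86): L0,G0..L3,G3 in
 * bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads as 1), R/Wn in bits
 * 16+4n..17+4n, LENn in bits 18+4n..19+4n. */
struct hwbp {
    int enabled;       /* L or G bit set: the slot is armed */
    unsigned rw;       /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    unsigned len;      /* bytes covered: 1, 2, 4 (8 where the CPU supports it) */
    uint32_t addr;     /* linear address held in DRn */
};

struct dr_state {
    uint32_t dr[4];    /* DR0..DR3 */
    uint32_t dr7;
};

static unsigned len_bytes(unsigned code)
{
    switch (code & 3) {
    case 0:  return 1;
    case 1:  return 2;
    case 2:  return 8;
    default: return 4;
    }
}

/* Decode the four slots of a snapshot; returns how many are armed. */
int decode_dr7(const struct dr_state *s, struct hwbp out[4])
{
    int armed = 0;
    for (int i = 0; i < 4; i++) {
        unsigned l = (s->dr7 >> (2 * i)) & 1;
        unsigned g = (s->dr7 >> (2 * i + 1)) & 1;
        out[i].enabled = (int)(l | g);
        out[i].rw      = (s->dr7 >> (16 + 4 * i)) & 3;
        out[i].len     = len_bytes((s->dr7 >> (18 + 4 * i)) & 3);
        out[i].addr    = s->dr[i];
        armed += out[i].enabled;
    }
    return armed;
}

/* The loader signature from the text: 0x400 is only the reserved bit 10, so
 * 0x700 differs from it by LE (bit 8) and GE (bit 9).  Testing just those two
 * bits keeps the check valid when breakpoint slots are armed on top of them. */
int dr7_has_exact_match_flags(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* The manipulation the text mentions: disarm every slot (L/G bits and the
 * DRn addresses), which removes any BPM SoftICE had set. */
void clear_hw_breakpoints(struct dr_state *s)
{
    s->dr7 &= ~0xFFu;
    for (int i = 0; i < 4; i++)
        s->dr[i] = 0;
}

/* Constructed snapshot (not read from a real machine): loaded through the
 * SoftICE loader (LE|GE) plus one dword write breakpoint on 0x401000 in
 * slot 0 (L0=1, RW0=01b, LEN0=11b). */
struct dr_state sample_state(void)
{
    struct dr_state s = { { 0x401000u, 0, 0, 0 }, 0x000D0701u };
    return s;
}

static const char *rw_name(unsigned rw)
{
    static const char *const names[] = { "execute", "write", "io", "read/write" };
    return names[rw & 3];
}

int main(void)
{
    struct dr_state s = sample_state();
    struct hwbp bp[4];
    int armed = decode_dr7(&s, bp);

    printf("dr7=%08x loader-flags=%d armed=%d\n", (unsigned)s.dr7,
           dr7_has_exact_match_flags(s.dr7), armed);
    for (int i = 0; i < 4; i++)
        if (bp[i].enabled)
            printf("  DR%d: %s, %u byte(s) at %08x\n", i, rw_name(bp[i].rw),
                   bp[i].len, (unsigned)bp[i].addr);

    clear_hw_breakpoints(&s);
    printf("after clearing: dr7=%08x armed=%d\n", (unsigned)s.dr7, decode_dr7(&s, bp));
    return 0;
}
```

Note that clearing only the low byte of DR7 leaves the LE/GE bits in place, so a protection that also wants to hide the loader signature would have to rewrite those too; with SoftICE active that is exactly the situation the warning at the top of this method is about.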
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. when the
   SoftICE VxD is loaded and answers the DIOC_OPEN control message. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________' S+ _  q7 q  P" C* U& t

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in the
subkey strings of #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.