找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>/ q, T6 x6 r8 [' U9 n
<TBODY>
& W% F0 `6 b" c& Y<TR>
* [9 H! l" V' R- t- Z, O<TD><PRE>Method 01
$ P! M5 o! G: W4 S# Q4 d=========( h6 i# S: g" M) D7 q) S: G

2 F0 G3 V* v+ B2 P! w! A2 DThis method of detection of SoftICE (as well as the following one) is
7 U- C' r  D6 p3 d* `: D  R! t; c9 C2 Gused by the majority of packers/encryptors found on Internet.! f: C' S2 b9 j- R5 Q
It seeks the signature of BoundsChecker in SoftICE
4 x2 X- p# `1 H1 S
% ]. N0 S, q9 j7 |: [    mov     ebp, 04243484Bh        ; 'BCHK'
# W( S3 H& n) L# F  F( `+ F, V1 p    mov     ax, 04h: M6 _  Y6 G# U
    int     3      
: |: \) a& |1 k. F    cmp     al,4
: v* y7 t1 T+ c' C  u: L    jnz     SoftICE_Detected0 _* Y  R1 H& z0 I, O! r5 W4 @' B

6 |) c# ?, x# b9 |6 Q; [___________________________________________________________________________
% V% N+ G9 F2 H7 U
# ?; N4 b( I. n! ]: pMethod 028 \% W$ X* r+ L! A6 `
=========6 E1 N" d  C5 z/ k' q8 t" z! ^4 a

: U# D) P" [: z2 B: gStill a method very much used (perhaps the most frequent one).  It is used
' f5 s) |! c6 g; dto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
6 k7 j% m0 L$ L8 Y/ \6 sor execute SoftICE commands...% Q, g2 t" h7 s
It is also used to crash SoftICE and to force it to execute any commands+ z0 q7 z5 G  U& p6 f  F
(HBOOT...) :-((  
; r! t6 }9 N" r1 x- w' v- S! Z, g7 ~/ Z9 W
Here is a quick description:
6 G& o- d) q( p$ w-AX = 0910h   (Display string in SIce windows)
! o9 T# S9 v$ j: S1 L- p-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
" j1 l7 |2 ^$ ^-AX = 0912h   (Get breakpoint infos)
' J. c& [1 `- ^6 D6 @. V# D: M-AX = 0913h   (Set Sice breakpoints)
# O9 _: U) R- w3 G2 W% s  A/ e1 \. j-AX = 0914h   (Remove SIce breakoints)
1 |* ?  N) C9 e* K/ V1 J( i6 K( Y. \) B# \% V7 Z+ G' h* G# l
Each time you'll meet this trick, you'll see:
8 w# ?/ k7 Z+ R. \$ R5 }-SI = 4647h' d# r4 |$ H* W! @# i6 i
-DI = 4A4Dh
% R0 M  a; E( F# s( gWhich are the 'magic values' used by SoftIce.
# A1 T; N  I! R1 dFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
% S& c2 i6 F# m2 v% M
, x8 ]$ w# ^- A7 z' FHere is one example from the file "Haspinst.exe" which is the dongle HASP
; T' i+ x. u' w# aEnvelope utility use to protect DOS applications:
2 f( @( M3 G( f! L: I; Z( ~* ~: m' x- K" |# K0 \4 R8 J0 Q

& _& j" K1 |3 i! s% t, m4C19:0095   MOV    AX,0911  ; execute command.
5 `; ]6 v$ I7 t( u7 z4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
+ g; a9 k9 [  w; M$ K% Y8 c, S, b4C19:009A   MOV    SI,4647  ; 1st magic value.2 P0 q- c! O9 H- f
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.* w0 R: u/ C6 r* p+ V4 A7 [1 W
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)# [- M0 z+ T- l* ^- p  L" \
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
# e  W# E# M# [3 {5 x7 G, W/ w4C19:00A4   INC    CX
. @" \( k6 w& Y% U/ k8 K4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute2 B" f6 m) }) r# v
4C19:00A8   JB     0095     ; 6 different commands.7 E2 ]- q/ p3 \& l: W7 h
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.6 `- y' h/ [3 C; j& ?
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)0 I2 x: p' S: p; a& C0 G

2 ^% p2 \2 }7 DThe program will execute 6 different SIce commands located at ds:dx, which' ]9 W2 d9 f8 [9 j# X4 g3 ?5 E0 Y
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.( a# P9 W8 v0 O1 u$ p. A

% a0 ^# V, U7 H! V: b* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
2 |# q! h2 a/ Q/ Q* ^; \4 k* z. R___________________________________________________________________________7 K& j1 [7 J8 s0 F) V6 E$ u
- q1 v; q: h# @" ^6 M, B  I
8 t3 S/ }( Z$ ?: L; U
Method 03
5 M& H' ^1 K' b3 z: K& k' n7 a=========
5 m! o$ c6 s! f2 ?% g; s' G  B: ~2 s  @( p) e: ]
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h5 i8 N  Z6 \' @7 m
(API Get entry point)
- }$ |4 O& r' m' |        5 A" t5 F- m9 h/ z0 c- E
6 X) n& h2 R& W& Y( T7 Q4 `. i# J2 i
    xor     di,di
' g( n( a, V9 U0 h! [    mov     es,di6 s/ a# R( K2 t1 o& G: {
    mov     ax, 1684h       ) A' i9 C* s8 C  s3 p  W
    mov     bx, 0202h       ; VxD ID of winice
; }3 l! W5 X& p- {    int     2Fh
6 d: |+ ~6 A  c/ K. G( A    mov     ax, es          ; ES:DI -&gt; VxD API entry point3 u5 y( u0 K) O7 h% A9 T, |
    add     ax, di4 T  x  m" D+ k; Q. ]2 F
    test    ax,ax
& f8 a9 y1 V2 J7 k) E% @8 R    jnz     SoftICE_Detected
" Q5 ]. E" H8 J3 D5 r& F, `  O
% a" C! [. I- X% ^, {. A* O& b9 F___________________________________________________________________________* n& f( Q( t# t5 E9 d

) C& W" N- a: \$ ]Method 047 Q5 C3 M, y7 t) z' w  V6 @
=========: I$ P  N: e' u* J; _  W

5 R$ D: x& }" I+ dMethod identical to the preceding one except that it seeks the ID of SoftICE
4 ?; ~8 a$ u9 I8 O9 y* RGFX VxD.
, q% V  o1 D# S+ }: X- l5 x' a' a9 u  n- ]1 P
    xor     di,di
1 E& {& G* n! ^1 n: Q    mov     es,di0 Z# a- y& @' t4 \0 f2 k6 Q, Y
    mov     ax, 1684h      
$ |/ Y/ p  v  [    mov     bx, 7a5Fh       ; VxD ID of SIWVID! f$ y  b7 K0 x* R7 |4 f2 r
    int     2fh! W+ M1 p# m5 v, W: \
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
; R7 }4 Z, `$ Z1 k' o' J    add     ax, di: R& y. I; |( O+ P6 r0 J0 K# k7 \
    test    ax,ax
! ^- j8 R0 `( O4 g# V: g. E    jnz     SoftICE_Detected( A( U5 l1 @# a

& ~& ^$ g' f% |6 Y__________________________________________________________________________
! L. E  l. W3 c1 |+ t0 ~6 N7 X! t1 l. O5 q) s) Y7 @
, r7 g2 a* G( z$ A% K8 n1 P/ }0 B& z
Method 05
6 L+ p5 F, ?2 m2 e$ p=========
& R% E  g4 `2 e  H5 z0 D5 C  c6 ]! O
! q- s" `% {$ z' {' qMethod seeking the 'magic number' 0F386h returned (in ax) by all system
2 u% t8 m0 e) J! [& idebugger. It calls the int 41h, function 4Fh.
6 z6 p/ J3 l! R: p: a& y2 K$ GThere are several alternatives.  / w# m* L; r% J8 a/ w8 a
! L7 ^3 q7 J7 Q% r. ^6 Y- z3 q: ~
The following one is the simplest:
/ D2 x% v9 I4 W) A. J$ H3 o5 `& m8 L0 a% g! v% Q  `
    mov     ax,4fh, Q' \0 |. B7 H/ O
    int     41h
4 I+ _; R3 E2 Z& M8 e/ D- R    cmp     ax, 0F386% i; w' z* a; {$ K- X# ]
    jz      SoftICE_detected
3 S; N, K0 y  C5 u4 T1 F( U
+ ~; A; J9 f% j  H1 Q% y
  T9 s: Z/ D$ l: h) P5 q7 I3 hNext method as well as the following one are 2 examples from Stone's
3 I4 v: R9 W1 c$ @: M* h- B2 J"stn-wid.zip" (www.cracking.net):. m2 D8 D! B8 J/ g# Q  |" y* h
. V7 H) Q1 h) M4 p3 B
    mov     bx, cs
; R6 u# t7 o4 K' K$ y, w    lea     dx, int41handler2
) m( {" {% T& b5 G/ v    xchg    dx, es:[41h*4]5 a0 T$ ]. t! H9 Z9 l
    xchg    bx, es:[41h*4+2]! w  M4 m! _+ u. }* }. b- C
    mov     ax,4fh
- ]! S2 L5 Y2 H, T- e8 D. j; Q    int     41h7 z# R6 Z) N& J" I2 e, a
    xchg    dx, es:[41h*4]0 y# Z; R  U6 e6 G3 A7 I$ p% C5 i
    xchg    bx, es:[41h*4+2]4 J8 J  ^3 O8 r7 d4 y
    cmp     ax, 0f386h
/ [8 F4 B1 O. L* o8 Q3 P    jz      SoftICE_detected' m. z# q/ A! i; Z$ C2 m

& ~7 c% [& C4 u* `% O( x0 Uint41handler2 PROC
3 M9 }) _# l3 _4 y    iret
  h8 A* T: ]+ u# K. V+ v0 O  u4 Cint41handler2 ENDP
; s6 I" d- I! h- s7 v5 a. S0 `/ A4 U! D+ X

3 i# D# X7 J( a& \6 |. N- o_________________________________________________________________________
  J1 U+ h- q5 t! e" V- K7 s+ e4 S
! o! t1 I3 W7 X: V7 {# s
+ b- T4 @! m- K% h" i' @5 AMethod 06( ?$ V7 t, M( O& h- P
=========
. z; B4 M" C. B! l5 u2 b
: [+ x1 A! w. F; _# }4 V4 u4 F7 u4 F  ?# z5 i9 O8 D
2nd method similar to the preceding one but more difficult to detect:6 {" Z, o" W  r9 B3 i1 t
, J+ y' p  L7 ?# v. p

! ?& \4 Y/ l' Aint41handler PROC9 y; O; Q% N  f5 [6 i  P5 ~
    mov     cl,al+ D8 y7 a! D( G6 U) |
    iret/ A4 Z' y% x; r- c* U+ J
int41handler ENDP
# Y7 W2 D* ]! x. a, G% {" W
% N( C% R( ~5 _+ U+ z5 X, I* C  i$ Q1 {9 T0 U- [6 Q
    xor     ax,ax
4 d4 s" `) R, ]) x  j$ O* i    mov     es,ax/ b1 Z; R% F9 x: I
    mov     bx, cs
- t0 t; }. H% ]. M3 o) g$ U1 X    lea     dx, int41handler
/ ~9 d! C$ G- [9 u4 F' w, ?    xchg    dx, es:[41h*4]9 V9 F$ W4 r5 n* M1 U! `* s5 M! \
    xchg    bx, es:[41h*4+2]
* d. I, c, L  y( Y7 z6 A0 E4 U    in      al, 40h
' O% l! w: l# h5 q8 U, q    xor     cx,cx
1 ]( y; V% E) T+ o2 @1 o" A- e% ^" G    int     41h
$ L2 a, K3 m/ Z, T. @- t- J4 d    xchg    dx, es:[41h*4]
  k2 X. v; k; Z; ~. H    xchg    bx, es:[41h*4+2]$ r9 y; {/ X4 \0 [
    cmp     cl,al
# p. X( ~/ j  Q; z3 O3 V    jnz     SoftICE_detected
7 l3 W, x6 P+ u. ]/ \
' I+ q" E9 t! W3 t_________________________________________________________________________. A# Y+ i; e$ n+ M  r, _4 K6 J! s1 W: K; g

, ]' l3 I1 u! [5 r' w% i7 c3 @Method 07, l. \3 s' p# \% C0 k& V. k2 W/ D
=========
; k" U/ o% L8 A. L, ]$ {- H- ]
/ R2 y5 p9 e3 X8 r& b8 O1 t+ H; WMethod of detection of the WinICE handler in the int68h (V86). w! y; [9 E: H

! K* u( b5 F/ H# g! f5 P    mov     ah,43h( [: v0 O) w9 D  w/ e. q
    int     68h
- c& V: \8 E6 P5 A) s. N" y    cmp     ax,0F386h0 |) q6 ]8 \* @  s! _
    jz      SoftICE_Detected0 B" D& p6 x  y+ u

3 H( ?. G6 G" O1 J8 T
7 ?' u8 t& c5 d, N6 a=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 e" P' r5 @% V# P8 E% I# [* V  E   app like this:
; T  \& ^' o; z2 W9 V$ D$ Q$ ~* g3 T5 f
   BPX exec_int if ax==68- C0 L* n. ~+ H9 E' H
   (function called is located at byte ptr [ebp+1Dh] and client eip is$ e# b4 ]. o- p; A9 C) B
   located at [ebp+48h] for 32Bit apps)* S# h0 Z) L6 ?5 y4 x0 R
__________________________________________________________________________3 n# s. Q& f; A6 A( d3 c$ b

- w, }' {/ @2 i8 B
9 G$ x  O  y7 A6 c/ B, n! I% U' dMethod 080 A( H( d5 @1 {: A1 F3 L( D) I
=========
) q* `0 x+ _/ @1 g! t( b
/ r: o0 L7 S( VIt is not a method of detection of SoftICE but a possibility to crash the
9 T1 P/ m% c$ W- B) _1 |* Hsystem by intercepting int 01h and int 03h and redirecting them to another
1 N; M: J5 t; Y6 hroutine.' E2 i# l& b$ E! o' Y( a) j. R2 y
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
& E7 P7 i8 c6 g& A4 ]. Tto the new routine to execute (hangs computer...)
/ Q- a8 U6 Q$ V5 H5 J  _
1 T& m) r. e0 t  g4 W% H    mov     ah, 25h
" p" u# S: ]2 x- V    mov     al, Int_Number (01h or 03h)7 ]- ?/ t4 e8 }0 T6 d
    mov     dx, offset New_Int_Routine
: Q$ i5 }! _9 C2 t* e' q    int     21h
; |% l  L0 D: K! u
) g7 }3 \* H7 g2 O$ Z; I( @) Y__________________________________________________________________________
0 b5 P, ~7 _2 S% u; d) p) {; B+ d- O8 j; N7 n# m. @/ c( R; @& X
Method 09. b/ D  \8 g- T" X* I
=========& V) _/ ~7 m0 q" D& ~1 A' n
9 e* W, [) {  V( S) L: ^9 ?  q
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
1 P7 R$ a6 _3 u  v: _2 \5 Iperformed in ring0 (VxD or a ring3 app using the VxdCall).
" r/ G5 f: C: U+ G  N* PThe Get_DDB service is used to determine whether or not a VxD is installed
% w% g# S% v7 p  D9 Nfor the specified device and returns a Device Description Block (in ecx) for. S) L& U" T1 p: ^
that device if it is installed." u, N5 m1 C$ m+ c1 x* d7 ]' _+ |8 `; o

9 [+ g9 ?; ]5 S/ I4 X3 Z+ K. I   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
- d( v8 {4 ?6 ~   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
) M  V8 f1 G" C   VMMCall Get_DDB
. M1 n' r" O' q, V8 U. c; w   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
3 t- E3 M: N, d: \- n9 U7 j/ q9 k- t; E; Q5 I" D* e, ^) c# r
Note as well that you can easily detect this method with SoftICE:9 _! @5 Y3 k! _# Y: q  e
   bpx Get_DDB if ax==0202 || ax==7a5fh
. r* E' K; Z- Q) a& n( y  l0 a. D
__________________________________________________________________________2 q1 [3 \" m( |# g$ B$ p
7 x3 h+ Q* C% n
Method 10
9 _  r. Z( U' A& B7 L* Z=========
7 E/ {% _! F* H" j" o
3 e& l  w; R$ M=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with3 @' n7 F! f3 c( R3 c
  SoftICE while the option is enable!!
8 x3 F; F% C! X% C3 |8 a- I2 D: O$ m* I+ T9 u! E3 Y
This trick is very efficient:1 |. x" ?4 G5 Y  F" s' H& C
by checking the Debug Registers, you can detect if SoftICE is loaded' N& R# h/ Y$ A9 y
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if0 d1 a% B; d4 D8 [  B
there are some memory breakpoints set (dr0 to dr3) simply by reading their, h$ }' M% q3 [0 v& Y+ a6 ]: i
value (in ring0 only). Values can be manipulated and or changed as well- ~  X. e# ]9 P
(clearing BPMs for instance)
+ t3 x6 |" O- c; j  {8 t% k$ A6 e- y1 |" L. Y
__________________________________________________________________________8 A: H/ _" M- `% Z

" w2 c. Y6 A) n  B7 wMethod 11
% U- Q% ~  L% g, C& l- Z=========
  G$ l0 S: c& J) E; W
" m+ }- f  f. y2 [7 ]This method is most known as 'MeltICE' because it has been freely distributed0 a4 b+ W# ^6 T# z
via www.winfiles.com. However it was first used by NuMega people to allow
( G1 U2 `& g. c8 u* s6 a4 CSymbol Loader to check if SoftICE was active or not (the code is located
5 \! q) i+ X( k( r; n, N# [4 zinside nmtrans.dll).
' c. O$ G1 D8 i2 U
1 l4 u; k' U& rThe way it works is very simple:
4 P1 B: o- b& K: E: [6 iIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
3 B' s( `2 o& a; hWinNT) with the CreateFileA API.' q. H0 @( x9 Z  M) R3 u/ e
- F9 ]8 I" m: X; R& |
Here is a sample (checking for 'SICE'):0 J/ q3 F" c0 `: c

# T2 ]# O" L% T8 h/ JBOOL IsSoftIce95Loaded()! {8 Y! \1 {- y- K/ u" H) r0 w
{
) O: E  z/ i& c; x! n* R& e  a   HANDLE hFile;  0 I7 ^* n7 U; ^% Q  |, D
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
7 f! W+ L) ^  S% I* x* R                      FILE_SHARE_READ | FILE_SHARE_WRITE,5 N8 L% b+ ]( S0 b( V  G8 X
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
( s0 J7 m* D( ]% X% U6 w   if( hFile != INVALID_HANDLE_VALUE )
. I1 z( x/ _  Y9 Z! g   {& [* [- Z7 w7 H- g& U
      CloseHandle(hFile);
0 ?( `- l. L# j  z* {      return TRUE;* d: n5 I0 K+ Q% P, N4 Y
   }
/ C+ h9 F% P/ r; g, _7 U' Z) t   return FALSE;3 a2 c, @' h' L. G8 z7 [1 M2 A
}7 [% d# _8 K$ B  q9 e; x

" u1 U' U7 I) X; X8 n/ a* vAlthough this trick calls the CreateFileA function, don't even expect to be2 {1 Z% w7 l- p$ d' g
able to intercept it by installing a IFS hook: it will not work, no way!
3 E# @* ?) Z* U+ f! l2 E+ aIn fact, after the call to CreateFileA it will get through VWIN32 0x001F- [: G2 V0 L$ g" l# Q9 P/ G
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' n! p6 G# C% e0 `- b  N9 S5 ]  M
and then browse the DDB list until it find the VxD and its DDB_Control_Proc# L1 Z9 y) j  K' b% S( S. |
field.
' H8 }6 z% v& F" B+ V  ?  H, q5 NIn fact, its purpose is not to load/unload VxDs but only to send a
  u2 ]9 `7 C+ J  Z, C( ~& _W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)0 z8 m& Q- P: c+ |* K. F
to the VxD Control_Dispatch proc (how the hell a shareware soft could try! F) t( [+ N; [' }9 I8 B7 I3 m) q
to load/unload a non-dynamically loadable driver such as SoftICE ;-).$ Y' e- `; \( y8 @- |2 R2 @2 W: _4 I
If the VxD is loaded, it will always clear eax and the Carry flag to allow$ ~/ j* `) {: ~8 @, y
its handle to be opened and then, will be detected.' K$ e4 U6 _  w4 x' D( ?
You can check that simply by hooking Winice.exe control proc entry point% o; S7 M9 s, |
while running MeltICE.
6 ^+ H* \( a) q9 U9 T8 K! X! p
# N7 ^: ?  Z: \1 A2 V7 @- F# k7 h$ j. j6 J
  00401067:  push      00402025    ; \\.\SICE
7 O5 M) r1 o0 F% q# x& ?* W2 W/ n  0040106C:  call      CreateFileA$ w4 C! @, p$ w) M
  00401071:  cmp       eax,-001
5 e) `# a4 Q6 Y1 @* K) y0 e  00401074:  je        00401091
8 u! l( l9 Z0 V9 x  q6 ^8 q. T" E
0 ^9 b  i# U) y
0 y2 U" W: r4 X, gThere could be hundreds of BPX you could use to detect this trick.: I! M2 V" i; ]- }$ o
-The most classical one is:* b$ y/ q/ J+ |% }5 P% Y
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
7 K& b9 o  ?- m    *(esp-&gt;4+4)=='NTIC': }8 H- L2 K0 v& n9 `

1 E' [) W3 S& O  U5 t-The most exotic ones (could be very slooooow :-(
: z" @5 p! \$ ]- t; R/ _! j% l1 Z   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  6 L  r/ E4 m$ r! h" }
     ;will break 3 times :-(1 _2 y! `# g2 c9 V* ]2 n* |

: d: H0 N& Z- l) Q, i6 t-or (a bit) faster:
  u; u# @+ o0 g   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
+ V: \! {2 D1 {9 m! f4 u5 A! n6 R: ?- @) F3 ^5 \
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  5 \; B) F$ }6 h8 V$ W
     ;will break 3 times :-($ a/ ~! P0 H/ n8 H$ I4 N

' \5 K8 A# ~. N# s-Much faster:' Z) [' [; w" f1 A2 v" B( m
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
* C$ T2 A1 U$ ]. W/ p! |2 A9 O
, D. K) b4 E/ r1 C9 h& z' j' I( JNote also that some programs (like AZPR3.00) use de old 16-bit _lopen3 O" c/ g- P  y( Y* W3 V7 ^+ W
function to do the same job:$ d8 S8 K  H  Z( E$ ~
8 D, [2 c1 |: s8 m3 h
   push    00                        ; OF_READ
& M% w8 N% t( G   mov     eax,[00656634]            ; '\\.\SICE',0
- I' t. p' j( {/ n8 W3 K   push    eax" L9 A# l9 H1 f0 T, u. {4 R/ Q- Q) @
   call    KERNEL32!_lopen, }( c( N9 E! d; e
   inc     eax
' a" p/ V; S  Z* O   jnz     00650589                  ; detected
& Q7 G; X8 k9 J1 V+ o2 }   push    00                        ; OF_READ! |1 J3 L1 ?& h" u3 I
   mov     eax,[00656638]            ; '\\.\SICE'
6 v; Z$ [$ `5 T/ K5 p4 `' ^   push    eax
$ j+ c. k4 B6 Q! Z   call    KERNEL32!_lopen$ L. r+ k4 Z! b9 n% b
   inc     eax" z) @& q$ J6 }4 B( j
   jz      006505ae                  ; not detected
% ]% U3 m% n1 k- s# N+ [0 T- R
2 {: c! e4 J0 a6 ^3 e9 Q# R/ U+ ~% Q' M
__________________________________________________________________________* }5 V! Q$ [4 G
7 f9 [, ?6 p1 V
Method 12: d  x) O2 s2 ~1 u
=========( X4 R* i5 g) a

; k% n4 |1 i' G, T: P/ F: \+ PThis trick is similar to int41h/4fh Debugger installation check (code 05; P7 u$ T1 z* |  B6 K0 C2 B
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
0 Y3 @4 E! A8 F5 P# ~as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 m, {0 h5 I' F5 _% [$ |$ E
8 L3 c1 N, C2 q! F
   push  0000004fh         ; function 4fh
' M6 a& G: q3 X7 E" \5 o0 q   push  002a002ah         ; high word specifies which VxD (VWIN32)
' E4 z/ Q6 s% C* N) u                           ; low word specifies which service
& Y! c- G1 t1 t/ f                             (VWIN32_Int41Dispatch)- j0 G1 R: K1 W+ E; n
   call  Kernel32!ORD_001  ; VxdCall; f! Y3 V7 \3 q
   cmp   ax, 0f386h        ; magic number returned by system debuggers
+ o2 D( V4 w' @8 H- T' p8 K1 q   jz    SoftICE_detected' l/ Q, q- N4 C7 z2 m6 M

/ O+ S+ [4 V8 H( z9 U" sHere again, several ways to detect it:& [3 y- D* d0 c% e( y2 V

2 ?8 y0 P0 w7 P8 I; `; O. a  o7 g  E    BPINT 41 if ax==4f
" f! H$ `2 Y4 F* j' K$ u/ b; t5 g3 A) W  j: ]) X+ {/ _# l2 Q' w
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
. z- L0 f! _4 J& C' c
' K  k0 R5 z6 P; O/ W    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A$ x9 w5 c  M4 P

/ X8 o4 O7 s' R( n    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!" r* w+ @' s8 m% \

5 L( ]2 y$ f" k__________________________________________________________________________
) J  [% a, v* f+ p- o& V; `0 ?5 J$ Q$ r7 ]
Method 131 i* e- y* U" X* C0 r* S, F: @
=========
0 C+ t8 ~: U  v! ~8 n
1 f! H! W* ~9 L0 XNot a real method of detection, but a good way to know if SoftICE is* k: m' l. L" G) k- g3 }) m
installed on a computer and to locate its installation directory.
0 F! }# |% [$ d( JIt is used by few softs which access the following registry keys (usually #2) :
  w" X- H/ f0 [6 g* j* e3 M0 T3 K! V; b
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
+ k5 u. M" {5 o1 p- I- o& M\Uninstall\SoftICE
# U0 Q  Y7 }# V7 y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
0 S. {2 X) U  S  a. V; u-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
2 d6 p) H6 H! b6 d\App Paths\Loader32.Exe; S! m+ ~% u- p* t

8 @+ z, ^. g) C' t  s7 ?3 Z- E" I# C1 z- W, r
Note that some nasty apps could then erase all files from SoftICE directory
: Z5 U9 b1 Y' |  X(I faced that once :-(" m) N  S3 H7 d6 ]/ b
1 Q  G- k2 w2 S5 k  @, b+ K
Useful breakpoint to detect it:
3 A, m1 [4 \) }" L1 p! R$ r3 a/ p' j
- B# d& S0 y  y+ z& I% _% j& @     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
" E- g7 e% J% i# R
7 I& v0 t) S, w: Q: V9 d__________________________________________________________________________" Y+ ]- K# s% B" k

; r7 ?9 o+ F8 }/ h2 F5 G! j5 V3 v  e+ q5 i
Method 14 % c3 q2 J: m, `7 M5 V) k' E
=========  L0 n2 L* y' S. X5 B

; C1 ~3 B) s& q* U2 iA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose$ N5 P* W0 Y4 d5 H8 l3 l
is to determines whether a debugger is running on your system (ring0 only).
7 n3 g7 G# ~5 C1 q9 L4 V3 x! o4 [- M; T$ h1 r) b% \$ A
   VMMCall Test_Debug_Installed* y( F* W5 B( V: w5 x" [
   je      not_installed9 G8 h3 b9 v4 D6 v/ {
. S/ X* N. j& I) d
This service just checks a flag.
# U, Y! l% J1 p1 j</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 07:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表