About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE answers the
BoundsChecker query (INT 3 with EBP='BCHK' and AX=4) by modifying AL, so
if AL is still 4 after the INT 3, SoftICE is not there.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).  When the VxD is not loaded the call returns
ES:DI = 0000h:0000h, so any non-zero ES or DI means SoftICE is there.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  A temporary int 41h handler that just
IRETs is installed first, so that without a debugger the call returns with
AX untouched; ES must point at segment 0 (the interrupt vector table), as
in the listing of Method 06, so that line is made explicit here:

    xor     ax,ax
    mov     es,ax           ; ES = 0: the vectors live in segment 0
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect.
AL is loaded with a value read from the timer port 40h and the temporary
handler copies AL into CL.  If SoftICE traps int 41h before the real-mode
vector is reached, the temporary handler never runs, CL stays 0 and differs
from AL (a false negative only when the value read happens to be 0):

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; int 21h/25h: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new routine (DS must hold its segment)
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).


__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'


-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(


-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor.  This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
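To locate these checks in a packed or protected executable before setting any of the breakpoints above, here is a small signature scanner, added as an example (not part of the original text, and not a tool by its author). The byte patterns are hand-encoded from the listings of Methods 01 to 07, 11 and 12 (16-bit real-mode encodings for the DOS-era checks, the 32-bit push sequence for Method 12); SAMPLE is a constructed blob assembled from those same listings, not bytes taken from any real program:

```python
"""Scan a raw code image for the anti-SoftICE sequences catalogued above."""
from typing import Callable, List, Optional, Tuple

Pattern = List[Optional[int]]        # None is a wildcard byte


def hexpat(text: str) -> Pattern:
    """'B8 ?? 09' -> [0xB8, None, 0x09]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def backdoor_function(m: bytes) -> bool:
    """mov ax,09xxh only counts when xx is a documented back door function
    (0910h..0914h); m[1] is the low byte of the 16-bit immediate."""
    return 0x10 <= m[1] <= 0x14


# (description, pattern, optional extra check on the matched bytes)
SIGNATURES: List[Tuple[str, Pattern, Optional[Callable[[bytes], bool]]]] = [
    ("M01 BoundsChecker signature  mov ebp,4243484Bh ('BCHK')", hexpat("BD 4B 48 43 42"), None),
    ("M01 BoundsChecker query      mov ax,4 ; int 3", hexpat("B8 04 00 CC"), None),
    ("M02 back door function       mov ax,091xh", hexpat("B8 ?? 09"), backdoor_function),
    ("M02 back door magic          mov si,4647h ; mov di,4A4Dh", hexpat("BE 47 46 BF 4D 4A"), None),
    ("M02 back door magic          mov di,4A4Dh ; mov si,4647h", hexpat("BF 4D 4A BE 47 46"), None),
    ("M02 back door magic (32-bit) mov si,4647h ; mov di,4A4Dh", hexpat("66 BE 47 46 66 BF 4D 4A"), None),
    ("M03 int 2Fh/1684h for VxD 0202h (SICE)", hexpat("B8 84 16 BB 02 02 CD 2F"), None),
    ("M04 int 2Fh/1684h for VxD 7A5Fh (SIWVID)", hexpat("B8 84 16 BB 5F 7A CD 2F"), None),
    ("M05 int 41h function 4Fh     mov ax,4Fh ; int 41h", hexpat("B8 4F 00 CD 41"), None),
    ("M05/07/12 magic number       cmp ax,0F386h", hexpat("3D 86 F3"), None),
    ("M07 int 68h function 43h     mov ah,43h ; int 68h", hexpat("B4 43 CD 68"), None),
    ("M11 MeltICE device name      \\\\.\\SICE", list(b"\\\\.\\SICE"), None),
    ("M11 MeltICE device name      \\\\.\\SIWVID", list(b"\\\\.\\SIWVID"), None),
    ("M11 MeltICE device name      \\\\.\\NTICE", list(b"\\\\.\\NTICE"), None),
    ("M12 VxDCall Int41Dispatch    push 4Fh ; push 2A002Ah", hexpat("6A 4F 68 2A 00 2A 00"), None),
]


def match_at(buf: bytes, pos: int, pat: Pattern) -> bool:
    if pos + len(pat) > len(buf):
        return False
    return all(p is None or buf[pos + i] == p for i, p in enumerate(pat))


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for desc, pat, check in SIGNATURES:
        for pos in range(len(buf) - len(pat) + 1):
            if match_at(buf, pos, pat) and (check is None or check(buf[pos:pos + len(pat)])):
                hits.append((pos, desc))
    return sorted(hits)


# Constructed test image: the page's listings, hand-assembled, back to back.
SAMPLE = (
    bytes.fromhex("90 90")                                                   # filler
    + bytes.fromhex("66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10")             # Method 01
    + bytes.fromhex("B8 11 09 8B 17 BE 47 46 BF 4D 4A CC")                   # Method 02 (Haspinst loop body)
    + bytes.fromhex("33 FF 8E C7 B8 84 16 BB 02 02 CD 2F")                   # Method 03
    + bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 05")                         # Method 05
    + bytes.fromhex("B4 43 CD 68 3D 86 F3")                                  # Method 07
    + b"\\\\.\\SICE\x00"                                                     # Method 11
    + bytes.fromhex("6A 4F 68 2A 00 2A 00 E8 00 00 00 00 66 3D 86 F3 74 00")  # Method 12
)

if __name__ == "__main__":
    for offset, desc in scan(SAMPLE):
        print(f"{offset:08X}  {desc}")
```

The three-byte `cmp ax,0F386h` pattern will also fire on unrelated code, so treat a hit on it alone as a hint and only trust it next to one of the interrupt sequences; the longer patterns are specific enough to put a BPX on directly.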

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>