About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an int 3
issued with EBP = 'BCHK' and AX = 0004h is answered by SoftICE, which
alters AL before returning. Without SoftICE the int 3 comes back with AL
still equal to 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
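The following C program is an added example, not part of the original text or of any of the protections it describes: it shows how the two INT 3 conventions of Methods 01 and 02 can be told apart from a register snapshot, which is what a debugger plugin, emulator or trap handler has to do before deciding how to answer (leave AL at 4 and ignore the back door if it wants to look like a clean machine). The struct, function names and sample register values are assumptions made for this example; only the constants ('BCHK', 4647h, 4A4Dh, 0910h..0914h) come from the text, and AX values outside that list are treated as ordinary breakpoints here, which is a choice of this example rather than a statement about SoftICE.

```c
#include <stdint.h>
#include <stdio.h>

/* Register snapshot taken when an INT 3 is executed. A real handler would
 * fill this from the trap frame; the values below are constructed by hand. */
typedef struct {
    uint32_t eax, ebp, esi, edi;
} int3_regs;

typedef enum {
    INT3_PLAIN = 0,        /* ordinary breakpoint, nothing to do with SoftICE          */
    INT3_BCHK_PROBE,       /* Method 01: EBP == 'BCHK', AX == 0004h                    */
    INT3_SICE_BACKDOOR     /* Method 02: SI == 4647h, DI == 4A4Dh, AX in 0910h..0914h  */
} int3_kind;

/* 'BCHK' as the assembler encodes it in  mov ebp, 04243484Bh :
 * 'B'=42h 'C'=43h 'H'=48h 'K'=4Bh, read from the high byte down. */
static uint32_t tag32(const char *s)
{
    return ((uint32_t)(uint8_t)s[0] << 24) | ((uint32_t)(uint8_t)s[1] << 16) |
           ((uint32_t)(uint8_t)s[2] <<  8) |  (uint32_t)(uint8_t)s[3];
}

/* 'FG' -> 4647h, 'JM' -> 4A4Dh: the two magic values expected in SI and DI. */
static uint16_t tag16(const char *s)
{
    return (uint16_t)(((uint8_t)s[0] << 8) | (uint8_t)s[1]);
}

/* Back door function numbers listed in Method 02; NULL for anything else. */
const char *backdoor_name(uint16_t ax)
{
    switch (ax) {
    case 0x0910: return "display string in SoftICE window";
    case 0x0911: return "execute SoftICE command at DS:DX";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return NULL;
    }
}

int3_kind classify_int3(const int3_regs *r)
{
    uint16_t ax = (uint16_t)r->eax;
    uint16_t si = (uint16_t)r->esi;
    uint16_t di = (uint16_t)r->edi;

    /* Method 01: SoftICE answers by changing AL; a clean machine leaves AL == 4. */
    if (r->ebp == tag32("BCHK") && ax == 0x0004)
        return INT3_BCHK_PROBE;

    /* Method 02: both magic values must be present and AX must name a listed function. */
    if (si == tag16("FG") && di == tag16("JM") && backdoor_name(ax) != NULL)
        return INT3_SICE_BACKDOOR;

    return INT3_PLAIN;
}

/* Scalar wrapper for callers (and tests) that hold raw register values. */
int3_kind classify_int3_regs(uint32_t eax, uint32_t ebp, uint32_t esi, uint32_t edi)
{
    int3_regs r = { eax, ebp, esi, edi };
    return classify_int3(&r);
}

int main(void)
{
    /* Constructed samples: the Method 01 probe, the HASP loop of Method 02
     * (AX=0911h, SI=4647h, DI=4A4Dh), and an INT 3 carrying only one magic
     * value, which must not be mistaken for a back door call. */
    const int3_regs samples[] = {
        { 0x0004, 0x4243484B, 0x0000, 0x0000 },
        { 0x0911, 0x00000000, 0x4647, 0x4A4D },
        { 0x0911, 0x00000000, 0x4647, 0x0000 },
    };
    static const char *const names[] = { "plain", "BCHK probe", "SoftICE back door" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int3_kind k = classify_int3(&samples[i]);
        const char *fn = backdoor_name((uint16_t)samples[i].eax);
        printf("eax=%04X ebp=%08X si=%04X di=%04X -> %s%s%s\n",
               (unsigned)samples[i].eax, (unsigned)samples[i].ebp,
               (unsigned)samples[i].esi, (unsigned)samples[i].edi,
               names[k], k == INT3_SICE_BACKDOOR ? ": " : "",
               k == INT3_SICE_BACKDOOR ? fn : "");
    }
    return 0;
}
```

Requiring both SI and DI to match before looking at AX mirrors how the text says the trick always shows up; a condition on SI alone would fire on every INT 3 that happens to carry 4647h and would make a `BPINT 3 if si==4647 && di==4a4d` style breakpoint noisier than it needs to be.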
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Device Entry Point"): if no VxD with that ID is loaded, ES:DI
comes back as it was set, 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 -> VxD not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0:0 -> VxD not present
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the "debugger installation
check").
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 here (IVT), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: it
never compares anything with 0F386h. It installs its own int 41h handler,
which copies AL into CL, then raises int 41h with CX=0 and a changing AL
(read from timer port 40h). If the interrupt reaches the program's own
handler, CL equals AL afterwards; if a system debugger intercepts int 41h
instead of letting it go through the vector table, the handler is never
reached and CL stays 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0: a byte that keeps changing
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86). Function 43h
of int 68h is the same kind of debugger installation check: ax comes back
as 0F386h when a debugger is present.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using the VxDCall
backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only, since MOV from a debug register is a privileged
instruction). Values can be manipulated or changed as well (clearing BPMs
for instance).

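Added example (not code from the original text): a decoder for DR7 that makes the 0x700 / 0x400 remark concrete and shows what a hardware breakpoint (a BPM lands in one of DR0..DR3) looks like in DR7, together with the "clear all BPMs" operation the text mentions. It only manipulates values; actually reading or writing DRn needs ring 0 as the text says (MOV from a debug register raises #GP at CPL 3), so a real check would wrap dr7_decode around that privileged read. The bit positions are from the Intel SDM; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0..7   : L0 G0 L1 G1 L2 G2 L3 G3  local/global enable for DR0..DR3
 *   bits 8, 9   : LE, GE  exact breakpoint enable (debuggers set both)
 *   bit 10      : reserved, always reads as 1  -> an idle DR7 reads 0x400
 *   bit 13      : GD  general detect, traps any MOV to/from a debug register
 *   bits 16+4n  : R/Wn  00 execute, 01 data write, 11 data read or write
 *   bits 18+4n  : LENn  00 1 byte, 01 2 bytes, 11 4 bytes (10 = 8 bytes, x86-64)
 * So the 0x700 seen under the SoftICE loader is 0x400 plus LE and GE; by
 * itself it arms none of DR0..DR3. */
typedef struct {
    int enabled;   /* Ln or Gn set                                   */
    int rw;        /* raw R/Wn field: 0 exec, 1 write, 3 read/write  */
    int len;       /* watched length in bytes                        */
} dr_slot;

typedef struct {
    dr_slot slot[4];
    int le, ge, gd;
} dr7_info;

void dr7_decode(uint32_t dr7, dr7_info *out)
{
    static const int len_tab[4] = { 1, 2, 8, 4 };
    for (int n = 0; n < 4; n++) {
        out->slot[n].enabled = ((dr7 >> (2 * n)) & 3) != 0;
        out->slot[n].rw      = (dr7 >> (16 + 4 * n)) & 3;
        out->slot[n].len     = len_tab[(dr7 >> (18 + 4 * n)) & 3];
    }
    out->le = (dr7 >> 8) & 1;
    out->ge = (dr7 >> 9) & 1;
    out->gd = (dr7 >> 13) & 1;
}

/* Number of DR0..DR3 slots armed: the thing an anti-debug check really wants. */
int dr7_enabled_count(uint32_t dr7)
{
    dr7_info info;
    int count = 0;
    dr7_decode(dr7, &info);
    for (int n = 0; n < 4; n++)
        count += info.slot[n].enabled;
    return count;
}

int dr7_slot_rw(uint32_t dr7, int n)  { dr7_info i; dr7_decode(dr7, &i); return i.slot[n].rw;  }
int dr7_slot_len(uint32_t dr7, int n) { dr7_info i; dr7_decode(dr7, &i); return i.slot[n].len; }

/* The text's 0x700 vs 0x400 distinction: LE and GE both set or not. */
int dr7_exact_mode_set(uint32_t dr7)
{
    return (dr7 & 0x300) == 0x300;
}

/* Arm slot n for a data breakpoint, which is what a BPM on a variable turns
 * into (the address itself goes in DRn). rw: 1 write, 3 read/write. */
uint32_t dr7_arm_slot(uint32_t dr7, int n, int global, int rw, int len_bytes)
{
    uint32_t len_bits = len_bytes == 1 ? 0 : len_bytes == 2 ? 1 : len_bytes == 8 ? 2 : 3;
    dr7 &= ~((uint32_t)3 << (2 * n));               /* clear Ln/Gn       */
    dr7 &= ~((uint32_t)0xF << (16 + 4 * n));        /* clear R/Wn, LENn  */
    dr7 |= (uint32_t)(global ? 2 : 1) << (2 * n);
    dr7 |= ((uint32_t)rw & 3) << (16 + 4 * n);
    dr7 |= len_bits << (18 + 4 * n);
    return dr7;
}

/* "Clearing BPMs": drop every enable and condition field, keep LE/GE/GD
 * and the reserved bit, so 0x700 stays 0x700 and 0x400 stays 0x400. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & ~0xFFFF00FFu;
}

int main(void)
{
    /* Constructed values: idle DR7, the loader's 0x700, and 0x700 with a
     * 4-byte write watch armed in slot 0 (what one BPM might look like). */
    uint32_t samples[] = { 0x400, 0x700, dr7_arm_slot(0x700, 0, 0, 1, 4) };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        dr7_info info;
        dr7_decode(samples[i], &info);
        printf("DR7=%08X exact=%d gd=%d armed=%d", (unsigned)samples[i],
               dr7_exact_mode_set(samples[i]), info.gd, dr7_enabled_count(samples[i]));
        for (int n = 0; n < 4; n++)
            if (info.slot[n].enabled)
                printf(" [DR%d rw=%d len=%d]", n, info.slot[n].rw, info.slot[n].len);
        printf(" -> cleared %08X\n", (unsigned)dr7_clear_breakpoints(samples[i]));
    }
    return 0;
}
```

Note that a protection which only compares DR7 against 0x400 gets a false positive from any debugger that sets LE/GE, while one that counts armed slots only fires when something is actually being watched; the two checks in the text are different signals and are best kept apart.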
___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'


Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
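An added example in C (not MeltICE's or nmtrans.dll's code): the probe generalised to the three driver names the text lists, written against a small opener callback so it can be exercised without Windows, and beside it a plain-C restatement of the classical BPX condition (*(esp->4+4)=='SICE' || ...), which is the same test the _lopen variant above would trigger since it passes the identical string. The callback type, the two fake openers and the function names are assumptions of this example; the device names, the CreateFileA flags and the 4-bytes-at-offset-4 comparison come from the text.

```c
#include <stdio.h>
#include <string.h>

/* Device names MeltICE probes: SICE and SIWVID for Win9x, NTICE for NT.
 * "\\.\" is the prefix CreateFileA needs to reach a device object. */
static const char *const softice_devices[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"
};
#define N_DEVICES (sizeof softice_devices / sizeof softice_devices[0])

/* Opener callback (an assumption of this example): returns nonzero when the
 * device could be opened. On Windows it wraps CreateFileA; offline it is a
 * constructed fake, so the same probe logic runs in both places. */
typedef int (*device_opener)(const char *path);

#ifdef _WIN32
#include <windows.h>
static int win32_opener(const char *path)
{
    HANDLE h = CreateFileA(path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE)
        return 0;
    CloseHandle(h);          /* the DIOC_CLOSEHANDLE the text mentions */
    return 1;
}
#endif

/* Constructed fakes: a Win9x box with SoftICE loaded, and a clean one. */
static int fake_opener_softice_loaded(const char *path)
{
    return strcmp(path, "\\\\.\\SICE") == 0 || strcmp(path, "\\\\.\\SIWVID") == 0;
}
static int fake_opener_clean(const char *path)
{
    (void)path;
    return 0;
}

/* MeltICE-style probe over all three names. Returns the 1-based index of the
 * first device that opened (1 SICE, 2 SIWVID, 3 NTICE) or 0 if none did. */
int melt_ice_probe(device_opener open_dev)
{
    for (size_t i = 0; i < N_DEVICES; i++)
        if (open_dev(softice_devices[i]))
            return (int)i + 1;
    return 0;
}

/* What  BPX CreateFileA if *(esp->4+4)=='SICE' || ...  tests: esp->4 is
 * lpFileName, +4 skips "\\.\", and the 4-byte compare looks at the next
 * four characters. Returns 1 when the breakpoint would fire. */
int bpx_condition_matches(const char *lpFileName)
{
    static const char *const tags[] = { "SICE", "SIWV", "NTIC" };
    if (strlen(lpFileName) < 8)     /* too short for "\\.\" plus 4 chars */
        return 0;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (memcmp(lpFileName + 4, tags[i], 4) == 0)
            return 1;
    return 0;
}

int main(void)
{
#ifdef _WIN32
    device_opener live = win32_opener;
#else
    device_opener live = fake_opener_clean;   /* no Win32 here: constructed result */
#endif
    printf("live probe: %d\n", melt_ice_probe(live));
    printf("fake SoftICE box: %d, clean box: %d\n",
           melt_ice_probe(fake_opener_softice_loaded), melt_ice_probe(fake_opener_clean));
    for (size_t i = 0; i < N_DEVICES; i++)
        printf("BPX condition on %s -> %d\n", softice_devices[i],
               bpx_condition_matches(softice_devices[i]));
    printf("BPX condition on C:\\boot.ini -> %d\n", bpx_condition_matches("C:\\boot.ini"));
    return 0;
}
```

The opener indirection is also where the other side would intervene: whoever controls open_dev controls the answer, which is exactly why the text's faster breakpoints sit below CreateFileA (VxDCall, VMM_GetDDBList) instead of on the IFS layer that never sees this request.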


___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; 0x13 and
0x37 are the offsets of "tICE" in the key names of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.