About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker call and alters AL
    cmp     al,4
    jnz     SoftICE_Detected
___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected
__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                  ; ES must address the IVT at segment 0 (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; swap our dummy handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                    ; only a debugger hooking below the IVT can still answer
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP
_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                  ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; read the PIT counter: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; equal only if our handler ran untouched
    jnz     SoftICE_detected
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
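As an added example (not from the original text or from any of the packers it mentions), a small C scanner that looks for the exact byte sequences of Methods 01-05 and 07 in a raw code buffer, the way an analyst triages a sample for these checks; the opcode encodings, the function names and the sample buffer are ours, and the DOS snippets are assumed to be 16-bit code while Method 01 is assumed to be 32-bit code, as shown above.

```c
/* Added example (not from the original text): byte signatures for the exact
 * instruction sequences of Methods 01-05 and 07, scanned over a raw code
 * buffer as an analyst would when triaging a packed sample. Encodings assume
 * 16-bit code for the DOS snippets and 32-bit code for Method 01, exactly as
 * they appear above; the scanned sample buffer is constructed below. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

typedef struct { const char *method; const uint8_t *bytes; size_t len; } sig_t;

static const uint8_t m01[] = {0xBD,0x4B,0x48,0x43,0x42, 0x66,0xB8,0x04,0x00}; /* mov ebp,'BCHK'; mov ax,4 */
static const uint8_t m02[] = {0xBE,0x47,0x46, 0xBF,0x4D,0x4A, 0xCC};        /* mov si,4647h; mov di,4A4Dh; int 3 */
static const uint8_t m03[] = {0xB8,0x84,0x16, 0xBB,0x02,0x02, 0xCD,0x2F};   /* mov ax,1684h; mov bx,0202h; int 2Fh */
static const uint8_t m04[] = {0xB8,0x84,0x16, 0xBB,0x5F,0x7A, 0xCD,0x2F};   /* same with bx=7A5Fh (SIWVID) */
static const uint8_t m05[] = {0xB8,0x4F,0x00, 0xCD,0x41};                   /* mov ax,4Fh; int 41h */
static const uint8_t m07[] = {0xB4,0x43, 0xCD,0x68};                        /* mov ah,43h; int 68h */

static const sig_t sigs[] = {
    {"Method 01 (BCHK int 3)",         m01, sizeof m01},
    {"Method 02 (FG/JM back door)",    m02, sizeof m02},
    {"Method 03 (int 2F/1684 SICE)",   m03, sizeof m03},
    {"Method 04 (int 2F/1684 SIWVID)", m04, sizeof m04},
    {"Method 05 (int 41/4F)",          m05, sizeof m05},
    {"Method 07 (int 68/43)",          m07, sizeof m07},
};

/* Scan buf for every signature, print each hit, return the hit count.
 * A hit is a lead, not proof: the bytes can occur by chance and a protector
 * may reorder the moves or split them with junk, so confirm in the debugger. */
int scan_anti_sice(const uint8_t *buf, size_t n)
{
    int hits = 0;
    for (size_t s = 0; s < sizeof sigs / sizeof sigs[0]; s++) {
        for (size_t off = 0; off + sigs[s].len <= n; off++) {
            if (memcmp(buf + off, sigs[s].bytes, sigs[s].len) == 0) {
                printf("%08zx: %s\n", off, sigs[s].method);
                hits++;
                off += sigs[s].len - 1;   /* continue after this match */
            }
        }
    }
    return hits;
}

/* Constructed sample: the Haspinst loop body from Method 02 (16-bit code)
 * followed by the simplest Method 05 check; returns the number of hits (2). */
int demo_sample_hits(void)
{
    static const uint8_t sample[] = {
        0x90, 0x90,                   /* nop; nop (filler) */
        0xB8, 0x11, 0x09,             /* mov ax,0911h */
        0x8B, 0x17,                   /* mov dx,[bx] */
        0xBE, 0x47, 0x46,             /* mov si,4647h */
        0xBF, 0x4D, 0x4A,             /* mov di,4A4Dh */
        0xCC,                         /* int 3 */
        0x83, 0xC3, 0x02,             /* add bx,2 */
        0x41,                         /* inc cx */
        0xB8, 0x4F, 0x00, 0xCD, 0x41, /* mov ax,4Fh; int 41h */
        0x3D, 0x86, 0xF3,             /* cmp ax,0F386h */
    };
    return scan_anti_sice(sample, sizeof sample);
}
```

To scan a real file, read it into a buffer and pass it to scan_anti_sice; the 32-bit variants of the DOS snippets carry a 66h operand-size prefix and would need their own entries.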
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h
__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh
__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
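Added example, not part of the original text: a C decoder for the DR7 values quoted above and for the per-slot enable, type and length bits that betray a BPM, showing what a protector reading the debug registers actually sees; the function names are ours and the register values are constructed, since reading the real ones needs ring 0.

```c
/* Added example (not from the original text): a decoder for the DR7 values
 * quoted above (0x400 = only the always-set reserved bit 10; 0x700 = bit 10
 * plus LE/GE, which the SoftICE loader sets) and for the per-slot enable, type
 * and length fields that betray a BPM in dr0-dr3. Reading the real registers
 * needs ring 0, so the values used here are constructed. */
#include <stdio.h>
#include <stdint.h>

enum { DR7_LE = 1u << 8, DR7_GE = 1u << 9, DR7_RESERVED = 1u << 10 };
static const unsigned len_tab[4] = { 1, 2, 8, 4 };  /* LEN field 00,01,10,11 -> bytes */

typedef struct {
    unsigned enabled_mask;   /* bit i set when slot i has L(i) or G(i) set */
    int le, ge;              /* local/global exact breakpoint enable */
    unsigned rw[4], len[4];  /* RWi: 0 exec, 1 write, 2 I/O, 3 read/write; LENi in bytes */
} dr7_info;

dr7_info dr7_decode(uint32_t dr7)
{
    dr7_info in = {0};
    for (unsigned i = 0; i < 4; i++) {
        if (dr7 & (3u << (2 * i)))          /* L(i) is bit 2i, G(i) is bit 2i+1 */
            in.enabled_mask |= 1u << i;
        in.rw[i]  = (dr7 >> (16 + 4 * i)) & 3;
        in.len[i] = len_tab[(dr7 >> (18 + 4 * i)) & 3];
    }
    in.le = !!(dr7 & DR7_LE);
    in.ge = !!(dr7 & DR7_GE);
    return in;
}

/* The three states the text distinguishes, in the order a protector tests them. */
const char *dr7_classify(uint32_t dr7)
{
    dr7_info in = dr7_decode(dr7);
    if (in.enabled_mask) return "hardware breakpoint(s) set (BPM)";
    if (in.le && in.ge)  return "LE/GE set: loaded via SoftICE loader";
    return "clean (reserved bit 10 only)";
}

/* List active slots the way SoftICE's BPM list would; returns the slot count. */
int dr_report(uint32_t dr7, const uint32_t addr[4])
{
    static const char *kind[] = { "exec", "write", "io", "rw" };
    dr7_info in = dr7_decode(dr7);
    int n = 0;
    for (unsigned i = 0; i < 4; i++) {
        if (!(in.enabled_mask & (1u << i))) continue;
        printf("dr%u: BPM %s at %08x, %u byte(s)\n", i, kind[in.rw[i]], addr[i], in.len[i]);
        n++;
    }
    printf("dr7=%08x: %s\n", dr7, dr7_classify(dr7));
    return n;
}

/* Constructed state: dr0 = 4-byte read/write BPM, loaded via the SoftICE loader
 * (0x700), so dr7 = 0x700 | L0 | RW0=11 | LEN0=11 = 0x000F0701. Returns 1. */
int demo_bpm_report(void)
{
    const uint32_t dr[4] = { 0x00401000u, 0, 0, 0 };
    return dr_report(0x000F0701u, dr);
}
```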
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected
__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>