About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' - BoundsChecker signature
    mov     ax, 04h                ; BCHK interface function 4
    int     3                      ; SoftICE intercepts this if loaded
    cmp     al,4                   ; AL is no longer 4 once SoftICE answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints, or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point").

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 when the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 when the VxD is not loaded
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; es must be 0 (IVT segment) here, as set up in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; the dummy handler only IRETs, so ax==0F386h
    jz      SoftICE_detected        ; means a system debugger answered instead

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read an unpredictable byte from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; if our handler ran, CL == AL;
    jnz     SoftICE_detected        ; otherwise SoftICE swallowed the int

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name the SoftICE VxD answers to */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      /* the open succeeded, so the driver is loaded */
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
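An added example, not part of the original post and not code from any tool it names: a small Python scanner that turns the instruction sequences and strings quoted in Methods 01 to 13 into byte signatures and reports where they occur in a file image. This is the analyst's side of the tricks above: knowing which checks a sample contains before stepping into them under a debugger. The opcode encodings are this example's own assumption of the standard x86 forms of the instructions shown; the signatures follow the operand order listed on the page (plus either order of the Method 02 magic values), and the 16-bit sequences also match inside 32-bit code because a 66h operand-size prefix sits before the matched bytes. The SAMPLE buffer is constructed by hand from the Haspinst.exe fragment and a few other stubs, not taken from a real file.

```python
"""Static triage of the anti-SoftICE tricks described in this post.

Added example (not the post's own code). It encodes the quoted instruction
sequences and driver/registry strings as byte regexes and reports every
offset at which one occurs. Opcode encodings are this example's assumption
of the standard x86 forms; a packer that builds the registers differently
will not match and needs its own signature.
"""
import re
from typing import List, Tuple

# (signature id, regex over raw bytes). Short gaps are allowed where another
# instruction may sit between the ones quoted on the page.
SIGNATURES: List[Tuple[str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01_bchk", rb"\xBD\x4B\x48\x43\x42[\x00-\xFF]{0,8}?\xCC"),
    # Method 02: mov si,4647h and mov di,4A4Dh (SoftICE back door magic
    # values) in either order, as in the Haspinst.exe listing
    ("M02_backdoor_magic",
     rb"\xBE\x47\x46[\x00-\xFF]{0,6}?\xBF\x4D\x4A"
     rb"|\xBF\x4D\x4A[\x00-\xFF]{0,6}?\xBE\x47\x46"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("M03_M04_int2f_1684",
     rb"\xB8\x84\x16[\x00-\xFF]{0,8}?\xBB(?:\x02\x02|\x5F\x7A)"
     rb"[\x00-\xFF]{0,8}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("M05_int41_4f", rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    ("M07_int68_43", rb"\xB4\x43\xCD\x68"),
    # Method 11 (MeltICE): the driver names passed to CreateFileA / _lopen
    ("M11_meltice_device", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah ahead of the VxDCall
    ("M12_vxdcall_int41",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    # Method 13: registry keys that reveal a SoftICE installation
    ("M13_registry",
     rb"(?:NuMega|Uninstall)\\SoftICE|App Paths\\Loader32\.Exe"),
]
_COMPILED = [(sid, re.compile(pat)) for sid, pat in SIGNATURES]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature id) for every match in buf, sorted by offset."""
    hits = []
    for sid, rx in _COMPILED:
        for m in rx.finditer(buf):
            hits.append((m.start(), sid))
    return sorted(hits)


# Constructed sample image (not a real file): the Haspinst.exe fragment from
# Method 02 assembled by hand, an int 41h/4Fh check, and two MeltICE names.
SAMPLE = (
    b"\x90" * 4                                # padding, offsets 0-3
    + b"\xB8\x11\x09"                          # mov ax,0911h   (offset 4)
    + b"\x8B\x17"                              # mov dx,[bx]
    + b"\xBE\x47\x46"                          # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"                          # mov di,4A4Dh
    + b"\xCC"                                  # int 3
    + b"\x90" * 3                              # padding
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"      # mov ax,4Fh ; int 41h ; cmp ax,0F386h (offset 19)
    + b"\x00\x00"
    + b"\\\\.\\SICE\x00"                        # offset 29
    + b"\\\\.\\NTICE\x00"                       # offset 38
)


if __name__ == "__main__":
    for offset, sid in scan(SAMPLE):
        print(f"{offset:#06x}  {sid}")
```

Run as a script it lists the four hits in SAMPLE; feeding it the bytes of a real file (open(path, "rb").read()) works the same way. The gap windows are kept short on purpose: a lone 4647h or 1684h constant elsewhere in a binary is common, and only the combination of the quoted instructions within a few bytes is worth reporting.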