About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
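To make the DR7 values quoted above concrete, here is an added example that is not part of the original text: it decodes the register the way a protection reading it in ring0 has to, using the documented Intel bit layout (L0..G3 enable bits in bits 0-7, LE/GE "exact" bits 8 and 9, GD in bit 13, R/W and LEN fields from bit 16 upwards). The two values 0x700 and 0x400 are the ones the text gives; the `encode_dr7` helper and the breakpoint entries fed to it are constructed for the illustration.

```python
# Added example: decode/encode the x86 DR7 debug-control register so the
# 0x700 vs 0x400 difference and the 'memory breakpoints set' check of
# Method 10 can be read bit by bit. Bit layout follows the Intel SDM
# (Debug Registers); helper names and sample entries are constructed.

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}          # LENn field encoding
LEN_CODES = {v: k for k, v in LEN_BYTES.items()}

LE_BIT, GE_BIT, RESERVED1_BIT, GD_BIT = 8, 9, 10, 13


def decode_dr7(dr7: int) -> dict:
    """Return the hardware breakpoints DR7 enables plus its control bits."""
    breakpoints = []
    for i in range(4):
        local_enabled = (dr7 >> (2 * i)) & 1
        global_enabled = (dr7 >> (2 * i + 1)) & 1
        if not (local_enabled or global_enabled):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: what kind of access
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: how many bytes
        breakpoints.append({
            "reg": f"dr{i}",
            "scope": "global" if global_enabled else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "exact_local": bool((dr7 >> LE_BIT) & 1),
        "exact_global": bool((dr7 >> GE_BIT) & 1),
        # GD: the CPU raises #DB on any mov to/from a debug register
        "general_detect": bool((dr7 >> GD_BIT) & 1),
    }


def encode_dr7(entries, exact=False) -> int:
    """Build a DR7 from (index, is_global, rw_code, length_bytes) tuples.

    Bit 10 is always set because it reads as 1 on real CPUs (the 0x400
    baseline quoted in the text); exact=True adds LE|GE (0x300), which
    gives the 0x700 the text attributes to SoftICE's loader.
    """
    dr7 = 1 << RESERVED1_BIT
    if exact:
        dr7 |= (1 << LE_BIT) | (1 << GE_BIT)
    for idx, is_global, rw_code, length in entries:
        dr7 |= 1 << (2 * idx + (1 if is_global else 0))
        dr7 |= rw_code << (16 + 4 * idx)
        dr7 |= LEN_CODES[length] << (18 + 4 * idx)
    return dr7


def has_memory_breakpoints(dr7: int) -> bool:
    """Second check of Method 10: is any of DR0..DR3 enabled (BPM set)?"""
    return bool(dr7 & 0xFF)


def exact_bits_set(dr7: int) -> bool:
    """First check of Method 10: 0x700 (LE and GE set) vs 0x400 (clear)."""
    return ((dr7 >> LE_BIT) & 3) == 3


if __name__ == "__main__":
    # Constructed: a global 4-byte read/write BPM on dr0 and a local
    # 1-byte write BPM on dr2, on a system whose loader set LE|GE.
    sample = encode_dr7([(0, True, 3, 4), (2, False, 1, 1)], exact=True)
    for value in (0x400, 0x700, sample):
        print(hex(value), decode_dr7(value))
```

The GD bit is included in the decode on purpose: it is the hardware's own answer to this trick, since with GD set any access to a debug register raises a debug exception before it completes, which lets a debugger notice the read rather than just suffer it.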

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
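As a practical companion to the list above, here is an added example that is not from the original article: a static scan of a binary for the byte patterns the methods leave behind, the kind of triage an analyst runs on a sample before loading it under a debugger. The instruction encodings are the standard x86 ones for the instructions quoted in the text (for instance `mov ebp,4243484Bh` is `BD 4B 48 43 42`, `mov si,4647h` is `BE 47 46`), the device names and registry keys are the ones the text lists, and the `SAMPLE` blob, the `scan`/`scan_file` names and the tag names (M01, M02, ...) are constructed here for the demonstration. It goes a little beyond the text by also matching the UTF-16LE form of the strings, which is how Win32 programs often store them.

```python
import re

# Added example: static signature scan for the anti-SoftICE tricks listed
# above. Code patterns are standard x86 encodings of the page's
# instructions (little-endian immediates); '.{0,16}?' allows a few bytes
# between the set-up instruction and the int. Tags (M01...) are constructed.
CODE_SIGNATURES = [
    ("M01", "mov ebp,4243484Bh ('BCHK') BoundsChecker int 3 probe",
     rb"\xBD\x4B\x48\x43\x42"),
    ("M02", "SoftICE int 3 back door magic values SI=4647h, DI=4A4Dh",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,16}?\xBE\x47\x46"),
    ("M03", "int 2Fh/1684h entry point of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xBB(?:\x02\x02|\x5F\x7A).{0,16}?\xCD\x2F"),
    ("M05", "int 41h function 4Fh debugger check",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("M07", "int 68h function 43h WinICE handler check",
     rb"\xB4\x43.{0,16}?\xCD\x68"),
    ("M12", "VxDCall VWIN32_Int41Dispatch (push 4Fh; push 002A002Ah)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

DEVICE_NAMES = ["SICE", "SIWVID", "NTICE"]               # Method 11
REGISTRY_KEYS = [                                        # Method 13
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
]
STRING_SIGNATURES = (
    [("M11", "device name " + "\\\\.\\" + n, "\\\\.\\" + n) for n in DEVICE_NAMES]
    + [("M13", "registry key " + k, k) for k in REGISTRY_KEYS]
)


def compile_signatures():
    """Compile code patterns as-is, string patterns in ASCII and UTF-16LE."""
    compiled = [(tag, desc, re.compile(pat, re.DOTALL))
                for tag, desc, pat in CODE_SIGNATURES]
    for tag, desc, text in STRING_SIGNATURES:
        for enc in ("ascii", "utf-16-le"):
            compiled.append((tag, f"{desc} [{enc}]",
                             re.compile(re.escape(text.encode(enc)))))
    return compiled


COMPILED = compile_signatures()


def scan(blob: bytes):
    """Return sorted (offset, tag, description) triples for every hit."""
    hits = []
    for tag, desc, pat in COMPILED:
        for m in pat.finditer(blob):
            hits.append((m.start(), tag, desc))
    return sorted(hits)


def scan_file(path: str):
    """Scan a file on disk; use this on a real sample."""
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed sample: hand-assembled fragments of Methods 01, 02 and 05 plus
# the strings of Methods 11 and 13, padded with NOPs (0x90).
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh   (offset 8)
    + b"\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"              # mov ax,0911h
    + b"\xBE\x47\x46"              # mov si,4647h        (offset 28)
    + b"\xBF\x4D\x4A"              # mov di,4A4Dh
    + b"\xCC"                      # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00"              # mov ax,4Fh          (offset 39)
    + b"\xCD\x41"                  # int 41h
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x74\x00"                  # jz SoftICE_detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                   # (offset 53)
    + "\\\\.\\NTICE".encode("utf-16-le") + b"\x00\x00"      # (offset 62)
    + b"Software\\NuMega\\SoftICE\x00"                       # (offset 82)
)

if __name__ == "__main__":
    for offset, tag, desc in scan(SAMPLE):
        print(f"{offset:#06x}  {tag}  {desc}")
```

Treat a hit as a reason to look closer, not a verdict, and treat no hit as no information: a protection that computes the magic values at run time, or reads DR7 directly (Methods 09, 10 and 14 leave nothing byte-searchable), will not show up in a scan like this, which is exactly why the conditional breakpoints the article lists remain the more reliable check.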