About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only reached if nobody intercepted int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; al = timer counter byte (unpredictable value)
    xor     cx,cx
    int     41h             ; our handler copies al into cl
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; a debugger hooking int 41h leaves cl = 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
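An analyst looking at a protected sample usually wants to know which of these tricks it carries before stepping into it. The following Python scanner is an added example, not part of the original text nor of any tool it names: it turns the listings above (methods 01 to 05, 07, 11, 12 and 13) into byte signatures and reports where they occur in a raw code image. The instruction encodings, the gap allowances between key instructions and the constructed sample bytes are my own assumptions.

```python
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    method: str   # method number as used on this page
    name: str     # what the matched bytes are
    offset: int   # byte offset of the match in the image


# Allows a few unrelated bytes or instructions between the key instructions.
_GAP = rb".{0,16}?"

# Byte regexes derived from the listings on this page (my encodings, not the
# page's). Encodings are for 16-bit code; the optional 66h operand-size prefix
# covers the 32-bit form of the two moves in method 01. Immediates are LE.
SIGNATURES = [
    ("01", "mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42" + _GAP
     + rb"(?:\x66)?\xB8\x04\x00" + _GAP + rb"\xCC"),
    ("02", "back door magic values: mov si,4647h / mov di,4A4Dh",
     rb"\xBE\x47\x46" + _GAP + rb"\xBF\x4D\x4A"),
    ("03/04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     rb"\xB8\x84\x16" + _GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + _GAP + rb"\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger installation check",
     rb"\xB8\x4F\x00" + _GAP + rb"\xCD\x41"),
    ("07", "int 68h function 43h (V86 WinICE handler check)",
     rb"\xB4\x43" + _GAP + rb"\xCD\x68"),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00"),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
    ("13", "registry key Software\\NuMega\\SoftICE",
     re.escape(b"Software\\NuMega\\SoftICE")),
]


def scan(image: bytes) -> List[Hit]:
    """Return every signature match in a raw code/data image, sorted by offset."""
    hits = [Hit(method, name, m.start())
            for method, name, pattern in SIGNATURES
            for m in re.finditer(pattern, image, re.DOTALL)]
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample image (not taken from any real file): the page's method 05
# and method 12 sequences, a MeltICE device name and the method 13 key, with
# NOP filler between them.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41"          # mov ax,4Fh / int 41h
    + b"\x3D\x86\xF3\x74\x10"          # cmp ax,0F386h / jz SoftICE_detected
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh / push 002A002Ah
    + b"\xFF\x15\x00\x00\x00\x00"      # call [Kernel32!ORD_0001]
    + b"\x66\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"               # '\\.\SICE',0
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"offset {h.offset:#06x}  method {h.method:<5} {h.name}")
```

Run it over a dumped code section rather than the packed file on disk, since most packers only reveal these sequences once the unpacking stub has run.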
</PRE></TD></TR></TBODY></TABLE>