About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: the program
executes int 3 with EBP = 'BCHK' (4243484Bh) and AX = 4. If SoftICE is
loaded, its int 3 handler recognises the signature and answers by
changing AL; if AL is still 4 afterwards, no SoftICE is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
SoftICE's 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE, or to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE (read as ASCII, 46h 47h 4Ah
4Dh spell 'FGJM').
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for SoftICE's VxD via int 2Fh/1684h (Get Device
API Entry Point): if a VxD with the requested ID is installed, ES:DI
receives its API entry point, otherwise ES:DI stays 0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method except that it looks for the ID of
SoftICE's GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h that every system debugger
returns (in AX) when int 41h, function 4Fh, is called (the debugger
installation check). There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next snippet, as well as the one in Method 06, are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net). This one temporarily swaps the
int 41h vector in the interrupt vector table (ES must point to segment 0,
as Method 06 sets explicitly) for a do-nothing IRET handler before issuing
the call, so nothing in the real-mode vector chain can answer: only a
debugger that intercepts int 41h ahead of the vector table can put 0F386h
into AX.

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A 2nd method similar to the preceding one but harder to detect: the
program installs its own int 41h handler, which merely copies AL into CL,
then reads the timer port (in al,40h) to get an unpredictable value, zeroes
CX and issues int 41h. Without a debugger the program's handler runs and
CL ends up equal to AL; if a debugger intercepts int 41h and does not pass
the call down to the real-mode vector, CL keeps its value 0 and the
comparison fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode): the debugger
installation check of int 68h, function 43h, which returns the same
0F386h magic.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client
   eip at [ebp+48h] for 32-bit apps)
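Methods 01 to 07 all hinge on fixed immediates (the 'BCHK' and 'FGJM'
magics, the 1684h query with the 0202h/7A5Fh VxD IDs, the 4Fh/43h debugger
checks and the 0F386h reply), so a reverser can locate them statically
instead of waiting for SoftICE to trip over them. The scanner below is an
added example written for this page (it is not part of the original text,
nor of any tool it mentions): it encodes each trick's 16-bit immediates as
bytes, requires the companion instructions within a small window so that
instruction order does not matter, and runs over hand-assembled samples
built from the listings above. Rule names, the window size and the samples
are my own choices.

```python
from typing import List, Tuple

# Each rule: name, anchor byte sequence, other sequences that must appear
# within WINDOW bytes on either side of the anchor. The immediates are the
# same in 16-bit and 32-bit code (only an operand-size prefix would differ),
# so searching for them works for both DOS and Win9x targets.
RULES = [
    # Method 01: mov ebp,4243484Bh ('BCHK', stored little-endian) ... int 3
    ("Method 01 - BCHK int 3", b"\x4B\x48\x43\x42", [b"\xCC"]),
    # Method 02: mov si,4647h / mov di,4A4Dh ('FGJM') ... int 3
    ("Method 02 - FGJM back door", b"\xBE\x47\x46", [b"\xBF\x4D\x4A", b"\xCC"]),
    # Method 03: mov ax,1684h / mov bx,0202h (SICE) / int 2Fh
    ("Method 03 - int 2F/1684 SICE", b"\xBB\x02\x02", [b"\xB8\x84\x16", b"\xCD\x2F"]),
    # Method 04: mov ax,1684h / mov bx,7A5Fh (SIWVID) / int 2Fh
    ("Method 04 - int 2F/1684 SIWVID", b"\xBB\x5F\x7A", [b"\xB8\x84\x16", b"\xCD\x2F"]),
    # Method 05: mov ax,4Fh / int 41h
    ("Method 05 - int 41/4F", b"\xCD\x41", [b"\xB8\x4F\x00"]),
    # Method 07: mov ah,43h / int 68h
    ("Method 07 - int 68/43", b"\xCD\x68", [b"\xB4\x43"]),
    # Methods 05, 07 and 12 all end with cmp ax,0F386h
    ("F386 magic compare", b"\x3D\x86\xF3", []),
]
WINDOW = 16


def scan(code: bytes, window: int = WINDOW) -> List[Tuple[int, str]]:
    """Return sorted (offset, rule name) hits: every anchor occurrence whose
    companion sequences all appear within `window` bytes of it."""
    hits = []
    for name, anchor, others in RULES:
        start = 0
        while (pos := code.find(anchor, start)) != -1:
            region = code[max(0, pos - window): pos + len(anchor) + window]
            if all(seq in region for seq in others):
                hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def magic_to_ascii(value: int, width: int) -> str:
    """The SoftICE magics are ASCII tags: 4243484Bh -> 'BCHK', 4647h -> 'FG',
    4A4Dh -> 'JM'."""
    return value.to_bytes(width, "big").decode("ascii")


# Constructed samples, hand-assembled from the listings in Methods 01-07
# (not bytes taken from any real binary).
SAMPLE_METHOD01 = bytes.fromhex(
    "66BD4B484342"  # mov ebp,4243484Bh  (66h prefix: 32-bit operand in 16-bit code)
    "B80400"        # mov ax,4
    "CC"            # int 3
    "3C04"          # cmp al,4
    "7505"          # jnz SoftICE_Detected
)
SAMPLE_HASPINST = bytes.fromhex(
    "B81109"  # mov ax,0911h  (execute command)
    "8B17"    # mov dx,[bx]
    "BE4746"  # mov si,4647h
    "BF4D4A"  # mov di,4A4Dh
    "CC"      # int 3
    "83C302"  # add bx,2
    "41"      # inc cx
)
SAMPLE_METHOD03 = bytes.fromhex(
    "31FF"    # xor di,di
    "8EC7"    # mov es,di
    "B88416"  # mov ax,1684h
    "BB0202"  # mov bx,0202h  (SICE VxD ID)
    "CD2F"    # int 2Fh
    "8CC0"    # mov ax,es
    "03C7"    # add ax,di
    "85C0"    # test ax,ax
    "7503"    # jnz SoftICE_Detected
)
SAMPLE_METHOD05 = bytes.fromhex("B84F00" "CD41" "3D86F3" "7403")  # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
SAMPLE_METHOD07 = bytes.fromhex("B443" "CD68" "3D86F3" "7403")    # mov ah,43h / int 68h / cmp ax,0F386h / jz
SAMPLE_BENIGN = bytes.fromhex("B8004C" "CD21")                     # mov ax,4C00h / int 21h (DOS exit)

if __name__ == "__main__":
    for label, sample in [("method01", SAMPLE_METHOD01), ("haspinst", SAMPLE_HASPINST),
                          ("method03", SAMPLE_METHOD03), ("method05", SAMPLE_METHOD05),
                          ("method07", SAMPLE_METHOD07), ("benign", SAMPLE_BENIGN)]:
        print(label, scan(sample))
    print(magic_to_ascii(0x4243484B, 4), magic_to_ascii(0x4647, 2) + magic_to_ascii(0x4A4D, 2))
```

Run it on a whole file (`scan(open(path, "rb").read())`) to get candidate
offsets to inspect in a disassembler; the window keeps the rules tolerant
of reordered or interleaved instructions at the cost of occasional false
positives, so treat a hit as a lead, not a verdict. The string-based
tricks of Methods 11 and 13 are deliberately not covered here.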
__________________________________________________________________________


Method 08
=========

This is not a SoftICE detection method but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It uses int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (which hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but can only be
performed in ring 0 (from a VxD, or from a ring-3 app through VxdCall).
The Get_DDB service determines whether a VxD with the specified device ID
is installed and returns its Device Description Block (in ecx) if it is.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace
   with SoftICE while the option is enabled!!

This trick is very efficient:
by reading the debug registers (ring 0 only) you can detect whether SoftICE
is loaded (dr7=0x700 if you loaded the program with the SoftICE loader,
0x400 otherwise: the extra bits are LE and GE, bits 8 and 9, while bit 10
is a reserved bit that always reads as 1) and whether memory breakpoints
are set, since their addresses live in dr0 to dr3. The values can be
manipulated or changed as well (clearing BPMs for instance).
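The 0x700 versus 0x400 remark is easier to see with DR7 decoded bit by
bit. The following is an added example, not part of the original text: it
splits DR7 into its fields using the layout from the Intel manuals (local
and global enables in bits 0-7, LE/GE in bits 8-9, the always-set reserved
bit 10, GD in bit 13, condition and length pairs from bit 16 up), lists the
breakpoints that DR7 actually enables in DR0-DR3, and applies the page's
loader heuristic. The register values used are constructed, and the
function names are mine.

```python
from typing import Dict, List, Tuple

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "rw"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn=10b means 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> Dict[str, int]:
    """Split DR7 into its named fields (Intel SDM layout)."""
    fields: Dict[str, int] = {}
    for n in range(4):
        fields[f"L{n}"] = (dr7 >> (2 * n)) & 1         # local enable: bits 0,2,4,6
        fields[f"G{n}"] = (dr7 >> (2 * n + 1)) & 1     # global enable: bits 1,3,5,7
        fields[f"RW{n}"] = (dr7 >> (16 + 4 * n)) & 3   # condition: bits 16-17, 20-21, ...
        fields[f"LEN{n}"] = (dr7 >> (18 + 4 * n)) & 3  # length: bits 18-19, 22-23, ...
    fields["LE"] = (dr7 >> 8) & 1            # local exact breakpoint enable
    fields["GE"] = (dr7 >> 9) & 1            # global exact breakpoint enable
    fields["RESERVED10"] = (dr7 >> 10) & 1   # reserved, always reads as 1
    fields["GD"] = (dr7 >> 13) & 1           # general detect (traps MOV DRn)
    return fields


def enabled_breakpoints(dr7: int, dr0_3: List[int]) -> List[Tuple[int, int, str, int]]:
    """Return (index, address, condition, length) for each DRn that DR7 enables;
    this is what a ring-0 read of dr0..dr3 reveals about BPMs."""
    f = decode_dr7(dr7)
    out = []
    for n, addr in enumerate(dr0_3[:4]):
        if f[f"L{n}"] or f[f"G{n}"]:
            out.append((n, addr, RW_NAMES[f[f"RW{n}"]], LEN_BYTES[f[f"LEN{n}"]]))
    return out


def looks_like_softice_loader(dr7: int) -> bool:
    """The page's heuristic: LE and GE both set (0x700) means the program was
    started under the SoftICE loader; 0x400 is only the reserved bit."""
    f = decode_dr7(dr7)
    return bool(f["LE"] and f["GE"])


# Constructed register snapshots (not captured from a real machine).
DR7_PLAIN = 0x400      # nothing enabled, reserved bit 10 reads as 1
DR7_LOADER = 0x700     # LE + GE set on top of the reserved bit
# loader value plus L0 (rw, 4 bytes) and G1 (exec, 1 byte):
DR7_WITH_BPM = DR7_LOADER | (1 << 0) | (3 << 16) | (3 << 18) | (1 << 3)
DR0_3 = [0x401000, 0x401234, 0, 0]

if __name__ == "__main__":
    for name, value in [("plain", DR7_PLAIN), ("loader", DR7_LOADER), ("bpm", DR7_WITH_BPM)]:
        f = decode_dr7(value)
        print(f"{name}: dr7={value:#x} LE={f['LE']} GE={f['GE']} bit10={f['RESERVED10']}",
              "loader?", looks_like_softice_loader(value),
              "breakpoints:", enabled_breakpoints(value, DR0_3))
```

The heuristic only sees what the loader left in DR7; a debugger that
clears LE/GE, or a program that was not started through the loader, looks
the same as a clean machine, which is why the text also reads DR0-DR3
directly for BPMs.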

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However it was first used by NuMega's people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open a handle to the SoftICE drivers (SICE, SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API; the open only succeeds when the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE VxD answers the device open. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be able
to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA, control goes through VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001, the VxDCall
function), and then walks the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  next four characters of the device name are compared)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jnz test):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but much more limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall backdoor. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which read the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it (esp->8 is the lpSubKey argument; offsets
0x13 and 0x37 are where the "tICE" of "SoftICE" sits in subkey #2 and in
subkey #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>