About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

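To make the two DR7 values quoted above readable field by field, here is an added example (not part of the original post) that decodes a DR7 value into its per-slot enable bits and the LE/GE/GD flags; the bit layout is the documented Intel DR7 format and the sample values are constructed.

```python
"""DR7 decoder for the Method 10 debug-register check.

Added example, not from the original post.  0x700 = LE + GE + the
always-set reserved bit 10; 0x400 = only the reserved bit, no slot armed.
"""
from typing import Dict, List, Union

# R/W and LEN field encodings of each DR7 breakpoint slot.
RW_KIND = {0b00: "exec", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> Dict[str, Union[bool, List[dict]]]:
    """Return the armed breakpoint slots (dr0..dr3) and the global flags."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)        # Ln bit
        glob = bool(dr7 >> (2 * n + 1) & 1)     # Gn bit
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 0b11   # R/Wn field
            ln = (dr7 >> (18 + 4 * n)) & 0b11   # LENn field
            slots.append({"slot": n, "local": local, "global": glob,
                          "kind": RW_KIND[rw], "len": LEN_BYTES[ln]})
    return {
        "slots": slots,
        "le": bool(dr7 >> 8 & 1),              # local exact breakpoint enable
        "ge": bool(dr7 >> 9 & 1),              # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally reads as 1
        "gd": bool(dr7 >> 13 & 1),             # general detect (trap on DR access)
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """Method 10's heuristic as stated above: LE and GE set, no slot armed."""
    d = decode_dr7(dr7)
    return bool(d["le"] and d["ge"] and not d["slots"])


# Constructed sample values: the two quoted DR7 states plus one armed BPM
# (dr0, global, read/write, 4 bytes) on top of the 0x400 baseline.
SAMPLE_DR7 = {"loader": 0x700, "plain": 0x400, "bpm_dr0": 0xF0402}

if __name__ == "__main__":
    for label, value in SAMPLE_DR7.items():
        print(f"{label}: {value:#x} -> {decode_dr7(value)}")
```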
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name succeeds only if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

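The breakpoints listed for the methods above catch the tricks at run time; for static triage of a sample, here is an added example (not part of the original post) that scans a raw code buffer for the opcode sequences of Methods 01, 02, 03/04, 05, 07, 11 and 12 and reports each hit's offset. The byte encodings are my assumptions from the listings (16-bit encoding for the DOS snippets, 32-bit for Methods 01 and 12), and the sample buffer is constructed.

```python
"""Static triage scanner for the anti-SoftICE sequences of Methods 01-12.

Added example, not from the original post.  Obfuscated or split sequences
will not match, so a clean scan is not proof of absence.
"""
import re
from typing import Dict, List, Tuple

SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    # Method 01: mov ebp, 4243484Bh ('BCHK')  -> BD imm32 (32-bit code)
    "M01 BoundsChecker 'BCHK'": re.compile(rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3 (optional 66h prefixes)
    "M02 int 3 back door SI=4647h/DI=4A4Dh":
        re.compile(rb"\x66?\xBE\x47\x46\x66?\xBF\x4D\x4A(?:\xCC|\xCD\x03)"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "M03/04 int 2Fh/1684h VxD ID SICE/SIWVID":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
    # Method 05: mov ax,4Fh ; int 41h
    "M05 int 41h/4Fh": re.compile(rb"\xB8\x4F\x00\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h
    "M07 int 68h/43h": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: device names handed to CreateFileA / _lopen
    "M11 MeltICE device name": re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "M12 VxDCall VWIN32_Int41Dispatch 4Fh":
        re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
}


def scan(code: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every match, ordered by offset."""
    hits = [(name, m.start())
            for name, pat in SIGNATURES.items() for m in pat.finditer(code)]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: filler around the HASP loop core (Method 02), the
# simplest int 41h check (Method 05) and a MeltICE device string (Method 11).
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"            # mov ax,0911h
    + b"\xBE\x47\x46"            # mov si,4647h          (offset 7)
    + b"\xBF\x4D\x4A"            # mov di,4A4Dh
    + b"\xCD\x03"                # int 3
    + b"\x90" * 3
    + b"\xB8\x4F\x00\xCD\x41"    # mov ax,4Fh ; int 41h  (offset 18)
    + b"\x3D\x86\xF3"            # cmp ax,0F386h
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00"         # '\\.\SICE',0          (offset 29)
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```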
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>