About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker interface magic)
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al is changed if SoftICE answered the BCHK interface
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di           ; es:di = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if the VxD is absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]       ; assumes es = 0, so es:[41h*4] is the int 41h IVT entry (see Method 06)
    xchg    bx, es:[41h*4+2]     ; install our handler, old vector is kept in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                         ; our handler does nothing: ax stays 4fh unless a debugger replied
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A second method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]       ; install our handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h              ; unpredictable value (timer counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]       ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                ; if SoftICE intercepted int 41h, our handler never ran and cl is still 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name succeeds only if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
9 }3 T9 ~; _3 y# A+ y9 V% [</PRE></TD></TR></TBODY></TABLE>