找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>0 T$ F9 O; R( D! U; c  a
<TBODY>' r+ j7 z+ ^' n
<TR>
' V* v5 {0 t' D4 w% m! D! Q<TD><PRE>Method 01
) c: l- N3 [% `- s5 e9 K3 _5 v) b8 L=========- {; A: ?: R6 P! z  t# M0 ]; j

( X1 n! F# s5 ~/ j9 CThis method of detection of SoftICE (as well as the following one) is* y6 x" a! a% ^6 f' J( X, h) B) y; [; u
used by the majority of packers/encryptors found on Internet.
0 p/ W( C0 ~" ~+ bIt seeks the signature of BoundsChecker in SoftICE8 {6 g) S( l; z. P& Q

3 {" |2 C5 }, U. L* b6 O    mov     ebp, 04243484Bh        ; 'BCHK'. e. f7 \% H8 l% v+ R! w5 g
    mov     ax, 04h
/ g0 t3 `+ {. P1 ]    int     3      
* w( s9 \  P0 k( L8 ?    cmp     al,45 x% Q3 {: y" _& b- ~
    jnz     SoftICE_Detected' F+ L* E' G" I7 `! y! v

$ I+ I: \5 D+ H6 M8 s+ t___________________________________________________________________________
( f( i) q6 Z  u* R9 h
' l% w' k) r3 Y; e) ~5 ~Method 02
. s3 p" J7 i6 L8 X$ e0 u: S6 s( T=========
$ d( u  ]& v5 [" ~# x: f% V- r) ^0 Y7 o6 J9 m# m
Still a method very much used (perhaps the most frequent one).  It is used
! }% c3 U, I/ }3 X  y5 P4 }: }: ~to get SoftICE 'Back Door commands' which gives infos on Breakpoints,! w- a( v; T) k
or execute SoftICE commands...
0 \5 L% g" W$ b* Z% E$ m) jIt is also used to crash SoftICE and to force it to execute any commands
: e! W/ j9 F5 g. y(HBOOT...) :-((  ( C. \2 k/ y+ L( n2 |1 ?6 M
3 x4 k. X! B- D! X8 L7 O9 @# K
Here is a quick description:- d, J- b6 l1 }. m7 a
-AX = 0910h   (Display string in SIce windows)0 h( |& ^7 o$ _8 E9 g3 y" v
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx): G/ A0 l& }) G
-AX = 0912h   (Get breakpoint infos)
* j4 G* H+ n/ }& b- \- z$ R-AX = 0913h   (Set Sice breakpoints)
0 P9 f' o- Y. o0 j% i6 z$ \-AX = 0914h   (Remove SIce breakoints)
! J2 [* a7 S  c$ w/ v" H9 q; W' c' d0 J% T
Each time you'll meet this trick, you'll see:
; n9 j' j+ `0 X( k, ~5 F  ~: B-SI = 4647h/ G. m, o/ _6 `. C5 J& Y
-DI = 4A4Dh: B  h7 j6 a- a* \* k
Which are the 'magic values' used by SoftIce.8 P4 F6 N% G6 c1 |- a! u5 p
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
  p/ G& A1 g$ v$ W* p/ D; o+ m
0 G/ j% t1 w7 Z) d+ THere is one example from the file "Haspinst.exe" which is the dongle HASP7 K0 r- }  T' O  V, Z  i+ \
Envelope utility use to protect DOS applications:: G  O) J$ ^# p) }* K

* X, Y( `& @( D! H7 N
  `# I9 a* p5 `! ]4C19:0095   MOV    AX,0911  ; execute command.
1 f& ^- _5 L, N( ~9 L, Q2 t' o4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).% V$ Q6 X1 ~5 i* V
4C19:009A   MOV    SI,4647  ; 1st magic value.6 d1 E, ?0 @' Z- y/ F
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
* Z% O5 V' C& n* p4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)' i0 u5 `1 [# H7 ^- E7 Q4 |
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute9 Z' Z% z7 s4 Z( P( i
4C19:00A4   INC    CX
7 _5 Y: V0 X; L* H5 {4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute3 \0 l  f  k* }6 G  G9 o. j8 E
4C19:00A8   JB     0095     ; 6 different commands.
* e8 \9 F, _" L) Q8 ]5 t) S, Z4C19:00AA   JMP    0002     ; Bad_Guy jmp back.1 }& ?: L0 B1 l) \$ f6 w* o- x
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
4 M8 _' d$ N' `( G! C, K( U5 e* }0 p
0 d3 N9 ?. |( r4 E' VThe program will execute 6 different SIce commands located at ds:dx, which  Q2 y4 d/ v2 k  G1 s
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.+ b8 C0 E8 ^/ J; n

9 v/ p- H: @6 o! [* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
. x" C# Q- P& }* N2 V5 d8 ~0 @___________________________________________________________________________
2 _1 o) t; j/ d( u4 |5 W% n- I& _5 [. t" Y/ \1 X) X
! a* W" L3 i8 y" P) x$ b; q" ~( q+ @7 r
Method 03
: g  p# e2 S; x" B1 ]=========
. ]: T) Y7 l8 B& x& @3 J/ O# W
" G7 e; A  L2 t# f$ W# d/ E9 j/ ~7 tLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
+ K9 x3 c, k$ b& f(API Get entry point)
1 k7 C( d  K2 O( z( y9 D6 A  ]        ' }7 \% R6 T4 G

8 w$ R# o, E. a$ J) o7 w    xor     di,di
" d- v5 p/ M7 `# e1 J# a/ G1 x# `    mov     es,di( D3 q( o+ K  U8 u
    mov     ax, 1684h      
7 e! {, r0 a2 t  y. [+ F    mov     bx, 0202h       ; VxD ID of winice
7 w, ]" q7 h0 n+ a6 Q* u% q) j    int     2Fh- L! R9 ]! \! a: N9 ^0 }6 C
    mov     ax, es          ; ES:DI -&gt; VxD API entry point( [0 _- k8 u0 b) }6 Q* p4 S  |
    add     ax, di- N9 q* J2 U1 h1 r  H2 Q) y
    test    ax,ax
) X, v* T" ^2 t6 _8 ^% g# c' X' Y( l! R    jnz     SoftICE_Detected
0 ?+ ~6 p1 x/ e; V$ C( H0 o$ U4 g  b' g5 ~, ~- A: q
___________________________________________________________________________
% `( f' B7 t8 a3 ^6 S0 |; L/ D, f1 \3 P
Method 049 z2 j2 K0 C$ L4 V+ X
=========: H2 @0 F5 A. H1 e' M  t+ @

# \! x- [4 g& Y4 z4 eMethod identical to the preceding one except that it seeks the ID of SoftICE- j% v3 @+ j( Y+ R
GFX VxD.
( d( p7 F0 ?% ?7 `& I) I* g! `1 H' R; O8 V
    xor     di,di) O, U' S' A( t; M
    mov     es,di
" |5 r+ v+ B% V7 b/ p  v    mov     ax, 1684h       0 }7 x& p+ y" v4 X& D* S
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
2 x/ N% E& s2 @* |    int     2fh
2 Z  I4 V& d# z- y/ M6 |    mov     ax, es          ; ES:DI -&gt; VxD API entry point
2 w3 e1 a9 r; S0 G; k6 a1 w    add     ax, di
0 i, q2 a! f1 }    test    ax,ax
* q( R4 o9 S4 i' ]3 L: U/ B    jnz     SoftICE_Detected1 M/ C, f" X3 r7 n: h/ G4 L% {
# i' O" t' B/ J
__________________________________________________________________________
) ]7 v% v4 Q2 @# f5 G- K( ]& y" N" c3 x; n" X

( ^4 e9 d. p: q8 R3 I, nMethod 05
5 b- \9 F% \( U2 h=========+ P! i" g; R$ u8 g0 L

: r* x/ k) H. h: ?8 XMethod seeking the 'magic number' 0F386h returned (in ax) by all system, u# f% z; g- @5 x$ q* ^) y
debugger. It calls the int 41h, function 4Fh., I1 V+ i6 b' K( E- ]
There are several alternatives.  ) ^/ ~6 [" E/ h" K" e0 ?5 a) N  T
6 h/ w0 W( ]' Z" P! h$ P
The following one is the simplest:  }( n6 S' z6 f
# r& s. _3 N! k& x; Y( S
    mov     ax,4fh& N) y! ?7 x" }( f) }% i0 Y
    int     41h% C) ?' V; D% n1 s4 s8 I
    cmp     ax, 0F386/ ~0 o0 g2 [: S7 _
    jz      SoftICE_detected+ u  b  L( ?& K" }1 P

# j) n1 U& t# _& S( x/ {  s+ p1 z0 N/ S$ {/ S5 N" T
Next method as well as the following one are 2 examples from Stone's
: g7 z2 W9 g6 z) f, U8 s"stn-wid.zip" (www.cracking.net):
: @0 m6 E1 _' B, H7 L5 W/ w# L
6 _& \3 ?! a3 a  c+ s    mov     bx, cs
1 U4 j; x# G0 |9 ?- A    lea     dx, int41handler2
5 h  K0 R8 H+ s8 T1 K    xchg    dx, es:[41h*4]$ G# _4 s+ u! D  L3 m( V
    xchg    bx, es:[41h*4+2]
4 w( m1 x! I$ W' s4 M, {& P    mov     ax,4fh
: S0 N/ @% |* E7 f8 g4 P! O; G    int     41h! R) b! w* q: B# U* f
    xchg    dx, es:[41h*4]
' Q; f7 e) b0 d$ o0 f! B5 p+ f  r5 r    xchg    bx, es:[41h*4+2]. o4 p9 ~0 j6 Y9 R% A5 A2 ^
    cmp     ax, 0f386h7 r  ^% _0 s) R: V* T8 t; d; s7 o
    jz      SoftICE_detected
1 F( a' R# c% U' \& j2 z1 U) J. N
' X. Y5 v7 C- V& @& F  O+ Rint41handler2 PROC
! l7 S, U' A* f* B    iret4 n# ?6 I: a8 M( ]. J
int41handler2 ENDP8 |9 [1 L( \( Z
! E5 d, e& b" ^) L% S  P

: u& a8 c  w- l8 t_________________________________________________________________________
- R, g! A* L; X4 F( j2 _7 w! ^3 b; C+ z  W  [) g; L6 s' _) m
0 p# k% [$ |0 t# _: V! l8 W3 S; \
Method 06
: N9 [8 J6 k7 T" Q=========6 \: M" M% k  ^7 s9 R; x

" [+ N! G+ ~! g' S; _. |% R7 q6 @8 N9 M# K% y3 }( [+ ~0 U
2nd method similar to the preceding one but more difficult to detect:$ y+ j" A3 K' L# E% t6 p
. @; t( q  C5 G5 e6 Y
" }: A" u. g9 J# E% t& ~
int41handler PROC
7 {7 e# f- D$ V* L7 q: I0 U    mov     cl,al1 ?  {0 X2 k+ y' s" @* ~& k; A& _
    iret- G$ t1 ]7 [( o9 x4 ]/ n3 [7 F/ x
int41handler ENDP/ @: M9 H& m# L: q" D* S7 D" G. u2 v
0 E) \4 N. }0 h! t1 L8 e; _7 {
5 u( P# k% f/ ~* r8 H
    xor     ax,ax& C9 M/ F3 E/ {" B8 a3 R5 ?
    mov     es,ax- C1 P( q+ ?% N
    mov     bx, cs
( @0 A/ _2 F7 Z8 }2 [    lea     dx, int41handler! e3 y' N' m* D- N' E
    xchg    dx, es:[41h*4]
0 L/ @" a: g1 O+ w* _0 O    xchg    bx, es:[41h*4+2]6 h) e" ]/ \. g5 l9 ?5 |
    in      al, 40h3 }- ?, o7 k/ y
    xor     cx,cx
$ ^0 U+ [% f) q3 Q7 o' I- h5 D    int     41h
8 F( k- g% o( g) u' O    xchg    dx, es:[41h*4]
# t$ F  |* N# N3 o7 i7 Y0 n    xchg    bx, es:[41h*4+2]; S" R# v6 `* C( I
    cmp     cl,al+ O2 F5 a! |& ?3 L5 n
    jnz     SoftICE_detected' T5 s/ c1 M8 k. z
* l& r1 R- X0 K/ ?3 }! C  }
_________________________________________________________________________. A5 _, n$ r8 U% `  s9 k" }

- `1 l) l  Q  I. p! b9 x7 {Method 07) m* _  h* S" y1 B
=========/ J0 n8 @+ D5 U# m
2 G) M: k8 K% B5 m  v( z" O
Method of detection of the WinICE handler in the int68h (V86)
, \, ?/ O) f" V7 k' t  V+ r; V4 a/ ?* `/ g, A3 @  N: t, L
    mov     ah,43h
. n& f* f; Y; Y4 V* `; S    int     68h
1 i# e; I4 W5 H5 J3 g$ o    cmp     ax,0F386h
# O4 s" S9 J2 V    jz      SoftICE_Detected" L6 ]# ~, i5 E

" S+ h% t  ~% b  M4 w/ w, F* j
' p, S$ Y4 [/ r; F=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit) a/ O" e0 p- |1 m
   app like this:# Z3 b+ b% k) b* A. U( N# [( J

2 t, {- K$ j6 V) }   BPX exec_int if ax==687 I6 t( K6 Q4 x# p
   (function called is located at byte ptr [ebp+1Dh] and client eip is' m' y9 R! f8 p
   located at [ebp+48h] for 32Bit apps)
+ T- V7 B+ v4 y+ O( b# w* B__________________________________________________________________________; V* \& r5 Y( [! n! h6 {2 [
/ u$ K' w& F4 F0 B3 h% j% N

+ o( T/ J' Q6 Y9 u" `Method 08
+ `! H# W. I. [- G& N  q, V( c1 |=========
3 @( m* m4 r  }* \, U& D  v5 h' A* @3 P" o9 w, @7 ^/ ]+ {3 C
It is not a method of detection of SoftICE but a possibility to crash the
2 m& ~% |" C+ p4 Asystem by intercepting int 01h and int 03h and redirecting them to another4 [0 n9 t" t' A& S4 b
routine.
( x* o$ f5 o! @( i7 C; zIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
2 g) E4 `& c, S% N4 D( t! Lto the new routine to execute (hangs computer...)3 r& a" j; X3 P" S( Y
- t. s9 _7 R9 ^, s2 b8 t
    mov     ah, 25h
- s9 J1 ]$ l, U7 E, d- s4 w    mov     al, Int_Number (01h or 03h)8 e! f' k4 E) t$ i  D$ M/ C* M
    mov     dx, offset New_Int_Routine1 m3 P( j* q9 p, u5 w$ P
    int     21h5 O5 E# Y! l' d1 Z
# i2 Z: u5 U0 G( S- N
__________________________________________________________________________
& _# K( s; o$ W5 M2 F  @0 [# [8 p$ q7 S+ M5 ^" L! z+ H) @
Method 09" L' |6 o! z& o+ a0 }
=========) L* o9 [, C; {* s
! V" j& A  j7 ]0 f7 Q4 [
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
5 d: u7 j, `' L  _2 i1 }. L, Vperformed in ring0 (VxD or a ring3 app using the VxdCall)., P+ L3 x9 N2 |0 M: E
The Get_DDB service is used to determine whether or not a VxD is installed4 G, u, a- \1 r$ u" h
for the specified device and returns a Device Description Block (in ecx) for
, S# z7 y' g+ F7 Y$ [& Ythat device if it is installed.  v3 F( s: z/ i4 p& n

  I2 T# ]2 n; b# o7 u, ], ]; I   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
' O$ o' Z- F, d3 B   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
1 n7 q3 {9 Y0 W' b5 Z   VMMCall Get_DDB4 o9 ]2 T' ]8 U3 u2 ]3 c+ I/ K
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
  O5 K: L, `6 h7 \/ o( {- e/ f) A% `2 z
Note as well that you can easily detect this method with SoftICE:
. @3 A/ R/ d/ H3 u4 R5 `   bpx Get_DDB if ax==0202 || ax==7a5fh: R( L; w8 q8 u  ~
$ \& Y7 n8 B2 f8 p7 w) m7 }
__________________________________________________________________________
/ u* Y6 I% n& G5 Y% b9 K' ^
! z( B7 a0 V  C& ^6 ^2 _1 N: W1 }Method 10
( b: a, r+ y# v7 @+ A=========
4 F5 k* [- p) f; B$ Y: F
& k# S! V+ [# \% j' h* X0 P2 b=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with, G, u% s9 K5 G, h$ b5 D1 k2 a
  SoftICE while the option is enable!!% S. Q; i1 G8 N  {+ ?: R
- O# o! o  ]7 }6 R
This trick is very efficient:. W2 g% |9 c& p. F' s( n9 C- a
by checking the Debug Registers, you can detect if SoftICE is loaded
  a6 p2 j$ ~8 @  T" Z(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
: J. ?: d7 b: N# _; P; Nthere are some memory breakpoints set (dr0 to dr3) simply by reading their
0 h* h# I( D9 Z+ [value (in ring0 only). Values can be manipulated and or changed as well7 u  d9 L8 p$ n  N1 g4 M
(clearing BPMs for instance)7 ]/ q, p2 G3 J5 q7 m4 m/ m

( v6 Z# f# i' N3 b__________________________________________________________________________; d& h. r3 ?6 \5 ~% [
% U' {3 e: z3 ?  ]) X. b! l
Method 11
+ d# w. L1 R- e! M- y=========
  r* G" D# C/ x! Z5 p7 n  }: P: y, M- u) c  e8 p
This method is most known as 'MeltICE' because it has been freely distributed
% `/ b' [: j) }) F) n$ ]. a5 Wvia www.winfiles.com. However it was first used by NuMega people to allow
& ]' u( ^) e: _% Q0 [Symbol Loader to check if SoftICE was active or not (the code is located
+ A( T4 g' y& }) y" c, x% z9 einside nmtrans.dll).
$ [- w' q7 b% P! K) g9 Q" h2 g1 @0 J( z4 |- Z& C
The way it works is very simple:/ [: X4 w8 q# n+ F0 L/ m
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 z8 A8 V( m6 v, ?* G) q2 mWinNT) with the CreateFileA API.
+ _# l) Y! p& ^- r1 a
8 z5 ^# j" L% A0 z1 u& ?# s& ZHere is a sample (checking for 'SICE'):* {- J8 U, _5 d9 _& u" X

+ M$ }9 v) O  m  I8 `- ]8 jBOOL IsSoftIce95Loaded()
* F4 _  S" Q: V8 y+ F( }{: P: d$ ^7 P4 H% u
   HANDLE hFile;  % e5 {7 D* ~  g8 E
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
5 ^% q6 x" K2 ^# ?+ F' ?                      FILE_SHARE_READ | FILE_SHARE_WRITE,
" O2 o* I) G5 i7 Y8 d% F( G                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 v; a' O( w3 r6 U
   if( hFile != INVALID_HANDLE_VALUE )+ w, G. Y, |1 Z' {  u; K& I
   {
! C4 v0 ?. x  E/ n* H      CloseHandle(hFile);% X2 {0 O7 g" F, }
      return TRUE;0 {7 {  ^7 Z) C0 i# e
   }( P; z) w- n& P7 F  E
   return FALSE;- Z9 t$ ?( D) j
}& {) K0 L% P; q* K; ]6 l
( r+ t: Z6 J0 a6 i' h' w3 W8 x( Z
Although this trick calls the CreateFileA function, don't even expect to be2 p( y0 o& z4 V
able to intercept it by installing a IFS hook: it will not work, no way!, D% Z' f- Q2 f" M! @5 y. P
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
: G/ k# {, ^, X6 f6 qservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# B6 m; s) k/ a+ a' \6 i- j
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
3 ?  f! N3 c, V* d  kfield.* |5 B  h9 A) W( b. U, t& _5 S) {) ?
In fact, its purpose is not to load/unload VxDs but only to send a 6 q8 O. t$ i' e( U( |- O
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
7 D5 w2 i% z" b& `to the VxD Control_Dispatch proc (how the hell a shareware soft could try
+ b( Q1 \# Y( Q# uto load/unload a non-dynamically loadable driver such as SoftICE ;-).3 h; {, I' {$ ^, S/ E
If the VxD is loaded, it will always clear eax and the Carry flag to allow4 G5 w; K* r6 [' `  R7 \
its handle to be opened and then, will be detected.
! `7 y, ~+ i- f5 ^/ jYou can check that simply by hooking Winice.exe control proc entry point
0 V0 e& V% K2 A3 {/ U! _: K) Awhile running MeltICE.% t7 t% z; J" E/ E8 W' t

, O9 D. d0 G0 T
  ?" v" t' a8 Q2 X, T2 H  00401067:  push      00402025    ; \\.\SICE- S7 X8 \9 ?4 G4 Z3 X+ F
  0040106C:  call      CreateFileA
7 C& [. A( Z# ^  j2 C  00401071:  cmp       eax,-001
. t6 r+ y1 v& y6 p- T0 X  00401074:  je        00401091
6 S3 l& E3 c$ ?$ y: D' P! m. `) @6 S/ N  K! W: z: X2 _
8 W# q! F- d, P) ]: F# q
There could be hundreds of BPX you could use to detect this trick.
4 D6 ?9 r0 x6 v! j' y5 g-The most classical one is:
4 v% }- f- ~( V  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||4 B1 r9 n- W. L6 i9 V
    *(esp-&gt;4+4)=='NTIC'# s7 X6 ~; c! d1 A4 ^

. Y; J7 n0 c2 G$ F, o4 N-The most exotic ones (could be very slooooow :-(
; z  k6 [+ b4 s8 [4 u   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  6 H' G$ `7 G6 s$ B; ^* i
     ;will break 3 times :-() F1 ?$ n# W$ |% w/ ?% i4 @

% K/ s$ v6 G. D-or (a bit) faster:
, E# [/ H8 a& P1 U* E6 \/ L; a0 b   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')7 \, c% t3 t) r
5 I5 w+ r! G5 [3 D9 h; C9 P
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
) J2 Z% [! F" ]( ?7 S. Y     ;will break 3 times :-(
5 s' G4 ]* K' t) g, X& e7 d7 R7 W8 T6 c
-Much faster:
; ?2 p8 [1 Y1 W% e' G9 V   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
* j4 ?5 ?6 ^8 v$ G7 l* V/ g
. D- X/ {; N- Q9 E* k0 A, XNote also that some programs (like AZPR3.00) use de old 16-bit _lopen2 y9 w* O# v3 D- L1 b5 j
function to do the same job:& n; [) m* l/ Q- ]8 y1 `4 Z. |
: p; Q0 [+ I$ h7 I0 z4 S
   push    00                        ; OF_READ8 c* `4 t: w1 }5 c
   mov     eax,[00656634]            ; '\\.\SICE',0& H. ^: C( _% _. B6 Q. k
   push    eax& q2 r3 c/ K" ]- x# q( C
   call    KERNEL32!_lopen4 K; l, m4 _! T; M6 `1 h1 L
   inc     eax
4 z# [% x- }% o' X7 b6 T! K! ^   jnz     00650589                  ; detected
0 T; f" d) g! C) t/ l1 K' _( \- ~   push    00                        ; OF_READ
: A' k/ ?) z1 A5 `& Q5 o1 [   mov     eax,[00656638]            ; '\\.\SICE'
+ i- G& q# W8 o- @( a# n0 ~   push    eax& t; n( q0 e& i* _! [! j
   call    KERNEL32!_lopen0 J" Q+ ^- ?% l4 g1 [
   inc     eax
2 H, r2 F7 d7 r9 j   jz      006505ae                  ; not detected3 s! b, B' J7 `7 a
# R# k+ B/ {0 n! F; ^- [5 v  B

8 J: z2 N( u' T$ l2 `" M& W. ]8 P- |__________________________________________________________________________- v; r$ B. ^% ]: F3 t

4 I1 L- L7 N  x, i% o" n) ~Method 12" U3 C6 e2 Z. ^5 {7 U
=========
3 }' ^1 R: \; Q  i$ W& w8 f3 U0 a8 |! C- S% K) b( S; r
This trick is similar to int41h/4fh Debugger installation check (code 05: Z- s' [. j1 w& D$ E. {+ M" a
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
9 L1 i; e% P  Q- F$ E- [2 Nas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
- S7 P% J9 Z: j6 y6 M! a9 p; ^& i4 x* R/ G) I
   push  0000004fh         ; function 4fh
% N+ q2 I* j: n+ P/ q( a1 R2 l   push  002a002ah         ; high word specifies which VxD (VWIN32)
/ q9 |3 C3 Y( s: r- z% u  _                           ; low word specifies which service
* S( l7 o3 h2 H                             (VWIN32_Int41Dispatch)
% o" G  J# {0 G% U& X   call  Kernel32!ORD_001  ; VxdCall
2 I: o) D3 Z3 N$ p4 J0 w- {" \   cmp   ax, 0f386h        ; magic number returned by system debuggers
. r! I, w* D/ u   jz    SoftICE_detected/ J" ]- ?- C4 O/ N' z) I
, @  s9 B% J. G1 r0 G
Here again, several ways to detect it:
: Z. N, b3 x# g2 C, F7 c7 b# Y: ?& D4 `6 W0 l5 X
    BPINT 41 if ax==4f
! f# G# w6 t8 m( `& _$ v% k" s
5 `2 u; P- W& z% }# h9 g7 H    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
# d# n  Q! a; P* d7 k1 D+ M4 P0 X8 A0 C0 d
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
. q5 [) N& m% b3 }/ V
$ r% d. f5 Q1 {    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!( }) V7 {* q( @
$ I) [( _" U% ^( n. K3 d
__________________________________________________________________________4 o' n( Q' P! g0 v) B

7 ^6 Y9 x* p6 K3 v9 J; |! w) dMethod 13
& {# ^) ]+ E" H8 C4 e6 ]$ m=========4 h; A! k1 j, c; J5 t

4 B6 a# ?! K) q7 lNot a real method of detection, but a good way to know if SoftICE is
9 d) h3 G5 |' p. {: a* l  Iinstalled on a computer and to locate its installation directory.
* b6 N, n4 F) X8 g8 B& j6 pIt is used by few softs which access the following registry keys (usually #2) :
/ |" u# Y9 i4 A1 L7 Q8 y$ `9 h8 v  e( L: p* C
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# ~# W2 J6 Q( {) R, B  w\Uninstall\SoftICE* ]% o& w1 g9 `
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE6 ?  u7 l! f: d; ]
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: J' Q' L9 n9 g; @* W3 Y. x\App Paths\Loader32.Exe
9 i  N3 T! R1 V1 F: |: |& \6 o0 t: ~

+ p9 [. S1 ^7 L# Q& m$ qNote that some nasty apps could then erase all files from SoftICE directory3 r6 _* ^; D$ ^/ K6 i
(I faced that once :-(
% }0 n2 t$ X! X/ g7 b6 o  X' R& Z9 m1 S
Useful breakpoint to detect it:4 X0 z$ C7 K/ t' R6 I* u: Q

3 Y; O9 A: p$ J9 |  a     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
# o# Q/ |( ~  q8 G4 l  c: _: |  c* V4 V6 M% m% T
__________________________________________________________________________" m6 C$ b( F0 R  g

3 }7 S3 S' Z% Y- D; H
+ l% g: D! T6 [3 e- F$ [  ?- c" tMethod 14
7 D+ ~4 y/ k+ a# ?, e=========! ]( ^, D) K! O; Z$ h1 d

: a9 O9 I( t; T1 \% s( N% LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* Q; f2 f' I' Fis to determines whether a debugger is running on your system (ring0 only).6 {& A# s# c# P' o0 Z5 ^

7 |( S& o, R) ]+ z, g   VMMCall Test_Debug_Installed% l6 {9 R3 h1 B4 y! v: P8 b+ v6 O
   je      not_installed* X$ J  o( D. \' F
+ N5 G# ?, L' J- h% D( H) @+ P
This service just checks a flag.
: ?, g* |3 U; J* f; v# c* ~</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 15:39

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表