About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE answers the BoundsChecker query with AL=4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> no such VxD loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES -> interrupt vector table (segment 0), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; our handler returns nothing; only a debugger sitting on int 41h does
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler just echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer counter: a value nobody can predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL != AL means our handler never ran: something else owns int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

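To make the two DR7 values quoted for Method 10 concrete, here is an added decoder (my own example, not code from the original post): it splits DR7 into the fields the trick relies on, using the architectural bit layout (L/G enable bits 0-7, LE bit 8, GE bit 9, reserved bit 10 which always reads as 1, GD bit 13, R/W and LEN fields from bit 16). The value BPM_DR0_WRITE4 is constructed here to show what an armed BPM looks like; it is not from the page.

```python
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=10b: 8 bytes on x86-64, undefined on 32-bit


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its global flags and one record per breakpoint slot."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1         # L0..L3 live at bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1      # G0..G3 live at bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 3       # R/Wn: trigger condition for slot n
        ln = (dr7 >> (18 + 4 * i)) & 3       # LENn: watched width for slot n
        slots.append({"slot": i, "enabled": bool(local or glob),
                      "local": bool(local), "global": bool(glob),
                      "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),          # local exact-breakpoint enable
        "ge": bool(dr7 & (1 << 9)),          # global exact-breakpoint enable
        "reserved_bit10": bool(dr7 & (1 << 10)),  # architecturally reads as 1
        "gd": bool(dr7 & (1 << 13)),         # general detect: any MOV to/from DRn traps
        "slots": slots,
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """Method 10's heuristic: 0x700 (LE and GE set) versus 0x400 (only bit 10)."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"]


def armed_memory_breakpoints(dr7: int) -> list:
    """Slots whose enable bit is set, i.e. dr0..dr3 in use (SoftICE BPMs)."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


# Constructed value: the 0x400 baseline plus a 4-byte write breakpoint in DR0
# (L0 set, R/W0 = 01b at bit 16, LEN0 = 11b at bits 18-19).
BPM_DR0_WRITE4 = 0x400 | 1 | (1 << 16) | (3 << 18)     # == 0xD0401

if __name__ == "__main__":
    for value in (0x700, 0x400, BPM_DR0_WRITE4):
        print(hex(value), looks_like_softice_loader(value), armed_memory_breakpoints(value))
```

Note the GD flag in the output: when it is set, the very MOV that reads DR7 raises #DB, which is the one way a debugger can catch this check.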
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE VxD answers to its device name. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded, so the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
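The instruction sequences and strings above (Methods 01, 02, 03/04, 05, 07, 11, 12 and 13) are exactly what an analyst looks for when triaging a packed sample without running it. Here is an added static scanner (my own example, not code from the original post) that encodes them as byte patterns; the opcode bytes are the standard x86 encodings of the instructions listed, strings are matched as ASCII only (as in the C sample), and the SAMPLE buffer is constructed here to exercise it.

```python
import re

# name -> bytes regex.  Opcodes: BD mov ebp,imm32 | 66 B8 mov ax,imm16 (32-bit
# code) | B8 mov ax,imm16 | BB mov bx,imm16 | BE/BF mov si/di,imm16 | B4 mov
# ah,imm8 | CC or CD 03 int 3 | CD xx int xx | 3C cmp al,imm8 | 3D cmp ax,imm16
# | 6A/68 push imm8/imm32 | E8 call rel32 (".{4}" skips the relative target).
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00(?:\xCC|\xCD\x03)\x3C\x04", re.S),
    "M02 back door magic SI=4647h DI=4A4Dh":
        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A(?:\xCC|\xCD\x03)", re.S),
    "M03/M04 int 2Fh/1684h VxD id 0202h or 7A5Fh":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    "M05 int 41h/4Fh magic 0F386h":
        re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3", re.S),
    "M07 int 68h/43h magic 0F386h":
        re.compile(rb"\xB4\x43\xCD\x68\x3D\x86\xF3", re.S),
    "M11 SoftICE device name":
        re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)", re.S),
    "M12 VxDCall 2A002Ah/4Fh magic 0F386h":
        re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8.{4}\x66\x3D\x86\xF3", re.S),
    "M13 NuMega registry key":
        re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.S),
}


def scan(blob: bytes) -> list:
    """Return [(signature name, offset), ...] for every match, sorted by offset."""
    hits = []
    for name, pat in SIGNATURES.items():
        for m in pat.finditer(blob):
            hits.append((name, m.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: NOP padding, Method 01 (with its jnz), padding, the Win9x
# device name, Method 12 (call target zeroed) and Method 04 (SIWVID id).
SAMPLE = (
    b"\x90" * 4                                                    # 0..3
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # offset 4
    + b"\x00" * 6                                                  # 18..23
    + b"\\\\.\\SICE\x00"                                           # offset 24
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00\x66\x3D\x86\xF3"  # 33
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"                          # offset 49
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

Hits are a triage hint, not proof: the same bytes can occur in a debugger or dongle SDK legitimately, so confirm with the BPX/BPINT conditions listed under each method.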