About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
recognizes the BoundsChecker value 'BCHK' in EBP and alters AL, so AL still
equals 4 only when SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint information)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). When no VxD with that ID is loaded, ES:DI stays
0000:0000, so a non-zero ES+DI means the VxD is present:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is swapped for a dummy
handler around the call, so the magic value can only come from a debugger
that intercepts int 41h before the vector table is consulted, as SoftICE does:

    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect.
The dummy handler copies AL into CL: if it actually runs (no SoftICE), CL
equals the timer byte read from port 40h and the check passes.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;

   /* \\.\SICE is the device name of the SoftICE VxD; the open only
      succeeds when the driver is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and is then detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the first argument, lpFileName; +4 skips the "\\.\" prefix so the
  4-byte compare reads the driver name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
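Every check in Methods 01 to 07, 11 and 12 leaves a fixed byte sequence in the protected program: the 'BCHK' immediate, the SI/DI magic values before an int 3, "mov ax,4Fh / int 41h", the VxD IDs in front of int 2Fh, the 002A002Ah VxDCall selector, or the \\.\SICE device names. Instead of waiting for the code to run under a breakpoint, they can be found statically. The following scanner is an added example written for this page (it is not FrogsICE code and not part of the original text): it searches a buffer for the x86 encodings of the snippets above and reports which method each hit belongs to. The two sample buffers are constructed inline, and the method numbering follows the sections of this text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One signature: a raw byte sequence, the x86 encoding of a snippet from
 * this page, tagged with the method number it belongs to. */
struct sig {
    int            method;
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
};

#define SIG_BYTES(m, n, a) { m, n, a, sizeof(a) }
#define SIG_STR(m, n, s)   { m, n, (const uint8_t *)(s), sizeof(s) - 1 }

/* In 32-bit code a 16-bit register move carries a 66h operand-size prefix;
 * it precedes these cores, so the same bytes match 16-bit (DOS) and 32-bit
 * (Win32) builds of the checks. */
static const uint8_t B_BCHK[]       = {0xBD, 0x4B, 0x48, 0x43, 0x42};       /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t B_INT3MAGIC[]  = {0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A}; /* mov si,4647h ; mov di,4A4Dh */
static const uint8_t B_INT41[]      = {0xB8, 0x4F, 0x00, 0xCD, 0x41};       /* mov ax,4Fh ; int 41h */
static const uint8_t B_INT2F_SICE[] = {0xBB, 0x02, 0x02, 0xCD, 0x2F};       /* mov bx,0202h ; int 2Fh */
static const uint8_t B_INT2F_VID[]  = {0xBB, 0x5F, 0x7A, 0xCD, 0x2F};       /* mov bx,7A5Fh ; int 2Fh */
static const uint8_t B_INT68[]      = {0xB4, 0x43, 0xCD, 0x68};             /* mov ah,43h ; int 68h */
static const uint8_t B_VXDCALL41[]  = {0x68, 0x2A, 0x00, 0x2A, 0x00};       /* push 002A002Ah (VWIN32_Int41Dispatch) */

static const struct sig SIGS[] = {
    SIG_BYTES(1,  "BoundsChecker 'BCHK' int 3",          B_BCHK),
    SIG_BYTES(2,  "int 3 back door magic SI/DI",         B_INT3MAGIC),
    SIG_BYTES(5,  "int 41h/4Fh debugger check",          B_INT41),
    SIG_BYTES(3,  "int 2Fh/1684h VxD ID 0202h (SICE)",   B_INT2F_SICE),
    SIG_BYTES(4,  "int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", B_INT2F_VID),
    SIG_BYTES(7,  "int 68h/43h WinICE check",            B_INT68),
    SIG_BYTES(12, "VxDCall VWIN32_Int41Dispatch",        B_VXDCALL41),
    SIG_STR  (11, "device name \\\\.\\SICE",             "\\\\.\\SICE"),
    SIG_STR  (11, "device name \\\\.\\SIWVID",           "\\\\.\\SIWVID"),
    SIG_STR  (11, "device name \\\\.\\NTICE",            "\\\\.\\NTICE"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Offset of the first occurrence of signature s in buf, or -1 if absent. */
static long find_sig(const uint8_t *buf, size_t len, const struct sig *s)
{
    if (s->len == 0 || s->len > len) return -1;
    for (size_t i = 0; i + s->len <= len; i++)
        if (memcmp(buf + i, s->bytes, s->len) == 0) return (long)i;
    return -1;
}

/* Number of distinct signatures present in buf. */
size_t scan_count(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < NSIGS; i++)
        if (find_sig(buf, len, &SIGS[i]) >= 0) n++;
    return n;
}

/* 1 if any signature belonging to the given method number is present in buf. */
int scan_found_method(const uint8_t *buf, size_t len, int method)
{
    for (size_t i = 0; i < NSIGS; i++)
        if (SIGS[i].method == method && find_sig(buf, len, &SIGS[i]) >= 0) return 1;
    return 0;
}

/* Constructed sample (not a real binary): the Method 02 loop body from the
 * Haspinst.exe listing, the simplest Method 05 check, and a MeltICE-style
 * device name. */
const uint8_t SAMPLE[] = {
    0xB8, 0x11, 0x09,               /* mov ax,0911h         */
    0x8B, 0x17,                     /* mov dx,[bx]          */
    0xBE, 0x47, 0x46,               /* mov si,4647h         */
    0xBF, 0x4D, 0x4A,               /* mov di,4A4Dh         */
    0xCC,                           /* int 3                */
    0xB8, 0x4F, 0x00, 0xCD, 0x41,   /* mov ax,4Fh ; int 41h */
    0x3D, 0x86, 0xF3,               /* cmp ax,0F386h        */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0,
};
/* Constructed benign prologue: push ebp ; mov ebp,esp ; xor eax,eax ; ret */
const uint8_t BENIGN[] = {0x55, 0x8B, 0xEC, 0x33, 0xC0, 0xC3};

int main(void)
{
    for (size_t i = 0; i < NSIGS; i++) {
        long off = find_sig(SAMPLE, sizeof SAMPLE, &SIGS[i]);
        if (off >= 0)
            printf("method %02d at offset 0x%02lx: %s\n", SIGS[i].method, off, SIGS[i].name);
    }
    printf("%zu signature(s) in SAMPLE, %zu in BENIGN\n",
           scan_count(SAMPLE, sizeof SAMPLE), scan_count(BENIGN, sizeof BENIGN));
    return 0;
}
```

The patterns are matched on exact, adjacent bytes, which is the trade-off of any signature scan: a packer that reorders the moves, splits them with junk instructions, or builds the magic values at run time (as the Haspinst loop does for the command pointer) slips through, and the conditional breakpoints given in the text remain the way to catch it live. On the other hand the scan needs no SoftICE at all, so it can be run over a sample before ever loading it.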

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'


__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>