About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector
    xchg    bx, es:[41h*4+2]        ; (es must address the IVT, segment 0)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer port: an arbitrary value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; our handler never ran: int 41h was hooked
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________


Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD under Win9x */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;    /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________


Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
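A small static triage scanner, added here as an example and not code from the original article: it searches a raw binary for the byte patterns of the instruction sequences and the driver/registry strings quoted in methods 01, 02, 05, 07, 11, 12 and 13, so an analyst can flag a sample that carries these anti-SoftICE checks before stepping through it. The opcode encodings and the sample bytes are my own transcription of the listings above, constructed for the demo.

```python
import re
import sys

# Each entry: (label, byte pattern, extra regex flags).  The opcode bytes are
# the 16/32-bit encodings of the instruction sequences quoted in the methods
# above (my own transcription, not from the original article); the .{0,N}?
# gaps allow a few unrelated instructions between the anchor bytes.
SIGNATURES = [
    ("Method 01: mov ebp,'BCHK' ... int 3 (BoundsChecker signature)",
     rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", 0),
    ("Method 02: mov si,4647h / mov di,4A4Dh ... int 3 (back door)",
     rb"\xBE\x47\x46.{0,6}?\xBF\x4D\x4A.{0,8}?\xCC", 0),
    ("Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,8}?\x3D\x86\xF3", 0),
    ("Method 07: mov ah,43h / int 68h",
     rb"\xB4\x43.{0,4}?\xCD\x68", 0),
    ("Method 11: MeltICE driver name (\\\\.\\SICE, SIWVID, NTICE)",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)", re.IGNORECASE),
    ("Method 12: push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00", 0),
    ("Method 13: SoftICE registry key",
     rb"Software\\NuMega\\SoftICE", re.IGNORECASE),
]


def scan(data: bytes) -> list:
    """Return (offset, label) for every signature hit, sorted by offset."""
    hits = []
    for label, pattern, flags in SIGNATURES:
        # DOTALL so the .{0,N}? gaps may also span 0x0A bytes
        for m in re.finditer(pattern, data, flags | re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: padding around hand-assembled copies of methods 01, 02
# and 05 plus the MeltICE and registry strings.  Not a real file.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh (method 01)
    + b"\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ax,4 / int 3 / cmp al,4 / jnz
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17"              # mov ax,0911h / mov dx,[bx]
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"      # mov si,4647h / mov di,4A4Dh / int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x00"  # method 05 sequence
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"   # method 11 device names
    + b"Software\\NuMega\\SoftICE\x00"     # method 13 registry key
)


def main(argv):
    # scan the file given on the command line, or the built-in sample
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print(f"{offset:08x}  {label}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the sample to see one hit per embedded trick (two for method 11); a packed sample must be unpacked first, since these patterns only appear in the decrypted code.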