找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>7 t9 T: j; W+ M: L8 d6 M2 m" ~9 A! e
<TBODY>3 \+ @+ K+ D0 w, ~) }9 K. I
<TR>
: G6 @5 H+ A) Q/ p, A& E<TD><PRE>Method 01 ( \+ b* c; U! m- s) _+ Q
=========
% c/ G$ H2 B3 k5 _! S, B
' d2 Q+ y4 H5 ^: SThis method of detection of SoftICE (as well as the following one) is& v2 Z, r) v6 k/ w$ n
used by the majority of packers/encryptors found on Internet.5 U- ]/ H& b4 Q/ Z. N- s
It seeks the signature of BoundsChecker in SoftICE
! t! s1 m5 `$ O$ B; X
- o* K6 q1 I  X- T8 W    mov     ebp, 04243484Bh        ; 'BCHK'
5 s: r( Q* i3 o5 C. e, E" v    mov     ax, 04h7 c& t* L2 Q/ D/ R% }5 _
    int     3       , W1 j" C8 V, K
    cmp     al,4
& H' t4 j; w6 R8 ]; }8 @    jnz     SoftICE_Detected
) [' {- ~3 p2 P; E" J
0 H$ O) F3 b. \4 y6 j___________________________________________________________________________. k* I  k; Z% ]0 _2 ?

) s5 ]7 {8 x3 ?: e8 AMethod 02
" e7 k% v  d; A2 H=========6 u3 m/ ?% w4 N( d# p/ u- G

" v% }9 Y* X- N3 q' s3 [Still a method very much used (perhaps the most frequent one).  It is used
, [$ _6 w- P* n' ]6 uto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
! \" n/ S7 z; B  [7 ^/ l) H: M& ]or execute SoftICE commands...
1 w: A4 p# w6 k9 o! G3 k' K' O5 |It is also used to crash SoftICE and to force it to execute any commands
8 q' g' [, y9 n4 Q/ {6 @1 g(HBOOT...) :-((  
: u% K# P# `& {4 V& j( C2 }8 Q& `2 B
  p! f+ k1 k' v% b* w7 SHere is a quick description:1 e2 M) A* s4 }: r$ i0 O% T9 _) V  e
-AX = 0910h   (Display string in SIce windows)
7 k1 Z, c- F  d: n. R% p-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)4 k* R5 Q$ ?) b
-AX = 0912h   (Get breakpoint infos)
7 u+ a6 v) ]1 E9 p+ H-AX = 0913h   (Set Sice breakpoints)
* c7 J6 e. n# Y4 l-AX = 0914h   (Remove SIce breakoints)6 u' D5 K# f1 b4 k
' Z2 }( J3 d6 T6 w( X6 R& l
Each time you'll meet this trick, you'll see:9 W7 F/ d/ |# i1 v2 V
-SI = 4647h! n1 x) T: S# U4 X8 @! `+ u, L
-DI = 4A4Dh* w' E& T) b7 d* J$ w
Which are the 'magic values' used by SoftIce.
  U7 e- ?' b4 q! }7 aFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
) ]1 F. s8 b3 W8 U9 \6 C: z! c& b7 A4 o& @" R2 w& J0 L
Here is one example from the file "Haspinst.exe" which is the dongle HASP( R. B: A$ e. S- V2 \2 x
Envelope utility use to protect DOS applications:
6 Z  V6 W" U! c' M2 f0 K* f$ @. R  e' T2 N' |) n' \1 m* V* Y8 v' k
& R+ S8 B9 J: `' }: Z5 o
4C19:0095   MOV    AX,0911  ; execute command.6 O8 ?$ @; N* ^
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).8 n3 c8 X. C; m. Q
4C19:009A   MOV    SI,4647  ; 1st magic value.6 D( [# f5 s3 r9 C( d1 I* N0 h" B
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
- M8 F; x- b9 z! ], U4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)1 ]5 j5 ?" |# O% [& g0 V- h2 K& X
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute; ?1 F" r) M5 a/ I6 L: Z
4C19:00A4   INC    CX2 K8 J$ ?3 p6 ^' V2 U$ {
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
; ?' N6 O3 {' X$ o4C19:00A8   JB     0095     ; 6 different commands.' U: m+ Y9 T( Z4 M0 P1 P9 t
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.! D& i+ \/ G. s1 A- ?2 J
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)$ g4 V6 }  f# x) V' V- Y8 s

5 z) z' w' e* @( Z& MThe program will execute 6 different SIce commands located at ds:dx, which
/ {* `1 z; H( R7 R2 tare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
6 C$ C0 {* C- S& n- n' i) {' ]9 m( S6 v
, R* t8 A& G+ _* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
" S0 ]" \& l0 C% g___________________________________________________________________________- O: @# Q; K6 `8 ?

) p4 c- @/ l% m3 O! V
3 C2 V9 i6 O7 b  w- EMethod 03. ~4 d# o' m) |$ I% y# l
=========7 o. g' ]( S5 S" P/ H+ `8 b+ }6 z' K! t
, K3 U/ S. m  H! g( y* s
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
* a) h% i6 Z2 o3 e4 f! E, {(API Get entry point)
8 M( ?5 e+ J2 V& H8 X, A        
7 t) K) q" R5 i9 P
7 a7 A8 l! U; G4 j! D& T    xor     di,di
  [: X! R6 z7 l    mov     es,di* T" f6 W# ~9 y' V% K, {2 q0 S
    mov     ax, 1684h      
+ @! W+ O5 o9 b6 o    mov     bx, 0202h       ; VxD ID of winice( h: u; ^# B0 ]( D. A0 n
    int     2Fh! G! r8 _3 y/ f6 _8 q
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
. I1 |4 m0 u2 a% U8 m    add     ax, di
1 u: w# z1 Y: L$ }! V8 j! i2 v    test    ax,ax
1 n( q# @, _( \8 d; H, B( }, i# Z+ ~    jnz     SoftICE_Detected
. ]* t* }- c0 C8 \1 R5 C
" Y6 D% ~( G1 P___________________________________________________________________________
3 S1 }9 r% B5 B4 I" K
- H, A5 X) O# I& `% k* L) @$ VMethod 04
, m. A+ b9 v  _$ ?; e: k5 T=========& S6 j0 x8 K# G, G; s3 @

: Y+ L% a* J# @" S: M8 R5 TMethod identical to the preceding one except that it seeks the ID of SoftICE
! T3 P. `; M$ \, tGFX VxD.
( Z2 R2 b1 {. n# C4 A% g/ ]$ R) [# h) Y9 k  b/ o2 `
    xor     di,di
) b4 i7 w( l- h2 s    mov     es,di# P  u& i6 p& K  P3 B8 R% z6 C
    mov     ax, 1684h      
0 U. K: k# n/ V& l7 q$ Z9 H( K) ~1 T    mov     bx, 7a5Fh       ; VxD ID of SIWVID/ i6 a& h, \1 H* Y* r
    int     2fh
! }! E& h# H" Y! V- ?    mov     ax, es          ; ES:DI -&gt; VxD API entry point$ c$ [3 c1 N$ `. k" `
    add     ax, di  T" l) }1 |/ f/ M. P: `
    test    ax,ax6 z6 _: l6 S' R1 f
    jnz     SoftICE_Detected6 y0 F3 U+ u# V+ r3 O4 Q4 S& e' j" Y
8 S3 I1 y/ m. C1 C2 E9 I
__________________________________________________________________________& _1 ~! k/ Y% p1 W2 f3 F

9 x$ J& }8 x0 Y) a" m3 m" C
  M+ N+ `! n& j' N9 R: p' }9 QMethod 05) U: v- U9 M0 P6 [) h
=========) J  D( l' C3 H; I

/ S9 [8 c! x. h1 q1 AMethod seeking the 'magic number' 0F386h returned (in ax) by all system& I5 S* x- Q$ k3 A  b$ E8 i
debugger. It calls the int 41h, function 4Fh.
* N+ z4 e- E1 t) g- ^9 qThere are several alternatives.  1 R* i" S, K- d. ~% T' `  b5 Q8 ?
" Q8 V: N4 J" e( q) [5 ~/ @0 ~
The following one is the simplest:* L) L' L7 H# c5 R

, a1 [) [1 c* p( ~9 Z, r# w4 ^    mov     ax,4fh
7 S. l" }; v7 [( ?( A    int     41h
, }, J& T+ P$ K( K    cmp     ax, 0F3863 r& P) f7 g- [4 S. H; i* P
    jz      SoftICE_detected/ y! l2 S$ m) N3 I. p5 Z

* A0 o: n) ~; i
' U, H$ p# c/ \4 pNext method as well as the following one are 2 examples from Stone's
% M: s. u5 @3 G4 A8 u: O"stn-wid.zip" (www.cracking.net):/ P( J9 r% B, S& m. f4 {
2 j& ]- j2 m4 D$ H5 w# p, h5 {# m
    mov     bx, cs
% `5 e* }' c: s* s& |% ]* ~. G    lea     dx, int41handler26 r" z" f" L/ k! g: _0 v7 j
    xchg    dx, es:[41h*4]
7 O# g5 t) A# |8 ^" |' V# a: A    xchg    bx, es:[41h*4+2]9 S2 E& w, W: P  M  U/ n2 P
    mov     ax,4fh
$ O" n5 a+ w0 N' z+ P- }* o    int     41h' X3 L8 s# N7 A: W. V
    xchg    dx, es:[41h*4]4 @! G2 }# |' Z3 B
    xchg    bx, es:[41h*4+2]4 y- M, N9 @/ t! m
    cmp     ax, 0f386h; Y% X- h. y6 m- A: s1 K0 d
    jz      SoftICE_detected/ c8 _; L  s1 }6 ]

( e" e$ F+ O' Z% c, b. u/ Lint41handler2 PROC
  I7 I- J% L  `( A  D    iret! c; ^! V, o+ l. j5 |
int41handler2 ENDP2 u( q, I8 S" n  L/ R) o

3 q# ?2 s! [) W/ ]% b' T$ [2 O; E* Q) W! z6 O
_________________________________________________________________________
& ?; G' V# k7 K0 N$ y7 P- M8 h; u4 k) Z- l1 ?+ {7 c
0 }+ _+ r1 I& F; N# e/ A
Method 06% J3 t; W) W2 p/ U4 |
=========( K% A- V' @9 d# B
1 h3 V; a$ D+ g0 n2 n8 {
9 F" l5 m9 y/ i2 C
2nd method similar to the preceding one but more difficult to detect:
* \3 O! T! }2 y% i- H8 L: L5 L+ K# X! I& o# V: u
) B8 z& o$ h6 l' h/ C
int41handler PROC
. Z' r* R. }5 U    mov     cl,al
% P0 ?2 r2 w2 H, I" B3 S3 v8 f    iret& ^- `5 d$ Y9 H
int41handler ENDP
: N  G- _. Z1 w+ ^8 K
. z, f9 Q- M- ?, n7 R9 w4 z1 x+ v8 m1 x: l& ~, V5 F
    xor     ax,ax
0 w+ T) |+ C" U& F    mov     es,ax5 J) J( m! B1 z% G: s+ E
    mov     bx, cs7 ?) y& q' s" R1 q# Z* N5 T  j; U
    lea     dx, int41handler6 W: T2 O% F% t: J" [# J
    xchg    dx, es:[41h*4]
! O9 {: g. U3 j$ y) x    xchg    bx, es:[41h*4+2]0 p, P# G- `$ o4 K
    in      al, 40h
* P# m" `, ?: C* n    xor     cx,cx% z* {. z9 z1 T1 i( j
    int     41h
) b" Z2 J' h6 t4 Z8 x/ Z    xchg    dx, es:[41h*4]
9 V  ?7 e/ N4 n. i( e    xchg    bx, es:[41h*4+2]1 |4 W$ @# ]/ W! V' e) k) p
    cmp     cl,al
7 ~0 d% g+ X1 o2 n1 V/ Y    jnz     SoftICE_detected1 b) F. P" h" U
6 \2 T! }  z+ l6 c8 C3 F9 [( D  P/ N
_________________________________________________________________________
: t% [- Q3 x6 ^4 n/ ]/ P7 m5 ^* n; v' W% W
Method 078 R" x& G( T; S5 j3 ?
=========9 S, K0 C9 S4 d) @4 j: H
  Z' _. C, M( l2 w4 ]' i1 [& B' d
Method of detection of the WinICE handler in the int68h (V86)
, G+ {5 M& {! R0 h+ S! G2 [4 k9 q* b7 U
    mov     ah,43h
+ H7 c1 U1 Z! W# ~+ b* {    int     68h8 R7 G+ C  {+ o; q* \5 c
    cmp     ax,0F386h( s  C) K+ t: e9 L' V
    jz      SoftICE_Detected
) X: \. r3 t; c5 W! S0 t5 ~+ T% v( S0 s& R

2 c- |  M: J* A. f=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
6 M- V  P  c" C) D! r# D; X   app like this:
' {+ o2 N0 s' g: u$ t3 H- j, c4 h, J8 x! d9 K
   BPX exec_int if ax==68# g, J5 N5 `1 \8 Y
   (function called is located at byte ptr [ebp+1Dh] and client eip is
% ]% t9 U/ X3 d' g3 {! S' A* S   located at [ebp+48h] for 32Bit apps)5 r  r' P) R) n- i4 n7 Q
__________________________________________________________________________+ F1 p5 ?& N$ J5 U4 }2 q7 ~4 n
% k8 Z/ j$ j4 v& [! x# N
2 Z! I! L- K' L  I- b8 k& L# K
Method 08) ^! w7 c7 X4 b( M3 d
=========
4 k+ E- B1 R5 O
& P9 _$ W3 ?. I" g- O0 i2 r& UIt is not a method of detection of SoftICE but a possibility to crash the
, x0 H4 J. V/ a" {system by intercepting int 01h and int 03h and redirecting them to another
2 q' w8 `7 b$ d2 j, r" Croutine.
2 V+ |6 I, V" u( g) ?% @2 eIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points3 l' p* V$ h5 m! {2 l
to the new routine to execute (hangs computer...)5 Q7 z. Y& r, |( t" t/ f4 H/ O! v
6 Q" a6 u! e# B; Y) {
    mov     ah, 25h
9 j; T9 P# i$ i3 z" T3 h/ d    mov     al, Int_Number (01h or 03h)
4 J& v0 H: f: X4 E; B8 `    mov     dx, offset New_Int_Routine' b7 \- i( L+ W" v
    int     21h
; Y7 R/ O# N1 A" Z. I7 s! r
7 l- D/ _1 z5 ^  D2 }; Z__________________________________________________________________________5 x4 _2 U5 Z4 p3 M- h0 t# I0 F) e
' l( v0 T1 }# s- V/ _8 ^6 R9 e
Method 09
  b4 l4 O" W  X7 {0 l" q+ h# t=========
2 |& s3 r: F. I: X7 C  V  ?1 y2 t& o
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only) |! B( z$ Z  Q
performed in ring0 (VxD or a ring3 app using the VxdCall).' k8 R0 X/ v: a' @. U) s
The Get_DDB service is used to determine whether or not a VxD is installed
+ j1 F5 c  @) e# d* W6 g& W% r4 sfor the specified device and returns a Device Description Block (in ecx) for
. W( N- t8 T8 ~6 q$ h2 @; K5 `that device if it is installed.
* c. `9 `6 ^% w% F2 H/ ?+ L
* R; O  F" o" V; U   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID, `/ D% Y3 t- F3 q& s' W
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)- `# y: p' p2 C( g! v, L& D5 Z0 C) i) p
   VMMCall Get_DDB1 p$ X: V! m0 h, V' u5 U9 t, p
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
+ p& `+ x2 @* k$ _; C5 k  M$ H
, Q; L8 U/ r& M6 t0 z* F0 ONote as well that you can easily detect this method with SoftICE:
& h4 J! j: k. |1 q% s$ A. R   bpx Get_DDB if ax==0202 || ax==7a5fh& ~/ a# Y7 p5 r& T4 }& A. r$ m
, c. d& b' K( @7 b$ z0 N# ~
__________________________________________________________________________/ A' N& I0 f" e$ }

5 J7 R% Y5 a3 z" E8 K. aMethod 10
, V$ m) i; C7 D. u8 A3 x=========; M2 [  O1 x6 ]9 z

2 S+ b4 j7 n1 q3 ~) s=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with/ ~) \7 G# }! j2 X4 w' _  x5 ^
  SoftICE while the option is enable!!
9 k0 l+ Z2 C$ u& R/ Q6 P
8 N8 F3 E- @2 a2 R: g0 J' }. KThis trick is very efficient:- h; g( t/ H7 k9 I0 Q( V4 L
by checking the Debug Registers, you can detect if SoftICE is loaded
  }- y& t6 x) e, \(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 H- p, D  d( ]  y2 }" V' K/ tthere are some memory breakpoints set (dr0 to dr3) simply by reading their
/ x( [: j8 n' Q7 X& H$ Z; svalue (in ring0 only). Values can be manipulated and or changed as well
2 E) c( C" X# Q(clearing BPMs for instance)4 b2 r! ]! A- F

1 T) r  V9 }/ ^9 v2 q__________________________________________________________________________
, T; L. ~7 [3 j' k
) u; l7 f7 a! d% eMethod 11
$ Z; Z  P/ x1 Z4 X" Q5 U=========# X* M) [$ V- m5 q$ E7 [& `
. r0 q: Z. s$ k( _( n+ J# J
This method is most known as 'MeltICE' because it has been freely distributed
2 C! ]$ e6 [% w% s6 Dvia www.winfiles.com. However it was first used by NuMega people to allow
" q" }& j3 X! c% k( ~# Y" @. ~/ ~/ PSymbol Loader to check if SoftICE was active or not (the code is located! w. U7 F; ~( e
inside nmtrans.dll)." r( B2 Q7 @$ S/ y

) P3 p' B' F0 G& gThe way it works is very simple:) U$ U1 p: O* ?/ v' ^2 V3 f0 W, y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for3 h! @7 A8 x3 x; b
WinNT) with the CreateFileA API.
# k6 V  w! u) F2 P
+ c' @- V$ Y( R2 w8 b' O  m  s% b! oHere is a sample (checking for 'SICE'):
8 g+ H5 \* G# q
& q& J. m( p& T9 u9 N9 Z+ nBOOL IsSoftIce95Loaded()
7 a, s& S, e, @  y{
, k% x8 }* a8 i/ P+ h) f" W$ Z   HANDLE hFile;  8 Q" R6 g* M. B! K2 e
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
3 G* v7 _1 j+ ~; E! E- D                      FILE_SHARE_READ | FILE_SHARE_WRITE,3 V- [# e0 D) I
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
# U1 M; y" \# w; v; J* n   if( hFile != INVALID_HANDLE_VALUE )
; B) U: ^5 f2 b5 |0 \/ J* K4 E   {
  d- i- u; f1 s% T* p/ n6 ]      CloseHandle(hFile);2 F! g7 [; U+ y/ P
      return TRUE;# G8 p( N$ N" J- P
   }9 @  H3 E5 F' `" D! N% o
   return FALSE;- v' g1 h% W$ V( ?- H
}& u2 T" I" R9 n  ]" R8 J% {

4 k# k* Q) n4 Y( k3 O" N' @Although this trick calls the CreateFileA function, don't even expect to be
6 C2 T/ h; S& |2 h8 y8 D. Rable to intercept it by installing a IFS hook: it will not work, no way!, F5 H  k) p* A2 G* e6 _% W
In fact, after the call to CreateFileA it will get through VWIN32 0x001F* y& J$ H6 r/ R
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)8 ], E0 p9 n" C7 V; m
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
1 z4 O- G* z! x; gfield.
+ x% P# a5 a. I$ V8 ?In fact, its purpose is not to load/unload VxDs but only to send a ' H- M. i% V; A+ L, j2 c6 P9 Y: e* Y
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)2 l2 `1 H4 l, V% f$ T8 P
to the VxD Control_Dispatch proc (how the hell a shareware soft could try% Q0 x! D( e) r* s+ m3 s1 n
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
, k! I, e0 z" h; m# _If the VxD is loaded, it will always clear eax and the Carry flag to allow. N+ l4 Q, P/ g3 }' i
its handle to be opened and then, will be detected.8 B7 |- {0 R) S6 `% c! `3 a
You can check that simply by hooking Winice.exe control proc entry point
1 i4 s9 F# g! ^; V  \while running MeltICE.- {3 M% r3 ?( v- }7 u0 ~! d

$ K0 O9 g( W* {* m& K/ I
9 `6 ~( }) b7 [  00401067:  push      00402025    ; \\.\SICE
, r# H, P) O2 R1 ^  0040106C:  call      CreateFileA
/ ^, _: ?9 F( ?' u! V2 j6 l  00401071:  cmp       eax,-001" V' L9 ~" a  Y1 n% A8 b9 D/ \: `
  00401074:  je        00401091
. h" H: W" k8 y- \; y
+ d" A- ~( a0 `7 W, [; E6 b: Q: ^' {% E& W3 G
There could be hundreds of BPX you could use to detect this trick.
' |# }" B2 h  r0 z5 s9 V2 U-The most classical one is:5 x2 p( }# k, R# A# M6 Y. T! f5 q
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
3 a5 J& x+ H' Z2 {' ~    *(esp-&gt;4+4)=='NTIC'
! g9 F" Y7 ^1 x$ O9 P5 X0 N* n2 [' p' ^' S! _
-The most exotic ones (could be very slooooow :-(
! v4 L. T8 C1 a0 }* h   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
: _  H# Z  G% l! J! C- `     ;will break 3 times :-(( k) `' g6 u$ d$ e
4 T+ T1 k5 ]: j  i; O) Q' o( G3 I# \
-or (a bit) faster: ; ^, m* _6 q, |5 r/ n
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' B, [. H$ e& J( e" @  B0 O) ?
8 m& P5 O( B6 x$ O; k
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
( A1 x2 z. a0 u- F2 z8 ]     ;will break 3 times :-(; _5 p$ u4 p+ z  p5 k+ _. T. u
" r: R' K+ R1 s) d6 O
-Much faster:
. S* Z* ?& [4 y   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
% U  n$ P- H7 V4 ~+ w4 e  D8 U% D. a6 `+ c
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen# f% P) I$ N0 o: c! z
function to do the same job:! M7 Y; b' L0 e  f9 Z3 e

' W2 T* T: j, a   push    00                        ; OF_READ: m, r( ~- n! w
   mov     eax,[00656634]            ; '\\.\SICE',0' o* t3 C: K' k9 O  F9 w
   push    eax1 b0 v- U% E7 E- B* p' |
   call    KERNEL32!_lopen
6 R% W7 J' H) v   inc     eax
, ?2 w, ]' `% @/ @% `   jnz     00650589                  ; detected
* F3 I5 C' k' U   push    00                        ; OF_READ' P7 N( P/ S7 R# |( c2 w
   mov     eax,[00656638]            ; '\\.\SICE'
! A/ X4 {1 u  c   push    eax) ~5 @) m: e' C$ C  i" T
   call    KERNEL32!_lopen0 n1 e5 r, {% J
   inc     eax
! ]6 N; p- \2 s   jz      006505ae                  ; not detected
- m/ u) c- _' r) `3 V+ a. B; ~6 m" H3 r

1 p3 P* c1 x( V' E$ x1 }0 [__________________________________________________________________________
3 U$ V! J: P/ U
& V' a6 M) N* u* p1 gMethod 12
$ ~' m2 d, d- U7 x3 p=========
" \- l7 s; x: ?6 [: K! O$ r: q; L2 k  Q/ J: y
This trick is similar to int41h/4fh Debugger installation check (code 05
) b( m( |$ t6 b9 D/ n: ~&amp; 06) but very limited because it's only available for Win95/98 (not NT)0 V; g7 S! J9 B' ~( _
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
! P9 q* Q; k$ b. \% E
- c8 L7 I# E# C! u  Y2 n   push  0000004fh         ; function 4fh
/ k0 S/ V0 b0 U+ B5 k! u% r. w   push  002a002ah         ; high word specifies which VxD (VWIN32)
' U- Y( Q. x( V& T! V6 u                           ; low word specifies which service9 B- ^3 M1 K  g* E  D
                             (VWIN32_Int41Dispatch)9 h. Q; O$ z1 c( i
   call  Kernel32!ORD_001  ; VxdCall) t0 h: l# G* p6 ~6 ]$ J
   cmp   ax, 0f386h        ; magic number returned by system debuggers) m9 Y. O" V3 R  b
   jz    SoftICE_detected$ U5 u9 u9 w  n) t& w

3 y1 I, I! q/ G" V4 m: k  t$ d5 yHere again, several ways to detect it:! ~( s0 k- H: d( ]; S& U0 e
4 E  _, z3 M# v5 \6 Z& j" l0 n
    BPINT 41 if ax==4f) E- e! Z" J$ N1 Z0 {6 q

* S0 Z, T0 [% M6 t    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
" @* k5 ]- z6 b6 K0 o1 e& @" j. N8 c* p/ i, B4 x/ n+ b( d: p
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
# f3 d% n7 b/ }- `3 L) X- l/ @1 L% t# }% M, H$ h  @8 B: _2 g
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
. \5 Q. d/ j9 I$ v9 T6 v* |+ H& ^& H7 K! Q' h
__________________________________________________________________________) u6 b8 a: M$ q8 Q* O

7 N3 w0 n, @2 M4 tMethod 13
$ B0 X/ b8 v* W=========
9 {* X# P4 e; w0 K6 O2 U: M8 b6 I4 O) y/ v
Not a real method of detection, but a good way to know if SoftICE is
+ ^0 ?  @( @+ W' G. L$ y* Einstalled on a computer and to locate its installation directory.
  ~  N* K1 {+ K5 tIt is used by few softs which access the following registry keys (usually #2) :$ [4 C2 S+ ^; ]% Y# P/ @

! P! t! Y9 [) Q+ f4 }-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  O* Z; {, v& c3 o\Uninstall\SoftICE
0 D% [; v9 k# w8 g/ [% d5 v% e-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
8 i7 x8 T' K6 h7 {: z5 k, g! K2 l6 j-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 G, T$ y3 _9 D. }  X& U\App Paths\Loader32.Exe7 X* J. u" j( C! s3 Y. y5 G

  r8 ]  k7 r1 }! ]) {# k: r6 f9 [# |3 ?" G6 N4 m- L# b
Note that some nasty apps could then erase all files from SoftICE directory
7 l7 ^1 K/ S4 Z) }8 Y# [(I faced that once :-(5 H# s/ Z% H) j+ Y! f( U& |% x1 v

, `9 P9 j% [) W( L, ^2 A6 T1 \6 rUseful breakpoint to detect it:. v% H0 }2 u- \

; T  Y: J# D5 D( w     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
; R+ X9 U6 r. v/ h% w6 `8 _; s4 o- I) M8 K# q% P  ~+ [
__________________________________________________________________________
8 Z0 f! {: G9 a8 `: S; R) o( f8 T3 p+ v8 l* s

7 b' X# V7 |7 i& t8 X, a2 SMethod 14
* K$ Z" y7 u) W7 T2 {* x9 w3 m3 |6 F=========) _( I& E7 }( w5 ~7 |

6 \! Q! {1 r9 n6 r8 d" P3 YA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
: q4 x* Q6 Z1 k( ]* {is to determines whether a debugger is running on your system (ring0 only).
7 c# r/ D: x0 {- [3 z5 K0 E3 t% W
: }5 S0 {; p" \   VMMCall Test_Debug_Installed
* l% B7 w. h5 m. I. p4 Q2 w   je      not_installed# ^2 I. v3 ]  Z3 r

1 y8 S& m. G  sThis service just checks a flag.
2 X. T  N0 {3 n# z: U" D0 M) a% \8 N5 E</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 21:23

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表