About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
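Added example (not code from the original post): a small Python scanner that finds the two int 3 checks above in a raw code image. It looks for the 'BCHK' immediate of Method 01 and for the SI=4647h/DI=4A4Dh magic values of Method 02 in the bytes just before an int 3, and for a back door call it reports the AX function number using the list above. The x86 byte encodings, the lookback window and the sample bytes are this example's own assumptions, modelled on the listings above.

```python
import re
from typing import Dict, List, Optional

# Back door function numbers (AX before the int 3), from the table above.
BACKDOOR_FUNCS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}

# 'BCHK' (04243484Bh) as the little-endian immediate of "mov ebp, imm32".
BCHK_IMM = (0x4243484B).to_bytes(4, "little")          # b"KHCB"

# Byte patterns (assumed encodings).  An optional 66h prefix covers the
# 16-bit register forms when they appear inside 32-bit code.
BCHK_RE = re.compile(rb"\x66?\xBD" + re.escape(BCHK_IMM))  # mov ebp, 'BCHK'
MAGIC_SI_RE = re.compile(rb"\x66?\xBE\x47\x46")            # mov si, 4647h
MAGIC_DI_RE = re.compile(rb"\x66?\xBF\x4D\x4A")            # mov di, 4A4Dh
FUNC_RE = re.compile(rb"\x66?\xB8([\x10-\x14]\x09)")       # mov ax, 091xh
INT3_RE = re.compile(rb"\xCC|\xCD\x03")                    # int 3 (both forms)


def scan_int3_checks(code: bytes, window: int = 24) -> List[Dict]:
    """Report every int 3 whose preceding `window` bytes set up either the
    BoundsChecker signature (Method 01) or a SoftICE back door call (Method 02)."""
    findings = []
    for m in INT3_RE.finditer(code):
        pre = code[max(0, m.start() - window):m.start()]
        if BCHK_RE.search(pre):
            findings.append({"offset": m.start(), "kind": "bchk", "func": None,
                             "name": "BoundsChecker signature (Method 01)"})
        elif MAGIC_SI_RE.search(pre) and MAGIC_DI_RE.search(pre):
            fm = FUNC_RE.search(pre)
            func: Optional[int] = int.from_bytes(fm.group(1), "little") if fm else None
            findings.append({"offset": m.start(), "kind": "backdoor", "func": func,
                             "name": BACKDOOR_FUNCS.get(func, "unknown back door function")})
    return findings


# Constructed sample: Method 01 in 32-bit encoding, then the Haspinst-style
# Method 02 sequence in 16-bit encoding, then a stray CCh data byte that
# must not be reported.
METHOD01 = bytes.fromhex("BD4B484342" "66B80400" "CC" "3C04" "7510")
METHOD02 = bytes.fromhex("B81109" "8B17" "BE4746" "BF4D4A" "CC" "83C302" "41")
SAMPLE = b"\x90" * 4 + METHOD01 + b"\x90" * 4 + METHOD02 + b"\x00" * 40 + b"\xCC"

if __name__ == "__main__":
    for f in scan_int3_checks(SAMPLE):
        print(f"{f['offset']:#06x} {f['kind']:8s} {f['name']}")
```

The lookback window is deliberately short: the magic values only mean something when they are loaded immediately before the int 3, and a wider window would start matching the same registers set up for unrelated code.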
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...).

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

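Added example (not from the original post): a Python decoder for the DR7 layout behind the 0x400/0x700 values quoted above. Bit 10 of DR7 is reserved and always reads as 1, which is where 0x400 comes from; 0x700 additionally has the LE and GE bits (8 and 9) set, and any L/G enable bit in bits 0-7 marks an active slot whose type and length are read from bits 16-31. The sample register values are constructed for the example.

```python
from typing import Dict, List

# DR7 layout (Intel SDM): bits 0-7 L0/G0..L3/G3, bit 8 LE, bit 9 GE,
# bit 10 reserved (always reads as 1), bit 13 GD, bits 16-31 R/Wn and LENn.
RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}

DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED = 1 << 10
DR7_GD = 1 << 13


def decode_dr7(dr7: int, dr: List[int]) -> Dict:
    """Decode DR7 together with the four address registers DR0..DR3."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "address": dr[i], "type": RW_TYPES[rw],
                    "length": LEN_BYTES[ln], "scope": "global" if glob else "local"})
    return {"breakpoints": bps, "le": bool(dr7 & DR7_LE), "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD), "reserved_bit10": bool(dr7 & DR7_RESERVED)}


def classify(dr7: int, dr: List[int]) -> str:
    """Apply the rule of thumb from the text: 0x400 is a clean DR7, 0x700 (LE
    and GE set) is what the SoftICE loader leaves, and any enabled slot is a BPM."""
    d = decode_dr7(dr7, dr)
    if d["breakpoints"]:
        return "hardware breakpoints set"
    if d["le"] or d["ge"]:
        return "debugger-style DR7 (LE/GE set)"
    return "clean"


# Constructed values: a clean machine, the SoftICE-loader value from the text,
# and a 4-byte write watch (BPM) on DR0.
CLEAN = (0x400, [0, 0, 0, 0])
LOADER = (0x700, [0, 0, 0, 0])
WITH_BPM = (0x400 | 0x1 | (1 << 16) | (3 << 18), [0x00401000, 0, 0, 0])

if __name__ == "__main__":
    for name, (dr7, regs) in (("clean", CLEAN), ("loader", LOADER), ("bpm", WITH_BPM)):
        print(f"{name:7s} dr7={dr7:#07x} -> {classify(dr7, regs)}")
        for bp in decode_dr7(dr7, regs)["breakpoints"]:
            print(f"        DR{bp['index']} {bp['type']} len={bp['length']} at {bp['address']:#010x}")
```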
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

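Added example (not from the original post), covering Method 11 and Method 13 at once: the device names opened by MeltICE-style code and the three registry keys above are plain strings in the binary, so an analyst can triage a sample for them statically before setting any breakpoint. The scanner below searches for them case-insensitively in both ASCII and UTF-16LE form; the sample buffer is constructed for the example.

```python
from typing import Dict, List

# Strings the text associates with the MeltICE-style checks (Method 11) and
# the registry probes (Method 13).
DEVICE_NAMES = ("SICE", "SIWVID", "NTICE")
REGISTRY_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    r"Software\NuMega\SoftICE",
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)


def indicator_table() -> List[Dict]:
    """Device paths in the \\\\.\\NAME form plus the registry sub-keys."""
    table = [{"kind": "device", "value": "\\\\.\\" + n} for n in DEVICE_NAMES]
    table += [{"kind": "registry", "value": k} for k in REGISTRY_KEYS]
    return table


def find_indicators(data: bytes) -> List[Dict]:
    """Case-insensitive search for each indicator as ASCII and as UTF-16LE
    (the form a W-API call or a resource string would carry)."""
    haystack = data.lower()          # ASCII-only folding, harmless for UTF-16LE
    hits = []
    for ind in indicator_table():
        for label, enc in (("ascii", "ascii"), ("utf16", "utf-16-le")):
            needle = ind["value"].encode(enc).lower()
            pos = haystack.find(needle)
            while pos != -1:
                hits.append({"offset": pos, "kind": ind["kind"],
                             "value": ind["value"], "encoding": label})
                pos = haystack.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a fake header, an ASCII \\.\SICE string, a lower-case
# UTF-16LE \\.\ntice string and the NuMega registry key.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"\\\\.\\SICE\x00" + b"\x00" * 4
          + "\\\\.\\ntice".encode("utf-16-le") + b"\x00\x00"
          + b"Software\\NuMega\\SoftICE\x00")

if __name__ == "__main__":
    for h in find_indicators(SAMPLE):
        print(f"{h['offset']:#06x} {h['kind']:9s} {h['encoding']:5s} {h['value']}")
```

Matching on the registry sub-key rather than the full HKEY_LOCAL_MACHINE path is deliberate: the hive handle is passed as a constant to the registry API, so only the sub-key string is present in the image.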
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>