About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE. SoftICE answers the
BoundsChecker request by changing al; if al still holds 4 after the int 3,
nothing handled the request and no SoftICE is loaded:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
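The two INT 3 interfaces above (the BoundsChecker handshake of method 01 and the back door of method 02) as one debugger-side classifier, the way a debugger plugin or emulator hook would implement it. This is an added example, not code from the original text or from SoftICE: the register-snapshot structure, the function names and the replay of the six Haspinst.exe commands are constructed for illustration; the magic values and function numbers are the ones listed above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kinds of INT 3 a debugger-side hook can tell apart. */
enum int3_kind {
    INT3_PLAIN,      /* ordinary breakpoint, no SoftICE interface involved */
    INT3_BCHK,       /* method 01: BoundsChecker handshake */
    INT3_BACKDOOR    /* method 02: SoftICE back door command */
};

/* Register snapshot at the INT 3, as a hook would see it (constructed struct,
 * not a real trap frame). ds_dx stands in for the real-mode pointer DS:DX and
 * is only meaningful for AX=0911h. */
struct int3_regs {
    uint32_t ebp;
    uint16_t ax, si, di;
    const char *ds_dx;
};

struct int3_info {
    enum int3_kind kind;
    uint16_t function;     /* AX as seen at the INT 3 */
    const char *name;      /* human readable description */
    int destructive;       /* 1 if the command can take the machine down */
};

#define BCHK_MAGIC  0x4243484Bu   /* 'BCHK' in ebp (method 01) */
#define BACKDOOR_SI 0x4647u       /* 1st magic value (method 02) */
#define BACKDOOR_DI 0x4A4Du       /* 2nd magic value (method 02) */

static const char *backdoor_name(uint16_t ax)
{
    switch (ax) {
    case 0x0910: return "display string";
    case 0x0911: return "execute command";
    case 0x0912: return "get breakpoint info";
    case 0x0913: return "set breakpoint";
    case 0x0914: return "remove breakpoint";
    default:     return NULL;
    }
}

/* HBOOT is the command the text names as a way to take the machine down.
 * SoftICE commands are case-insensitive, so upper-case the first word. */
static int is_destructive_command(const char *cmd)
{
    char word[16];
    size_t n = 0;
    while (cmd[n] != '\0' && cmd[n] != ' ' && n < sizeof word - 1) {
        char c = cmd[n];
        word[n] = (c >= 'a' && c <= 'z') ? (char)(c - 'a' + 'A') : c;
        n++;
    }
    word[n] = '\0';
    return strcmp(word, "HBOOT") == 0;
}

struct int3_info classify_int3(const struct int3_regs *r)
{
    struct int3_info info = { INT3_PLAIN, 0, "plain breakpoint", 0 };

    /* Method 01: EBP='BCHK' and AH=04h. SoftICE answers by changing AL, so
     * the program treats "AL still 4 afterwards" as "no SoftICE". */
    if (r->ebp == BCHK_MAGIC && (r->ax >> 8) == 0x04) {
        info.kind = INT3_BCHK;
        info.function = r->ax;
        info.name = "BoundsChecker handshake";
        return info;
    }
    /* Method 02: SI/DI hold the magic values and AX selects the function. */
    if (r->si == BACKDOOR_SI && r->di == BACKDOOR_DI && backdoor_name(r->ax)) {
        info.kind = INT3_BACKDOOR;
        info.function = r->ax;
        info.name = backdoor_name(r->ax);
        if (r->ax == 0x0911 && r->ds_dx != NULL)
            info.destructive = is_destructive_command(r->ds_dx);
    }
    return info;
}

/* Replay the Haspinst.exe loop on the six commands the text lists (built
 * here, not read from the binary). Returns how many are flagged destructive. */
int replay_haspinst(void)
{
    static const char *const cmds[6] = { "LDT", "IDT", "GDT", "TSS", "RS", "HBOOT" };
    int i, flagged = 0;
    for (i = 0; i < 6; i++) {
        struct int3_regs r = { 0, 0x0911, BACKDOOR_SI, BACKDOOR_DI, cmds[i] };
        struct int3_info info = classify_int3(&r);
        printf("INT 3 #%d: %-5s -> %s%s\n", i + 1, cmds[i], info.name,
               info.destructive ? " (DESTRUCTIVE, do not pass through)" : "");
        flagged += info.destructive;
    }
    return flagged;
}

int main(void)
{
    return replay_haspinst() == 1 ? 0 : 1;
}
```

A hook built on this would let the first five commands through to SoftICE (they only dump descriptor tables and registers) and refuse the sixth, which is the one the protection relies on to reboot the machine. Note that the magic values alone are not enough: without a valid function number in AX the INT 3 is just a breakpoint.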
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point).  When the VxD is not present, ES:DI comes
back as 0000h:0000h, which is what the sum test below relies on:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of WINICE
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Before issuing the call it swaps its own
do-nothing handler into the int 41h slot of the real-mode IVT, so whatever
answers 0F386h cannot be a handler that merely sits in the vector table:

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
program's own handler copies al into cl; if the interrupt never reaches
that handler because a debugger swallowed it, cl stays 0 and differs from
the (hard to predict) timer byte read from port 40h. A timer byte that
happens to be 0 gives a false negative:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the real-mode IVT
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0 counter byte
    xor     cx,cx
    int     41h                     ; our handler should set cl = al
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine   ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only: mov eax,dr7 faults in ring3). Values can be manipulated
and/or changed as well (clearing BPMs for instance).

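What the two DR7 values above actually encode, as an added example in C (not from the text and not SoftICE code). DR7 cannot be read from ring3, so the values are constructed inputs rather than live register reads; the bit layout is the IA-32 one (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and always set, GD bit 13, per-breakpoint R/W and LEN fields in bits 16-31). The helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One of the four hardware breakpoints described by DR7. */
struct dr7_bp {
    int local, global;   /* Ln / Gn enable bits */
    const char *kind;    /* execute, write, io or read-write (R/Wn field) */
    int length;          /* 1, 2 or 4 bytes; 8 only in 64-bit mode (LENn field) */
};

struct dr7_decoded {
    struct dr7_bp bp[4];
    int le, ge;          /* local/global exact breakpoint enable, bits 8 and 9 */
    int gd;              /* general detect, bit 13 */
    int reserved_ok;     /* bit 10, which the architecture keeps set to 1 */
    int n_enabled;       /* breakpoints with L or G set */
};

static const char *rw_name(unsigned rw)
{
    switch (rw & 3u) {
    case 0:  return "execute";
    case 1:  return "write";
    case 2:  return "io";          /* only meaningful with CR4.DE=1 */
    default: return "read-write";
    }
}

static int len_bytes(unsigned len)
{
    switch (len & 3u) {
    case 0:  return 1;
    case 1:  return 2;
    case 3:  return 4;
    default: return 8;             /* 10b: 8 bytes in 64-bit mode, undefined otherwise */
    }
}

struct dr7_decoded decode_dr7(uint32_t dr7)
{
    struct dr7_decoded d;
    int i;
    memset(&d, 0, sizeof d);
    for (i = 0; i < 4; i++) {
        d.bp[i].local  = (int)((dr7 >> (2 * i)) & 1u);
        d.bp[i].global = (int)((dr7 >> (2 * i + 1)) & 1u);
        d.bp[i].kind   = rw_name(dr7 >> (16 + 4 * i));
        d.bp[i].length = len_bytes(dr7 >> (18 + 4 * i));
        if (d.bp[i].local || d.bp[i].global)
            d.n_enabled++;
    }
    d.le = (int)((dr7 >> 8) & 1u);
    d.ge = (int)((dr7 >> 9) & 1u);
    d.reserved_ok = (int)((dr7 >> 10) & 1u);
    d.gd = (int)((dr7 >> 13) & 1u);
    return d;
}

/* The text's observation: 0x700 when the target was started from the SoftICE
 * loader (LE and GE set on top of the always-set bit 10), 0x400 otherwise. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    return (dr7 & 0x300u) == 0x300u;
}

/* True if any hardware breakpoint (what a memory breakpoint uses) is armed. */
int dr7_has_bpm(uint32_t dr7)
{
    return (dr7 & 0xFFu) != 0;
}

/* Build a DR7 value with breakpoint n armed. Used only to construct sample
 * input here; the ring0 check in the text reads the register, it does not write it. */
uint32_t dr7_arm(uint32_t dr7, int n, unsigned rw, unsigned len, int global)
{
    dr7 |= 1u << (2 * n + (global ? 1 : 0));
    dr7 &= ~(0xFu << (16 + 4 * n));
    dr7 |= ((rw & 3u) | ((len & 3u) << 2)) << (16 + 4 * n);
    return dr7;
}

static void report(uint32_t dr7)
{
    struct dr7_decoded d = decode_dr7(dr7);
    int i;
    printf("DR7=%08x: LE=%d GE=%d GD=%d armed=%d loader=%s\n", (unsigned)dr7,
           d.le, d.ge, d.gd, d.n_enabled,
           dr7_looks_like_softice_loader(dr7) ? "yes" : "no");
    for (i = 0; i < 4; i++)
        if (d.bp[i].local || d.bp[i].global)
            printf("  DR%d: %s, %d byte(s), %s\n", i, d.bp[i].kind,
                   d.bp[i].length, d.bp[i].global ? "global" : "local");
}

int main(void)
{
    report(0x400);                          /* clean system */
    report(0x700);                          /* started with the SoftICE loader */
    report(dr7_arm(0x400, 0, 3, 3, 0));     /* read/write, 4-byte breakpoint on DR0 */
    return 0;
}
```

The decoder makes the text's caveat concrete: a memory breakpoint set while the protected code runs shows up as an armed Ln/Gn bit, and the code can clear it (or compare dr0-dr3 against addresses it cares about) once it runs at ring0.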
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE; the open only succeeds when
      the SICE VxD answers the DIOC_OPEN it receives (see below). */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it is detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

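The conditional-breakpoint expressions given for method 11 (`*(esp->4+4)=='SICE'` on CreateFileA) and for method 13 (`*(esp->8+0x13)=='tICE'` on _regopenkey) rewritten as C predicates, so the offsets baked into them can be checked rather than trusted. This is an added example, not from the text and not SoftICE code: SoftICE's `*(p+N)=='abcd'` compares the four bytes at p+N with the characters in memory order, which is what `match4()` does; `esp->4` and `esp->8` are the first and second stack arguments (lpFileName, lpSubKey). The key paths and device names are the ones listed on the page; nothing here touches a real registry or driver, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SoftICE-style *(p)=='abcd': a four-byte memory compare that stops at the
 * string terminator instead of reading past it. */
static int match4(const char *p, const char *lit)
{
    size_t i;
    for (i = 0; i < 4; i++) {
        if (p[i] == '\0' || p[i] != lit[i])
            return 0;
    }
    return 1;
}

/* Same, but refuses offsets that would start beyond the end of the string
 * (the debugger expression has no such guard; it just reads memory). */
static int match4_at(const char *s, size_t off, const char *lit)
{
    return strlen(s) >= off + 4 && match4(s + off, lit);
}

/* Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
 * +4 skips the "\\.\" prefix of the device name. */
int bpx_createfile_condition(const char *lpFileName)
{
    return match4_at(lpFileName, 4, "SICE")
        || match4_at(lpFileName, 4, "SIWV")
        || match4_at(lpFileName, 4, "NTIC");
}

/* Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE' */
int bpx_regopenkey_condition(const char *lpSubKey)
{
    return match4_at(lpSubKey, 0x13, "tICE")
        || match4_at(lpSubKey, 0x37, "tICE");
}

/* Offset of "tICE" inside a subkey path, or -1. This is where 0x13 (key #2)
 * and 0x37 (key #1) come from, and it gives the number to add to the
 * condition for any other spelling of the path. */
long tice_offset(const char *subkey)
{
    const char *p = strstr(subkey, "tICE");
    return p ? (long)(p - subkey) : -1;
}

int main(void)
{
    /* Constructed sample arguments: the three keys listed above and a few
     * CreateFileA names, one of which is a decoy. */
    static const char *const keys[] = {
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    static const char *const names[] = {
        "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE", "C:\\data\\SICE.txt",
    };
    size_t i;
    for (i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("key #%u: tICE at %ld, breakpoint fires: %s\n", (unsigned)(i + 1),
               tice_offset(keys[i]), bpx_regopenkey_condition(keys[i]) ? "yes" : "no");
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("CreateFileA(\"%s\"): breakpoint fires: %s\n", names[i],
               bpx_createfile_condition(names[i]) ? "yes" : "no");
    return 0;
}
```

Two things fall out of running it. Key #3 (App Paths\Loader32.Exe) contains no "tICE" at all, so the breakpoint as written never catches a program that looks for the loader that way. And both conditions are positional: a program that opens "SOFTWARE\NuMega\SoftICE" in upper case, or opens the parent key first and then "SoftICE" as a separate subkey, slips past the fixed offsets even though the registry lookup is the same; `tice_offset()` is the quick way to compute the offset to add for a variant you meet.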
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set when no debugger is present

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>