About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature interface in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL still 4 -> nothing answered behind int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point).

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get device API entry point
    mov     bx, 0202h               ; VxD ID of winice (SICE)
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get device API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0:0 if the VxD is not loaded
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; ...which leaves AX untouched, unless
    xchg    dx, es:[41h*4]          ; a debugger sits in front of the vector
    xchg    bx, es:[41h*4+2]        ; (restore the original vector)
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy AL so the caller can tell we ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL==AL only if our handler was reached
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" names the SoftICE VxD; the open only succeeds when it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) -> 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed            ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
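Every trick above leaves a recognisable byte sequence or string in the protected binary, which is what you want to search for when a packed sample refuses to run under a debugger. The scanner below is an added example (my code, not from the original post, NuMega or SoftICE) that encodes Methods 01-07, 11, 12 and 13 as byte signatures and reports which ones a file contains. The byte encodings are the standard x86 ones noted in the rule comments; the instruction windows (`.{0,N}?`) are my assumption about how far apart the parts of one trick may sit. The sample blobs are constructed for the example, with the Haspinst.exe listing from Method 02 hand-assembled to bytes.

```python
"""Byte-signature scanner for the anti-SoftICE tricks listed in the post.

Added example, not code from the original post. It turns the instruction
sequences and strings of Methods 01-07, 11, 12 and 13 into byte patterns
(standard x86 encodings, noted per rule) and reports which tricks a binary
appears to use, with offsets to feed to a disassembler. The samples at the
bottom are constructed; 'haspinst' is the Method 02 listing hand-assembled.
"""
import re
from typing import Dict, List, Set, Tuple

# (id, description, regex over raw bytes). The '.{0,N}?' windows let a few
# unrelated instructions sit between the parts of one trick (an assumption).
RULES: List[Tuple[str, str, bytes]] = [
    ("M01", "BoundsChecker 'BCHK' interface via int 3",
     # mov ebp,4243484Bh = BD 4B 48 43 42 ; int 3 = CC (or CD 03)
     rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)"),
    ("M02", "SoftICE back door (SI=4647h, DI=4A4Dh) via int 3",
     # mov si,4647h = BE 47 46 ; mov di,4A4Dh = BF 4D 4A
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
     rb".{0,16}?(?:\xCC|\xCD\x03)"),
    ("M03", "int 2Fh/1684h with VxD ID 0202h (SICE)",
     # mov ax,1684h = B8 84 16 ; mov bx,0202h = BB 02 02 ; int 2Fh = CD 2F
     rb"(?:\xB8\x84\x16.{0,8}?\xBB\x02\x02|\xBB\x02\x02.{0,8}?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F"),
    ("M04", "int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     rb"(?:\xB8\x84\x16.{0,8}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,8}?\xB8\x84\x16)"
     rb".{0,8}?\xCD\x2F"),
    ("M05", "int 41h function 4Fh debugger check",
     # mov ax,4Fh = B8 4F 00 ; int 41h = CD 41
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    ("M06", "int 41h vector swapped through es:[41h*4] before int 41h",
     # xchg dx,es:[0104h] = 26 87 16 04 01
     rb"\x26\x87\x16\x04\x01.{0,24}?\xCD\x41"),
    ("M07", "int 68h function 43h (V86 WinICE handler)",
     # mov ah,43h = B4 43 ; int 68h = CD 68
     rb"\xB4\x43.{0,8}?\xCD\x68"),
    ("M11", "MeltICE device name (CreateFileA/_lopen)",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12", "VxDCall VWIN32_Int41Dispatch with function 4Fh",
     # push 4Fh = 6A 4F ; push 002A002Ah = 68 2A 00 2A 00
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    ("M13", "SoftICE registry key string",
     rb"(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]


def scan(blob: bytes) -> List[Dict[str, object]]:
    """Every hit as {offset, id, desc, bytes}, sorted by offset."""
    hits: List[Dict[str, object]] = []
    for rule_id, desc, pattern in RULES:
        # DOTALL so '.' also matches 0x0A inside the instruction windows
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append({"offset": m.start(), "id": rule_id, "desc": desc,
                         "bytes": m.group(0).hex(" ")})
    return sorted(hits, key=lambda h: (h["offset"], h["id"]))


def tricks_found(blob: bytes) -> Set[str]:
    return {str(h["id"]) for h in scan(blob)}


# Constructed samples: hand-assembled 16-bit code unless noted.
SAMPLES: Dict[str, bytes] = {
    "haspinst": bytes.fromhex(                  # Method 02 listing 0095..00AD
        "B8 11 09 " "8B 17 " "BE 47 46 " "BF 4D 4A " "CC "       # ... int 3
        "83 C3 02 " "41 " "83 F9 06 " "72 EB " "E9 55 FF " "8B DC"),
    "bchk": bytes.fromhex("66 BD 4B 48 43 42 B8 04 00 CC 3C 04 75 10"),
    "int2f": bytes.fromhex("31 FF 8E C7 B8 84 16 BB 02 02 CD 2F 8C C0 01 F8 85 C0 75 10"),
    "int41": bytes.fromhex("B8 4F 00 CD 41 3D 86 F3 74 10"),
    "int41_swap": bytes.fromhex(                # Method 06, handler vector swap
        "31 C0 8E C0 8C CB 8D 16 34 12 26 87 16 04 01 26 87 1E 06 01 "
        "E4 40 31 C9 CD 41 26 87 16 04 01 26 87 1E 06 01 38 C1 75 10"),
    "int68": bytes.fromhex("B4 43 CD 68 3D 86 F3 74 10"),
    "vxdcall": bytes.fromhex(                   # Method 12, 32-bit code
        "6A 4F 68 2A 00 2A 00 E8 00 00 00 00 66 3D 86 F3 74 10"),
    "meltice": b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00Software\\NuMega\\SoftICE\x00",
    # magic values but no int 3 within the window: must not be reported
    "benign": b"\xBE\x47\x46\xBF\x4D\x4A" + b"\x90" * 32 + b"Hello, world\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {sorted(tricks_found(blob)) or 'clean'}")
        for h in scan(blob):
            print(f"  +{h['offset']:04x} {h['id']} {h['desc']} [{h['bytes']}]")
```

Feed it a raw file with `scan(open(path, "rb").read())`; the offsets are file offsets, so for an executable you still map them to addresses before setting a breakpoint. M06 keys on the vector swap rather than on `mov ax,4Fh`, so Stone's second variant in Method 05 triggers both M05 and M06, while the 'benign' sample shows why an `int 3` must follow the magic values before M02 is reported: the two constants alone are not the trick.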
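To make the DR7 values quoted in Method 10 concrete, here is an added example (my code, not from the original post) that decodes a DR7 value into its flags and enabled breakpoint slots and rewrites it the way "clearing BPMs" does. The field layout is the documented one from the Intel SDM (Debug Registers); the sample values are constructed. Decoding shows that 0x400 is only the reserved bit 10, which always reads as 1, and that 0x700 adds LE and GE (bits 8 and 9) with no breakpoint slot enabled.

```python
"""Decoder/editor for the x86 DR7 values Method 10 reads in ring 0.

Added example, not code from the original post. Field layout per the Intel
SDM (vol. 3, "Debug Registers"): bits 2n/2n+1 = Ln/Gn enable for DRn, bit 8 =
LE, bit 9 = GE, bit 10 = reserved (reads as 1), bit 13 = GD, and for each n
R/Wn = bits 16+4n..17+4n, LENn = bits 18+4n..19+4n. Sample values are
constructed; the breakpoint address itself lives in DRn, not in DR7.
"""
from typing import Dict, List

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # code 10b means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Break a DR7 value into its global flags and the enabled DR0-DR3 slots."""
    slots: List[Dict[str, object]] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        slots.append({
            "reg": f"dr{n}",
            "scope": "global" if glob else "local",
            "type": RW_TYPES[(dr7 >> (16 + 4 * n)) & 3],
            "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),
        "GE": bool((dr7 >> 9) & 1),
        "GD": bool((dr7 >> 13) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
        "breakpoints": slots,
    }


def clear_breakpoint(dr7: int, n: int) -> int:
    """Drop slot n: its Ln/Gn bits and its R/W + LEN field (what 'clearing a BPM' does)."""
    return dr7 & ~((3 << (2 * n)) | (0xF << (16 + 4 * n)))


def set_breakpoint(dr7: int, n: int, rw: int, len_code: int, global_: bool = True) -> int:
    """Program slot n with a R/W type code and LEN code, keeping bit 10 set."""
    dr7 = clear_breakpoint(dr7, n)
    dr7 |= 1 << (2 * n + (1 if global_ else 0))
    dr7 |= (rw & 3) << (16 + 4 * n)
    dr7 |= (len_code & 3) << (18 + 4 * n)
    return dr7 | 0x400


if __name__ == "__main__":
    # 0x400: untouched; 0x700: LE|GE set; then a 4-byte global write BPM on dr0
    for value in (0x400, 0x700, set_breakpoint(0x700, 0, rw=1, len_code=3)):
        print(hex(value), decode_dr7(value))
```

A BPM on dr0 for a 4-byte write, for instance, turns 0x700 into 0xD0702 (G0 set, R/W0 = 01b, LEN0 = 11b); clearing it with `clear_breakpoint` gives 0x700 back, which is exactly the value the method uses as its "SoftICE loader" tell.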