About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
2 a9 t, a7 r+ N  O6 D2 L___________________________________________________________________________
( O4 r/ a8 U7 w3 Q$ ~. J: j! u' e0 h3 o1 l
4 h/ t. H& i  H' ~: i
Method 03( F4 J/ {* U; }3 O. I
=========7 C1 x4 I9 @9 Z0 Q9 Y

5 \5 y) x  f( {/ g/ ^! qLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
/ u" q: C" T( E  O% X& t0 p(API Get entry point)! F0 P' R  a" I* z* }6 R
        1 X1 l/ S& ?/ c
3 R7 J2 V/ y0 i7 P- y5 ]2 w
    xor     di,di+ H7 u" Q' W. _) b- B  |$ I
    mov     es,di) L( m) X8 B+ ?" ^
    mov     ax, 1684h      
# G/ e2 v8 e1 ?3 B& W7 P8 Z. F, f    mov     bx, 0202h       ; VxD ID of winice
6 Q& w- g, A9 f    int     2Fh- m7 g; O$ c! D. h, B/ V
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
6 Z8 g5 X# I3 V, I, b: |, I    add     ax, di
: u+ S6 N8 `9 b: }1 I  z+ b1 j4 n    test    ax,ax
/ U: _; ?- q( q6 {    jnz     SoftICE_Detected
$ ]- R6 @3 z# y
. l4 u$ j2 R. Z2 j' C& O___________________________________________________________________________
$ G# c9 G* z- p( S+ C- [7 v0 ], x7 j" o
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES = 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
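The checks in Methods 01 to 07 all boil down to a handful of fixed instruction sequences, which is what an analyst triaging a packed or protected sample looks for before ever running it. The following Python scanner is an added example, not part of the original text or of any tool it mentions: the byte patterns are the standard 8086/80386 encodings of the instructions listed above, and the sample image is constructed (the Haspinst.exe back-door sequence from Method 02 followed by the simplest Method 05 check).

```python
"""Static triage of a binary image for the interrupt-based SoftICE checks
of Methods 01-07. Added example, not part of the original text. The byte
patterns are the standard 8086/80386 encodings of the instructions listed
above; the sample image is constructed for this demo."""
import re

# Opcode encodings used below (Intel):
#   B8+r iw   mov r16, imm16  (ax=B8, bx=BB, bp=BD, si=BE, di=BF)
#   B4 ib     mov ah, imm8         3D iw  cmp ax, imm16
#   CC        int 3                CD ib  int imm8
# 32-bit code uses the same opcodes for 32-bit registers (mov ebp,imm32 = BD)
# and a 66h prefix for 16-bit operands, so each pattern allows an optional 66h.
# ".{0,n}?" tolerates a few unrelated instructions between the key ones.
SIGNATURES = {
    "M01 BoundsChecker 'BCHK' handshake via int 3":
        rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC",
    "M02 back-door magic SI=4647h / DI=4A4Dh":
        rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A",
    "M03/04 int 2Fh/1684h lookup of VxD ID 0202h (SICE) or 7A5Fh (SIWVID)":
        rb"\x66?\xB8\x84\x16.{0,16}?\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    "M05/06 int 41h function 4Fh":
        rb"\x66?\xB8\x4F\x00.{0,32}?\xCD\x41",
    "M07 int 68h function 43h":
        rb"\xB4\x43.{0,8}?\xCD\x68",
    "compare with debugger magic number 0F386h":
        rb"\x66?\x3D\x86\xF3",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(image: bytes):
    """Return sorted (offset, signature name) pairs for every hit in image."""
    hits = []
    for name, regex in COMPILED.items():
        for m in regex.finditer(image):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(image: bytes):
    """Group hits by signature name -> list of offsets (for a triage report)."""
    report = {}
    for offset, name in scan(image):
        report.setdefault(name, []).append(offset)
    return report


# Constructed sample: the Method 02 back-door call from the Haspinst.exe
# listing (16-bit code) followed by the simplest Method 05 check, with
# NOP filler around them so the offsets are not zero.
SAMPLE_IMAGE = b"".join([
    b"\x90" * 8,
    b"\xB8\x11\x09",    # mov  ax, 0911h   (execute SIce command)
    b"\x8B\x17",        # mov  dx, [bx]
    b"\xBE\x47\x46",    # mov  si, 4647h   (1st magic value)
    b"\xBF\x4D\x4A",    # mov  di, 4A4Dh   (2nd magic value)
    b"\xCC",            # int  3
    b"\x90" * 8,
    b"\xB8\x4F\x00",    # mov  ax, 4Fh
    b"\xCD\x41",        # int  41h
    b"\x3D\x86\xF3",    # cmp  ax, 0F386h
    b"\x74\x00",        # jz   (target irrelevant here)
])

if __name__ == "__main__":
    for name, offsets in summarize(SAMPLE_IMAGE).items():
        print(f"{name}: at {[hex(o) for o in offsets]}")
```

Treat the hits as leads to confirm in a disassembler, not as proof: the 0F386h compare and `mov ah,43h` are short enough to occur in unrelated code, and conversely a protector that spreads the setup over more instructions than the gaps allow, or loads the magic values through another register, slips past these patterns. Running it over the code section of a PE or the whole image of a DOS executable is the realistic use.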
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

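The two dr7 values quoted above (0x400 and 0x700) are easier to reason about once the register is decoded, and the same decoding shows what a memory breakpoint in dr0 to dr3 looks like from the program's side. The following Python decoder is an added example, not from the original text: the bit layout is the documented x86 one (Intel SDM, volume 3, debug registers), the two values are the page's, and the BPM encoding is constructed for the demo.

```python
"""Decode the DR7 values quoted in Method 10 (0x400 with no SoftICE loader
involvement, 0x700 when the program was loaded through the SoftICE loader)
and show how a memory breakpoint (BPM) in DR0-DR3 shows up in DR7.
Added example, not from the original text; bit layout per the x86
architecture manuals, sample BPM value constructed here."""

GLOBAL_FLAGS = {          # bit mask -> name
    0x100: "LE",          # local exact breakpoint enable (legacy)
    0x200: "GE",          # global exact breakpoint enable (legacy)
    0x400: "reserved1",   # bit 10 is reserved and always reads as 1
    0x2000: "GD",         # general detect: trap on any MOV to/from DRx
}
RW_TYPES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Return {'flags': [...], 'slots': [...]} for the enabled breakpoints."""
    slots = []
    for i in range(4):                             # DR0..DR3
        local = bool((dr7 >> (2 * i)) & 1)         # Li bit
        glob = bool((dr7 >> (2 * i + 1)) & 1)      # Gi bit
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3         # R/Wi field
            ln = (dr7 >> (18 + 4 * i)) & 3         # LENi field
            slots.append({"slot": i, "local": local, "global": glob,
                          "type": RW_TYPES[rw], "len": LEN_BYTES[ln]})
    flags = [name for mask, name in GLOBAL_FLAGS.items() if dr7 & mask]
    return {"flags": flags, "slots": slots}


def bpm_active(dr7: int) -> bool:
    """True if any hardware breakpoint slot (DR0-DR3) is enabled."""
    return bool(dr7 & 0xFF)


def encode_bpm(slot: int, rw: str, length: int, local: bool = True) -> int:
    """Build the DR7 word for one breakpoint (bit 10 kept set, as the CPU reads it)."""
    rw_code = {v: k for k, v in RW_TYPES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * slot) if local else 1 << (2 * slot + 1)
    return (0x400 | enable | (rw_code << (16 + 4 * slot))
            | (len_code << (18 + 4 * slot)))


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_bpm(0, "write", 4)):
        print(hex(value), decode_dr7(value),
              "BPM set" if bpm_active(value) else "no BPM")
```

Bit 10 of dr7 always reads as 1, so 0x400 is the "nothing set" baseline; 0x700 adds LE and GE (bits 8 and 9), which is the difference the text attributes to the SoftICE loader. A BPM sets the Li/Gi enable bit of its slot plus the R/W and LEN fields, which is what `bpm_active` keys on. The page's restriction stands: these registers are only readable in ring0, so a ring3 program cannot run this check directly.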
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* SoftICE registers a device named SICE, so opening \\.\SICE only
   succeeds when the driver is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
& S7 H" L! d- d# T4 \</PRE></TD></TR></TBODY></TABLE>