About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is in ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
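The post lists the instruction sequences and driver names each trick leaves in a binary, which is exactly what an analyst triaging a packed sample wants to grep for before running it. The following is an added example, not code from the post or from any of the tools it names: a small static scanner that looks for the byte encodings of those sequences (mov ebp,'BCHK' for method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h VxD lookups of methods 03 and 04, mov ax,4Fh / int 41h of method 05, mov ah,43h / int 68h of method 07, the push 002A002Ah VxDCall of method 12, and the \\.\SICE, \\.\SIWVID and \\.\NTICE device names of method 11). The opcode bytes are the standard x86 encodings of the instructions quoted above; the 66h operand-size prefix that 32-bit code adds is deliberately left out of the patterns so they match both 16-bit and 32-bit builds. The sample buffer is constructed for the demo and is not a real executable. A register-renamed, obfuscated or differently encoded variant (for example push 4Fh as 6A 4F instead of 68 4F 00 00 00) will slip past a fixed-byte scanner like this one, so treat a hit as a lead, not a verdict, and a miss as nothing at all.

```c
/* Static scanner for the anti-SoftICE sequences described in the post.
 * Added example; not code from the original post. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HITS 32

typedef struct { const char *name; const uint8_t *bytes; size_t len; } Pattern;
typedef struct { const char *name; size_t offset; } Hit;

/* Opcode bytes of the instructions quoted in the post (little-endian immediates). */
static const uint8_t P_BCHK[]       = {0xBD, 0x4B, 0x48, 0x43, 0x42};  /* mov ebp,4243484Bh ('BCHK') */
static const uint8_t P_MAGIC_SI[]   = {0xBE, 0x47, 0x46};              /* mov si,4647h */
static const uint8_t P_MAGIC_DI[]   = {0xBF, 0x4D, 0x4A};              /* mov di,4A4Dh */
static const uint8_t P_VXD_SICE[]   = {0xBB, 0x02, 0x02, 0xCD, 0x2F};  /* mov bx,0202h ; int 2Fh */
static const uint8_t P_VXD_SIWVID[] = {0xBB, 0x5F, 0x7A, 0xCD, 0x2F};  /* mov bx,7A5Fh ; int 2Fh */
static const uint8_t P_INT41[]      = {0xB8, 0x4F, 0x00, 0xCD, 0x41};  /* mov ax,4Fh ; int 41h */
static const uint8_t P_INT68[]      = {0xB4, 0x43, 0xCD, 0x68};        /* mov ah,43h ; int 68h */
static const uint8_t P_VXDCALL[]    = {0x68, 0x2A, 0x00, 0x2A, 0x00};  /* push 002A002Ah (VWIN32_Int41Dispatch) */
/* Device names opened by MeltICE-style checks (string literals, NUL excluded below). */
static const uint8_t S_SICE[]   = "\\\\.\\SICE";
static const uint8_t S_SIWVID[] = "\\\\.\\SIWVID";
static const uint8_t S_NTICE[]  = "\\\\.\\NTICE";

#define PAT(n, a)  { n, a, sizeof a }
#define SPAT(n, a) { n, a, sizeof a - 1 }
static const Pattern PATTERNS[] = {
    PAT("M01-BCHK", P_BCHK),       PAT("M02-SI4647", P_MAGIC_SI),
    PAT("M02-DI4A4D", P_MAGIC_DI), PAT("M03-VXD-SICE", P_VXD_SICE),
    PAT("M04-VXD-SIWVID", P_VXD_SIWVID), PAT("M05-INT41", P_INT41),
    PAT("M07-INT68", P_INT68),     PAT("M12-VXDCALL", P_VXDCALL),
    SPAT("M11-SICE", S_SICE), SPAT("M11-SIWVID", S_SIWVID), SPAT("M11-NTICE", S_NTICE),
};

/* Naive byte search; fine for a demo, use a multi-pattern matcher for large inputs. */
static long find_bytes(const uint8_t *hay, size_t hay_len, const uint8_t *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) return -1;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return (long)i;
    return -1;
}

/* Records the first offset of every pattern present; returns the number of distinct hits. */
size_t scan_anti_softice(const uint8_t *buf, size_t len, Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t p = 0; p < sizeof PATTERNS / sizeof PATTERNS[0] && n < max_hits; p++) {
        long off = find_bytes(buf, len, PATTERNS[p].bytes, PATTERNS[p].len);
        if (off >= 0) { hits[n].name = PATTERNS[p].name; hits[n].offset = (size_t)off; n++; }
    }
    return n;
}

/* Constructed sample (not a real binary): nop padding around a 32-bit build of
 * method 05, the method 01 signature check, the method 12 VxDCall, and the
 * \\.\SICE device name. */
static const uint8_t SAMPLE[] = {
    0x90, 0x90, 0x90,
    0x66, 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x66, 0x3D, 0x86, 0xF3,  /* mov ax,4Fh ; int 41h ; cmp ax,0F386h */
    0x90, 0x90,
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, 0x3C, 0x04, /* mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4 */
    0x90,
    0x68, 0x4F, 0x00, 0x00, 0x00, 0x68, 0x2A, 0x00, 0x2A, 0x00,  /* push 4Fh ; push 002A002Ah */
    0x90, 0x90,
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,
    0x90,
};

/* Wrappers over the constructed sample, so results can be checked by name. */
size_t sample_hit_count(void)
{
    Hit hits[MAX_HITS];
    return scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, MAX_HITS);
}

long sample_hit_offset(const char *name)
{
    Hit hits[MAX_HITS];
    size_t n = scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        if (strcmp(hits[i].name, name) == 0) return (long)hits[i].offset;
    return -1;
}

int main(void)
{
    Hit hits[MAX_HITS];
    size_t n = scan_anti_softice(SAMPLE, sizeof SAMPLE, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        printf("%-16s at offset 0x%02lx\n", hits[i].name, (unsigned long)hits[i].offset);
    return 0;
}
```

Run against the built-in sample it reports four of the eleven patterns (M01-BCHK, M05-INT41, M12-VXDCALL, M11-SICE); to use it on a real file, read the file into a buffer and pass that to scan_anti_softice instead of SAMPLE.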