About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es assumed = 0 (IVT), see Method 06
    xchg    bx, es:[41h*4+2]        ; install own handler, keep the old one
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install own handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT timer
    xor     cx,cx
    int     41h                     ; reaches our handler only if nobody
    xchg    dx, es:[41h*4]          ; swallows int 41h first
    xchg    bx, es:[41h*4+2]        ; restore the original vector
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-()
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
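A triage scanner for the constants these methods leave behind in a binary, added here as an example (it is not part of the original text nor of any tool it mentions): it matches the little-endian encodings of the instructions and strings used by methods 01-05, 07, 11, 12 and 13 over a raw byte buffer. The signature table, labels and SAMPLE bytes are all constructed for this example.

```python
"""Flag anti-SoftICE patterns (methods listed above) in a raw code/data buffer."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str   # constructed label of the anti-SoftICE method (M01..M13)
    offset: int   # byte offset of the match in the scanned buffer
    matched: str  # hex of the matched bytes, for triage


# Constructed signature table (not from any real scanner): each regex is the
# encoding of the instructions/constants the method relies on, written without
# the 66h operand-size prefix so 16-bit and 32-bit code both match.
SIGNATURES = [
    ("M01", rb"\xBD\x4B\x48\x43\x42"),                      # mov ebp,'BCHK'
    ("M02", rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A"),          # mov si,4647h .. mov di,4A4Dh
    ("M03", rb"\xBB\x02\x02.{0,8}?\xCD\x2F"),               # mov bx,0202h .. int 2Fh
    ("M04", rb"\xBB\x5F\x7A.{0,8}?\xCD\x2F"),               # mov bx,7A5Fh .. int 2Fh
    ("M05", rb"\xB8\x4F\x00\xCD\x41"),                      # mov ax,4Fh ; int 41h
    ("M07", rb"\xB4\x43\xCD\x68"),                          # mov ah,43h ; int 68h
    ("F386", rb"\x3D\x86\xF3"),                             # cmp ax,0F386h (05/07/12)
    ("M11", rb"\\\\\.\\(SICE|SIWVID|NTICE)"),               # MeltICE device names
    ("M12", rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"),  # push 4Fh ; push 002A002Ah
    ("M13", rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]


def scan(buf: bytes) -> list[Hit]:
    """Return every signature hit in buf, ordered by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, buf, re.DOTALL):
            hits.append(Hit(label, m.start(), m.group(0).hex()))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(buf: bytes) -> set[str]:
    """Set of method labels present in buf (what a triage report would list)."""
    return {h.method for h in scan(buf)}


# Constructed sample: hand-assembled fragments of the methods above plus the
# MeltICE device name and one registry key, padded with NOPs.
SAMPLE = (
    b"\x90" * 5
    + bytes.fromhex("66BD4B484342B80400CC3C047500")  # Method 01
    + bytes.fromhex("B81109BE4746BF4D4ACD03")        # Method 02
    + bytes.fromhex("B88416BB0202CD2F")              # Method 03
    + bytes.fromhex("B84F00CD413D86F3")              # Method 05 + 0F386h compare
    + bytes.fromhex("684F000000682A002A00")          # Method 12
    + b"\\\\.\\SICE\x00"                             # Method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"               # Method 13 registry key
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  {h.method:5} {h.matched}")
```

Run it over a dumped code section or the whole file; a hit is a lead for a manual look, not proof, since three-byte patterns such as F386 can occur by chance.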