About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface built into SoftICE: an int 3 issued
with EBP='BCHK' and AX=0004h is answered by SoftICE with AL=00h, so if AL
still holds 4 afterwards, SoftICE is not there.

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker magic)
    mov     ax, 04h                ; BoundsChecker function 4
    int     3                      ; SoftICE answers with AL=0, otherwise AL is unchanged
    cmp     al,4                   ; (under Win32 the int 3 must be caught by an exception handler)
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It uses
the SoftICE 'back door commands' (also reached through int 3), which give
information on breakpoints or execute SoftICE commands...
It is also used to crash SoftICE or to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the VxD ID of SoftICE via int 2Fh/1684h
(Get VxD API entry point): if a VxD with that ID is loaded and exports an
API, ES:DI comes back pointing at it, otherwise ES:DI stays 0:0.

    xor     di,di
    mov     es,di               ; ES:DI = 0 so an unanswered call leaves it zero
    mov     ax, 1684h           ; int 2Fh: get VxD API entry point
    mov     bx, 0202h           ; VxD ID of WinICE (SICE)
    int     2Fh
    mov     ax, es              ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax               ; 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh           ; VxD ID of SIWVID
    int     2fh
    mov     ax, es              ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check
of the Windows debugging interface).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh              ; int 41h function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h          ; 'magic number' returned by system debuggers
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  Under plain DOS the int 41h vector is
not code at all (the BIOS keeps the fixed-disk parameter table address
there), so the call cannot be made blindly: a temporary IRET handler is
installed first (ES must be 0, as in method 06) and the original vector is
restored afterwards.  Without a debugger the IRET leaves AX as it was;
SoftICE answers the interrupt itself and returns 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install our handler, keep the old offset in DX
    xchg    bx, es:[41h*4+2]    ; ... and the old segment in BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========


2nd method, similar to the preceding one but more difficult to detect, since
it never compares against the 0F386h magic number: AL is loaded with the
current timer value (port 40h) and CX is cleared, then int 41h is called.
If the vector in the IVT really gets executed, the handler copies AL into CL
and the two match; if SoftICE answers the interrupt itself, CL stays 0.
(A timer read of 0 would give a match even under SoftICE, a 1-in-256 miss.)

int41handler PROC
    mov     cl,al               ; runs only if the IVT vector is really used
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our handler, save the old vector in BX:DX
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable, usually non-zero, value in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86 mode).

    mov     ah,43h              ; int 68h function 43h: debugger installation check
    int     68h
    cmp     ax,0F386h           ; same 'magic number' as int 41h/4Fh
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler (DS = its segment)
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
possible from ring 0 (a VxD, or a ring-3 app reaching the VMM through VxDCall).
The Get_DDB service determines whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring 0 only: mov reg,drN is a privileged instruction). Values can be
manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________
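The following is an added example, not from the original text: a C decoder for the DR7 bit layout, so that the 0x400 and 0x700 figures above can be read off bit by bit and a ring-0 check of the kind described here knows which of dr0..dr3 carry a BPM. The bit positions are the standard x86 ones (Intel SDM vol. 3, "Debug Registers"); bit 10 is reserved and always reads as 1, which is why the idle value is 0x400 and not 0, and 0x700 is that plus the LE/GE bits 8 and 9. The privileged mov eax,dr7 itself is not part of the block, only the interpretation of the value; the third sample value in main() is constructed for the demo.

```c
/* Added example, not part of the original text: decode a DR7 value the way a
 * ring-0 check from method 10 would, so that the 0x400 / 0x700 figures above
 * can be read off bit by bit.  Bit positions are the standard x86 ones (Intel
 * SDM vol. 3, "Debug Registers"); the actual mov eax,dr7 is privileged and is
 * not part of this block.  The third sample value in main() is constructed. */
#include <stdio.h>
#include <stdint.h>

typedef struct {
    int enabled;        /* L<n> or G<n> set: this slot is armed */
    int global;         /* G<n> set (survives task switches) */
    const char *type;   /* exec / write / io / rw  (R/W<n> field) */
    int len;            /* 1, 2, 4 or 8 bytes       (LEN<n> field) */
} dr_bp_t;

typedef struct {
    dr_bp_t bp[4];      /* one entry per dr0..dr3 */
    int le, ge;         /* bits 8 and 9: local / global exact breakpoint enable */
    int gd;             /* bit 13: general detect, traps any mov to/from drN */
    int active;         /* number of armed slots, i.e. BPMs a debugger has set */
} dr7_info_t;

dr7_info_t dr7_decode(uint32_t dr7)
{
    static const char *types[] = {"exec", "write", "io", "rw"};
    static const int   lens[]  = {1, 2, 8, 4};   /* LEN encoding 10b = 8 bytes */
    dr7_info_t d = {0};
    for (int i = 0; i < 4; i++) {
        int local  = (dr7 >> (2 * i))     & 1;
        int global = (dr7 >> (2 * i + 1)) & 1;
        d.bp[i].enabled = local | global;
        d.bp[i].global  = global;
        d.bp[i].type    = types[(dr7 >> (16 + 4 * i)) & 3];
        d.bp[i].len     = lens[(dr7 >> (18 + 4 * i)) & 3];
        d.active       += d.bp[i].enabled;
    }
    d.le = (dr7 >> 8)  & 1;
    d.ge = (dr7 >> 9)  & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The loader signature from the text: 0x400 is the idle value (bit 10 is
 * reserved and always reads as 1), 0x700 additionally has LE and GE set.
 * Any debugger that sets those two bits looks the same, so treat it as a hint. */
int dr7_looks_like_softice_loader(uint32_t dr7)
{
    dr7_info_t d = dr7_decode(dr7);
    return d.le && d.ge;
}

/* What "clearing BPMs" amounts to: drop every L<n>/G<n> enable bit and keep
 * the rest. A ring-0 caller would write the result back with mov dr7,eax. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return dr7 & ~0xFFu;
}

static void dump(uint32_t dr7)
{
    dr7_info_t d = dr7_decode(dr7);
    printf("dr7=%08x  LE=%d GE=%d GD=%d  armed=%d  loader-signature=%s\n",
           (unsigned)dr7, d.le, d.ge, d.gd, d.active,
           dr7_looks_like_softice_loader(dr7) ? "yes" : "no");
    for (int i = 0; i < 4; i++)
        if (d.bp[i].enabled)
            printf("  dr%d: %s breakpoint, %d byte(s), %s\n", i, d.bp[i].type,
                   d.bp[i].len, d.bp[i].global ? "global" : "local");
}

int main(void)
{
    dump(0x400);        /* no debugger, no breakpoints */
    dump(0x700);        /* program loaded through the SoftICE loader */
    /* constructed: 0x700 plus a local 4-byte write BPM in slot 0
     * (L0 = bit 0, R/W0 = 01b at bits 16-17, LEN0 = 11b at bits 18-19) */
    dump(0x000D0701);
    printf("after clearing: %08x\n", (unsigned)dr7_clear_breakpoints(0x000D0701));
    return 0;
}
```

The armed count is the part a protection actually cares about (a BPM means someone is watching memory); the LE/GE test is weaker, since it only tells that some debugger touched those bits, not which one.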

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver devices (SICE and SIWVID on Win9x, NTICE on
WinNT) with the CreateFileA API; the open only succeeds when the driver is
loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the \\.\SICE device can be opened, i.e. the Win9x
   SoftICE VxD is loaded. "\\\\.\\SIWVID" and "\\\\.\\NTICE" are checked
   the same way. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091    ; not opened -> SoftICE not loaded


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________
Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE'
in the key names of #2 and #1):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
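Added example, not from the original document: a small static scanner that looks for the byte encodings of the checks in methods 01, 02, 05, 07 and 12 and for the strings used by methods 11 and 13, the kind of pass one runs over an unpacked program before loading it under the debugger. The hex patterns are hand-assembled from the instructions quoted in the text (mov si,4647h is BE 47 46, mov ah,43h is B4 43, int 41h is CD 41, and so on); "??" in a pattern matches any byte. The buffer scanned in main() is constructed for the demo, mixes 16-bit and 32-bit encodings, and is not taken from any real program.

```c
/* Added example, not part of the original text: static scanner for the
 * SoftICE checks of methods 01, 02, 05, 07, 11, 12 and 13.  Hex patterns are
 * hand-assembled from the instructions quoted above; "??" matches any byte.
 * The buffer scanned by main() is constructed for the demo only. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PAT 32

typedef struct {
    const char *name;
    const char *hex;    /* hex pattern, or NULL when ascii is used */
    const char *ascii;  /* literal string (device name, registry key) */
} sig_t;

const sig_t sigs[] = {
    /* Method 01: mov ebp,4243484Bh / mov ax,4 / int 3 (32-bit and 16-bit code) */
    {"M01 BCHK int 3 (32-bit)",       "BD 4B 48 43 42 66 B8 04 00 CC", NULL},
    {"M01 BCHK int 3 (16-bit)",       "66 BD 4B 48 43 42 B8 04 00 CC", NULL},
    /* Method 02: mov si,4647h / mov di,4A4Dh, the back-door magic values */
    {"M02 back-door magic (16-bit)",  "BE 47 46 BF 4D 4A", NULL},
    {"M02 back-door magic (32-bit)",  "66 BE 47 46 66 BF 4D 4A", NULL},
    /* Method 05: mov ax,4Fh / int 41h (32-bit code only adds a 66h in front) */
    {"M05 int 41h/4Fh",               "B8 4F 00 CD 41", NULL},
    /* Method 07: mov ah,43h / int 68h */
    {"M07 int 68h/43h",               "B4 43 CD 68", NULL},
    /* Method 12: push 4Fh / push 2A002Ah before the VxDCall */
    {"M12 VWIN32_Int41Dispatch",      "6A 4F 68 2A 00 2A 00", NULL},
    /* Method 11: device names handed to CreateFileA / _lopen */
    {"M11 \\\\.\\SICE",   NULL, "\\\\.\\SICE"},
    {"M11 \\\\.\\SIWVID", NULL, "\\\\.\\SIWVID"},
    {"M11 \\\\.\\NTICE",  NULL, "\\\\.\\NTICE"},
    /* Method 13: registry key #2 */
    {"M13 registry key",  NULL, "Software\\NuMega\\SoftICE"},
};
#define NSIGS (sizeof sigs / sizeof sigs[0])

/* Parse "BD 4B ?? CC" into bytes plus a wildcard mask; returns the length or -1. */
static int parse_hex(const char *hex, unsigned char *out, unsigned char *wild)
{
    int n = 0;
    for (const char *p = hex; *p; p += 2, n++) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (n >= MAX_PAT || p[1] == '\0') return -1;
        if (p[0] == '?' && p[1] == '?') { wild[n] = 1; out[n] = 0; continue; }
        char tmp[3] = {p[0], p[1], 0}, *end;
        out[n] = (unsigned char)strtol(tmp, &end, 16);
        wild[n] = 0;
        if (*end) return -1;
    }
    return n;
}

/* Offset of the first match of sig in buf, or -1 if it is absent. */
long find_sig(const unsigned char *buf, size_t len, const sig_t *sig)
{
    unsigned char pat[MAX_PAT], wild[MAX_PAT];
    int n;
    if (sig->ascii) {
        n = (int)strlen(sig->ascii);
        if (n > MAX_PAT) return -1;
        memcpy(pat, sig->ascii, (size_t)n);
        memset(wild, 0, (size_t)n);
    } else if ((n = parse_hex(sig->hex, pat, wild)) <= 0) {
        return -1;
    }
    for (size_t i = 0; i + (size_t)n <= len; i++) {
        int j = 0;
        while (j < n && (wild[j] || buf[i + j] == pat[j])) j++;
        if (j == n) return (long)i;
    }
    return -1;
}

/* Scan buf against every signature, print the hits, return how many matched. */
int scan_buffer(const unsigned char *buf, size_t len)
{
    int hits = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        long off = find_sig(buf, len, &sigs[s]);
        if (off >= 0) { printf("%06lx  %s\n", off, sigs[s].name); hits++; }
    }
    return hits;
}

/* Constructed sample: a prologue, the method 01 sequence with its cmp/jnz,
 * the Haspinst-style method 02 setup, and an embedded "\\.\SICE" string. */
const unsigned char sample[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC,                               /* nop nop push ebp mov ebp,esp */
    0xBD, 0x4B, 0x48, 0x43, 0x42, 0x66, 0xB8, 0x04, 0x00, 0xCC, /* method 01 */
    0x3C, 0x04, 0x75, 0x10,                                     /* cmp al,4 / jnz */
    0xB8, 0x11, 0x09, 0x8B, 0x17,                               /* mov ax,0911h / mov dx,[bx] */
    0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC,                   /* method 02 + int 3 */
    '\\', '\\', '.', '\\', 'S', 'I', 'C', 'E', 0x00,            /* method 11 device name */
    0xC3,
};
const size_t sample_len = sizeof sample;

int main(void)
{
    printf("%d signature(s) matched\n", scan_buffer(sample, sample_len));
    return 0;
}
```

A hit only says the bytes are present; packers that decrypt the check at run time will not show it in a static scan, which is where the BPX/BPINT breakpoints listed under the individual methods take over.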


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set -> no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
汶上信息港 (鲁ICP备19052200号-1) | Powered by Discuz! X5.0