About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It uses the BoundsChecker interface built into SoftICE: ebp carries the
'BCHK' signature and ax the request number. If SoftICE is loaded, its
int 3 handler recognises the signature, services the request and changes
al; if al is still 4 afterwards, nobody answered the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h                ; request number
    int     3                      ; SoftICE answers if it is loaded
    cmp     al,4                   ; al unchanged -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (a hard reboot, so a loaded
SoftICE never gets as far as the Bad_Guy jump).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It asks for the SoftICE VxD's API entry point with
int 2Fh/1684h (Get Device API Entry Point). The call returns the entry
point in ES:DI, or leaves 0:0 when no VxD with that ID is loaded (or it
exports no API), which is what the es+di != 0 test below relies on.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE graphics (video) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation
check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program swaps its own iret handler
into the int 41h vector for the duration of the call, so that when no
debugger is around ax comes back unchanged; 0F386h can then only come from
a debugger that traps int 41h before the IVT handler gets control, as
SoftICE does:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs                  ; (set explicitly here, as in Method 06)
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: the
function number in al is read from the timer (port 40h), so it is not the
constant 4Fh that a "BPINT 41 if ax==4f" would catch. The program's own
handler copies al into cl; if it ran, cl equals al. If SoftICE intercepted
the interrupt instead, the handler never ran and cl is still 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random function number
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

Note that the check is blind when the byte read from port 40h happens to
be 0: cl and al are then equal whether or not the handler ran.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86): function 43h
of the int 68h debugger interface returns the same 0F386h magic number.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and or changed as well
(clearing BPMs for instance).
Bit 10 of dr7 is reserved and always reads as 1, which is where the 0x400
baseline comes from; 0x700 means bits 8 and 9 (LE/GE, exact breakpoint
match) are set on top of it. An armed BPM shows up as one of the L0-L3 /
G0-G3 enable bits (bits 0-7) together with its type and length fields in
bits 16-31.

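To make those dr7 values concrete, here is an added C example (not code from the original text) that decodes a DR7 value the way a ring-0 check of this kind would after reading the register: the 0x400 and 0x700 cases quoted above, plus a constructed value with one 4-byte read/write BPM armed on dr0. The bit layout is the documented x86 one; the struct and function names are my own.

```c
/* dr7_decode.c: interpret the x86 debug control register DR7 as a ring-0
   Method 10 check would after reading it. Added example; function and
   struct names are assumptions, the bit layout is the documented x86 one. */
#include <stdint.h>
#include <stdio.h>

#define DR7_LE        (1u << 8)   /* local exact breakpoint enable          */
#define DR7_GE        (1u << 9)   /* global exact breakpoint enable         */
#define DR7_RESERVED1 (1u << 10)  /* reserved bit that always reads as 1    */
#define DR7_GD        (1u << 13)  /* general detect: trap on MOV to/from DRn */

struct dr7_info {
    int enabled[4];      /* breakpoint n armed (L or G bit set)           */
    int rw[4];           /* 0=execute, 1=write, 2=I/O, 3=read or write    */
    int len[4];          /* 1, 2, 4 or 8 bytes                            */
    int exact;           /* LE or GE set                                  */
    int general_detect;  /* GD set                                        */
};

/* Split a raw DR7 into its fields. */
struct dr7_info dr7_decode(uint32_t dr7)
{
    /* LENn encoding: 00=1 byte, 01=2 bytes, 10=8 bytes (64-bit mode), 11=4 bytes */
    static const int len_table[4] = { 1, 2, 8, 4 };
    struct dr7_info info;
    int n;
    for (n = 0; n < 4; n++) {
        info.enabled[n] = ((dr7 >> (2 * n)) & 3u) != 0;
        info.rw[n]      = (int)((dr7 >> (16 + 4 * n)) & 3u);
        info.len[n]     = len_table[(dr7 >> (18 + 4 * n)) & 3u];
    }
    info.exact          = (dr7 & (DR7_LE | DR7_GE)) != 0;
    info.general_detect = (dr7 & DR7_GD) != 0;
    return info;
}

/* Number of hardware breakpoints (BPMs) currently armed. */
int dr7_active_breakpoints(uint32_t dr7)
{
    struct dr7_info info = dr7_decode(dr7);
    return info.enabled[0] + info.enabled[1] + info.enabled[2] + info.enabled[3];
}

/* Verdict a Method 10 check reaches from DR7 alone: anything beyond the
   idle value 0x400 (exact-match bits or an armed breakpoint) is suspicious. */
int dr7_looks_debugged(uint32_t dr7)
{
    return dr7_active_breakpoints(dr7) > 0 || dr7_decode(dr7).exact;
}

/* Build a DR7 arming breakpoint n (local or global) with type rw and length
   code len_code; used here only to construct a sample value. */
uint32_t dr7_encode(int n, int local, int rw, int len_code)
{
    uint32_t v = DR7_RESERVED1;
    v |= 1u << (2 * n + (local ? 0 : 1));
    v |= (uint32_t)(rw & 3) << (16 + 4 * n);
    v |= (uint32_t)(len_code & 3) << (18 + 4 * n);
    return v;
}

int main(void)
{
    /* 0x400 and 0x700 are the values quoted in the text; the third is a
       constructed DR7 with a 4-byte read/write BPM on dr0 under the loader. */
    uint32_t samples[3];
    int i;
    samples[0] = 0x400;
    samples[1] = 0x700;
    samples[2] = dr7_encode(0, 1, 3, 3) | DR7_LE | DR7_GE;
    for (i = 0; i < 3; i++) {
        struct dr7_info info = dr7_decode(samples[i]);
        printf("dr7=%08x exact=%d armed=%d bp0:%s rw=%d len=%d -> %s\n",
               (unsigned)samples[i], info.exact, dr7_active_breakpoints(samples[i]),
               info.enabled[0] ? "on" : "off", info.rw[0], info.len[0],
               dr7_looks_debugged(samples[i]) ? "debugger" : "clean");
    }
    return 0;
}
```

The same decoder tells you what a protection that "manipulates" the registers would have to clear: the enable bits in the low byte for the BPMs, and LE/GE if it wants to hide the loader case as well.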
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* TRUE if the SICE driver handle could be opened, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, so the
  dword compared is the first four characters of the driver name)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (_lopen returns HFILE_ERROR, i.e. -1, on
failure, hence the inc eax / jz pairs):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; -1 + 1 == 0 -> not opened
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


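Added example, not code from the original text nor from MeltICE or nmtrans.dll: the driver-name test that both the MeltICE probe and the CreateFileA breakpoint above rely on, in portable C so it runs anywhere. Because CreateFileA on \\.\SICE only means something on a Win9x box, `open_on_box_with_softice` is a constructed stand-in for a system where the VxD acknowledges the open, and `hooked_open` is a hypothetical API-level hook of the kind a SoftICE-hiding tool puts on CreateFileA (the IFS, as the text says, never sees these opens). All names are my own.

```c
/* meltice_names.c: the driver-name test behind the MeltICE probe and the
   "BPX CreateFileA if *(esp->4+4)=='SICE'" condition, in portable C.
   Added example: the open functions are constructed stand-ins, since
   CreateFileA on \\.\SICE only means something on a Win9x box. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for INVALID_HANDLE_VALUE, the -1 of "cmp eax,-001" above. */
#define INVALID_HANDLE (-1L)

/* Driver names the probe opens: SICE and SIWVID (Win9x), NTICE (WinNT). */
const char *const softice_drivers[] = { "SICE", "SIWVID", "NTICE" };
#define N_DRIVERS (sizeof softice_drivers / sizeof softice_drivers[0])

/* Win32 device names are case-insensitive, so compare ignoring case. */
static int name_equals(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* 1 if path is "\\.\NAME" with NAME a SoftICE driver. path + 4 is the same
   place the breakpoint expression reads with *(esp->4+4): lpFileName plus
   the four characters of the "\\.\" prefix. */
int is_softice_device_path(const char *path)
{
    size_t i;
    if (path == NULL || strncmp(path, "\\\\.\\", 4) != 0)
        return 0;
    for (i = 0; i < N_DRIVERS; i++)
        if (name_equals(path + 4, softice_drivers[i]))
            return 1;
    return 0;
}

typedef long (*open_fn)(const char *path);

/* Constructed stand-in for CreateFileA on a machine where SoftICE is
   loaded: the VxD acknowledges DIOC_OPEN, so (simplified) every name opens. */
long open_on_box_with_softice(const char *path)
{
    (void)path;
    return 0x100;   /* any value other than INVALID_HANDLE */
}

/* Hypothetical API-level hook used to hide SoftICE: refuse the driver
   names and forward everything else to the real open. */
long hooked_open(const char *path)
{
    if (is_softice_device_path(path))
        return INVALID_HANDLE;
    return open_on_box_with_softice(path);
}

/* The MeltICE probe, parameterised on the open function so both paths can
   be exercised: 1 as soon as any driver handle opens (a real caller would
   CloseHandle it, as IsSoftIce95Loaded above does). */
int meltice_probe(open_fn open_file)
{
    char path[16];
    size_t i;
    for (i = 0; i < N_DRIVERS; i++) {
        strcpy(path, "\\\\.\\");
        strcat(path, softice_drivers[i]);
        if (open_file(path) != INVALID_HANDLE)
            return 1;
    }
    return 0;
}
```

The same `is_softice_device_path` test applies to the argument of the 16-bit `_lopen` variant shown above, which is why a hook that only covers CreateFileA is not enough against programs like AZPR3.00.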
__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 and 0x37 are the offsets of the
"tICE" of "SoftICE" in key #2 and key #1 respectively, so this condition
does not fire for key #3, whose path contains no "tICE".)

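Added example (mine, not from the text): what that _regopenkey condition does and does not match, run over the three sub-key strings above as constructed inputs. `tag_at` emulates SoftICE's `*(p+off)=='tICE'` comparison, `regopenkey_bpx_condition` is the breakpoint condition as a predicate on lpSubKey, and `tag_offset` shows where the 0x13 and 0x37 constants come from and gives the number to use for any other key. Function names are my own.

```c
/* regkey_tags.c: emulate the _regopenkey breakpoint condition from Method 13
   over the three sub-key strings it is meant to catch. Added example; the
   key strings are copied from the text, the function names are mine. */
#include <stddef.h>
#include <string.h>

/* lpSubKey values from Method 13 (without the HKEY_LOCAL_MACHINE root). */
const char *const softice_keys[] = {
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",       /* #1 */
    "Software\\NuMega\\SoftICE",                                             /* #2 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe", /* #3 */
};
#define N_KEYS (sizeof softice_keys / sizeof softice_keys[0])

/* SoftICE's *(p+off)=='tICE' reads four bytes at p+off; do the same but
   refuse to read past the terminator (the debugger has no such scruple). */
int tag_at(const char *s, size_t off, const char *tag4)
{
    if (s == NULL || strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag4, 4) == 0;
}

/* The breakpoint condition itself, as a predicate on lpSubKey (esp->8). */
int regopenkey_bpx_condition(const char *subkey)
{
    return tag_at(subkey, 0x13, "tICE") || tag_at(subkey, 0x37, "tICE");
}

/* Where a four-byte tag sits in s, or -1: this is how the 0x13 and 0x37
   constants were obtained, and how to derive the one for another key. */
long tag_offset(const char *s, const char *tag4)
{
    const char *p = (s == NULL) ? NULL : strstr(s, tag4);
    return p == NULL ? -1 : (long)(p - s);
}

/* How many of the three keys open without tripping the condition. */
int keys_missed_by_condition(void)
{
    size_t i, missed = 0;
    for (i = 0; i < N_KEYS; i++)
        if (!regopenkey_bpx_condition(softice_keys[i]))
            missed++;
    return (int)missed;
}
```

Key #3 is the one that slips through: it is a different program name altogether, so a condition on "tICE" has nothing to match, and a program that only reads the Loader32.Exe App Paths entry will not trigger this breakpoint.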
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>