About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

A less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if not loaded)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers.  It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (the IVT segment) here,
    xchg    bx, es:[41h*4+2]        ; as it is set up explicitly in Method 06
    mov     ax,4fh
    int     41h                     ; a debugger hooking int 41h below the IVT
                                    ; still answers 0F386h; our handler leaves AX alone
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

A 2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only reached if int 41h went through the IVT
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read a changing value (PIT counter) into AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler did not see the call
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

This is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx
points to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature.  DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only).  Values can be manipulated and/or changed as well
(clearing BPMs for instance).
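The rule of thumb above (dr7 = 0x700 when loaded through the SoftICE loader, 0x400 otherwise, and an armed dr0..dr3 slot meaning a memory breakpoint is live) comes down to reading individual DR7 bits. The decoder below is an added example, not code from the original post: it follows the DR7 layout from the Intel manual, and `arm_bpm` is a constructed helper that builds a DR7 value the way a BPM would, so the decoder can be checked against it. Labelling 0x700 as "the SoftICE-loader value" is only this example's reading of the two numbers quoted in the text.

```python
from dataclasses import dataclass, field
from typing import List

# DR7 layout (Intel SDM, vol. 3, "Debug Registers"):
#   bits 0,2,4,6 : L0..L3  local enable for DR0..DR3
#   bits 1,3,5,7 : G0..G3  global enable for DR0..DR3
#   bit 8        : LE      local exact breakpoint enable
#   bit 9        : GE      global exact breakpoint enable
#   bit 10       : reserved, always reads as 1 (hence the 0x400 baseline)
#   bits 16+4n   : R/Wn    breakpoint condition for DRn (2 bits)
#   bits 18+4n   : LENn    breakpoint length for DRn (2 bits)
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


@dataclass
class HwBreakpoint:
    slot: int          # which DRn holds the address
    local: bool
    global_: bool
    kind: str          # what access triggers it
    length: int        # bytes covered


@dataclass
class Dr7State:
    raw: int
    local_exact: bool
    global_exact: bool
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_dr7(dr7: int) -> Dr7State:
    """Split a DR7 value into the exact-match bits and the armed DR0..DR3 slots."""
    state = Dr7State(raw=dr7,
                     local_exact=bool(dr7 & (1 << 8)),
                     global_exact=bool(dr7 & (1 << 9)))
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue   # slot not armed: whatever DRn holds is not a live breakpoint
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        state.breakpoints.append(HwBreakpoint(n, local, glob, RW_NAMES[rw], LEN_BYTES[ln]))
    return state


def classify(dr7: int) -> str:
    """Apply the text's rule of thumb: armed slots = memory breakpoints (BPMs);
    LE and GE set = the 0x700 value seen with the SoftICE loader;
    only the reserved bit (0x400) = nothing to see."""
    st = decode_dr7(dr7)
    if st.breakpoints:
        slots = ", ".join(f"DR{b.slot} ({b.kind}, {b.length} bytes)" for b in st.breakpoints)
        return f"hardware breakpoint(s) armed: {slots}"
    if st.local_exact and st.global_exact:
        return "LE and GE set (the 0x700 SoftICE-loader value)"
    return "no debug-register activity"


def arm_bpm(dr7: int, slot: int, kind: str, length: int, global_: bool = False) -> int:
    """Constructed helper for the demo: return dr7 with slot DRn armed the way a
    BPM would set it (enable bit plus R/Wn and LENn fields)."""
    rw = {v: k for k, v in RW_NAMES.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 |= 1 << (2 * slot + (1 if global_ else 0))
    dr7 &= ~(0b1111 << (16 + 4 * slot))          # clear the old R/Wn, LENn
    dr7 |= (rw | (ln << 2)) << (16 + 4 * slot)
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, arm_bpm(0x400, 0, "read/write", 4)):
        print(f"dr7={value:#010x}: {classify(value)}")
```

Reading DR0..DR3 and DR7 needs ring 0, as the text says; the decoder is what you would run on values already captured from a driver or an emulator trace.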

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name exported by the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor.  This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service.  As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
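The breakpoints listed under each method catch these tricks at run time. For triage before a sample is run, the same tricks can be spotted statically, since most of them reduce to a handful of fixed instruction encodings or strings. The scanner below is an added example, not part of the original post or of any tool it names: it looks for the byte patterns behind Methods 01 to 07, 11 and 12 (standard x86 encodings of the instructions shown above, with the device names from Method 11), and the sample buffer is constructed for the demo, not taken from any real program. Patterns start at the opcode byte, so the 16-bit forms and the 32-bit forms carrying a 66h prefix both match; as with any byte signature, a hit is a lead to inspect, not proof, because the same bytes can occur in data.

```python
import re
from typing import Dict, List

# (name, regex over raw bytes).  A small lazy gap ".{0,N}?" tolerates a few
# unrelated bytes between the related instructions of one trick.  re.S makes
# "." match every byte value, 0x0A included.
SIGNATURES = [
    # Method 01: mov ebp, 4243484Bh ('BCHK') ... int 3
    ("BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S)),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values (either order)
    ("SoftICE int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("int 2Fh/1684h VxD entry-point lookup (SICE/SIWVID ID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # Methods 05/06: mov ax,4Fh ; int 41h
    ("int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) ahead of VxDCall
    ("VxDCall VWIN32_Int41Dispatch (002A002Ah)",
     re.compile(rb"\x68\x2A\x00\x2A\x00", re.S)),
    # Method 11: driver device names handed to CreateFileA / _lopen
    ("MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)", re.S)),
]


def scan(blob: bytes) -> Dict[str, List[int]]:
    """Return {signature name: [byte offsets]} for every signature found in blob."""
    hits: Dict[str, List[int]] = {}
    for name, pattern in SIGNATURES:
        offsets = [m.start() for m in pattern.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample: a Method 01 check, a Method 05 int 41h check, the
# Method 12 VxDCall push and the MeltICE device string, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh ('BCHK'), 66h prefix
    + b"\xB8\x04\x00"               # mov ax, 04h
    + b"\xCC"                       # int 3
    + b"\x3C\x04"                   # cmp al, 4
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"       # mov ax, 4Fh ; int 41h
    + b"\x3D\x86\xF3"               # cmp ax, 0F386h
    + b"\x90" * 4
    + b"\x68\x2A\x00\x2A\x00"       # push 002A002Ah
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"            # "\\.\SICE",0
)


if __name__ == "__main__":
    for name, offsets in scan(SAMPLE).items():
        print(f"{name}: at offsets {', '.join(f'{o:#06x}' for o in offsets)}")
```

On a real file, pass the raw bytes of the whole image (or of each code section) to `scan`; the offsets are file offsets, to be mapped to virtual addresses with the PE or MZ headers before setting any breakpoint on them.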