找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>( n' N8 L+ K  t: a( l; N
<TBODY>" u; Y4 p( @7 W% w
<TR>4 k/ Q* _6 u3 {+ D  u2 r( ?
<TD><PRE>Method 01
  w# e2 m7 c& x$ w- [. y* j=========
. }/ W4 p8 ^4 X0 n: f
. ]- @  v/ p# v5 z* v! lThis method of detection of SoftICE (as well as the following one) is4 t9 V# H6 q, L! x
used by the majority of packers/encryptors found on Internet.
6 z, a5 q; m$ s: R! J7 T) Y% A7 rIt seeks the signature of BoundsChecker in SoftICE
; z! M4 G; c- q0 D9 v  v- k( C5 t2 n# T. b* n7 L$ ^
    mov     ebp, 04243484Bh        ; 'BCHK'
9 J% e. N, j: k    mov     ax, 04h5 r' r% F* U! _1 w
    int     3      
8 W: t( r, k9 F. z6 M: h8 b    cmp     al,4
/ ~8 |/ i3 c- A    jnz     SoftICE_Detected
% |8 Q" i2 S; N: P8 t8 B5 c( [4 q9 s  f# g. }. {1 {
___________________________________________________________________________0 d4 M" S. e9 P" q3 u2 G

  L2 I7 G" Z7 M( gMethod 022 B" H6 j" X2 I' x  V- e3 p
=========0 t# Q+ C! @; ~1 P+ \3 {  r
5 k! V2 u" j& F
Still a method very much used (perhaps the most frequent one).  It is used
' u4 R& x+ D6 H9 z- j; b' a8 x2 Pto get SoftICE 'Back Door commands' which gives infos on Breakpoints,2 z1 L) W2 O7 _
or execute SoftICE commands..., N4 T/ e: T0 w0 Q- P2 t# `
It is also used to crash SoftICE and to force it to execute any commands2 ]  }& R7 C0 F! @- @% o' F+ ]
(HBOOT...) :-((  
; G) h0 W/ u: P- x& ~, `% z9 _( K# b) Y% m: d0 Y4 k& V5 Z6 d- E* s
Here is a quick description:
- I) W# x" @) A+ {1 ?  P  ~% E-AX = 0910h   (Display string in SIce windows)7 ^7 P& t/ h* p7 ^
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 D! J! N; J: ^- e. P0 I8 n-AX = 0912h   (Get breakpoint infos)
2 Q; o* q+ J& N1 W9 G' T-AX = 0913h   (Set Sice breakpoints)
! O1 X& O* W/ C4 a$ ~) x  _' w-AX = 0914h   (Remove SIce breakoints)
! `0 t! M) b3 H. A- F' ]; C" d* Y- ]" R  k3 L" `. z; x
Each time you'll meet this trick, you'll see:
) h& s0 @  \. u2 V- H-SI = 4647h
- W, |. Y/ {# q, M4 h  |+ Y) X-DI = 4A4Dh
5 N6 ~" ]0 Y% S5 ]3 I4 y- lWhich are the 'magic values' used by SoftIce.
0 m( z  J- q: Y' ~( l% z5 s0 lFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
; g+ m* l* w; o+ X; g7 ]( P
5 M+ F/ E8 X+ d$ T8 qHere is one example from the file "Haspinst.exe" which is the dongle HASP
3 N# c0 f5 @3 p8 g! tEnvelope utility use to protect DOS applications:
1 Y& t0 I. d  y: Z& x4 S$ |
, |' {6 i* }0 G  \4 `
5 L6 C/ O4 b+ l( h4C19:0095   MOV    AX,0911  ; execute command.7 V- a& s$ z3 _- {# ^' T) M
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).# h$ ~9 Z( s3 ^; z. ?8 R& K
4C19:009A   MOV    SI,4647  ; 1st magic value.( R( o; v7 [* v+ P0 C% }" y3 g
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.& G- Z0 B1 j! q: w/ J+ ?
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
) v4 |: ~6 a- [  u4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
! ?. w2 k! W: P5 p& H/ d4C19:00A4   INC    CX6 N) [5 Y) M# @  x  F& G
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute' Y7 g, F8 J" i) C3 y( H% D
4C19:00A8   JB     0095     ; 6 different commands.
  ^% b9 t2 B; N6 H) t/ c4C19:00AA   JMP    0002     ; Bad_Guy jmp back.6 D% p" @8 G, [: n
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
! j* ]0 r$ h8 V( P7 V- M/ J) N. k; d: V) C. p  H1 n+ s6 @
The program will execute 6 different SIce commands located at ds:dx, which! l0 X+ Z- @$ }6 Q( s$ i4 o8 u
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) e& \% T7 T- K$ [2 m" o- \- ]0 I
5 t' z1 J/ U1 ~( _& K, L1 a* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.- d2 b6 Y1 V" p' `* i: f6 _/ `
___________________________________________________________________________
! [+ [. ]" L& `- b$ G7 `) A
9 t% X% P0 P' p: K0 O3 V6 k$ n8 v$ F- r5 g
Method 03
' h' a' D# l  O8 U$ l+ F=========
) y- u2 Q$ k6 U! F
. n0 E5 q8 ], r+ V# \( D8 wLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h, M6 A+ n! y6 k5 K  Q# a
(API Get entry point), f% H) T0 ^3 |) i% y7 @2 ~5 i
          m) ~$ f+ D& q6 E: ?( K$ l2 u0 w

, z0 z/ I: [  T9 m! v( w% P    xor     di,di
$ j7 i$ z; [' M+ P    mov     es,di
$ X2 G5 w1 o7 k, r% i! k, e0 Z$ p    mov     ax, 1684h       ) q* `& y' `6 E
    mov     bx, 0202h       ; VxD ID of winice
) x: A8 I' p6 |& B) Y) e8 u( x% |* l    int     2Fh/ o! m) W- l" _' d7 d8 p) e/ e* u
    mov     ax, es          ; ES:DI -&gt; VxD API entry point' I! v  p, V3 T" N: P  k
    add     ax, di5 T& }) l# z( P# a$ I
    test    ax,ax0 }* L1 R$ W! j: D3 E- [7 [
    jnz     SoftICE_Detected. i; q4 _& y' z( @: l1 D2 m& _

  ]9 U' w# P! r% u___________________________________________________________________________
9 J) I) t: R8 O4 {$ e3 W/ N- O! Y: ?
Method 04
' w; D( E5 _7 X=========* ~) h+ L# \$ `% E! Y

' q( |* M- R+ p0 M/ w5 bMethod identical to the preceding one except that it seeks the ID of SoftICE
! T4 x) v6 i! k0 l2 w  h! ~GFX VxD.! j' B2 W  R' a

% J" Z0 S  O* \. P& Y    xor     di,di
) a+ J& }( G% t% l3 r    mov     es,di
" P' l2 Q1 `3 _% p/ D  i    mov     ax, 1684h       9 k! z& R: r9 q8 h' L5 o" o$ Q) z
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
2 N* o3 e, j4 M$ j    int     2fh% y4 b2 E* W& B8 F% s9 e
    mov     ax, es          ; ES:DI -&gt; VxD API entry point2 X6 d, e$ _4 a& h* ^
    add     ax, di% C4 r) V- ]( C$ J
    test    ax,ax3 }- m4 f5 l8 ^1 b' q6 \0 g
    jnz     SoftICE_Detected' o4 F4 F5 o1 x0 T! P* r: Z. m

! Z5 F0 q+ m3 c! u1 u: F  u8 }9 k% @__________________________________________________________________________
" ?* q+ a* P. |- _, i! ~! I% _$ N. x
; U( f" }! R- V* w6 v1 {7 R! |: _
$ x) o/ [. S: |' ^5 b" |& O' NMethod 05
8 ^5 m7 t: V0 N( z. t0 D=========
/ G  ^7 X, A+ |7 v. a- @
: c+ }7 `  W6 YMethod seeking the 'magic number' 0F386h returned (in ax) by all system7 f) H/ |: c! ]) R2 q) B6 T7 _
debugger. It calls the int 41h, function 4Fh.# K0 E3 }, l4 o# L
There are several alternatives.  
0 @! S* J! A) {
5 M) ?/ B$ N2 n& wThe following one is the simplest:& t. _7 T# w: N
+ @9 E* v% q/ Y7 e. j0 I0 ?
    mov     ax,4fh: w( S3 L8 s) ^$ w! o  ?
    int     41h
1 L) ^; O8 S4 O! w2 i    cmp     ax, 0F386
' N, B. J; A9 B" T" V& E. k  }    jz      SoftICE_detected
' @1 u8 {1 j# R0 F$ n5 ~8 `4 t1 E+ O% D7 \2 A! _& f: q1 G

4 J' i; t8 L( p/ WNext method as well as the following one are 2 examples from Stone's & n9 m0 B- p- w
"stn-wid.zip" (www.cracking.net):( `+ Q+ B" e" q) L* Q- q
+ y6 N& ~5 S, s  ]8 R1 B# A
    mov     bx, cs
8 n/ e$ b" d$ W) Y: D; o    lea     dx, int41handler2
  i4 R/ n& R! n1 }# x    xchg    dx, es:[41h*4]
* u: b* e7 q6 _0 I- J2 h    xchg    bx, es:[41h*4+2]" C  t3 f% u5 v/ l% r
    mov     ax,4fh
! @/ c4 K% L" Z. W    int     41h+ }: F& [+ J9 C# r3 [
    xchg    dx, es:[41h*4]
' `3 Y) ]9 e. U; r! i/ P' }    xchg    bx, es:[41h*4+2]
7 U( h% o& }$ r) {$ D' Z( i6 C    cmp     ax, 0f386h
3 u( G( a5 C& b, a2 K) c# h    jz      SoftICE_detected
9 f' M. @; k, G& ^" u9 U8 l0 J4 u- B' h
2 Z3 \3 s# X/ n/ Z/ J0 R; C: Iint41handler2 PROC% |9 B: `3 d* i$ o7 M  X
    iret- \' ?  G7 S' V# N1 s+ ^# a
int41handler2 ENDP
/ i; k+ f) {& y& N
/ `1 d% t* J; \
% n/ Q' p. v1 v1 n_________________________________________________________________________
5 H6 P/ J+ H0 j8 z9 J7 o+ F# y& r! r2 R: l
" s; g" O/ @6 E: a$ u
Method 062 k) Z4 q# b& ^. R* ?4 K" z
=========
/ s$ p% o6 ]3 J0 J9 `$ T
" ]8 j; m# h! |* @) ~, E9 r3 p$ g, U' A* K# Q* u
2nd method similar to the preceding one but more difficult to detect:5 y* T$ }9 @; c3 W1 R0 l5 z: R; t

  i; ]5 y+ `  Q/ C+ Y% j+ |. Y' p! }% x. Q# P5 \1 W- [
int41handler PROC
/ E! B: V) u1 L9 O/ c& D( Z    mov     cl,al
  ~+ W. k# l, H    iret
- _( H0 T* I2 r. U; N  g) @3 Sint41handler ENDP
; H9 C0 B3 W( z7 s4 S
% f- s5 w" @7 d3 G$ {2 V: d  ]8 K/ f2 c% X$ n5 E- l
    xor     ax,ax
0 r/ {7 b5 ~* D. n- g  A    mov     es,ax
' D( s7 N0 B" {! \6 t# l3 k    mov     bx, cs
; F9 B1 v* [- o7 n+ a8 M$ N! A( Y5 @    lea     dx, int41handler
) j7 W. _# S  e* F4 {. z0 S" Y! j, z    xchg    dx, es:[41h*4]
! G% s; _* `; S4 r3 V* `7 i, t    xchg    bx, es:[41h*4+2]) Y- G4 m4 q$ @9 q
    in      al, 40h
' }) d! L! f9 y3 G! F5 ]2 h    xor     cx,cx
8 u: l7 v, ?, C, T# N; w* y    int     41h
3 g. i: w* v  L5 @    xchg    dx, es:[41h*4]2 A, F+ j2 w4 k+ c* e1 V
    xchg    bx, es:[41h*4+2]- Z5 C( C1 K8 h$ N; v
    cmp     cl,al2 U1 m$ N" S; I2 u) S+ T
    jnz     SoftICE_detected
" V: _8 J0 W7 u: K: w$ C. f3 q- h1 y/ ]; }! U  z0 V
_________________________________________________________________________/ V- G- W7 d9 |6 h- A8 ~; Z* D
1 g% y7 B  M! P4 e/ D
Method 07% u; j/ t4 k) A
=========5 ~& S' h9 W2 _: J4 J& T
* _9 N" n! b7 n; J; D: K  G
Method of detection of the WinICE handler in the int68h (V86)
4 l- H; W# n+ v1 m. W) V/ [1 e$ u
* `2 n" u9 T/ x6 w* ^. ]4 W    mov     ah,43h: O2 V$ [8 a- J! R8 M( u. a
    int     68h
9 X) k' x: @4 G2 [4 Q    cmp     ax,0F386h
0 l0 ]7 C/ S4 ~  a. n. N    jz      SoftICE_Detected1 J, `1 F5 z) A+ `/ P  m( ]

3 Y8 W$ |6 Z# ]2 A. r) [+ X
6 O$ u7 i$ T+ ^" s; _! W, }=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
* J& K& @5 I6 h6 }8 F1 d; e   app like this:% n- f0 \+ I/ w& j" Y
; _: r: C  R# `% s
   BPX exec_int if ax==68+ [, a+ S4 ^8 d; Z
   (function called is located at byte ptr [ebp+1Dh] and client eip is
" F% U) L, F5 c6 |   located at [ebp+48h] for 32Bit apps)( ]7 L# }. z0 I5 N  o
__________________________________________________________________________
8 p  a0 f6 G! ~
1 A' j$ B* t$ p/ U7 T4 X" @2 z  ~& \# b7 C- y4 i# g
Method 087 x) T. k( `  Y. j, S
=========! q3 ?8 M) E$ d$ X

; e6 V# U0 ]3 JIt is not a method of detection of SoftICE but a possibility to crash the
8 {  K5 w& {1 D3 U9 wsystem by intercepting int 01h and int 03h and redirecting them to another" W2 \  P" }" p; ^
routine.  B( T: b. G! C5 r& y& O& u* J
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
- W" o: \; x0 i% U: n# `to the new routine to execute (hangs computer...)
9 L6 {3 q- i! n% e0 T8 l7 o1 S/ A# G! q
    mov     ah, 25h: \+ o+ n' [7 O* ^+ |
    mov     al, Int_Number (01h or 03h)" w% b: [/ n: X1 }) p8 a
    mov     dx, offset New_Int_Routine1 n! A0 a' e1 H4 b8 q
    int     21h3 V# Z' a1 J, w5 d! h

+ J: v* E% u2 C" u) ?- w__________________________________________________________________________5 K. ^& S9 [, g$ f% N+ X
) A; Q, h( [. \. @3 W9 t/ |6 R
Method 097 Z1 I( h' m2 j  [
=========# e; D7 Q$ R! o9 D  ~- n

) V1 V# |' e# S4 ^, R6 rThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
+ O# b9 F  `8 ~  [* i; Wperformed in ring0 (VxD or a ring3 app using the VxdCall).
& j$ y* ]4 e$ J7 C) A# L6 g3 MThe Get_DDB service is used to determine whether or not a VxD is installed
3 I( Z5 f1 l: ~1 L' `; @$ Afor the specified device and returns a Device Description Block (in ecx) for
6 l! k7 N2 f$ k+ M* q. y: e( i1 mthat device if it is installed.$ U( j# g# a( Y/ r4 h

5 h$ ?8 I9 C; S! p   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
, r  ~$ k9 b  A3 N# c5 x6 G   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)! @% w. q/ j# x) c5 s! x) x+ d- _
   VMMCall Get_DDB
; y* {; l- [9 k+ t; A   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed. U) t3 Q# `. k  s# h

; t. X/ P7 {% s4 ?3 VNote as well that you can easily detect this method with SoftICE:
: O; z9 U3 p4 D- [   bpx Get_DDB if ax==0202 || ax==7a5fh
" p+ U% y5 K- [8 y0 [# E8 U6 T- O1 S* J# \/ \5 m- \$ ?5 [
__________________________________________________________________________
; R; j% ?$ P9 O0 W' c6 K, L
! X4 K$ R2 b: B0 O! ZMethod 10
1 K- ^4 j6 H3 Z3 |0 s# f% ?+ b7 [; h=========
% Y: C2 b/ k$ M' V# o) M/ A' i
4 J4 e4 v/ ]8 Y  n; j=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
4 d  ^* l3 G6 ^  SoftICE while the option is enable!!  |. a' N/ M( m% L0 B- k$ i

# P* A) W9 S$ K. TThis trick is very efficient:! M$ u: D# v0 s8 |) u, T
by checking the Debug Registers, you can detect if SoftICE is loaded" m) V2 G4 {- w9 {
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if1 m0 u1 `1 z  N, t" w
there are some memory breakpoints set (dr0 to dr3) simply by reading their
) ]& G+ h& k: s0 @- {value (in ring0 only). Values can be manipulated and or changed as well
5 Q  c! H8 v- ~) S& x7 C. u# o/ C(clearing BPMs for instance)$ b/ B( _7 c. W" D: w2 `" N' _. B
0 U. p1 P# [$ z: u; h
__________________________________________________________________________+ d* ?$ L  O1 h3 h

( s* K# i% I2 X2 E0 o6 GMethod 11& Z* s0 f; b/ O6 B+ u
=========
) Y5 a' d. \8 o2 z$ h( Z
# {6 f0 ~1 Y1 a3 s7 }$ r7 MThis method is most known as 'MeltICE' because it has been freely distributed
' x" M0 L+ W; S! }4 F! h$ Rvia www.winfiles.com. However it was first used by NuMega people to allow
1 |1 n* g8 `4 T( ~9 N' U! B* J8 CSymbol Loader to check if SoftICE was active or not (the code is located. }( v4 C5 ^. m* g  P
inside nmtrans.dll).& @4 X$ M# e) @

7 d3 @3 I7 n# J  c2 WThe way it works is very simple:( T. V; j( {" M8 D$ C. l
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
0 C( T: F7 E- H& N6 ]7 ^- eWinNT) with the CreateFileA API.
8 A7 m, s# }1 b, R
. b' r" }% [, r$ m  H% N/ ~Here is a sample (checking for 'SICE'):5 P6 }! o0 s, ~! X4 D7 n

, @, D" J3 C; ]3 BBOOL IsSoftIce95Loaded()
4 f( [" z* l; f{
9 E4 m' Z3 U- l. l   HANDLE hFile;  # }7 b" \! X% b! Y, |
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
6 ?/ n) b1 A2 b4 ]                      FILE_SHARE_READ | FILE_SHARE_WRITE,3 p( d4 w  b& X5 w
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);* A7 T/ \( c  C8 j6 J3 o: Z) y6 @
   if( hFile != INVALID_HANDLE_VALUE )7 C6 }& n) t* P/ O9 V
   {
& n5 M, N" b1 a3 n1 a$ B, Y6 c      CloseHandle(hFile);
3 o* [2 S# K7 {      return TRUE;% e! x# H2 _8 r. ]# B! W
   }
( N: f, |6 C& S2 s7 @$ g' F   return FALSE;( M5 P! k8 n1 O! r9 T" U, t6 t
}' F9 B6 O7 h9 R
) x( W% j- q0 C
Although this trick calls the CreateFileA function, don't even expect to be% g/ J- M: {* M( b+ U
able to intercept it by installing a IFS hook: it will not work, no way!, b; r1 d4 F- a! q" e2 N, D0 x$ c
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
: l4 t* e8 `# J4 `0 g% w% [service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
2 T/ Q2 i1 i  X8 Nand then browse the DDB list until it find the VxD and its DDB_Control_Proc
2 e+ j6 B4 Z5 V# {; gfield.
& w& S! P5 i1 z1 G: w. KIn fact, its purpose is not to load/unload VxDs but only to send a % Y/ i* g" A5 ]$ j8 X1 s
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE), N+ o' j8 B+ R% T
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
7 g( S( q7 ~3 B& |- Qto load/unload a non-dynamically loadable driver such as SoftICE ;-).$ Q+ E2 i6 |3 w  x
If the VxD is loaded, it will always clear eax and the Carry flag to allow& p3 [( o' |1 q0 I* V
its handle to be opened and then, will be detected.
$ g3 g1 O( ?0 n* {: @You can check that simply by hooking Winice.exe control proc entry point4 b. R% g+ Z# y( r4 F4 s4 o3 ^) B
while running MeltICE.
$ Q0 _$ l# _6 N# K
0 ]# I5 g. e; Z9 w' j, O
$ m' V, p# E. A1 H' a3 ?( `: j  00401067:  push      00402025    ; \\.\SICE
  [" K; k- w1 B2 b) v4 ]: s  0040106C:  call      CreateFileA1 ?; i8 \) N5 t6 ?( A9 g3 L) T0 [
  00401071:  cmp       eax,-001
  v4 ^* }, j% ^4 O  00401074:  je        00401091& n! x* i; G, ~6 @: ^8 k1 t9 |0 P

) `& P/ [. p: W/ y# Q% P. s0 P0 H4 t1 \0 g- G
There could be hundreds of BPX you could use to detect this trick.7 S/ f* x/ X# ~) n
-The most classical one is:: V- g# [6 g+ W/ z" @
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||; y) y4 v  D5 @. f
    *(esp-&gt;4+4)=='NTIC', I1 V5 p1 w$ j7 F0 f4 H
% T# D& j! D$ V
-The most exotic ones (could be very slooooow :-(
/ Y8 y/ ~) ]: T4 }1 Q; m* ]* r1 ^! y   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
! O/ d, @; t) V: ?5 A1 S. ~$ F     ;will break 3 times :-(
3 T7 {% s7 ~1 h; [. g
2 m2 h+ y& x% W* T-or (a bit) faster:
3 a# N7 ?- G- H: @6 o/ Y   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
" I" b* m  W& T$ b1 ?! o; F! Z2 P
1 ?8 _4 Q4 \7 T( f% m; {( d   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
& ~; z# ^0 L& e& Y" s     ;will break 3 times :-(4 w$ f1 u4 d+ k" C) l" T( s  I
+ M/ j4 |0 @- z6 m6 \. w- N! p, g
-Much faster:* O5 i9 G+ p0 a* [6 T" w, z
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
! j5 \5 O9 ^# @3 e  P! a+ T$ @* a
; ~/ o) S+ z4 S9 KNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
1 ~' E5 I1 y9 e# P* v- m6 @function to do the same job:
/ n$ A7 u% ?# @, G2 Y& G* I: G; z! x4 R+ L( V5 O& b9 a) i
   push    00                        ; OF_READ
- s  l1 [- l) A' }) N5 l. Q. @+ v: D   mov     eax,[00656634]            ; '\\.\SICE',0) C9 z: G  U5 @$ {
   push    eax: J. O  x1 u. X
   call    KERNEL32!_lopen
2 h- Y) W2 k7 x2 ~. C   inc     eax, [; h- t: Y1 }+ [9 ~
   jnz     00650589                  ; detected5 I3 L  q+ E+ j& Q
   push    00                        ; OF_READ1 B3 j$ }/ Y4 t( ]) p- @4 Q7 |
   mov     eax,[00656638]            ; '\\.\SICE'
3 [2 g. O0 y8 K, X7 \/ l; A   push    eax
- A. v5 M( Z! P   call    KERNEL32!_lopen0 d$ a  t' ~7 s" B+ t' z
   inc     eax
+ n. v6 |; b& v/ E% j$ m' S   jz      006505ae                  ; not detected7 W# D5 V9 d0 E7 u& ?2 I
" c" ?- y- `; a9 x6 H
7 i0 h4 e/ o8 ]/ z; Q/ C$ }2 D- d
__________________________________________________________________________- v9 A3 c3 u8 w% l% E1 o

# H  F! f7 L9 f4 x1 g( w$ H5 I, ~. YMethod 12/ ?; ~( o& `& v# Y3 U7 ?# G% y
=========
- s- v3 C& @0 Q$ g
7 t+ @/ s# B  V. zThis trick is similar to int41h/4fh Debugger installation check (code 05
# z2 C& E# S0 i* [1 I&amp; 06) but very limited because it's only available for Win95/98 (not NT)2 O6 l  x& ?% F, y: Z4 b
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
1 v$ U% w* q, J) K- N
% c) [, L2 ], \9 @* E. |' \( b  r   push  0000004fh         ; function 4fh
) S% g( z, e, D/ p   push  002a002ah         ; high word specifies which VxD (VWIN32)9 ?# L# ?: k/ d5 f8 y
                           ; low word specifies which service
/ `* C4 C! P! s% y; u/ c9 l                             (VWIN32_Int41Dispatch)
; q8 ~% q. b% I5 t6 i- o   call  Kernel32!ORD_001  ; VxdCall
4 H- \( d3 b; d: w2 J, `   cmp   ax, 0f386h        ; magic number returned by system debuggers! ^; E* O# N0 N7 L
   jz    SoftICE_detected8 U6 A. d: i  L6 g6 l  V
3 w7 A: Y/ l9 ]5 ?
Here again, several ways to detect it:8 L8 f, V2 M2 i9 L

4 }5 ]/ y7 @" |  y- n% `    BPINT 41 if ax==4f
# `; S! u! G5 D1 b/ M7 m+ ^; L- L' O3 E3 m1 `1 k) t
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
) f$ \+ t7 g% u* t: ]  M+ r, ^6 ?. X# I( e/ G8 \4 @; ~6 [
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
+ e: s" U) P' K- q8 Z: p: W7 Z) k3 r- \0 ~3 A- q4 m+ x% }' y
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
, w9 L1 W; b/ W" ~7 S) t. x6 u0 d- |0 s" u+ E. K/ H+ \1 ~. Y
__________________________________________________________________________% P8 h3 _7 M, Q. F
, e3 m5 r5 Z2 _8 g5 g1 i
Method 13
& @# a$ [( I, ^" F2 f) S" h=========0 S7 X& c! a3 l. F( B- i% i

( e" \3 y! Y$ x0 t0 PNot a real method of detection, but a good way to know if SoftICE is% P1 q1 x6 X7 Q, d, i
installed on a computer and to locate its installation directory.
* _! U6 D! i+ T; c) e6 HIt is used by few softs which access the following registry keys (usually #2) :# O" _: X# Y$ W- n
9 C+ c' D8 J: ?+ c, y
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
* q/ \( d; m. b: E9 R\Uninstall\SoftICE" L$ C1 l. F5 I; @( h( W( y
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
. }( }; h1 z$ _3 g$ \: j4 c-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
5 B! R3 Q/ u8 G( I\App Paths\Loader32.Exe; C3 E" T: e) v) C7 [( S, Y

6 T+ M0 o. b6 [! v, a- x: U
: y  @2 D3 i, e% [4 @Note that some nasty apps could then erase all files from SoftICE directory' z. ]. ?. P  V$ O7 U" a5 g/ B
(I faced that once :-(
: g. \+ w9 I7 r4 a" ]
6 @3 b  F% g7 o* n. d9 p, ~% {4 u0 c: XUseful breakpoint to detect it:: @5 O6 I- l( W, O5 v- H
& Z  W8 }* i5 p9 `/ M
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
0 N* i, n4 [1 _# \: g- H
! y) Z5 L# f/ u; z8 J0 y* Y  G" k__________________________________________________________________________
3 N  R0 A, S' [
) Z1 w5 m+ L3 B) Q' N; C  @1 g+ V3 ~7 u/ @
Method 14
2 t7 ?) Y, }- P) r, x' ?- p=========
! @9 G" w. e. {. t
  q" n, b1 s/ W# [9 WA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose2 O0 S+ x' o8 |) F' B9 c
is to determines whether a debugger is running on your system (ring0 only).
3 d; t- {; [. g: [: j& c" _0 g0 L& N
   VMMCall Test_Debug_Installed/ A4 z. W# u" D7 Z* e$ e6 Q  ~
   je      not_installed1 t8 G- e( `9 F9 J' K0 V
2 H8 z7 v# ~( G7 v2 {- x8 X. O) C
This service just checks a flag.( K( [5 s* f7 l, H; J9 d
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-11 15:02

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表