About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES = 0 (IVT segment): swap our dummy
    xchg    bx, es:[41h*4+2]        ; handler into the int 41h vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; dummy handler: copies AL into CL so the caller can tell it ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install the dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value read from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL == AL only if our handler was the one executed
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                    ; DOS: set interrupt vector
    mov     al, Int_Number             ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
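Added example, not from the original text: a DR7 decoder that shows what the two values quoted above actually contain. The bit layout is the standard IA-32 one (L0..G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved and reading as 1, GD bit 13, R/W and LEN pairs from bit 16); the field names and the sample values other than 0x400/0x700 are my own.

```python
# Decode an x86 DR7 value into its breakpoint-control fields.
# Layout (IA-32): bits 0-7 = L0,G0,L1,G1,L2,G2,L3,G3; bit 8 = LE; bit 9 = GE;
# bit 10 = reserved (always 1); bit 13 = GD; bits 16+4i..17+4i = R/W_i;
# bits 18+4i..19+4i = LEN_i for slot i (dr0..dr3).

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding: 00=1, 01=2, 10=8, 11=4


def decode_dr7(dr7: int) -> dict:
    """Return the named fields of a DR7 value, including per-slot settings."""
    slots = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        slots.append({"slot": i, "local": bool(local), "global": bool(glob),
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln],
                      "armed": bool(local or glob)})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "armed_slots": [s["slot"] for s in slots if s["armed"]],
        "slots": slots,
    }


def differing_bits(a: int, b: int) -> list:
    """Bit positions that are set in exactly one of a and b."""
    return [i for i in range(32) if (a ^ b) >> i & 1]


if __name__ == "__main__":
    for v in (0x400, 0x700):
        d = decode_dr7(v)
        print(f"dr7={v:#x}: LE={d['LE']} GE={d['GE']} armed={d['armed_slots']}")
    # Constructed value: a 4-byte write breakpoint armed in slot 0 (a BPM-style dr0 break)
    bpm = 0x400 | 1 | (1 << 16) | (3 << 18)
    print(decode_dr7(bpm)["slots"][0])
    print("0x700 vs 0x400 differ in bits", differing_bits(0x700, 0x400))
```

The two values the text quotes differ only in bits 8 and 9 (LE and GE), with no dr0-dr3 slot armed; a memory breakpoint set in SoftICE would instead show up as an armed slot with its type and length, which is what reading "their value" reveals.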

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Try to open the SICE device; success means the VxD answered the open. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
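Added example, not from the original text or from any tool it names: a small static scanner that byte-matches the instruction sequences and strings methods 01 to 13 above rely on (the 'BCHK' immediate, the 4647h/4A4Dh magic values, int 2Fh/1684h with the two VxD IDs, int 41h/4Fh, int 68h/43h, the \\.\SICE device names, the 002A002A VxDCall and the NuMega registry key), so an analyst triaging an old packer can see which of these tricks it embeds. Instruction encodings are the standard x86 ones for the code shown in the text; the match windows, the rule labels and the sample blob are constructed assumptions.

```python
import re
from typing import List, Tuple

# The device-name prefix "\\.\" as it appears in memory (Method 11 strings).
_DEV = re.escape(b"\\\\.\\")

# (label, description, regex over raw bytes). The .{0,N}? windows allow a few
# unrelated instructions between the quoted ones; their sizes are assumptions.
RULES = [
    ("M01", "mov ebp,4243484Bh ('BCHK') BoundsChecker probe",
     re.compile(rb"\xbd\x4b\x48\x43\x42", re.S)),
    ("M02", "int 3 back door: mov si,4647h / mov di,4A4Dh magic values",
     re.compile(rb"\xbe\x47\x46.{0,16}?\xbf\x4d\x4a|\xbf\x4d\x4a.{0,16}?\xbe\x47\x46", re.S)),
    ("M03/04", "int 2Fh/1684h VxD entry point (bx=0202h SICE or 7A5Fh SIWVID)",
     re.compile(rb"\xb8\x84\x16.{0,8}?\xbb(?:\x02\x02|\x5f\x7a).{0,8}?\xcd\x2f", re.S)),
    ("M05/06", "int 41h function 4Fh debugger check (mov ax,4Fh ... int 41h)",
     re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41", re.S)),
    ("M07", "int 68h function 43h (mov ah,43h ... int 68h)",
     re.compile(rb"\xb4\x43.{0,8}?\xcd\x68", re.S)),
    ("M11", "MeltICE device name \\\\.\\SICE / SIWVID / NTICE",
     re.compile(_DEV + rb"(?:SICE|SIWVID|NTICE)")),
    ("M12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00", re.S)),
    ("M13", "NuMega SoftICE registry key string",
     re.compile(re.escape(b"Software\\NuMega\\SoftICE"), re.I)),
]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, label, description) for every rule hit, sorted by offset."""
    hits = []
    for label, desc, rx in RULES:
        for m in rx.finditer(blob):
            hits.append((m.start(), label, desc))
    return sorted(hits)


# Constructed sample: hand-assembled fragments of the sequences quoted in the
# text, padded with NOPs, plus the strings. Not taken from any real binary.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04"     # Method 01 at 0x04
    + b"\x90" * 3
    + b"\xb8\x11\x09\xbe\x47\x46\xbf\x4d\x4a\xcc"         # Method 02 at 0x15
    + b"\x90" * 3
    + b"\xb8\x84\x16\xbb\x02\x02\xcd\x2f"                 # Method 03 at 0x1f
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"                 # Method 05 at 0x27
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                     # Method 12 at 0x2f
    + b"\x00\\\\.\\SICE\x00\\\\.\\NTICE\x00"             # Method 11 at 0x37, 0x40
    + b"Software\\NuMega\\SoftICE\x00"                    # Method 13 at 0x4a
)

if __name__ == "__main__":
    for off, label, desc in scan(SAMPLE):
        print(f"{off:#06x}  {label:6}  {desc}")
```

Run it over a dumped or unpacked image rather than a packed file: the patterns are matched on raw bytes, so code that is still encrypted will not show up.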