About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
/ Q6 Z1 `  }( d$ r; \# o
* Y- i- V& y  x0 i- B1 V
Method 069 R8 n4 e5 `# Q/ J  `
=========
1 P6 n; e6 o" P% e' k, p  G, q, Y+ t/ K  N+ e+ D8 M0 J" Q3 m

! l  n! w$ B/ w# {2nd method similar to the preceding one but more difficult to detect:8 @6 H3 o! e& Y% ~& I6 k# O1 o
: V# N5 B1 }) L, _6 j8 y) U

. z8 l0 v" n# r# Aint41handler PROC3 z+ p- q, U( k5 [$ T. x
    mov     cl,al
8 U' r0 A# {# `% d( P    iret6 D( {5 X- o9 L/ v; }$ X3 K6 g
int41handler ENDP; G; B6 s) M8 X+ l) F9 `

* F) E, r, N- T$ U
7 O  u5 Q5 \  I. d: c# U    xor     ax,ax4 j! Y. G; i% I3 s
    mov     es,ax2 q! Y+ e" [1 _+ R& z
    mov     bx, cs; _* L8 D) d" X/ B, p
    lea     dx, int41handler+ y, r9 z7 @' f5 L' s1 J7 |' R4 N
    xchg    dx, es:[41h*4]
& U- D0 ^1 I3 p5 p/ w9 m    xchg    bx, es:[41h*4+2]
" }1 g# B. P! U/ [. f3 R    in      al, 40h  I( Q( y1 K) O2 d. [$ j5 \0 K3 K
    xor     cx,cx2 O+ r# |/ D% J2 k  g9 j0 m  n
    int     41h
6 M0 `* G% t- q( b    xchg    dx, es:[41h*4]
+ `% L# Z; e5 Q5 h$ i# g# A    xchg    bx, es:[41h*4+2]
5 g3 c" F+ G8 H0 t4 r7 |& b* Q    cmp     cl,al/ n% I- W0 g- h
    jnz     SoftICE_detected
4 q8 g! a) {! X3 J- n! l" Z0 z, f- _+ l# Z& r4 r( [
_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Open the SoftICE VxD by its device name; the open only succeeds
      when the driver is loaded, so a valid handle means "detected". */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
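Most of the checks above leave a recognisable footprint in the protected binary: a fixed immediate ('BCHK', SI/DI magic values, VxD IDs, the 0F386h/4Fh pair), a device name, or a registry path. As an added example (not part of the original post), the following Python script encodes the instruction sequences and strings of Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 as byte patterns and reports which of them occur in a file image, the way an analyst's triage script or a YARA rule set would. The opcode bytes are the standard 16-bit/32-bit x86 encodings of the mnemonics shown in the text; the sample image at the bottom, its NOP padding and its offsets are constructed here only to exercise the scanner. A packed or self-modifying program will not expose these bytes on disk, so a miss is not a proof of absence.

```python
"""Triage scanner for the anti-SoftICE checks described in the post above.

Added example, not part of the original text. Each signature is the x86
encoding of the instruction sequence (or the literal string) that the
corresponding method uses; SAMPLE_IMAGE is constructed here only to exercise
the scanner.
"""
import re
import sys

# (method, compiled byte regex, what a hit means)
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') before the int 3. In a 16-bit
    # segment the instruction carries a 66h operand-size prefix, hence "\x66?".
    ("Method 01", re.compile(rb"\x66?\xBD\x4B\x48\x43\x42", re.DOTALL),
     "mov ebp,'BCHK' BoundsChecker signature check"),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order, up to 16 bytes
    # apart) are the magic values of the int 3 back door.
    ("Method 02", re.compile(
        rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A"
        rb"|\x66?\xBF\x4D\x4A.{0,16}?\x66?\xBE\x47\x46", re.DOTALL),
     "int 3 back door (SI=4647h, DI=4A4Dh)"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("Method 03/04", re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F"),
     "int 2Fh/1684h entry-point query for VxD ID 0202h (SICE) or 7A5Fh (SIWVID)"),
    # Method 05: mov ax,4Fh ; int 41h
    ("Method 05", re.compile(rb"\xB8\x4F\x00\xCD\x41"),
     "int 41h function 4Fh debugger-installed check"),
    # Method 07: mov ah,43h ; int 68h
    ("Method 07", re.compile(rb"\xB4\x43\xCD\x68"),
     "int 68h function 43h check"),
    # Method 11: the \\.\SICE, \\.\SIWVID or \\.\NTICE device name handed to
    # CreateFileA / _lopen (MeltICE); the NUL terminator keeps 'SICE' from
    # matching inside unrelated text.
    ("Method 11", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
     "MeltICE driver handle open"),
    # Method 12: push 4Fh ; push 2A002Ah before the VxDCall
    ("Method 12", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
     "VxDCall VWIN32_Int41Dispatch function 4Fh"),
    # Method 13: the three registry keys named in the text
    ("Method 13", re.compile(
        rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
        re.IGNORECASE),
     "SoftICE registry key lookup"),
]


def scan(data):
    """Return [(method, offset, description), ...] sorted by file offset."""
    hits = []
    for method, pattern, description in SIGNATURES:
        for match in pattern.finditer(data):
            hits.append((method, match.start(), description))
    hits.sort(key=lambda hit: hit[1])
    return hits


def report(data):
    """One human-readable line per hit."""
    return ["%-13s @ 0x%06X  %s" % hit for hit in scan(data)]


# Constructed sample image: a 32-bit Method 01 sequence, the Haspinst-style
# Method 02 sequence, a Method 03 sequence and two strings, separated by NOPs.
SAMPLE_IMAGE = (
    b"\x90" * 8
    # mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz +10h
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"
    + b"\x90" * 4
    # mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"
    + b"\x90" * 4
    # xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    # Usage: python scanner.py <file>   (scans SAMPLE_IMAGE when no file given)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for line in report(image):
        print(line)
```

Run it against a suspect executable to get the offsets of each hit; Method 02 is matched loosely (the two magic-value moves in either order) because packers reorder the register loads, while the int 2Fh and int 41h sequences are matched exactly since their register values are fixed by the API.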