About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL still 4: nobody answered the BCHK call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0:0 means no such VxD
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our own int 41h vector (ES = 0, the IVT)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; arbitrary byte from the timer counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

The program installs its own int 41h handler (which copies AL into CL), reads
an arbitrary byte from the timer into AL, zeroes CX and calls int 41h. If the
call reaches the program's handler, CL equals AL afterwards; if a debugger
sitting on int 41h swallows the call instead of passing it on, CL stays 0 and
the mismatch gives it away (a timer byte of 0 would give a false negative).
No function 4Fh and no 0F386h constant appear, so there is nothing obvious
to search for.

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
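The DR7 values quoted above (0x700 versus 0x400) and the "clear BPMs" manipulation are easier to reason about with the register decoded. The following is an added example, not code from the original text: it decodes a DR7 value using the documented Intel bit layout (L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, reserved bit 10 which always reads as 1, GD bit 13, R/Wn and LENn in bits 16+4n), applies the detection rule the text describes, and shows what clearing one hardware breakpoint slot does. Reading DR7 itself needs ring0 (a `mov eax, dr7` in user mode faults), so the functions only take values already read; the 0x000D0401 sample is a constructed "write breakpoint, 4 bytes, in slot 0" value.

```python
"""Decode/inspect x86 DR7 as the Debug Register anti-SoftICE trick reads it.

Added example for the text above, not the original's code. Bit layout per
the Intel SDM; the two sample values 0x700 / 0x400 are the ones the text
quotes for 'loaded via the SoftICE loader' and 'loaded normally'.
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoded LENn -> breakpoint length in bytes


def decode_dr7(dr7):
    """Return which hardware breakpoint slots DR7 arms plus the LE/GE/GD flags."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)        # Ln
        glob = bool((dr7 >> (2 * n + 1)) & 1)     # Gn
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3            # R/Wn: what kind of access
        ln = (dr7 >> (18 + 4 * n)) & 3            # LENn: how many bytes
        slots.append({"slot": n, "local": local, "global": glob,
                      "type": RW_NAMES[rw], "len": LEN_BYTES[ln]})
    return {
        "enabled": slots,
        "LE": bool((dr7 >> 8) & 1),   # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),   # global exact breakpoint enable
        "GD": bool((dr7 >> 13) & 1),  # general detect: traps any DRn access
    }


def debugger_suspected(dr7, dr0_3=(0, 0, 0, 0)):
    """The rule the text describes: an armed DR0-DR3 slot, a non-zero
    breakpoint address, or LE/GE set (0x700 instead of the idle 0x400)
    is taken as evidence of a loaded system debugger."""
    d = decode_dr7(dr7)
    return bool(d["enabled"]) or d["LE"] or d["GE"] or any(dr0_3)


def clear_slot(dr7, n):
    """What 'clearing a BPM' amounts to: drop Ln/Gn and the R/Wn+LENn field
    for slot n, leaving the rest of DR7 (including reserved bit 10) intact."""
    return dr7 & ~((0b11 << (2 * n)) | (0b1111 << (16 + 4 * n)))


if __name__ == "__main__":
    # Constructed sample: slot 0 local, write access, 4 bytes, plus bit 10.
    bpm = 0x000D0401
    for value in (0x400, 0x700, bpm):
        print(hex(value), decode_dr7(value), "suspected:", debugger_suspected(value))
    print("after clear_slot(bpm, 0):", hex(clear_slot(bpm, 0)))
```

The `debugger_suspected` rule is deliberately the text's own heuristic; an idle CPU with no SoftICE also shows 0x400, so only LE/GE or an armed slot separates the two cases.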

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device name \\.\SICE */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;        /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and thus will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 means open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________$ h* V. w7 l3 x* z% n8 g) y

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
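All of the tricks in methods 01 to 13 leave fixed byte sequences or strings in the protected file, so a reverser can triage a packer for them statically before setting any of the breakpoints listed above. The following scanner is an added example and is not code from the original text: it searches a raw code blob for the sequences the listings assemble to, using the standard 16-bit encodings (B8 = `mov ax,imm16`, BB = `mov bx`, BE = `mov si`, BF = `mov di`, B4 = `mov ah`, BD = `mov ebp,imm32`, CD = `int`, 3D = `cmp ax,imm16`, 68 = `push imm32`, immediates little-endian), plus the device names of method 11 and the registry key of method 13. It assumes 16-bit DOS code for the interrupt-based tricks (a 32-bit code segment encodes `mov ax,imm` with a 32-bit immediate and would not match) and 32-bit code for the `push 002A002Ah` of method 12; the `SAMPLE` blob is constructed here, not taken from any real binary.

```python
"""Static triage for the anti-SoftICE tricks of methods 01-13.

Added example, not the original text's code. Patterns are the 16-bit
encodings of the listed instructions (immediates little-endian) and the
strings MeltICE / registry-probing programs pass to the API. Variants
that use different registers, 32-bit immediates or split the magic values
across other instructions will not match; the scan is a first pass only.
"""

# (tag, description, pattern).  'magic' = the cmp ax,0F386h shared by 05/07/12.
SIGNATURES = [
    ("01", "mov ebp,'BCHK' before int 3",                    bytes.fromhex("BD4B484342")),
    ("02", "mov si,4647h / mov di,4A4Dh backdoor magic",    bytes.fromhex("BE4746BF4D4A")),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE)",   bytes.fromhex("B88416BB0202CD2F")),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID)", bytes.fromhex("B88416BB5F7ACD2F")),
    ("05", "mov ax,4Fh / int 41h",                           bytes.fromhex("B84F00CD41")),
    ("07", "mov ah,43h / int 68h",                           bytes.fromhex("B443CD68")),
    ("12", "push 002A002Ah (VWIN32_Int41Dispatch)",          bytes.fromhex("682A002A00")),
    ("magic", "cmp ax,0F386h",                               bytes.fromhex("3D86F3")),
    ("11", r"device name \\.\SICE",                          rb"\\.\SICE"),
    ("11", r"device name \\.\SIWVID",                        rb"\\.\SIWVID"),
    ("11", r"device name \\.\NTICE",                         rb"\\.\NTICE"),
    ("13", r"registry key Software\NuMega\SoftICE",          rb"Software\NuMega\SoftICE"),
]


def scan(blob):
    """Every (offset, tag, description) hit in blob, sorted by offset."""
    hits = []
    for tag, desc, pat in SIGNATURES:
        start = 0
        while (i := blob.find(pat, start)) >= 0:
            hits.append((i, tag, desc))
            start = i + 1          # overlapping hits are fine for triage
    return sorted(hits)


def methods_found(blob):
    """Set of method tags with at least one hit."""
    return {tag for _, tag, _ in scan(blob)}


def report(blob):
    return "\n".join(f"{off:06x}  {tag:<5} {desc}" for off, tag, desc in scan(blob))


# Constructed sample: the Haspinst.exe loop of method 02 re-assembled, some
# padding, the simplest method 05 check, and a MeltICE device name.
SAMPLE = (
    bytes.fromhex("B81109"        # mov ax,0911h
                  "8B17"          # mov dx,[bx]
                  "BE4746"        # mov si,4647h
                  "BF4D4A"        # mov di,4A4Dh
                  "CC"            # int 3
                  "83C302"        # add bx,2
                  "41"            # inc cx
                  "83F906"        # cmp cx,6
                  "72EB")         # jb back to the mov ax,0911h
    + b"\x90" * 8
    + bytes.fromhex("B84F00"      # mov ax,4Fh
                    "CD41"        # int 41h
                    "3D86F3"      # cmp ax,0F386h
                    "7405")       # jz SoftICE_detected
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"          # the string MeltICE hands to CreateFileA
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Run it against a dumped `.exe` with `scan(open(path, "rb").read())`; a hit only says the bytes are present, so confirm each one in the disassembly before trusting it, and treat a clean result as nothing more than "none of these exact variants".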

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.