About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (the interrupt vector table segment), see Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter: a changing byte
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
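From the analyst's side, the instruction sequences quoted in Methods 01, 02, 03/04, 05, 07, 11 and 12 are fixed enough to be recognised statically. The following scanner is an added example, not code from the original post: it encodes those sequences as x86 machine-code patterns (the signature table and the sample image are assumptions constructed here) and reports which of the tricks a raw binary image contains.

```python
import re
from dataclasses import dataclass

# Hypothetical signature table (assumption: built here from the instruction
# sequences quoted in Methods 01, 02, 03/04, 05, 07, 11 and 12, encoded as
# x86 machine code; the ".{0,N}" gaps allow for register set-up in between).
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK') ... int 3   (32-bit encoding)
    ("01 BoundsChecker 'BCHK' / int 3",
     rb"\xBD\x4B\x48\x43\x42.{0,16}\xCC"),
    # Method 02: mov si,4647h / mov di,4A4Dh magic values, then int 3
    ("02 back door SI=4647h DI=4A4Dh / int 3",
     rb"\xBE\x47\x46.{0,8}\xBF\x4D\x4A.{0,8}\xCC"),
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),
    # Method 05: mov ax,4Fh / int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     rb"\xB8\x4F\x00.{0,16}\xCD\x41.{0,16}\x3D\x86\xF3"),
    # Method 07: mov ah,43h / int 68h ... cmp ax,0F386h
    ("07 int 68h/43h magic 0F386h",
     rb"\xB4\x43.{0,8}\xCD\x68.{0,16}\x3D\x86\xF3"),
    # Method 11 (MeltICE): driver device names passed to CreateFileA/_lopen
    ("11 MeltICE device name",
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00"),
    # Method 12: push 4Fh / push 2A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]


@dataclass
class Hit:
    method: str   # entry name from SIGNATURES, prefixed with the method number
    offset: int   # byte offset of the match in the scanned image
    length: int   # matched length in bytes


def scan(image: bytes) -> list:
    """Return every signature hit in the raw image, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        # DOTALL so the wildcard gaps also cross 0x0A bytes
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append(Hit(name, m.start(), m.end() - m.start()))
    return sorted(hits, key=lambda h: h.offset)


def methods_found(image: bytes) -> list:
    """Distinct method numbers triggered, e.g. ['02', '05', '11', '12']."""
    return sorted({h.method.split()[0] for h in scan(image)})


# Constructed sample image (not a real binary): NOP padding around the
# Haspinst.exe sequence, the simplest int 41h check, a '\\.\SICE' string
# and the Bleem Demo VxDCall arguments.
SAMPLE = (
    b"\x90" * 8
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"  # Method 02
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                   # Method 05
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                    # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                       # Method 12
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  len={h.length:<2}  method {h.method}")
```

A hit only says the sequence is present; confirming it is reached at run time is still a job for the breakpoints listed under each method.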