找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
! b  b: Q) T0 G. W/ f- J- Y: |/ T- u<TBODY>, f9 u; N) ~9 y8 O2 b
<TR>
3 B, v* @9 N9 X) R5 o<TD><PRE>Method 01 ) `- U1 `+ G' A, W6 u
=========  {9 i# B) `/ V

0 B+ Q3 |$ c' k) XThis method of detection of SoftICE (as well as the following one) is
, n; m; O- j6 h( {  g1 k8 kused by the majority of packers/encryptors found on Internet.- I, o  ?/ k, p% C7 P  v2 B# S& n
It seeks the signature of BoundsChecker in SoftICE* n) e7 d0 V$ ], C( t: m
; F) W, F- a6 m7 @3 {! J; R% y. p
    mov     ebp, 04243484Bh        ; 'BCHK'
( S  ]' Q: h2 p2 V- ]% y- m    mov     ax, 04h5 K; W: G& s  c# m5 W1 Z/ A( w; q
    int     3      
) K& C4 m8 Y* h    cmp     al,4
3 O) y" z* K7 e" t, k    jnz     SoftICE_Detected. U' ^' g3 p: e: p& q' P

" Q; v% U; V8 _6 W9 x: N___________________________________________________________________________
" y1 c4 ~" y6 V9 }3 j' n, ]+ d$ B: l0 Z" `: `  B' x
Method 02
$ _% q- [. l( g0 P7 W+ c% p3 v; G=========1 x: k; t9 D/ E1 g$ l

5 h7 U. d) M8 m  ?Still a method very much used (perhaps the most frequent one).  It is used
9 s; n& U( J1 z0 M6 V0 K7 Nto get SoftICE 'Back Door commands' which gives infos on Breakpoints,; V. x+ J; u+ q! Y1 B
or execute SoftICE commands...
1 G8 X  s. `/ M: I8 b; IIt is also used to crash SoftICE and to force it to execute any commands
% N$ M/ Q, a" L+ X" z; J(HBOOT...) :-((  3 u% ~6 R; f  m
' t2 t! ?" n- v
Here is a quick description:/ T. x2 u/ v2 Q/ N; ^
-AX = 0910h   (Display string in SIce windows)
* M, Y3 K9 Y6 y/ h-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
( q3 Z. ~' s0 a) x* ?3 i' e' w-AX = 0912h   (Get breakpoint infos)
7 Q+ n6 w5 p! `4 @7 i-AX = 0913h   (Set Sice breakpoints)
# M- l+ o! ]5 J. R& f4 p, l; w-AX = 0914h   (Remove SIce breakoints)
7 e$ w/ D0 c' [1 F4 x% w3 o; u* I- [+ w* s% s0 B2 I5 n9 X8 q
Each time you'll meet this trick, you'll see:+ p! a" d, H9 }! a- O& b
-SI = 4647h
& v% D( C) D2 S" w-DI = 4A4Dh
% z% `. Z$ w# l, ~7 I& j5 YWhich are the 'magic values' used by SoftIce.
8 I' z. K; }0 a, L0 X6 e4 O* NFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
  j* K: v8 e* R4 Q. ]
$ p/ I# s5 k1 l! `+ ~6 q* yHere is one example from the file "Haspinst.exe" which is the dongle HASP& l' V& `5 h- R" i
Envelope utility use to protect DOS applications:! |3 i2 r, `( Q: @; S- T$ b

$ B( U3 `( c# z5 c' ]: u6 a' f& f$ V% v
4C19:0095   MOV    AX,0911  ; execute command.1 T2 I* ~9 ~3 ?8 Y
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).% S  o: c/ N$ u, b3 t$ J/ H
4C19:009A   MOV    SI,4647  ; 1st magic value.
& T9 Y0 G2 H2 p. N4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
+ @: C5 S, H$ W5 p7 F4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
: \: c5 }2 ~/ q4 n# g4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
/ Q& B& Q8 H( |* ?$ M# B7 ^! {4C19:00A4   INC    CX
7 a# g4 R8 ]; G  N: q3 a6 q3 ]4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
. w% e& P# k3 a# W0 f- T% ]1 M4C19:00A8   JB     0095     ; 6 different commands.- C& N+ [! J5 M3 g
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.2 z; k+ V* \; s0 _; [
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
7 t9 N3 g) p7 ^4 Z8 a, X( v0 c$ Q5 C8 `
The program will execute 6 different SIce commands located at ds:dx, which5 ^0 u' @5 w; ^9 u$ }8 A
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
% \+ c$ A3 e- Y. m" S& }5 f2 T0 Z2 `$ s4 z! Q
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
4 v% [/ p" C' K5 D% s4 Z( U___________________________________________________________________________
* n8 h  h1 Y! @2 A3 d7 G4 l  V( q* n! N5 T3 K  _

6 Z3 q: V: j5 ]' AMethod 03
# F, t5 k- o1 ]  E) O=========
! \! {. r5 Q9 o
4 H) m2 T4 E- P2 |& gLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
0 W3 q! S- N3 B' j8 T" M' |2 Q(API Get entry point)
# V/ f: g: W+ W& W3 C- z+ s, ~1 U1 P        
  J! H- H- o& k2 z' [  v/ K9 _" J* n# c* P* n: h. j+ A/ i' X' G
    xor     di,di
! I8 ^; H# {. l- T    mov     es,di
. t$ C& M3 B" ~* }    mov     ax, 1684h       - z$ ^4 r# O+ a9 h+ l# M
    mov     bx, 0202h       ; VxD ID of winice
; Y4 V& i0 s7 D, L" ~& C    int     2Fh3 n$ h% E, h0 b/ o2 A$ N( G
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
5 T  U) {5 @8 d6 \  P" a* f4 V    add     ax, di) c& g4 D/ @) S
    test    ax,ax- W5 m0 k6 t5 g- f3 C
    jnz     SoftICE_Detected8 D3 k, I1 B% R2 C  k  q1 u5 E* y

6 k2 u* s8 k2 W; {1 u  y! n2 N___________________________________________________________________________
1 p% g) N+ @1 m) Z  q" O9 U% z+ z+ }1 S* y
Method 04
8 F6 O: N1 [3 N! s+ G# |# m: P1 c=========" W2 f0 I- D- ~

0 R0 X: ?$ J7 g: e9 m; T  |Method identical to the preceding one except that it seeks the ID of SoftICE& N$ Z# i) B! f- C: l3 f& ^
GFX VxD.
2 d, ]: @- [. k1 {9 N' r3 w: f: h0 u" l- n6 T# L
    xor     di,di+ I3 @* P; q6 u, C
    mov     es,di
: {3 Y* r/ Z( {) B3 d6 s2 c    mov     ax, 1684h      
! Y5 a/ T2 H- f6 x" M$ m    mov     bx, 7a5Fh       ; VxD ID of SIWVID* F+ P& H6 N, V1 {8 A2 M. N! u" [7 e2 ~
    int     2fh# U: O* _3 a0 w7 W  u$ D+ t0 K
    mov     ax, es          ; ES:DI -&gt; VxD API entry point& [! ?" k, ]( {7 I2 O* c  F) ^
    add     ax, di/ n8 M5 [& a" T2 w
    test    ax,ax& E. ~" B( V1 |% h+ K
    jnz     SoftICE_Detected  W' V3 N. Z! M/ ]* v) k
4 L2 H; P4 k7 Z1 g7 z) @4 V7 a& \
__________________________________________________________________________
- S- L& |' p5 G" u3 j) g* N, Y
6 f/ H& ~3 E. M! t- {+ n& e+ J- u$ n  r) s7 |; F
Method 05& S; N4 e7 M4 b3 Q& J' u0 t* m6 g
=========7 u3 e' _8 ?9 [) j
7 ~' X8 A; _' v" ~5 i3 e0 a
Method seeking the 'magic number' 0F386h returned (in ax) by all system7 M6 o8 t; C( @) }1 L
debugger. It calls the int 41h, function 4Fh.( l  k0 G& S: a' t1 U
There are several alternatives.  ' N+ r: z1 v. f0 H8 E
1 _* k  t- k  o) |( d
The following one is the simplest:
1 |6 g# B- W+ h
, B( l; b" z& `* k* X$ C" l; p6 R4 y2 T    mov     ax,4fh
! ]/ x/ o) M8 {7 _0 R    int     41h( T8 p, _! ~& P- q" f
    cmp     ax, 0F386
2 ~( v  D+ L' {( k" d% Z    jz      SoftICE_detected" o3 i% Y- |/ b( K) ~! l. _

  M9 ^1 f7 p7 T
" l% l6 ~' V  _1 [& @2 [Next method as well as the following one are 2 examples from Stone's
. S% h$ s( W$ J3 i7 G"stn-wid.zip" (www.cracking.net):: O7 ~, T, p' [! g! `+ Z
7 V0 E9 E; t7 `) W7 V. L% E
    mov     bx, cs1 f% k( s7 j: E4 C& R  o! [
    lea     dx, int41handler2
& k' [3 Z( f1 u( d  C; [    xchg    dx, es:[41h*4]
% U( l9 V) p" N5 n: X    xchg    bx, es:[41h*4+2]4 v5 }  c5 t% y& S
    mov     ax,4fh
* t; U1 Y9 b2 a, _& Y% s/ Z    int     41h- E, c8 \$ c$ J5 R! Y
    xchg    dx, es:[41h*4]+ J* c; p1 F: K( ]2 r
    xchg    bx, es:[41h*4+2]0 L/ ]* v1 m5 X
    cmp     ax, 0f386h1 G; F5 q. ]! J
    jz      SoftICE_detected
! C" V% U4 t6 T& u8 U
8 f1 p9 M* `, T& Eint41handler2 PROC
4 X& D% Z2 y  t7 ^0 h    iret
! J. G2 ]: B2 a$ N$ f: N7 oint41handler2 ENDP
* Q3 t0 b( B' D( V; r! j) ~
: v& B; j4 \; u& H/ w5 S0 g- }" R
  n- N; P/ B; p, D6 u) h& _5 D_________________________________________________________________________
/ K. Y3 E, {' }/ a# I+ B* P7 o( p
8 U2 H: G; [% b
* q3 K3 m1 K1 w' PMethod 06# F- [# n. s: Z8 P
=========  O4 P4 ~' A" i
& Z! F- R; ]. X3 b5 H2 w0 o2 {1 r$ G
8 v, a8 u$ Q# T) D/ R$ e
2nd method similar to the preceding one but more difficult to detect:
+ J2 N6 m, j, F5 g0 L7 e+ _3 [2 r6 j+ O+ v4 k- s

- Q/ q# a0 E# E2 R8 K4 i) o; yint41handler PROC
5 u* V8 x8 M) q: Z0 h; V    mov     cl,al. h4 z2 e! ?# ^6 a( O
    iret' m+ N+ x3 H" f2 r0 k6 R/ V2 R
int41handler ENDP
% R9 K5 m9 Q1 x% I6 z6 g) F
* f0 w# |$ q: e. b+ [9 L9 g. {/ M3 t( U, r- H2 E
    xor     ax,ax
/ R- N! g9 R% T/ S% e( p& _    mov     es,ax
! o1 z9 n, H9 G    mov     bx, cs
1 Q5 O/ G- ]  h: D" h    lea     dx, int41handler6 t% K5 P$ q% P6 ]$ J* W
    xchg    dx, es:[41h*4]" X5 |  ?# J% K6 K# B4 Z. i' r- A/ R
    xchg    bx, es:[41h*4+2]. a5 T; L! u5 h% h' E0 _8 F
    in      al, 40h! ]+ a# d/ l* K
    xor     cx,cx
' F3 t" B3 L) _3 N$ I    int     41h
# i% C" d9 o& n" v3 R    xchg    dx, es:[41h*4]
  u2 s5 ^1 Q" G7 w3 }1 h0 Q    xchg    bx, es:[41h*4+2]
! c. j" F1 _1 g9 X) {    cmp     cl,al
8 a& c( p2 j& `8 d/ d6 ]    jnz     SoftICE_detected5 s4 s: Q* W: V- ~# Z( ?' ]

" U$ a* A( B8 C_________________________________________________________________________" x6 |8 U( O6 g

' R+ A* U3 b0 i* s$ Y- ]3 ZMethod 07
! R! y: T' T& Q- u=========
: D% s3 y; O! t1 k
# b  Z' \2 s' F- a; a8 x1 AMethod of detection of the WinICE handler in the int68h (V86)
1 }* j  F% W$ h9 f' U- ^) H5 l9 a/ }8 b
    mov     ah,43h
" Z) x- i) H' f: O6 p% U/ S    int     68h' Z3 F. |6 P7 ~6 ^& ^
    cmp     ax,0F386h
, A& E8 a6 H0 {- T$ |    jz      SoftICE_Detected( [8 ^  S( v. E- w) R
! }  d" s) A( c

: I6 M4 X9 {% N- m" ?  K0 c=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit1 v' G+ b1 t3 n' v' t2 m
   app like this:
7 s& ~7 T/ K$ T1 q* ]5 T4 K
& D. P7 R0 e. O) u& ^6 s1 D   BPX exec_int if ax==68: N6 |1 Q( ]( o8 \, |2 B& R
   (function called is located at byte ptr [ebp+1Dh] and client eip is6 v$ h$ n5 B, @/ t7 u3 @
   located at [ebp+48h] for 32Bit apps): c+ E7 N8 ]5 u* A% O
__________________________________________________________________________$ ]: m3 y/ C3 e% f
; Y. L& S2 H4 O# @4 R6 ~! w
! j! }! J# d1 _1 \
Method 08* ?  V2 O; k/ V- M" a5 x' }
=========# }! F- }1 g, t  K; y0 a
6 O2 ^2 Q; z$ X! G" X  ^
It is not a method of detection of SoftICE but a possibility to crash the0 v( b) j) V7 h/ {  t1 y) C! X% C
system by intercepting int 01h and int 03h and redirecting them to another( ~( G- |. R. v5 ~& J6 O
routine.1 b2 @* g' @$ `8 k9 z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
, l8 E6 o3 w% J' ato the new routine to execute (hangs computer...)
' a& o$ f* o2 M( H! F
! O( y: H! F" \% J1 |    mov     ah, 25h
- I  J0 b  z2 u% ]' L! f    mov     al, Int_Number (01h or 03h)) n# J* D) F. t* ]; J9 Q  N$ B
    mov     dx, offset New_Int_Routine
  R, m. l- u# d' J4 `; s    int     21h; [0 Y1 g7 C" `0 t& ]+ H8 x8 x

% V: E/ l' V  l8 T5 Z" e__________________________________________________________________________9 G  n8 i* ^2 g: \6 ]
: m+ Y. K* Y8 S6 |! |: _% ]
Method 09
2 H% c% B) u- t7 q3 z$ X0 C; z=========+ H8 P" q& g8 Z8 v9 r3 ?
7 f) J% Z8 K8 A8 G2 S/ Z6 |" f
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
4 @" X% _5 ]6 z0 Pperformed in ring0 (VxD or a ring3 app using the VxdCall).
: a% `0 R2 T7 {9 m/ }: V% T/ A/ v. rThe Get_DDB service is used to determine whether or not a VxD is installed; `/ N5 k+ R1 d3 Z9 ~- v
for the specified device and returns a Device Description Block (in ecx) for
; P0 Z3 {( t; [$ u2 Y) Nthat device if it is installed.
% z7 Z6 Z+ r1 J+ o0 L/ Y1 A
7 Q& h9 j8 j7 u; p   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
7 `8 w8 W( s, z7 N' q   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
, h- N# l. D8 S3 Q5 \& G   VMMCall Get_DDB
+ f! H9 X* n' h/ d, f7 x  }. h   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed1 v1 M5 {3 Y2 h" e
6 F8 D, g0 C0 V; K5 c, U
Note as well that you can easily detect this method with SoftICE:* j8 `' q* ?- b% E+ L
   bpx Get_DDB if ax==0202 || ax==7a5fh& v4 E6 }  G  O5 u
2 P- ]3 X4 o8 F) {; e; H5 B/ A
__________________________________________________________________________
" g% X$ h; W4 w, N, q( M  S& p  A+ e. Y! _, E
Method 10
+ H' d. T0 w. F0 Z3 C$ P2 z" g=========6 o9 X# d& m- T* Z: ?

" q! n# x5 \+ m=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with0 }7 t0 ?; D- o% m# v# w4 {& A* p
  SoftICE while the option is enable!!7 c! y7 N% U( P7 z  D
* s( Z3 Q% s( }1 W" V' G# ]1 Z) r
This trick is very efficient:2 U  `6 x( R$ z1 f* s# V* t: y2 t# j
by checking the Debug Registers, you can detect if SoftICE is loaded
1 f3 U9 D  L& T- g7 w9 `6 r' k1 o* C, k(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if- @+ O) C) K8 L0 u$ F
there are some memory breakpoints set (dr0 to dr3) simply by reading their
6 ?' Q+ w6 V5 Y7 Z7 |2 c$ J" nvalue (in ring0 only). Values can be manipulated and or changed as well
/ n) ~" E8 Q' w: `(clearing BPMs for instance); G; \0 r5 M( p5 }

& c4 G5 a* n# P' r__________________________________________________________________________
, ]& V- {# n/ z% r* Z
8 L  Q0 l3 m8 e7 vMethod 111 n/ ?0 t% }7 c4 M' O
=========
4 \2 b  n/ ?9 M8 G4 v* C# B" U. U% N/ G4 \5 Z9 R1 k9 w+ y
This method is most known as 'MeltICE' because it has been freely distributed3 Z1 `  q: U# t' ]) N
via www.winfiles.com. However it was first used by NuMega people to allow( s. l: b# K) y3 G6 F- ~) v& m
Symbol Loader to check if SoftICE was active or not (the code is located
. L' O' \# n: G+ J- n8 B) tinside nmtrans.dll).
5 C8 j# e: K0 ^* I! U) `! q2 t& e3 a& R( ^) b
The way it works is very simple:9 t" T9 I  B; V7 c
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! B* P& P( f# |WinNT) with the CreateFileA API.: h4 d9 b- P- B: @0 _
$ {# U$ f5 x7 C) ]- [+ |  k* R8 {
Here is a sample (checking for 'SICE'):
$ F: S$ x3 _5 O' Z* A3 n# N$ j  [  S/ p* `/ W0 T1 m$ U: O# r
BOOL IsSoftIce95Loaded()7 _+ o" o6 ~& [( Q. N5 P9 j+ A0 D
{0 z, R* ]3 k0 n4 A# `
   HANDLE hFile;  ; }& a8 D; u) c2 R. h% V
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,; h9 N! t. h( T* |/ q$ W' Z* s
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
5 r/ C6 ]- d- l. w  Q7 ^                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);$ X) \4 D% w! d6 K: e
   if( hFile != INVALID_HANDLE_VALUE )- v8 u; V# \1 e4 f/ ^
   {# t  u2 T$ j" w5 M
      CloseHandle(hFile);9 v" S; [! b- ~& j' V
      return TRUE;
" B7 G: g1 g% T7 m  d$ R7 a   }
% j; g3 y1 g0 t* r9 ]   return FALSE;. x8 t; n. u1 A& c$ O9 m: ?
}6 x( H: B# h5 B

8 m- [! u1 C; J% E; @0 R& v, JAlthough this trick calls the CreateFileA function, don't even expect to be
: f: d7 L* U8 I" w7 f! g" Eable to intercept it by installing a IFS hook: it will not work, no way!
4 w: }1 ]' U$ ~7 ?" z  mIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
! @9 q5 S. G1 D+ c0 O' h- Wservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function), ~2 O" T: I; ^$ a$ e, B
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
- m' q' [3 G& n+ @! _; z$ ^$ sfield.  c) Q; A4 z9 @3 S1 _/ D* |/ Z
In fact, its purpose is not to load/unload VxDs but only to send a 3 e+ d3 e  Q& e  f) d/ x" ?2 z$ R
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)) L0 `2 y! y: Z8 z6 t8 M
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
( U+ F, i8 L- E1 k, _1 ~  n: |to load/unload a non-dynamically loadable driver such as SoftICE ;-).
+ e4 j7 n; J  o' f7 z) DIf the VxD is loaded, it will always clear eax and the Carry flag to allow
6 f# X# a% T. z# j& qits handle to be opened and then, will be detected.
6 @- L4 S( W: j* J% g% q8 P* P7 w& CYou can check that simply by hooking Winice.exe control proc entry point
5 s2 \6 w1 I/ n8 k* Fwhile running MeltICE.
* o5 i- K! u. X$ E( ?$ x- ~1 L5 a7 R7 p3 ?5 @$ U' M+ L

7 m! D" c9 Q) `  00401067:  push      00402025    ; \\.\SICE
# s( G7 q/ V7 w8 P4 N# |  0040106C:  call      CreateFileA
% w+ C4 {% P- @2 q" s  00401071:  cmp       eax,-0013 K  j; F  s- t1 m0 H' Q
  00401074:  je        00401091
1 c2 I0 W; b1 M& m# {& T3 k/ I. L2 \) z# r" W

  y6 I  P/ k& C4 O% uThere could be hundreds of BPX you could use to detect this trick.
2 G5 \5 E! @, B- w+ @" ]-The most classical one is:  _  k9 q7 S& Q0 ?
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||( V& b/ E2 A; _8 H' @
    *(esp-&gt;4+4)=='NTIC'- s1 e3 r6 `  p% @" J6 v

, Y6 `% C0 F- n2 C% ]! S: N; a; M-The most exotic ones (could be very slooooow :-(  ~: _' ?  T" O* n9 |. \8 j
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
0 a7 E- o7 F3 W# A* I  U4 }     ;will break 3 times :-(
& H, P7 h/ n3 @) J
, {6 Z2 x! ]6 W-or (a bit) faster:
: ]) U( ]8 G7 V1 D   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')9 s2 F& ]( u7 H9 K/ s! S0 n/ s

. \5 H; _+ q' U4 x, i7 s/ ?% M- a$ d   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
/ g- h' m+ _$ o0 S     ;will break 3 times :-(( E4 w! Q6 h5 p+ a6 u* d, ^

$ n5 x0 _$ |; b/ y  h-Much faster:
9 v( d; v% d6 m& e0 [   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'1 r7 N. E4 [  q" z
, s; e! k; [+ V" e
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen0 w; V  G6 j3 X2 E, \" M9 W
function to do the same job:* E7 s9 I; x- v& Z  k5 i; L
8 |4 y' Z5 B* K% e( r
   push    00                        ; OF_READ# p2 g+ ]* m& O* R1 J$ ^# t
   mov     eax,[00656634]            ; '\\.\SICE',0
4 T1 C1 g# R# q- u   push    eax
( }5 a& Z/ D" ^" g5 w+ R% L   call    KERNEL32!_lopen. a# P, D+ L( `' ^: M! `
   inc     eax  W9 k" l/ [" `1 C# _& n; \9 D& d
   jnz     00650589                  ; detected
" h/ i2 u( L# |) |6 o+ V3 [   push    00                        ; OF_READ* M% Z& i& v% N4 ^, q2 h
   mov     eax,[00656638]            ; '\\.\SICE'
3 T8 V  b/ Y& x4 {   push    eax
1 a- [+ S1 r8 r/ _1 W5 s* S9 n' _. }, P   call    KERNEL32!_lopen- F- w) A: c* Y2 r6 c5 [
   inc     eax0 d% ]- p* v3 Q$ ]& L( a/ d1 X
   jz      006505ae                  ; not detected* ?' v- Z3 s* m2 b" F" w* s+ Q
3 g# k* C, `+ o; @0 g

# K. Q7 t  O2 Z/ w0 U# a3 H8 ^1 w__________________________________________________________________________1 O& `4 x1 \, c: A
. P( i: V- N( \% c  @! B$ p
Method 12
( J1 y/ x  F1 J=========
6 r" r) \$ L; @; r- r
0 q7 _- s& Q; T0 f# XThis trick is similar to int41h/4fh Debugger installation check (code 051 b3 D  X$ o& \* u  s
&amp; 06) but very limited because it's only available for Win95/98 (not NT)& H! r* N8 z& }3 u3 q# l+ ~8 N
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.3 f4 y: Z: J# k- y2 j, m9 K$ U

+ M, F9 |) X: w$ f$ u) \: t, l   push  0000004fh         ; function 4fh) @! e& ?4 S" {9 H  O) t
   push  002a002ah         ; high word specifies which VxD (VWIN32)
! S0 d% M- A) |5 m( @5 Q5 L- K                           ; low word specifies which service5 V! [  q8 G+ s, J# [  L
                             (VWIN32_Int41Dispatch)+ K! @; E# Y" Y: G) o' ^+ x: W
   call  Kernel32!ORD_001  ; VxdCall
3 }+ e- |2 y! p& a, O7 P: C   cmp   ax, 0f386h        ; magic number returned by system debuggers8 X0 p# Q1 X$ m$ r( D
   jz    SoftICE_detected
6 k( b" f2 N7 _* k+ m$ u
; u4 C! e5 ]$ ]3 y; CHere again, several ways to detect it:
- V9 I0 l# t' A: y" K* E! f2 E+ d2 Y
    BPINT 41 if ax==4f$ x- O1 N) @/ j. k8 q* g
$ c) }, n  F8 Z: l/ N+ E9 M, \
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one% O/ i5 G3 U& |* f

% J' n4 l  ?0 B! [& p- Z    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A# j3 E) q+ @1 @$ T5 S

8 I4 D9 h1 v0 V8 Z    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
7 @6 [+ Z! [2 n4 J/ h+ }% ]( |1 }' W8 D' F
__________________________________________________________________________1 p+ }# @: Q' t* P. J  r
7 s( _( x, o5 h* ~
Method 13$ ^9 Z' S/ D& [- @9 `- D% u
=========
% a  a/ v1 U' S/ o) N, k9 D* H. M/ B) a. B" R* D' i
Not a real method of detection, but a good way to know if SoftICE is
7 }' P& x* U& `2 c* S( Sinstalled on a computer and to locate its installation directory.# r7 e/ U" \/ J2 a$ \4 d. c" c- \
It is used by few softs which access the following registry keys (usually #2) :, B: Y1 M3 x- w" p& k: d( N& I9 z6 a
/ u8 a, j9 C- W
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; i( W+ ?6 A/ D- I' o5 o
\Uninstall\SoftICE
5 F8 M" a$ t( y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE, m. ?7 C2 }& @( {! n0 e
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion7 V7 o5 s( T8 R
\App Paths\Loader32.Exe
- p9 x. V+ E* \/ `$ \0 T. I+ k$ J* |- f) U  D4 }
1 @; U$ t  m6 u6 z/ t
Note that some nasty apps could then erase all files from SoftICE directory. [. E( R  ^5 e* ]4 ^( P* K3 F
(I faced that once :-(; V0 d  ], ]2 m' K$ b& J8 R

/ ], g7 M9 J8 T! S5 k, _8 KUseful breakpoint to detect it:
) p7 O! ~( w4 Y- z/ N( D
5 a, d9 X* U8 j( J     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
6 [) y& u- P* `0 Y( L
& B2 }" l! d$ ?" o/ _1 S- n8 x__________________________________________________________________________& ^2 h, ]0 @1 W+ L$ s
+ g- z, n' s  e' m' G% D
. v9 L7 i9 `% F! A$ Z
Method 14
9 u$ d% M) k! b( T* x=========* y# n6 t' C$ ]; _+ [2 i
: K% x% w7 R; ^% A
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose9 {& x3 K, N8 g. H* F. X5 }
is to determines whether a debugger is running on your system (ring0 only).; J1 A! p# s; \
, x+ k8 w( m  G: C
   VMMCall Test_Debug_Installed
9 V& ~$ g0 \6 b1 [% ~9 d   je      not_installed
1 i8 e% Q0 p% \' n! [
" E5 h- \, j) y. y# R3 O) d- eThis service just checks a flag.
- w7 Z2 e$ K0 P+ B9 w</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-15 18:37

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表