About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; SoftICE recognises the signature and answers in al
    cmp     al,4
    jnz     SoftICE_Detected       ; al unchanged = nobody answered the call

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax                   ; still 0:0 = no such VxD loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; debugger installation check
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES = 0: swap our own handler into the IVT
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; only a debugger sitting in front of the IVT can answer 0F386h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: ax stays 4fh if we are reached
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; only executes if our handler is really reached
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keep the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer counter port: an unpredictable value in al
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler ran with al untouched
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
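To make the debug-register check of method 10 concrete, here is an added example (my own code, not from the original text) that decodes a DR7 value into its fields, so that an analyst reading the debug registers can tell an idle register (the 0x400 quoted above) from one a debugger has prepared (0x700, or any armed DR0..DR3 slot). The field layout is the documented Intel one; the helper names and the third sample value (a 4-byte write breakpoint in slot 0) are constructed for the demonstration.

```c
/* Added example: decode the x86 DR7 debug control register as read in
 * method 10.  Layout (Intel SDM): L0/G0..L3/G3 in bits 0-7, LE bit 8,
 * GE bit 9, bit 10 reserved and always 1, GD bit 13, then per-slot
 * R/W (2 bits) and LEN (2 bits) pairs in bits 16-31. */
#include <stdio.h>
#include <stdint.h>

typedef struct {
    int local_enable[4];   /* Ln: slot n armed for the current task */
    int global_enable[4];  /* Gn: slot n armed for every task */
    int rw[4];             /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write */
    int len[4];            /* decoded length in bytes */
    int le, ge;            /* local / global "exact" breakpoint flags */
    int gd;                /* general detect: trap on any DRn access */
    int armed_count;       /* slots with L or G set */
} dr7_info;

static int decode_len(int code)
{
    switch (code) {
    case 0:  return 1;
    case 1:  return 2;
    case 2:  return 8;     /* undefined on 32-bit CPUs, 8 bytes in long mode */
    default: return 4;
    }
}

dr7_info decode_dr7(uint32_t dr7)
{
    dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.local_enable[n]  = (dr7 >> (2 * n)) & 1;
        d.global_enable[n] = (dr7 >> (2 * n + 1)) & 1;
        d.rw[n]  = (dr7 >> (16 + 4 * n)) & 3;
        d.len[n] = decode_len((dr7 >> (18 + 4 * n)) & 3);
        if (d.local_enable[n] || d.global_enable[n])
            d.armed_count++;
    }
    d.le = (dr7 >> 8) & 1;
    d.ge = (dr7 >> 9) & 1;
    d.gd = (dr7 >> 13) & 1;
    return d;
}

/* The page's heuristic: 0x700 is LE+GE on top of the always-set bit 10,
 * 0x400 is the idle value.  Returns 1 when the register looks prepared
 * by a debugger (flags set or any slot armed). */
int dr7_looks_debugged(uint32_t dr7)
{
    dr7_info d = decode_dr7(dr7);
    return d.armed_count > 0 || d.le || d.ge || d.gd;
}

void print_dr7(uint32_t dr7)
{
    static const char *rw_name[] = {"exec", "write", "io", "read/write"};
    dr7_info d = decode_dr7(dr7);
    printf("DR7 = 0x%08x  LE=%d GE=%d GD=%d armed=%d  debugger? %s\n",
           dr7, d.le, d.ge, d.gd, d.armed_count,
           dr7_looks_debugged(dr7) ? "yes" : "no");
    for (int n = 0; n < 4; n++)
        if (d.local_enable[n] || d.global_enable[n])
            printf("  DR%d: %s%s %s len=%d\n", n,
                   d.local_enable[n] ? "L" : "", d.global_enable[n] ? "G" : "",
                   rw_name[d.rw[n]], d.len[n]);
}

int main(void)
{
    /* constructed samples: the two values quoted on the page, plus one with
     * a 4-byte write BPM in slot 0 (L0 set, RW0 = write, LEN0 = 4 bytes) */
    uint32_t samples[] = {0x700, 0x400, 0x400 | 0x1 | (1u << 16) | (3u << 18)};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        print_dr7(samples[i]);
    return 0;
}
```

The decoder deliberately reports the LE/GE bits separately from the armed slots: the page's 0x700 case has no breakpoint set at all, only the exact-breakpoint flags that a debugger's loader leaves behind, which is exactly why a naive "any DR0..DR3 in use?" check misses it.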

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'; CreateFile and the flags come from windows.h):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name of the SoftICE VxD: the open only
      succeeds when the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 = 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
/ l/ _" n2 U1 i! U# @2 h# u4 g</PRE></TD></TR></TBODY></TABLE>