找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
# V1 S1 T1 B9 z! n% i& a: q<TBODY>
  ^* F' H9 ~$ k3 u<TR>! T: a! E6 ?: q) P
<TD><PRE>Method 01 3 p/ D7 Z3 J( z: B) J
=========
7 d" v- U7 s+ j- l2 E0 v( v. h2 E, B; Q: [3 i, R
This method of detection of SoftICE (as well as the following one) is
1 g5 x1 k- _  l, c# X: ~  m' w: }used by the majority of packers/encryptors found on Internet.7 o3 f- ]' w2 g+ s7 X
It seeks the signature of BoundsChecker in SoftICE2 h6 }1 k/ N4 m( g

% [  ?: B6 s. u1 s; C    mov     ebp, 04243484Bh        ; 'BCHK'+ [5 A/ M3 Q4 C! u/ \4 S8 Q/ z
    mov     ax, 04h5 e4 A0 C& T2 J! ~9 r. P
    int     3       2 {# c' q! q. n. d
    cmp     al,4
; ^) A: n# n- v; Y) D, O    jnz     SoftICE_Detected
- C, s% @- W/ K' S7 [! u
; p* D% W% L. z; T4 a; q7 B& O5 e1 o___________________________________________________________________________. x7 j( ]; @  O5 A. E8 c, t) n7 c& m

9 W% }1 |' Y0 \+ g2 q) uMethod 02/ @1 t) X" v0 g  A& ^; f+ ~% I# H
=========$ n+ w* L# h# H1 k7 k

0 ^* ^$ G' ?2 O! e/ H) R) j- bStill a method very much used (perhaps the most frequent one).  It is used  i" B' `3 q; O+ I! x" @" U& ?0 _6 ^
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
1 l- E3 w; o0 B) L% k/ X& ?or execute SoftICE commands...
4 w4 W  f! v9 r# O- nIt is also used to crash SoftICE and to force it to execute any commands
- P3 h2 }; V/ c7 \* W! M(HBOOT...) :-((  
7 p/ H1 o# c3 B+ E" C* Y8 L& `# K
Here is a quick description:1 U3 _% z* ~: R4 M
-AX = 0910h   (Display string in SIce windows)
; _6 @" E) ?1 m: j-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
1 o, Q' O0 R8 ?7 z( {) l-AX = 0912h   (Get breakpoint infos)' w' ?" K5 O$ L1 M: ^/ @# @
-AX = 0913h   (Set Sice breakpoints)
3 c& K$ L1 _( k" ^-AX = 0914h   (Remove SIce breakoints)
5 V0 t* }' v, O1 s  Z3 _. v0 {
, k/ \- {0 s- K* q$ wEach time you'll meet this trick, you'll see:& l1 H3 u; ]4 y, q4 I
-SI = 4647h
# \! Z) s: [( n" F& E-DI = 4A4Dh* M2 @/ ]8 E+ \: R
Which are the 'magic values' used by SoftIce.) h" W3 ], V: V, j7 w- M
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
3 K+ A  ^/ b, h3 @. `, ]4 ^9 a: z  _) ~# E
Here is one example from the file "Haspinst.exe" which is the dongle HASP
" }$ v- _% _* s- Y# m6 T/ y0 kEnvelope utility use to protect DOS applications:% ^6 ?& q5 M: \5 o, `7 i
, k5 o0 |4 j! L' r
4 H' e% C( C5 ^2 X8 r0 m' }
4C19:0095   MOV    AX,0911  ; execute command.8 {% @. O6 o8 d# q
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).) G  i# j) w1 W3 e. ]
4C19:009A   MOV    SI,4647  ; 1st magic value.8 A  s1 [* m  A) D% O! G, a
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
* _3 u7 s) |2 C: p4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)5 y) {) G, @% s9 |  q+ U3 k
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
, s( C" O+ q- N( H* X+ D4 ?4C19:00A4   INC    CX
/ W& R- v9 J$ D2 B: l7 g4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
' ^; k# C' [% Q; H4C19:00A8   JB     0095     ; 6 different commands., Z/ v  M6 L  z3 B+ i+ O
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
! I9 ]& ?3 P& i: G  n4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
! K$ ]1 c, X& U. V) e) B! R9 n' n  B& z+ ]+ Z6 q7 ]
The program will execute 6 different SIce commands located at ds:dx, which  u! ]6 R. l- Y1 @/ J% `4 Y3 A0 H
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
! [' c7 @1 }" b: ~: j: J( ]4 J" a1 N% h7 |8 W: C
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.: a# t4 r5 k" s
___________________________________________________________________________1 \. w) J& j8 q7 z& b% P$ t! k5 u

" `: G* @2 J( ~/ \8 W, }% [9 p& N% a* @7 J( l+ j
Method 03
' {; a# F3 g6 g; }: }' |$ ?=========$ `# f; j( X: c& y6 u, x
$ ~" R1 D( b0 j9 a" z$ w
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h0 F9 A: U2 T( p6 ]: e) C
(API Get entry point)
& d$ ?, b0 q- q. c1 m' ?6 K6 n        ; H. ^/ V2 [" J# d( i
% f: K( `0 o6 T& `1 }1 A
    xor     di,di
, _' ?9 _3 A) X7 x. a    mov     es,di. K" e4 N5 z4 q
    mov     ax, 1684h      
& M0 P: |. _; ]% ]1 J    mov     bx, 0202h       ; VxD ID of winice
6 E: e8 R  {; n9 O/ L; y( B0 M: G0 ~    int     2Fh9 n# j9 W7 |  @2 ]/ Q" z4 Q& K
    mov     ax, es          ; ES:DI -&gt; VxD API entry point. }* T: ~/ d( i$ f8 Z
    add     ax, di
2 \8 C) I! f( U$ R% r    test    ax,ax% L% r+ U- W9 g# J
    jnz     SoftICE_Detected" y7 U( p0 i0 n: R# n/ n: v9 x

* m; k+ M* F7 A5 G! [) U: B___________________________________________________________________________
7 J2 L8 V+ G' f( m' M) S9 Z- H; }8 N( y& e! y+ _: w
Method 04
  Y& G9 ~4 X+ i( n. K, ]1 j* K=========
$ }# B1 @4 F0 e0 ~% s+ C9 J1 F! B# |6 |. W: G/ |% G- n8 D
Method identical to the preceding one except that it seeks the ID of SoftICE1 j$ K# ]' ^6 U+ k* V* t+ f# [5 N
GFX VxD.
# k$ t& s8 `, ?1 w8 N0 y: E3 e
6 \* r" M5 B& Q; i- |    xor     di,di
$ ~. V* B: _6 L9 T. x  n0 b, j    mov     es,di; e9 ?8 K& _; ?" c  C) \
    mov     ax, 1684h      
4 Q9 I& k8 p/ v8 G* K$ Y  e2 T    mov     bx, 7a5Fh       ; VxD ID of SIWVID
$ S+ z9 P$ u7 @/ i* O8 _    int     2fh# P! ]3 S1 l' B* c6 e( r
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
; r$ |. ~2 d. N* J5 ?. q/ D: ~' f    add     ax, di% p' k9 P! v" E
    test    ax,ax8 `. u$ F0 `; _* n
    jnz     SoftICE_Detected6 ^7 `' y+ N" m! G

* u3 }' c/ J4 G0 L: ?6 _! z% w/ l__________________________________________________________________________# ?. @1 d; a  O" B, Y2 j$ e
+ W4 _- |+ o! L% d! i2 ~% @% b
2 b- V6 Q" ^# C& U
Method 05
9 z/ }- V% }( \=========
' v$ E( m6 F: j1 V  C- Y& U
& o4 D. k1 [! y: ]( zMethod seeking the 'magic number' 0F386h returned (in ax) by all system
+ I, U9 \" i. _' Ndebugger. It calls the int 41h, function 4Fh.
6 I- c; L! c/ k$ @) f% `- VThere are several alternatives.  
6 s, Q* p/ {% v* P0 W- Y' Z& E4 y/ {* K$ {* X4 k8 I
The following one is the simplest:
. M# I6 p; {7 v1 I# n0 }" K
$ K2 y! O3 M) Q; m. A8 c    mov     ax,4fh
, y# O4 _- J8 I/ c' X0 x    int     41h
0 v# p  O! Q! d$ N# ^' W    cmp     ax, 0F386) K$ A9 `7 q9 r% v+ a" G8 c# C1 g
    jz      SoftICE_detected
! |7 [: J6 _, H' o( u, Q% C+ e& _/ Y
1 ^- I+ n; J# m$ l
Next method as well as the following one are 2 examples from Stone's # v* W. A. Y' U: B3 S; Y( N; p* C" p  o' J
"stn-wid.zip" (www.cracking.net):+ r9 F% m8 E" d4 z5 K% @2 I7 n

9 F  ^& Y$ R) ^) S0 V+ U7 m    mov     bx, cs
  T% J2 L  Z* I/ Y2 \' P    lea     dx, int41handler2
4 N7 A8 Z. M% A. J% ^8 G& C    xchg    dx, es:[41h*4]+ M" _. I) t3 I
    xchg    bx, es:[41h*4+2]
* x# a* \4 `* J1 o/ W    mov     ax,4fh
$ F8 |! w, j7 o9 R7 X    int     41h
/ a" {8 B) \5 j5 ?. _. O7 A    xchg    dx, es:[41h*4]6 v/ e5 {" e9 z3 Z! a
    xchg    bx, es:[41h*4+2]) g7 {+ i" k4 p+ e3 {$ }
    cmp     ax, 0f386h2 N1 G% j6 Y' \: Z. _5 U' T2 E3 F
    jz      SoftICE_detected
9 x$ s# Z7 L  F8 }; q& L
# P. k4 A8 y" o# I6 I' }int41handler2 PROC9 I5 C  h: n/ i8 k
    iret
; |: q+ W( n3 ]& ~int41handler2 ENDP/ I; ~/ z/ q, A; p' U* C+ W5 v
( a6 I* H5 D" U

  a7 @' L1 H( K2 m_________________________________________________________________________% \: P! A: }; y/ `6 ]0 o
1 @6 e3 _6 _& e8 A  a9 f

% L3 w6 M/ X  D. ]0 YMethod 06! B6 |; U* u: f
=========
7 ?; M+ x6 h: o8 p! |( f1 y/ b# h# ]' `% U3 O. a7 o6 W

5 L2 _7 q, ]) L1 H. N7 e  O2nd method similar to the preceding one but more difficult to detect:
9 {, X# s: T/ }" }, j
3 a, t6 x  g2 a% J1 [$ Y% ^, v; j0 W
1 [  x$ S, U0 e, x# g" Z+ y$ D6 y7 d' tint41handler PROC
: J. s- [' s$ ?    mov     cl,al9 c2 Z- X; _' B# ]6 Y
    iret
" k" J$ B, D) G. `: s! Pint41handler ENDP: o/ Q; ]! e' P; v! ?. U
  v, ^. t. B/ w% v# @; r) [
1 U2 Y# b+ t9 ?
    xor     ax,ax
1 N6 |: N# X; l1 N$ j8 o5 `    mov     es,ax; F, O6 y; s- H* V* Y! K
    mov     bx, cs
/ q/ o4 ]3 n, |4 l( y    lea     dx, int41handler7 t& C: Z1 f. r0 q; J& c
    xchg    dx, es:[41h*4]) P5 B9 M7 A  V/ C: X2 N8 k: E. p1 `
    xchg    bx, es:[41h*4+2]
1 r. B# M4 d/ t1 C! ?- X- A    in      al, 40h
8 e0 T. N8 k0 }- u* D: Z: ]% g7 b1 Y    xor     cx,cx
/ j8 X5 O- L3 J4 f7 P    int     41h3 x! x: ~" }5 K6 ^/ j
    xchg    dx, es:[41h*4]
  i6 ?# H6 t& f1 Z. T# u    xchg    bx, es:[41h*4+2]- W* I$ ~2 F# \% ]1 g' p& R
    cmp     cl,al, e$ p8 s4 N9 x  X9 c' T
    jnz     SoftICE_detected
" Z5 t% N. d3 N, k2 o2 a$ D$ `+ }, G2 d
1 n/ b' `" l; C9 M1 t) g. c_________________________________________________________________________2 c- V/ O, b0 d4 U3 U! {1 o9 s
; P% v3 F: c7 ]; G5 F  }* |
Method 07
0 r+ R( h1 J- F=========% O6 s( I, G) s* _4 h
+ c9 m- o4 I% l  g/ }$ Y" E
Method of detection of the WinICE handler in the int68h (V86)! E# C) S3 |/ Q4 T& z
' I6 B: c4 n/ d3 @+ P8 ^
    mov     ah,43h* S0 T" P: g% d5 _, |
    int     68h, F+ W$ J, _! g2 d
    cmp     ax,0F386h
8 x! H, o/ z# t" _( \    jz      SoftICE_Detected: I# ?, u! i' S4 f- f( E
+ |# Q- Z' [! a0 h6 q0 Y- U0 I
4 ]9 A, C# u; i
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
9 S" u7 b3 ?0 Z6 r! @   app like this:
" O% M* v% }6 q- k( _
$ i' U  i, s/ p7 z; |+ y   BPX exec_int if ax==68
8 I5 ]1 ], x* t& t; v' M- e   (function called is located at byte ptr [ebp+1Dh] and client eip is
/ C. K- V1 e+ w9 |: J! c: R   located at [ebp+48h] for 32Bit apps)( M2 O0 J6 \7 z9 W
__________________________________________________________________________
4 ~2 M8 j  f& q2 G+ I$ e
' q( K/ p& X; e1 ~1 X: v& v" P
- a# [$ t* H* {" i" tMethod 08
) l1 g$ b0 j7 L8 E8 t4 m=========% u$ E$ E4 ~! V* e- B  K

4 ^. N* }9 s* C! Y4 |# Y6 CIt is not a method of detection of SoftICE but a possibility to crash the
' K2 `! @' k; F; ~) F7 d) [, C8 n( Jsystem by intercepting int 01h and int 03h and redirecting them to another
) k, g8 q$ S# nroutine.
% Z' V' Y* S) @; z5 D' p7 {It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) B. c! V' D& b$ K3 m
to the new routine to execute (hangs computer...)
* d/ `" B$ e8 w7 A+ J/ c3 p; B7 z1 x) p% K, d
    mov     ah, 25h3 e3 J; N# s' N. N: @
    mov     al, Int_Number (01h or 03h)
8 e- h! k; Z! s0 }) O/ U" |+ u# \    mov     dx, offset New_Int_Routine
" c. i% N; q: M) n  j1 d" `+ J    int     21h
, |9 n' L3 i2 J# x' X4 U
  P( w, t/ I0 d0 w* @__________________________________________________________________________5 P: f. c" D* _& k# k+ R

, z# z- ?3 {) d2 p$ K% G! Z& PMethod 09
7 O9 e9 c3 D8 e% j$ o1 c+ m=========
, b. A) }% j2 F- f4 t
4 L. q+ b+ W+ F% w' j: X" Q, L# p1 wThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only( I, y3 w* v  x- h- W8 @& h
performed in ring0 (VxD or a ring3 app using the VxdCall).2 M% w" n1 S- h
The Get_DDB service is used to determine whether or not a VxD is installed
! X/ g/ i" ~% K+ W5 g4 s/ T+ ]  Ifor the specified device and returns a Device Description Block (in ecx) for
# [% c: d! ?% W8 B0 n" m8 r+ othat device if it is installed.
& \+ n4 s2 i: U# n. H4 b  [: a: C  a
7 _8 ^/ y, q) B  F4 I8 u* ^   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID" a. B* P- `4 r& k1 X
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
' A' G2 P+ d/ {5 h1 X; H  y& H) \   VMMCall Get_DDB; U7 f' j# h, l5 |( J$ l
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed: N8 X: L  L. @7 \6 E
8 P9 |+ D- m8 z% p+ C1 I0 y
Note as well that you can easily detect this method with SoftICE:7 m! Y. Z( ^, u4 q0 N
   bpx Get_DDB if ax==0202 || ax==7a5fh
3 z8 D/ n0 s$ a% K% _; U/ @
' A4 o4 o) s: y__________________________________________________________________________
7 X1 Y' X( D2 X+ A) j2 K
- A' n6 j$ i+ j2 Q1 k6 j$ bMethod 10+ s6 f: V! I0 X( [
=========. q- {- q9 b  j9 F2 M" @

, x: W1 m; A  J=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
6 U! O0 \8 I6 R& W. ^7 H2 f  SoftICE while the option is enable!!
0 B# D! y  h' r) W
8 a0 M2 H! M3 G% `+ s; M0 @This trick is very efficient:# e# O) K' p) f2 B3 a
by checking the Debug Registers, you can detect if SoftICE is loaded; _" ^( I4 v2 `
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if( p  j, p0 c6 y8 O  e. q; {. m
there are some memory breakpoints set (dr0 to dr3) simply by reading their
* A+ T( G' k" c" Wvalue (in ring0 only). Values can be manipulated and or changed as well3 `* G$ G8 s5 M$ Z
(clearing BPMs for instance)0 g8 S3 a" D! C2 {* l6 F

" E* a0 P1 e7 R: `1 v  l- u__________________________________________________________________________
6 I& [* ?; A4 r7 M# h- ^) L5 H& Y+ d/ _0 }" O% o- g9 a, k, f. e
Method 11
% e/ ^% V9 a7 R=========# [$ |" T; S4 v- _
  T0 S3 B7 v+ f% ~# D3 ]
This method is most known as 'MeltICE' because it has been freely distributed; Z6 ~3 z- ]- k" v
via www.winfiles.com. However it was first used by NuMega people to allow3 ~+ Z0 `2 X) y
Symbol Loader to check if SoftICE was active or not (the code is located9 T/ B  C# W2 i2 D
inside nmtrans.dll).
% h4 Y; H% }* h0 H, p. S0 Q9 k
% X$ g' N# {$ ?: E# a- A+ }4 SThe way it works is very simple:
/ L: }/ U) W9 g. ~# I1 J# qIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 d/ i: t8 Z7 t, V# ]WinNT) with the CreateFileA API.
7 Q. E4 ?7 m7 U" q  P( d5 [" y- M- A9 ~+ q; J1 H+ _$ |( X. P
Here is a sample (checking for 'SICE'):1 L! H' t& n3 Y, D! ~# {
7 G, m4 U& J0 ]3 U0 f( E  F$ K
BOOL IsSoftIce95Loaded()
/ T6 p; ]- b7 h- P{
* s2 a6 K: g; d" u$ y- }   HANDLE hFile;  
- j' M: Q$ j. D- ~" i2 o$ @# O) d" z   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: N6 y, |) a7 _0 B2 ]
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
: B8 c, p6 W  Z% U% T                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);$ j/ K( G8 A3 z% k9 r/ \
   if( hFile != INVALID_HANDLE_VALUE )( R# |- X) U. {! c
   {8 g8 l" v2 e0 j0 _8 [
      CloseHandle(hFile);1 J/ s7 U' j; C  D/ f9 {( C& e
      return TRUE;# S, f9 l! `* n
   }
+ F9 t2 \' L1 C/ y! n9 W" z& B2 w   return FALSE;3 ~, `: S. s& o$ D9 J
}' X0 a' ~7 W* \* p" ?: ]# _/ B

) L* f# i9 Y: c% d% ]7 t8 i2 V" o+ M$ CAlthough this trick calls the CreateFileA function, don't even expect to be
/ u& C- G! w1 v( o* dable to intercept it by installing a IFS hook: it will not work, no way!0 R1 K& |* {: n$ l2 k
In fact, after the call to CreateFileA it will get through VWIN32 0x001F# _* e4 K$ P& V! o8 ~+ f8 J
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)' L, b; l; U- v9 b* U! v. V
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
# s9 ]" E* A( K! V0 }field.
0 e3 r1 Q: G4 |/ ?8 ~7 \2 o* gIn fact, its purpose is not to load/unload VxDs but only to send a
1 b7 }. _4 G. w- OW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
& j/ \5 x  E( _! [! D8 b0 ^to the VxD Control_Dispatch proc (how the hell a shareware soft could try
; I8 ^; v0 d& t) Y5 J" s' ]to load/unload a non-dynamically loadable driver such as SoftICE ;-)., ?3 ]3 D/ K: u, X) G" @- r) Y
If the VxD is loaded, it will always clear eax and the Carry flag to allow
* b( n1 Y# H# K3 G! oits handle to be opened and then, will be detected.6 L' _! c7 q& S+ E- i" t
You can check that simply by hooking Winice.exe control proc entry point
3 u. O8 C! Q3 @/ Y" A# |while running MeltICE.9 @( S2 \8 S% z/ `( a! \
/ x$ q; |! m' Y  ?" X3 e5 ]  |
9 N+ O/ W9 K  c0 `: {' f
  00401067:  push      00402025    ; \\.\SICE  e4 ]3 D8 e* n/ M1 A: k8 f
  0040106C:  call      CreateFileA, |; ?) G5 M" w! D8 j# |
  00401071:  cmp       eax,-001
5 K; E; \7 p. I. G  00401074:  je        00401091
9 z/ \% r. @+ S+ h: H- ?
4 y9 Q" ^! f/ Z. n0 s( w3 P; _/ S+ q! V' ?% q8 m; ~- S+ U
There could be hundreds of BPX you could use to detect this trick.
0 I$ [! \" t9 I  c4 B+ h-The most classical one is:
2 a* Q! p3 [3 w8 ], O  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
" B1 U+ g; r* u- c    *(esp-&gt;4+4)=='NTIC'0 e3 a" c. X5 E6 H1 U4 j
& f) m9 [' l- P+ @! G. F2 `
-The most exotic ones (could be very slooooow :-(
7 k# a: J9 q8 Y( h   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  * G5 D( _: L0 a- Y( b$ o8 L
     ;will break 3 times :-(
5 d4 h7 f1 O9 I9 n4 s) j1 Z2 i6 e# o& j4 v( j4 K/ k* J
-or (a bit) faster: . M! Y9 n% Q: |9 A
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')6 H$ [$ O9 I0 d; c: P5 d
1 C& U1 o- u; M* R' x! S: i6 @
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  3 e/ C/ {0 P9 ^  e8 x
     ;will break 3 times :-(2 V9 ?# |6 W% P% I; `, E! o3 `1 C

$ u+ `+ \0 c5 C7 U/ H" D-Much faster:" i- ~" ]9 X6 s+ @$ j- ?
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'( G1 ^0 D. m6 a6 w: |% Y( ?
; b3 c! E; U4 e- n* v
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen2 ?3 f" ?2 O1 b- e
function to do the same job:7 i" m. y' p$ B. Z9 X

1 Z* L: z$ i  R3 C+ e# t7 V/ L   push    00                        ; OF_READ
+ d+ X2 }6 A# p* n   mov     eax,[00656634]            ; '\\.\SICE',0( A) A% q  S6 {& |6 v
   push    eax
$ w" J3 q/ N' r9 q1 X4 H   call    KERNEL32!_lopen
: F3 p! z6 P. \: Q5 W' B6 @, g   inc     eax0 L4 r1 j% L4 g. j5 z
   jnz     00650589                  ; detected  F; r, ~" Y/ G% W) N
   push    00                        ; OF_READ9 c9 x; ~6 c* r9 q2 Y/ C
   mov     eax,[00656638]            ; '\\.\SICE'
0 i5 p- X3 N+ d. H% r   push    eax
) Q) `( I4 |7 \: N+ t   call    KERNEL32!_lopen
( t8 u- J% S/ ?; F# @4 z, w   inc     eax
: \3 ?( i# a8 _7 P! r4 X   jz      006505ae                  ; not detected  {3 A' q2 @, O7 z7 H
' S" q) z1 E" ?

1 g# K/ D) [) D' t. N; h% A, p' r__________________________________________________________________________- ?8 }3 u9 u) m0 T) v. \

0 j/ {% ^- P! T6 I0 F7 K1 eMethod 12
/ y  ?; J; \0 I' b8 E! z=========
6 r$ _) M# V2 l1 s+ u! \& F0 x/ J9 B8 i- A
This trick is similar to int41h/4fh Debugger installation check (code 05
& C; I$ r  s9 J) m9 z7 d& q" [&amp; 06) but very limited because it's only available for Win95/98 (not NT)
; |9 S! S# j2 e) M' y2 c  uas it uses the VxDCall backdoor. This detection was found in Bleem Demo.  O8 m, |' d" v% u' {9 ~& b. V

+ J# s2 i' S/ D9 |$ _8 s   push  0000004fh         ; function 4fh
0 ?, v) w8 p  J( ~   push  002a002ah         ; high word specifies which VxD (VWIN32)
8 E: Y9 S, m3 d4 {                           ; low word specifies which service
( X! {& E* I& T. A# p' L                             (VWIN32_Int41Dispatch)6 Q! ^! n1 F, k) v' I. i' ?) J6 b
   call  Kernel32!ORD_001  ; VxdCall
% w: R- ^( [$ U7 G3 q: ^; ~   cmp   ax, 0f386h        ; magic number returned by system debuggers5 }" @8 z" a2 u+ `5 o0 P8 V& J& X
   jz    SoftICE_detected0 n5 Q5 I7 P2 r& m( C( h
' t  I5 X; A$ A6 q
Here again, several ways to detect it:
& O. {$ m+ C& [& K, l# Y6 \" z2 T- @3 w9 v3 ]/ f$ p9 Q
    BPINT 41 if ax==4f& h! d) R" E, z1 ~0 H; g
9 u! Q8 a9 W( S. A5 ^+ y  j
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one/ S6 T5 i# f6 l' ]

: D. A' T: y: L$ n    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A8 a; e5 E$ Q) N

3 ^+ b, `8 P1 W5 }- s    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
  {4 [) m" E* c; j2 r& E' U3 ~5 D( @
__________________________________________________________________________
4 o$ @% \1 [* ?  ^( A- {8 W6 ?9 k0 j1 f/ w8 Y% d( O  n( {
Method 13. n, T& D; d0 C$ T2 @
=========
8 x; |8 s. g5 g9 _$ d" B& }9 D+ h  v* u
Not a real method of detection, but a good way to know if SoftICE is
$ Y; ~0 w( D* S- Xinstalled on a computer and to locate its installation directory.
* b) ]* s6 R6 }It is used by few softs which access the following registry keys (usually #2) :6 i/ e) M4 E( @: L. a! D

6 W0 `! V+ j. T5 F-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion4 U- d/ V+ h; g( ?  ^" |2 }/ r
\Uninstall\SoftICE* F/ h3 a# K4 W) |- |: |
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- ^! O" @* G; b9 _# l-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  {8 i5 q& R' Y8 U) D
\App Paths\Loader32.Exe
6 S; ?& b' \1 o* {
3 j4 l$ [) q: s& ^% j5 s8 ]* t+ M9 c4 y- A
Note that some nasty apps could then erase all files from SoftICE directory9 x7 h3 @  B( s3 D3 L: K4 \
(I faced that once :-(
5 }+ |- G! W7 N1 a' c8 H4 J
2 Q+ u' K' [) \, B- o7 C; e4 QUseful breakpoint to detect it:5 _1 S* \# [$ Q, c0 w' Z

5 f: q. S2 N/ c# G" |. }+ [9 y     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
; m6 q& ^/ |3 U6 {( t
' }$ o6 d, L6 Y__________________________________________________________________________
9 ?6 K3 [  V3 @# V
9 K) `7 V+ ^: j: f& }  a. m' R' b4 m7 p
Method 14
5 T' L! `/ S" }* q7 \$ l1 V7 W=========- P4 _- e) E' y( y- N2 d
- h* x1 [/ i! [. M* z1 m) x
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
" O% i" _" M8 ~/ `6 dis to determines whether a debugger is running on your system (ring0 only).  O8 l7 d2 h6 k" J5 v! I1 G7 Z

% h- X$ }/ @( m8 ?   VMMCall Test_Debug_Installed# U- v/ q7 b% W( @/ T
   je      not_installed
- B% c# c+ Y0 a" H8 x* l  P3 M+ T+ V* `) H- ?6 Y, S* j; k" \
This service just checks a flag.
8 X8 C  K  e( W; \</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 08:31

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表