About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected



The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] is the int 41h vector
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own (dummy) int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                   ; our handler copies al to cl, nothing else
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a hard-to-predict byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl != al: someone else serviced int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE Loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* try to open the Win9x SoftICE driver by its device name */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-((

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.


   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
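Added example (not part of the original post): Method 10 above quotes dr7=0x700 after a start through SoftICE Loader and 0x400 otherwise. The Python below decodes DR7 using the layout documented in the Intel architecture manual (L0..G3 enable bits, LE/GE at bits 8 and 9, the always-set reserved bit 10, GD at bit 13, R/W and LEN fields from bit 16), so those two values can be read: 0x400 is the reserved bit alone, 0x700 has LE and GE on top, and neither has a DR0-DR3 breakpoint armed. classify() states what a check that reads the debug registers would conclude, which is why the warning about clearing BPMs before running such code matters. The sample values are constructed.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bit 2i     L(i)   local enable for DRi, i = 0..3
#   bit 2i+1   G(i)   global enable for DRi
#   bit 8 LE, bit 9 GE   exact-match flags (P6 and later ignore them,
#                        debuggers still set them)
#   bit 10     reserved, always reads as 1
#   bit 13 GD  general detect: trap any access to the debug registers
#   bits 16+4i..17+4i  R/W(i): 00 execute, 01 write, 10 I/O, 11 read/write
#   bits 18+4i..19+4i  LEN(i): 00 1 byte, 01 2 bytes, 11 4 bytes, 10 8 bytes
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}


def decode_dr7(dr7: int) -> dict:
    """Flags plus the list of armed hardware breakpoints encoded in dr7."""
    armed = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue
        armed.append({
            "reg": f"DR{i}",
            "scope": "global" if glob else "local",
            "kind": RW_KIND[(dr7 >> (16 + 4 * i)) & 3],
            "length": LEN_BYTES[(dr7 >> (18 + 4 * i)) & 3],
        })
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": armed,
    }


def classify(dr7: int) -> str:
    """What a Method 10 style check that reads dr7 would conclude."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        armed = ", ".join(f"{b['reg']} {b['kind']} len={b['length']} ({b['scope']})"
                          for b in d["breakpoints"])
        return "hardware breakpoints armed: " + armed
    if d["LE"] and d["GE"]:
        return "no breakpoints armed, LE/GE set (the 0x700 value quoted for SoftICE Loader)"
    return "no breakpoints armed, LE/GE clear (the 0x400 value)"


if __name__ == "__main__":
    # Constructed values: the two from the text, then a local 4-byte write
    # breakpoint on DR0 (what a BPM leaves behind) and a global execute
    # breakpoint on DR3.
    for value in (0x700, 0x400, 0x000D0401, 0x480):
        print(f"dr7={value:#010x}: {classify(value)}")
```

The point for an analyst is the second branch of classify(): a memory breakpoint set in SoftICE is visible to anything that can read DR0-DR3 and DR7 in ring0, so the text's advice to disable or clear breakpoints before stepping over such code follows directly from the register layout.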
</PRE></TD></TR></TBODY></TABLE>