About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; cl is updated only if our own handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; timer byte: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* the \\.\ prefix addresses the device object exported by the VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

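Added example (not part of the original text): a small static scanner over the byte encodings of the tricks described in Methods 01 to 07 and 11 to 13, of the kind an analyst runs on a sample to flag anti-SoftICE checks before loading it in a debugger. The opcode bytes are the standard x86 encodings of the listed instructions (16-bit code, with an optional 66h operand-size prefix for 32-bit code); SAMPLE is a constructed buffer, not a real binary.

```python
"""Static scanner for the anti-SoftICE byte patterns described in this text.

The opcode bytes are the standard x86 encodings of the listed instructions
(16-bit code, with an optional 66h operand-size prefix for 32-bit code);
SAMPLE is a constructed buffer, not a real binary."""
import re

# (label, regex over raw bytes).  The optional \x66 lets one pattern match
# both the 16-bit and the 32-bit encoding of the same instruction sequence.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... mov ax,4 ; int 3
    ("01 BoundsChecker 'BCHK' int 3",
     rb"\xbd\x4b\x48\x43\x42.{0,8}?\xb8\x04\x00\xcc"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (ASCII 'FG' / 'JM' magic values)
    ("02 back door magic SI=4647h DI=4A4Dh",
     rb"\xbe\x47\x46(?:\x66)?\xbf\x4d\x4a"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh",
     rb"\xb8\x84\x16(?:\x66)?\xbb(?:\x02\x02|\x5f\x7a).{0,4}?\xcd\x2f"),
    # Methods 05/06: mov ax,4Fh ; int 41h (vector swaps may sit in between)
    ("05/06 int 41h function 4Fh", rb"\xb8\x4f\x00.{0,24}?\xcd\x41"),
    # Methods 05-07/12 all end with cmp ax,0F386h
    ("05-07/12 cmp ax,0F386h", rb"\x3d\x86\xf3"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h function 43h", rb"\xb4\x43\xcd\x68"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) before the VxDCall
    ("12 VxDCall 002A002Ah", rb"\x68\x2a\x00\x2a\x00"),
    # Methods 11/13: driver and registry names stored as plain strings
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("13 NuMega registry key", rb"NuMega\\SoftICE"),
]


def scan(blob):
    """Return a sorted list of (offset, label) for every signature hit."""
    hits = []
    for label, pattern in SIGNATURES:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample: Method 01 (with 66h prefix), the HASP back-door
# fragment (mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3),
# the int 41h check, two MeltICE device names and NOP padding in between.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xbd\x4b\x48\x43\x42\xb8\x04\x00\xcc\x3c\x04\x75\x10"  # hit at 5
    + b"\x90" * 3
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"         # hit at 26
    + b"\x90" * 3
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3\x74\x05"                  # 36 and 41
    + b"\x90" * 3
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                          # 49 and 58
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```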
__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>