找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
2 j' y7 Z1 h9 z8 j' z6 r<TBODY>
# C9 @1 w2 F6 k* y. e7 F<TR>
1 n) p" o0 z% y. Z: Z<TD><PRE>Method 01
; x4 t% M% a3 v% c$ a. ^=========' t, K9 K7 C& B5 H9 F

& z( ]. L; W! V3 YThis method of detection of SoftICE (as well as the following one) is. ?. a! l3 V  a  ?1 L4 _
used by the majority of packers/encryptors found on Internet.
) m  @, k8 m) h. e3 y+ Y/ S/ CIt seeks the signature of BoundsChecker in SoftICE& j: n5 A! g* F) R% o
+ N  g9 M( ]( E; _+ X* V8 {
    mov     ebp, 04243484Bh        ; 'BCHK'
2 S* [( I+ O( y    mov     ax, 04h& O0 i, l) \9 A) J  g, z
    int     3       3 J* c; y4 ~* r, s# r2 }! t
    cmp     al,4
9 F2 |1 m7 B0 H$ A    jnz     SoftICE_Detected6 c2 o9 @- `, S  L

1 O$ F! p( a( Y# v___________________________________________________________________________4 H  Y" Y% b5 G8 @2 b7 F  J* z

" D2 ~  B( o! x8 h7 {4 ?Method 02
( J8 J0 L7 ~0 p0 ^; k5 r4 {=========
  A  I6 u% B4 ]2 N, C' @' L+ }, Q4 V' p! r7 r0 S
Still a method very much used (perhaps the most frequent one).  It is used
1 l- s9 _6 n3 h- zto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
+ w+ J# P$ O6 ?6 d7 T; i; p- \or execute SoftICE commands...
1 J' d0 f! w! m% G( ^6 CIt is also used to crash SoftICE and to force it to execute any commands4 T0 N% P( o6 z) A9 c
(HBOOT...) :-((  
( Y8 t* d, q# A- H6 s  m
* Q) o! H7 H' a8 L' m: WHere is a quick description:) w  N! R, \, _+ f7 b) o/ R
-AX = 0910h   (Display string in SIce windows)( Y0 j, j0 r9 G
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)$ b* @$ A  h& Z3 L8 Y  g# ?
-AX = 0912h   (Get breakpoint infos)
4 r% Q" }  ]- _- m* c-AX = 0913h   (Set Sice breakpoints)
' n/ x9 S& F# H3 o, Z$ Z* _' L-AX = 0914h   (Remove SIce breakoints)
  ^) c- R5 `3 ]- Y, H$ l+ I% R) p& ^, R5 L! r* W* ~% {4 x
Each time you'll meet this trick, you'll see:/ W; U' P% w4 b% K
-SI = 4647h
( m5 A9 @$ d. B4 C% _$ r-DI = 4A4Dh
. u* D9 k# |' z9 H8 _$ V' UWhich are the 'magic values' used by SoftIce.
( v- E0 W: _$ e. h- K% a- A3 l  WFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.: x$ S. s( P6 F. c4 ?7 ^- l. D
5 [0 n2 W( y- j" W' b) E
Here is one example from the file "Haspinst.exe" which is the dongle HASP; T, C6 j) A! |/ P* I& k) K8 ?
Envelope utility use to protect DOS applications:" u) C7 C" V, d- y! O0 b

0 \( f# H  e/ X" J" e8 D; w& E$ r- P  k
$ B) o. y0 F. h8 ~1 }4C19:0095   MOV    AX,0911  ; execute command.
* w7 H  f( E; J6 w4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).! Z2 J0 ?. [7 A" O9 z
4C19:009A   MOV    SI,4647  ; 1st magic value.
- e- m% S6 [( f* y- \% v4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
5 v$ `! k7 n" s3 d" ]4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*). x1 u& w( \2 H* C; \
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute, F, ~/ K& q' b$ w& D
4C19:00A4   INC    CX
% i& }  K3 m6 O3 ^$ B1 h4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute$ N+ K& L9 X8 X, a7 W
4C19:00A8   JB     0095     ; 6 different commands.
% I) N5 `9 ?, f' H0 B. _* P4C19:00AA   JMP    0002     ; Bad_Guy jmp back.& v( C1 E+ J. q% z/ ^) r
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
: ~) Z3 [" t+ C6 e' u: ]8 I1 S1 ?% h* Y5 u6 h! T
The program will execute 6 different SIce commands located at ds:dx, which
5 }: }8 ]+ A( g" @5 i# W* r4 H7 ware: LDT, IDT, GDT, TSS, RS, and ...HBOOT.& I" J( M$ `6 ?

! [& \; L% C6 h8 ?8 ?) ]/ g* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
$ c2 x4 y2 W7 f___________________________________________________________________________6 d+ Q  L: l+ ]& q5 c  \0 P

! |9 w4 i  s0 P$ r2 H
) q5 Y6 }  R) R1 GMethod 03
6 u4 Y0 ~, f/ B6 o1 v; {=========
  h- L2 i- X! v# d" P% I
# M, H5 F# J& w, p, f) ^* {Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
. k. X2 ?$ q( }0 ~4 k(API Get entry point)) ?+ o5 R# X  d
        
9 L8 Q3 n/ p$ H' K. E) f- y0 x" A4 q  O
    xor     di,di. c9 z; J2 r! q& _
    mov     es,di  R( i+ t! y! v+ U/ v6 Z
    mov     ax, 1684h       # `& Q) g  l* E, N
    mov     bx, 0202h       ; VxD ID of winice
, t+ `6 Z* W+ S- {) i. O    int     2Fh( d) ]5 C' x+ ~+ B
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
9 ^1 `4 l& R! R0 O, y1 S- _5 J    add     ax, di
1 n, p) A  ]; F! \( S5 N. @  O, {    test    ax,ax
) Z' q( R2 H" A+ m$ s& N    jnz     SoftICE_Detected9 p) K8 W4 p3 M( S0 r0 ?
: ~; V/ d( S! i& a
___________________________________________________________________________  N. r: }& f5 Z: r/ m: L7 ^

4 R0 M# j# p3 v, z* s% AMethod 04
% P! C. x2 S6 [6 }+ N2 @; b! f=========) e; b; |0 F+ X. _
+ c3 D7 `  b: N2 m! o$ z
Method identical to the preceding one except that it seeks the ID of SoftICE
  _$ _8 A& F7 g" n5 Y( l6 \/ [& YGFX VxD.
4 m, G" X3 K4 o# J6 |+ V; N$ {. J) Z7 l+ ^* @: T
    xor     di,di
; V; U: j; K1 t& m. n7 T    mov     es,di
  m5 J% Z' Q* }    mov     ax, 1684h       ! }. `6 x4 M+ b- h  x0 x) j: h7 v
    mov     bx, 7a5Fh       ; VxD ID of SIWVID* r  }% j2 T9 T2 y9 T8 n9 C
    int     2fh
: s/ V2 A8 [3 y3 `) v. \& q% W8 h# X8 R    mov     ax, es          ; ES:DI -&gt; VxD API entry point
: j* m2 |4 Z  `9 S0 Y. @    add     ax, di
, l, |, j9 z! t* E! d$ m' m$ h    test    ax,ax2 z' @4 F+ g7 m
    jnz     SoftICE_Detected
5 `  C6 \6 T& C6 C! d0 z. ^" q/ ]. W* P
__________________________________________________________________________
; D$ i5 b! O- s; `4 v1 `1 F& Q' |5 N2 F  `2 ^3 `; v
/ D9 `3 ?: S) X8 b0 G7 T& J! D6 T
Method 05# ?, t, j1 ]$ g( R% a
=========% A( G) B( V2 \! h9 R, C
% f! G: ~2 w& E  T
Method seeking the 'magic number' 0F386h returned (in ax) by all system
* y$ N7 S: E  |7 D, W2 C4 Y. Fdebugger. It calls the int 41h, function 4Fh.
8 X. f$ l$ X) l5 _( [+ L1 L3 n3 i4 pThere are several alternatives.  
* {3 f5 ^7 y8 E/ |! {6 e% U0 ^4 v3 g
+ |- P8 h2 ]6 S3 D* XThe following one is the simplest:% r: a1 ^/ o  q7 I. I

, ], I( p0 W: D# c    mov     ax,4fh
5 d- k- m! p, @    int     41h7 [1 n9 p7 ~. }/ ^
    cmp     ax, 0F386
1 e- e5 {& G% A+ C" A0 |4 N    jz      SoftICE_detected
! A7 Y- Z  a: ^( k: ^1 K' W
, U' k+ V4 m- z/ n) K+ F- B- I! k+ A6 t/ o
Next method as well as the following one are 2 examples from Stone's 0 C2 [: v+ l; h$ I* W0 \0 ~( U
"stn-wid.zip" (www.cracking.net):% R/ S9 W3 a$ I0 E
2 I" ?. |! g5 U' x
    mov     bx, cs7 k. A4 @# g0 h3 Y3 k; H$ q
    lea     dx, int41handler2
2 l9 N: }) C- K$ j  M# k9 W2 ]    xchg    dx, es:[41h*4]5 V/ a+ s3 k% W3 B& x- W, I
    xchg    bx, es:[41h*4+2]
" m1 g8 S+ e# z9 K! a, |( M    mov     ax,4fh
8 P6 Y7 O: J  E: ^; J2 ^  i! m  ~    int     41h
+ o) k) P/ ~1 p. p    xchg    dx, es:[41h*4]
1 |% {1 U+ W- H6 e( u1 m3 R    xchg    bx, es:[41h*4+2]
4 }2 z" `4 j- v- _- Y+ ?    cmp     ax, 0f386h
+ e2 o) K+ T' }, v8 P8 G    jz      SoftICE_detected
/ {) C; Y/ [& {' ^$ E3 O1 \
6 L; d% U8 o, @: T. n  Q/ k* nint41handler2 PROC# J1 l+ r* }+ J4 {2 G2 Z4 q$ a, _
    iret5 u9 `7 l! `6 ?) C! [
int41handler2 ENDP# b$ I* ]( l6 @) L) ?

  u9 C+ d* g7 H: d" z
) _# t4 d9 ?' _( _8 k& P_________________________________________________________________________( ]8 [8 g* q8 o" |
; A4 Q5 V* e+ J& _

: z( X# M9 m5 `+ b) L4 DMethod 06$ M* p$ b( A1 _# V$ {; I% _
=========
+ [' C- z9 Y; K  }# y, K
/ Y1 ^: x& s1 b1 O, _
2 V+ R3 I. f2 h2nd method similar to the preceding one but more difficult to detect:
! b& p- U* s/ C1 D' q* i) r+ t
" s! J( _7 D9 `3 q0 w+ A
" {4 M( N/ V# v4 u/ x) [int41handler PROC4 E) b1 s! l0 ]8 N& L& o
    mov     cl,al  t! ]' T" {5 s5 k1 U6 _
    iret
1 c+ }6 F6 C' @# Hint41handler ENDP
% P7 B7 z* I9 f9 W. `  P+ P) m+ B
8 o. ^& H# g4 g' d: D
0 c. ?& I& c* {* g    xor     ax,ax
4 ]; a  A0 t9 I" w" x% X$ q    mov     es,ax
; w; `6 Z) U3 z9 C3 ^) h    mov     bx, cs6 S3 W* p- F' k9 U
    lea     dx, int41handler
1 N, `5 u8 [% e/ O3 m. W    xchg    dx, es:[41h*4]
0 }+ d5 J1 A/ h9 e2 J5 }  C4 l    xchg    bx, es:[41h*4+2]! r4 I; f) m" s3 t
    in      al, 40h9 D1 z; Z8 @) g  c
    xor     cx,cx+ G' Z2 E, L8 R, S9 @
    int     41h
' [4 n! \' c3 s( k% V, C    xchg    dx, es:[41h*4]
* i0 [$ `& M1 e9 g! Y2 K4 j3 a    xchg    bx, es:[41h*4+2]0 V# ]$ R- v  ^, F+ e
    cmp     cl,al
9 a% i6 ?! o0 W( l' i    jnz     SoftICE_detected- G8 Y9 V: o9 d0 |
1 Y0 l" U5 ~1 G$ o! X. A
_________________________________________________________________________- M$ H+ |1 x" F" y& m+ l

$ Z9 ~1 P5 F, ^$ t1 T% }Method 07- |$ M/ z! m) j% a7 H# ~
=========
+ U0 N  W8 P' ~* h1 ~' t3 h( X7 g2 z
" f. ]* \! y' k) Q% t; I2 p$ M& Z% m( lMethod of detection of the WinICE handler in the int68h (V86)3 A- W$ E8 R5 i0 w9 h

6 l) K, x0 K1 O/ [; h" T8 I. h0 W; b0 v    mov     ah,43h
; I3 q. \3 Y) L6 k* q, K* [    int     68h  i. ?# Y7 ?' ~& G6 o! Y
    cmp     ax,0F386h3 ~& c) {& C  r
    jz      SoftICE_Detected  x5 p1 {- s* U
8 R: E, T. N" L9 H/ N
2 ^5 Y. F- R; J. r7 z) Y' C* f
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
8 T1 ~. ~' ^# K3 Y8 }" Y0 p0 w   app like this:
1 R9 t# y1 T8 W
6 U: B5 B+ Y- ~& S: B3 D   BPX exec_int if ax==68
  e# t. g+ x9 h7 j5 W  {( x   (function called is located at byte ptr [ebp+1Dh] and client eip is% n+ h; b6 M& l  \
   located at [ebp+48h] for 32Bit apps), A, ~5 ]1 m9 c- [% S3 x$ a, Y
__________________________________________________________________________3 l+ F2 D+ i  q4 c
4 ?  C; x$ R4 w) d8 n/ S! \) S

: v' g6 X, ~( a7 b1 d# \) ~$ @9 nMethod 088 g8 q4 V, s- d9 w
=========+ l+ x; F" V( K# v7 I$ `" G
/ `* ?7 p) P; R, K, Q; h
It is not a method of detection of SoftICE but a possibility to crash the
% J: @/ a* T" i. @0 U/ Usystem by intercepting int 01h and int 03h and redirecting them to another
9 G4 k: w. g  b; Q) c' v- O2 broutine.8 R' W. p: y: _9 Y" v! a0 C9 \2 o2 c
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
+ o" i7 _- M2 O( `5 A2 i5 c. X# Sto the new routine to execute (hangs computer...)8 S) C+ V2 \; ~+ J$ G
+ o9 b9 T5 e. G2 o
    mov     ah, 25h& ~$ I( o& A: B7 I8 H% B
    mov     al, Int_Number (01h or 03h)
6 w- h& t5 M" ]7 h0 H' R5 V    mov     dx, offset New_Int_Routine
1 i/ s2 `) B. P/ ~    int     21h
% X% j* F2 ~6 {1 X- S. F
3 K* ^! G; o& ^( c/ _- Q9 v__________________________________________________________________________. j6 F. I1 ]: G. W/ Y/ W5 j
9 a, l1 w& e- p  ~, Q2 H
Method 091 g/ Y. K, Q  P- h
=========7 T, J" o- G$ p* }3 K3 Z5 b7 O* B) d

9 J1 r  ?  C: R# o: f+ WThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
0 p! O3 A) z, _$ n; r! y& ?performed in ring0 (VxD or a ring3 app using the VxdCall).. j% E# D" O# t) s: V; n
The Get_DDB service is used to determine whether or not a VxD is installed
& c: t& {+ Y( l$ e% [0 Ofor the specified device and returns a Device Description Block (in ecx) for+ V# q: ^  t/ I/ y  a
that device if it is installed.0 Y- m' j; B4 \9 d, a

; z( N. j4 r+ z) H) _' Y5 e2 s   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% J1 x9 w: |; O5 E+ K9 Q; L% Y* w   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)5 Z0 C$ b0 N' u
   VMMCall Get_DDB
. A" N. B1 n! t2 Q: K" z   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed% ?% t8 F, _7 H; i
! |0 R) Y: Y" S2 Z6 \: \/ E
Note as well that you can easily detect this method with SoftICE:
: C) e3 A2 k7 b/ [5 r' J2 F2 M   bpx Get_DDB if ax==0202 || ax==7a5fh
/ W& {  ^, ?6 @2 j7 ]+ W6 b& w1 F* C* p1 q. x
__________________________________________________________________________
/ n% h% Y* g: Z
6 q* ]& f, z8 N; r0 K! UMethod 10$ d! P, ^* H* D: J3 h
=========) ~; N1 V) p6 N8 Q* a. l# t* C$ [
, E4 A' z3 M. |. Z9 B  r
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with/ w. n. x1 `( Z6 a
  SoftICE while the option is enable!!: N( h4 J# x* s* h* Z4 d+ X

# z0 U7 [7 A* o9 vThis trick is very efficient:
& P, S$ U6 p4 F$ C. L1 fby checking the Debug Registers, you can detect if SoftICE is loaded$ n3 L' W. }4 v1 G* {
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
1 m; n1 ~" m+ O+ ~0 a' S! n% a, dthere are some memory breakpoints set (dr0 to dr3) simply by reading their
% y& ^0 T, U7 T  wvalue (in ring0 only). Values can be manipulated and or changed as well
8 Y$ R- l( v) u% D4 t+ f9 g(clearing BPMs for instance)
7 j# t$ n  v1 N, X# ~
7 z4 E1 e2 C; v' A__________________________________________________________________________7 [2 A: @* n1 f" f$ F# H+ q: ^

% R/ e; E( Z: E7 O" h# {Method 11
: o8 y0 C: h2 ?=========
6 d% y/ Z& V+ v1 f/ m# s' g
1 f! o; F' G+ _- ]2 t& X% @' BThis method is most known as 'MeltICE' because it has been freely distributed) `/ k  f+ g3 a7 ?: }
via www.winfiles.com. However it was first used by NuMega people to allow. Q6 ]! R5 a6 l. Y7 r& G) v" J
Symbol Loader to check if SoftICE was active or not (the code is located
5 R# p% r1 e2 g' _1 ^inside nmtrans.dll).
2 o' z4 S+ a# a4 u- y4 |. S) ?$ ?) @: ~3 Y$ b8 G5 D1 ~
The way it works is very simple:4 m, S, p! n% t# R$ `: l3 e
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
# G8 f% t7 ~: S6 b' X# }8 KWinNT) with the CreateFileA API.
# e/ ^% I, H: r3 k% Q/ W, |8 o( e1 e
Here is a sample (checking for 'SICE'):
% T" m( ]; X6 `" l1 b  d
+ _  w! Z0 z  RBOOL IsSoftIce95Loaded()
, V* v  Z9 t8 y, K; H{3 w$ `; @# [- U& E; \4 }9 r8 R* }/ {
   HANDLE hFile;  
" `, q, w; J' t+ O7 d   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,4 A, J: G) y0 c) L; a# J7 d4 B
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
! |  T2 d8 P- m# k  a                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);7 E. A( D1 [6 M$ ^9 D( h
   if( hFile != INVALID_HANDLE_VALUE )
& l9 i( e8 @6 i. b: C+ K   {6 D! G9 A' o4 Z8 g% k- `
      CloseHandle(hFile);
: o3 h2 c: I) ]      return TRUE;& i3 W& z* f2 }7 D% p' g% H) r$ O; A
   }
2 T; p% [# x0 C   return FALSE;
, I* c% i# N' z% i) r}
1 Z0 a4 l; e4 G: x: Y) K$ n! T$ q
Although this trick calls the CreateFileA function, don't even expect to be) T+ ]1 d" G3 v
able to intercept it by installing a IFS hook: it will not work, no way!
8 F& D- t8 Z9 Z6 \: oIn fact, after the call to CreateFileA it will get through VWIN32 0x001F6 [/ W4 B  L! u% @( C
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 {+ g% q/ s6 t( b! mand then browse the DDB list until it find the VxD and its DDB_Control_Proc( V; ]' [" z  i" v8 K; z3 }
field.
* Y" s% O) d. w8 w& S' {" qIn fact, its purpose is not to load/unload VxDs but only to send a ! Q, U! N! k8 t; N
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE), \# `; M; ?. V$ S1 `$ V) q% ?! F
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
5 W1 \' Y) y& `! Q- _/ I3 }) l9 Fto load/unload a non-dynamically loadable driver such as SoftICE ;-).( e. V3 V; t0 Y7 p
If the VxD is loaded, it will always clear eax and the Carry flag to allow
% Z7 L2 \( a; J8 C. W5 Sits handle to be opened and then, will be detected./ I7 W; X  h. I8 P3 h
You can check that simply by hooking Winice.exe control proc entry point
+ c* i0 p/ u$ \: r& Zwhile running MeltICE.. q9 W6 \7 o" N1 H) s! g9 G- c6 t
1 D+ c: E. b* e$ v) S( V

9 k, I, R5 y) V9 k  00401067:  push      00402025    ; \\.\SICE8 `5 n9 I) Z' U9 c! _
  0040106C:  call      CreateFileA
: S# f" Y6 d* s; A% {8 r) r% s# n  00401071:  cmp       eax,-001) ^1 q0 a2 R3 c$ x3 h4 Y% c
  00401074:  je        004010915 r5 J0 a! |' R+ w
) f/ q' A4 H) E

6 H7 @& D8 y" R+ m1 |There could be hundreds of BPX you could use to detect this trick.
) d3 ^. P- q6 u( D, O-The most classical one is:0 y5 _$ Z, N9 t5 R# h8 ^7 g# e
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
, k  n9 |' t, b3 W6 D! w1 w    *(esp-&gt;4+4)=='NTIC'
; ^, C' ]( }# s* r, d( s* L: c$ g  f
-The most exotic ones (could be very slooooow :-(
2 S; q7 A5 Z9 X0 `8 Q   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
/ }$ ]7 P. b1 P     ;will break 3 times :-(
1 K( M% F) `6 P. ^! N
% n4 S3 q' k5 m; Q1 E+ ^-or (a bit) faster:
; s/ [+ [9 O' O: j# j   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
* @2 h$ D9 b6 f" m/ ]( \+ `8 I% N% @
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  4 U+ F7 H' L. r# a2 t0 w% t# [4 b7 b) S
     ;will break 3 times :-(
8 a: \! \4 m# r9 Q, y5 M. R8 `% L3 W
-Much faster:9 v- a; e$ c8 \( w4 x) X+ {
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'% B5 W+ N' u$ v6 M, a1 t3 V

- Z' h4 Y' q3 @) |6 hNote also that some programs (like AZPR3.00) use de old 16-bit _lopen$ j" `+ k2 E) G6 u# J
function to do the same job:/ `2 n  O8 }5 ?9 _0 q
$ |+ s9 m9 S& B' c4 @
   push    00                        ; OF_READ
6 }  t+ ]9 W3 G' C/ V   mov     eax,[00656634]            ; '\\.\SICE',03 h" d5 t( \( @8 b
   push    eax+ s; x7 v$ b1 S  @" G. I( K, C2 f; X
   call    KERNEL32!_lopen
' i7 ^  D  H% B9 Z. ^   inc     eax  Q, g. ^; l2 w0 ~$ `* d
   jnz     00650589                  ; detected; s- [% C- v% w: ~: u, |  R9 q+ D
   push    00                        ; OF_READ* @1 f% N( Y5 w
   mov     eax,[00656638]            ; '\\.\SICE'. Y* {0 K$ I0 Z3 e7 Z1 N+ }
   push    eax
' H  h# i9 v0 k- e   call    KERNEL32!_lopen* P( M5 }( P" `% @% R
   inc     eax' B8 {+ e3 X5 G! c4 C2 d9 a
   jz      006505ae                  ; not detected0 _# }9 Y4 X* d8 b
! N% }' W! B+ ^: J6 h5 ~" ]

/ t! s1 u- f$ N' l0 B' n" |__________________________________________________________________________
8 S  I% v* G2 M" }/ p2 n% `, }" z8 E! o2 p5 N, `. q
Method 12' n1 c; l& z8 `( p* a; V
=========
" s6 u3 \  w9 r9 W. A5 K8 V  d1 L0 D
0 @! C6 I  \; ]6 I( G! s6 zThis trick is similar to int41h/4fh Debugger installation check (code 05+ F8 k7 Y5 r! Y4 k+ o9 u
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
. e! \3 N0 s  x. z' N- y% {4 cas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
& ~: a, K4 e- b4 n- N+ [" U: V0 `- q0 D+ e( b
   push  0000004fh         ; function 4fh( }- x2 V8 ~  W( r1 S+ R/ C5 L
   push  002a002ah         ; high word specifies which VxD (VWIN32)7 _, ~4 C: X4 _6 Q( }) D
                           ; low word specifies which service# [- Z1 e1 r& I. J
                             (VWIN32_Int41Dispatch)
. {- t) B# S5 J7 L# M. m% R8 q( j   call  Kernel32!ORD_001  ; VxdCall! D+ `4 O' H9 W8 d" Y' Z% ~
   cmp   ax, 0f386h        ; magic number returned by system debuggers
+ s1 s) s. e7 n% u/ q+ K" y& k   jz    SoftICE_detected: k; P9 O1 B. I: _% ~
4 [, `+ Q  o  _; N' u9 j
Here again, several ways to detect it:
8 E5 ]% j1 f* Y6 ~  W! x
1 j% m0 V/ ~3 E  u3 f    BPINT 41 if ax==4f/ a7 \) ~, b' _  j

6 X, @) t4 p* R( d% _6 Q8 e- i( i    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one+ p0 B# q# c( K1 h) F3 l
/ W! U2 j. t4 H% Q/ w* N
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
, `2 K1 `! l1 E* o
6 u2 v- O- S/ ?" A( i0 ?0 a    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!* s* o; J9 b5 F* J3 B1 g1 A# R; L

' W0 x5 B0 P' \# O* h__________________________________________________________________________
! M1 o) ~2 y! v7 L  n" J3 u5 v9 n+ b/ |* [- f, h! h
Method 13
  m) {/ k) L- H& y* i! Q+ w# V=========* `; j" V6 l& b* {

- ]' Q" `# ]) X$ T1 NNot a real method of detection, but a good way to know if SoftICE is
7 M7 r9 N' z  W6 Minstalled on a computer and to locate its installation directory.
/ f  T  O0 w* [% v7 i: P" rIt is used by few softs which access the following registry keys (usually #2) :
! D# S% m4 {* U  J+ w' i
" _5 O- U( x( p# l; y5 O( l-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: }3 K5 ~8 e* N! @% j7 y2 G
\Uninstall\SoftICE
6 S5 t* @) c- f( S6 }: ]- R) `% g; X-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
/ h, B; J# K0 {* s' k5 W' `-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
6 b2 [0 s/ }7 ?# Q( v\App Paths\Loader32.Exe* o) C' Y; X' d6 N$ G2 {

4 l& U$ [: n3 k2 [- W+ `& J$ _# `
1 V+ ^/ m/ ^" yNote that some nasty apps could then erase all files from SoftICE directory
3 D, ~- ~' E, Y6 u  v+ A(I faced that once :-(
) @* {9 r2 `  U5 C! k. G" a* i$ E. I: t3 p8 t6 H
Useful breakpoint to detect it:" R) L0 w; U3 |; v2 R* e

: T+ n: _* n4 V4 a, Y' k' B     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
: B- j' i. V5 ]; T8 T& J! x) K, {# h+ K
__________________________________________________________________________
; t) g7 g4 k8 [2 y; L7 J: t$ `# k! g
: n! O$ e/ Y, D9 U3 l' P
Method 14 ' Y: v5 @/ C. l$ Y" o; g9 H9 I
=========
8 h+ y: W7 v* Q% k0 C1 |: Q" c
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose( H# h% x6 x1 g* j) r. [: _
is to determines whether a debugger is running on your system (ring0 only).. @6 c7 i2 [  e: n" M

! g$ }6 E, H/ M& h   VMMCall Test_Debug_Installed
$ Z* r( L+ N2 v# u- |  i! I   je      not_installed
3 Z; m3 w" R* v
% j7 M0 m7 o" W: i. j7 _) tThis service just checks a flag.+ N$ c, T  |2 @: M; O
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-7 04:58

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表