About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker signature ('BCHK' in EBP) that SoftICE recognizes:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is still 4 when nothing answered the call
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It calls the
SoftICE 'back door commands', which give information on breakpoints or
execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary
commands (HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by the program's own INT 3 exception
  handler when the debugger is not loaded (the original text calls it an
  SEH; a DOS program has no SEH, the handler it installs on the INT 3
  vector plays that role).
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). The check works because int 2Fh/1684h leaves
ES:DI = 0000h:0000h when no VxD with that ID answers.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; still 0000h:0000h -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The program first points the int 41h
vector at its own handler, which just IRETs, so a plain look at the IVT
shows nothing hooked; if AX still comes back as 0F386h, something below the
IVT (the system debugger) answered the call:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; assumes ES = 0 (the IVT), see Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect: AL
holds a value read from the timer port (40h) instead of the 4Fh function
code, so there is no constant to put a breakpoint on. The installed handler
copies AL into CL; if the int 41h never reaches it (something else consumed
the call), CL stays 0 and differs from AL.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0 -> the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; pseudo-random AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Win9x: "\\\\.\\SICE" or "\\\\.\\SIWVID"; WinNT: "\\\\.\\NTICE" */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed         ; ZF set = no debugger

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
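As an added example (not part of the original text, and not code from SoftICE, NuMega or any of the tools named above), the following Python script turns the byte encodings of the tricks listed on this page into a static signature scanner: it searches a raw binary image for Methods 01-07, 11, 12 and 13 and reports the method and file offset of every hit. The instruction encodings are standard 16/32-bit x86 (operand-size prefixes are tolerated by small gaps in the patterns); the method labels, the `SAMPLE` blob (hand-assembled fragments of each trick with NOP padding) and the gap widths are my own choices. The generic pieces (int 3, int 2Fh/1684h, int 41h) are only flagged together with the SoftICE-specific constants, so an ordinary VxD API lookup does not fire.

```python
"""Static scanner for the anti-SoftICE tricks listed on this page.

Added example, not code from the original text. It looks for the byte
encodings of Methods 01-07, 11, 12 and 13 in a raw binary image and reports
the method and file offset of each hit. SAMPLE is constructed by hand from
the instruction encodings so that the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hit:
    method: str
    offset: int
    matched: bytes


# Byte-regex per method. Small non-greedy gaps ({0,N}?) tolerate an
# operand-size prefix (66h) or a stray instruction between the pieces.
# Generic instructions (int 3, int 2Fh/1684h, int 41h) are only flagged
# together with the SoftICE-specific constants, to keep false positives down.
SIGNATURES: Dict[str, bytes] = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "01 BCHK int3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ('FG') and mov di,4A4Dh ('JM') feeding an int 3
    "02 INT3 backdoor": rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46).{0,16}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    "03/04 int2F VxD ID": rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Method 05 (and Stone's variant): mov ax,4Fh ... int 41h
    "05 int41 fn4F": rb"\xB8\x4F\x00.{0,32}?\xCD\x41",
    # Methods 05/07/12 all compare against the magic value: cmp ax,0F386h
    "F386 magic compare": rb"\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h
    "07 int68 fn43": rb"\xB4\x43.{0,8}?\xCD\x68",
    # Method 11 (MeltICE): \\.\SICE, \\.\SIWVID, \\.\NTICE as ANSI ...
    "11 MeltICE device name": rb"\\\\\.\\(?:SICE|SIWVID|NTICE)",
    # ... and as UTF-16LE (CreateFileW / Unicode builds)
    "11 MeltICE device name (wide)": rb"\\\x00\\\x00\.\x00\\\x00(?:S\x00I\x00(?:C\x00E\x00|W\x00V\x00I\x00D\x00)|N\x00T\x00I\x00C\x00E\x00)",
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "12 VxDCall Int41Dispatch": rb"\x6A\x4F\x68\x2A\x00\x2A\x00",
    # Method 13: the NuMega registry key
    "13 registry key": rb"Software\\NuMega\\SoftICE",
}

_COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> List[Hit]:
    """Return every signature hit in data, sorted by offset."""
    hits = [Hit(name, m.start(), m.group(0))
            for name, rx in _COMPILED.items()
            for m in rx.finditer(data)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(data: bytes) -> List[str]:
    """Distinct method labels that fired, in first-hit order."""
    seen: List[str] = []
    for h in scan(data):
        if h.method not in seen:
            seen.append(h.method)
    return seen


# Constructed sample: hand-assembled fragments of each trick with NOP padding.
SAMPLE = b"".join([
    b"MZ" + b"\x00" * 14,                                    # fake header filler
    bytes.fromhex("BD4B484342 66B80400 CC 3C04 7505"),       # Method 01 (32-bit)
    b"\x90" * 4,
    bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC"),           # Method 02 (16-bit)
    b"\x90" * 4,
    bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F"),           # Method 03
    b"\x90" * 4,
    bytes.fromhex("B84F00 CD41 3D86F3 7400"),                # Method 05
    b"\x90" * 4,
    bytes.fromhex("B443 CD68 3D86F3"),                       # Method 07
    b"\x90" * 4,
    bytes.fromhex("6A4F 682A002A00 E800000000"),             # Method 12
    b"\x00\\\\.\\SICE\x00",                                  # Method 11 (ANSI)
    "\\\\.\\SIWVID\x00".encode("utf-16-le"),                 # Method 11 (wide)
    b"Software\\NuMega\\SoftICE\x00",                        # Method 13
])

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#08x}  {h.method:32s}  {h.matched.hex(' ')}")
```

Methods 08, 09, 10 and 14 have no stable byte pattern to match (08 is an ordinary int 21h/25h call, 09 and 14 are VMM service calls resolved by the linker, 10 is a read of the debug registers), so they are deliberately left out. A scanner like this only sees plain code: the packers that use these tricks decrypt them at run time, so run it over a memory dump taken after unpacking rather than over the file on disk.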