About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet. It looks for the
BoundsChecker interface that SoftICE implements on int 3: with EBP='BCHK'
and AX=4, a loaded SoftICE answers the call by modifying AL, so if AL is no
longer 4 afterwards the debugger is present.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; BoundsChecker/SoftICE interface
    cmp     al,4                   ; AL unchanged => no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, a hard reboot...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

If SoftICE is loaded, the int 3 returns normally and the program executes
6 different SoftICE commands located at ds:dx, which are: LDT, IDT, GDT,
TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is loaded, ES:DI receives its API
entry point; ES:DI stays 0:0 otherwise, which is what the code tests.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net). This one temporarily installs its own
int 41h handler (a bare iret) in the interrupt vector table, so ax can only
come back as 0F386h if a system debugger intercepts int 41h below the vector
table. ES must point to segment 0 (the IVT) here, as Method 06 does
explicitly:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap in our handler (offset)...
    xchg    bx, es:[41h*4+2]        ; ...and segment, keeping the old vector
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

A second method similar to the preceding one but more difficult to detect.
The installed handler copies AL into CL; AL is loaded with a changing timer
byte beforehand and CX is cleared, so after the int 41h, CL==AL only if our
own handler was the one that ran. If a debugger swallows the int 41h instead
of chaining to the installed vector, CL stays 0 and the check fails.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT channel 0 counter: a changing byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

; {1 |1 {9 \- w4 A: T) LMethod 09
9 [2 h5 g0 v' m6 ?) T4 h=========
( c& Q  A% [# t+ J: F, k% U4 q% _; {$ P2 \7 L6 [6 {
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only6 r  Y3 U1 p8 ]: |: Q
performed in ring0 (VxD or a ring3 app using the VxdCall).
8 @4 b" H. R5 Y0 CThe Get_DDB service is used to determine whether or not a VxD is installed# S: k* y0 y( |% ?
for the specified device and returns a Device Description Block (in ecx) for
) ?& r/ _& d& Y( \# K9 B9 bthat device if it is installed.  Q6 ^4 ?6 x: }( p1 j
  I; ^1 i7 o* P& k
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
0 y4 Y; h) i  {4 f- I" P   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
" u8 S5 b; j$ |1 X- ?8 _   VMMCall Get_DDB
# \: ~4 [, U, L+ C7 z   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
8 t0 L) k% R$ b' j% P; {6 o/ l
1 @  Z" ~( i0 l. m3 ^! v0 BNote as well that you can easily detect this method with SoftICE:
. g. n- ~; A- ~   bpx Get_DDB if ax==0202 || ax==7a5fh' x* T; p/ K. T! y; y, R3 K
4 J- k8 s  c+ B7 _4 K& [
__________________________________________________________________________7 e3 P) _5 M- N, b7 p

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient: by checking the debug registers you can detect
whether SoftICE is loaded (dr7=0x700 if you loaded the program with the
SoftICE loader, 0x400 otherwise) or whether some memory breakpoints are set
(dr0 to dr3), simply by reading their values (in ring 0 only). The values
can be manipulated or changed as well (clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to let
Symbol Loader check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple: it tries to open the SoftICE driver devices
(SICE and SIWVID for Win9x, NTICE for WinNT) with the CreateFileA API. If the
open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device exists: SoftICE's VxD is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 service
0x001F, _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall
function), and then browses the DDB list until it finds the VxD and its
DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a W32_DEVICEIOCONTROL
(0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE) to the VxD
Control_Dispatch proc (how the hell could a shareware program try to
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it always clears eax and the Carry flag to allow its
handle to be opened, and is therefore detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix, and the
  four bytes found there are compared as one dword)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0 -> open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited, because it is only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
     (esp->8 is the lpSubKey argument; the four bytes 'tICE' sit at offset
     0x13 in key #2 and at offset 0x37 in key #1)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on the system (ring 0
only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
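Most of the tricks above hinge on fixed immediates (the 'BCHK' and 4647h/4A4Dh magic values, the 0F386h reply to int 41h/4Fh and int 68h/43h, the int 2Fh/1684h VxD IDs 0202h and 7A5Fh, the VWIN32 service number 002A002Ah, the \\.\SICE device names and the NuMega registry key), so once a protected program is unpacked they are easy to find statically. The scanner below is an added example, not code from the original post: it turns those patterns (methods 01, 02, 03/04, 05, 07, 11, 12 and 13) into byte regexes and runs them over a constructed sample image. The instruction encodings are standard x86 (16-bit forms for the DOS methods, 32-bit for the Win32 ones); the signature labels, the function names and the fragment layout of the sample image are this example's own assumptions, not anything taken from a real file.

```python
"""Static scanner for the anti-SoftICE byte patterns described above.

Added example, not code from the original post. Opcode encodings are plain
x86 (16-bit for the DOS methods, 32-bit for the Win32 ones); the image
scanned at the bottom is constructed here for the demonstration.
"""
import re

# (label, compiled bytes regex). re.S lets '.' also match 0x0A so the short
# wildcard gaps between paired instructions may contain any byte value.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ; [66] mov ax,4 ; int 3
    ("01 BoundsChecker int 3 interface (EBP='BCHK', AX=4)",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,4}?\xCC", re.S)),
    # Method 02: mov si,4647h ; mov di,4A4Dh (the SoftICE back door magic values)
    ("02 SoftICE back door magic (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point (SICE/SIWVID)",
     re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.S)),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h (3D 86 F3; a 66
    # prefix precedes it in 32-bit code and falls inside the gap)
    ("05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,12}?\xCD\x41.{0,24}?\x3D\x86\xF3", re.S)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.S)),
    # Method 12: push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall VWIN32_Int41Dispatch function 4Fh",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: device names handed to CreateFileA / _lopen
    ("11 MeltICE device name (\\\\.\\SICE, SIWVID or NTICE)",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: the registry key most programs look at
    ("13 NuMega\\SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]


def scan(image):
    """Return [(offset, label)] for every signature hit, sorted by offset."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed image: hand-assembled fragments of the tricks, NOP-padded."""
    fragments = [
        # Method 01 (32-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4
        b"\xBD\x4B\x48\x43\x42" b"\x66\xB8\x04\x00" b"\xCC" b"\x3C\x04",
        # Method 02 (16-bit, as in Haspinst.exe): mov ax,911h ; mov si,4647h ;
        # mov di,4A4Dh ; int 3
        b"\xB8\x11\x09" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC",
        # Method 03 (16-bit): mov ax,1684h ; mov bx,202h ; int 2Fh
        b"\xB8\x84\x16" b"\xBB\x02\x02" b"\xCD\x2F",
        # Method 05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h
        b"\xB8\x4F\x00" b"\xCD\x41" b"\x3D\x86\xF3",
        # Method 12 (32-bit): push 4Fh ; push 2A002Ah
        b"\x6A\x4F" b"\x68\x2A\x00\x2A\x00",
        # Methods 11 and 13: the strings as they would sit in .data
        b"\\\\.\\SICE\x00",
        b"Software\\NuMega\\SoftICE\x00",
    ]
    return (b"\x90" * 16).join(fragments)


def report(image):
    """One human-readable line per hit, with the hex offset of the match."""
    return [f"{offset:08X}  {label}" for offset, label in scan(image)]


if __name__ == "__main__":
    print("\n".join(report(build_sample_image())))
```

Static matching is only a first pass: the packers the text mentions keep this code encrypted, so the scan has to run on a memory dump or after unpacking, and the short cmp ax,0F386h sequence is deliberately anchored to the preceding int 41h to keep false positives down. The BPX/BPINT conditions given under each method remain the dynamic counterpart.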