About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: an INT 3
issued with EBP = 'BCHK' and AX = 4 is answered by SoftICE, which
modifies AL on return. Without SoftICE, AL still holds 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for INT 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less common method. It looks for the SoftICE VxD ID via INT 2Fh/AX=1684h
(Get Device API Entry Point). If the VxD is present, ES:DI receives a
non-zero entry point; if not, both registers stay zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks for the ID of the
SoftICE video (GFX) VxD, SIWVID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

This method looks for the 'magic number' 0F386h returned (in AX) by any
system debugger that implements the INT 41h debugger interface. It calls
INT 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next variant, as well as Method 06, are two examples taken from Stone's
"stn-wid.zip" (www.cracking.net). Here the INT 41h vector is swapped for a
dummy IRET handler for the duration of the call, so a debugger hooked only
through the real-mode IVT is bypassed, while SoftICE, which handles INT 41h
before it reaches the IVT, still answers 0F386h:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


A second variant, similar to the preceding one but harder to detect. The
program's own INT 41h handler copies AL into CL. AL is first loaded with an
arbitrary value read from the timer port (40h) and CX is cleared. If the
INT 41h reaches the program's handler, CL becomes equal to AL; if SoftICE
intercepts the interrupt, the handler never runs, CL stays 0 and the
compare fails. (If the timer read happens to return 0, the check misses.)


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on INT 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

This is not a method of detecting SoftICE but a way to crash the
system by intercepting INT 01h and INT 03h and redirecting them to another
routine.
It calls INT 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (INT 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or if some memory breakpoints are set (dr0 to dr3), simply by reading their
values (ring 0 only, since the debug registers are privileged). Values can be
manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega themselves to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open a handle to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API. The open only succeeds if the
driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the device name exposed by the Win9x SoftICE VxD. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;        /* device opened: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the INT 41h/4Fh debugger installation check (Methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
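Most of the tricks above leave recognisable byte sequences in a binary: the
immediates 'BCHK', 4647h/4A4Dh, 1684h with 0202h/7A5Fh, 4Fh with INT 41h and
0F386h, the 002A002Ah VxDCall argument, the "\\.\SICE"-style device names and
the NuMega registry key. The following is an added example, not code from the
original article: a small Python scanner that flags those sequences in a raw
code image. It assumes 16-bit (DOS/V86) encodings for the interrupt-based
tricks and a 32-bit encoding for the push/VxDCall sequence of Method 12; the
32-byte window used to pair the two back-door magic loads is an arbitrary
choice, and the sample blob it scans is hand-assembled here for demonstration.

```python
"""Added example: static scanner for the anti-SoftICE sequences described
above. Not code from the original article; byte patterns are derived from
the listings (16-bit DOS/V86 encodings for the INT-based tricks, 32-bit for
the push/VxDCall sequence) and the sample blob is constructed here."""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    offset: int
    rule: str


# (rule name, regex over raw bytes); every pattern is literal bytes.
SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3.  'BD imm32' is the same
    # in 16-bit code behind a 66h prefix, so match from BDh on and allow an
    # optional 66h before the mov ax,4.
    ("01_bchk_int3",
     re.compile(rb"\xBD\x4B\x48\x43\x42\x66?\xB8\x04\x00\xCC")),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h (SICE) or 7A5Fh (SIWVID) ;
    # int 2Fh, in either mov order.
    ("03_04_int2f_1684",
     re.compile(rb"(?:\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)"
                rb"|\xBB(?:\x02\x02|\x5F\x7A)\xB8\x84\x16)\xCD\x2F")),
    # Method 05 (simple form): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("05_int41_4f", re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3")),
    # Method 07: mov ah,43h ; int 68h ; cmp ax,0F386h
    ("07_int68_43", re.compile(rb"\xB4\x43\xCD\x68\x3D\x86\xF3")),
    # Method 12 (32-bit): push 4Fh ; push 002A002Ah before the VxDCall
    ("12_vxdcall_int41", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: NUL-terminated device names opened via CreateFileA/_lopen
    ("11_device_name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: the NuMega registry key (#2 in the list above)
    ("13_registry_key", re.compile(rb"Software\\NuMega\\SoftICE", re.I)),
]

MAGIC_SI = b"\xBE\x47\x46"  # mov si,4647h
MAGIC_DI = b"\xBF\x4D\x4A"  # mov di,4A4Dh
INT3 = b"\xCC"


def find_backdoor(data: bytes, window: int = 32) -> List[Hit]:
    """Method 02: both magic loads within `window` bytes, followed by INT 3.
    Reported once, at the first of the two loads (the window is an assumed
    value; real code may interleave other instructions)."""
    hits = []
    for m in re.finditer(rb"\xBE\x47\x46|\xBF\x4D\x4A", data):
        start = m.start()
        other = MAGIC_DI if data[start] == 0xBE else MAGIC_SI
        region = data[start:start + window]
        pos = region.find(other, 3)      # the partner load must come later
        if pos >= 0 and INT3 in region[pos + 3:]:
            hits.append(Hit(start, "02_backdoor_int3"))
    return hits


def scan(data: bytes) -> List[Hit]:
    """Run every signature over the image and return hits sorted by offset."""
    hits = [Hit(m.start(), name)
            for name, rx in SIGNATURES for m in rx.finditer(data)]
    hits.extend(find_backdoor(data))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed test image: hand-assembled fragments of Methods 01, 02,
    03, 05, 11 and 13 separated by NOP padding."""
    pad = b"\x90" * 8
    return b"".join([
        pad,
        # 66 BD 'BCHK' ; B8 04 00 mov ax,4 ; CC int 3 ; 3C 04 cmp al,4 ; 75 10 jnz
        b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10",
        pad,
        # Haspinst-style: mov ax,0911h ; mov dx,[bx] ; mov si,4647h ;
        # mov di,4A4Dh ; int 3
        b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",
        pad,
        # xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
        b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F",
        pad,
        # mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz +2
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02",
        pad,
        b"\\\\.\\SICE\x00",
        pad,
        b"Software\\NuMega\\SoftICE\x00",
    ])


if __name__ == "__main__":
    for hit in scan(build_sample()):
        print(f"{hit.offset:#06x}  {hit.rule}")
```

The string rules (Methods 11 and 13) are weak evidence on their own, since a
legitimate debugger front-end would carry the same names; the opcode rules are
the ones worth acting on. A scan of real 32-bit code would also need the
66h-prefixed forms of the 16-bit immediates, and packers routinely split or
obfuscate these sequences, so treat the scanner as a first triage pass, not as
a proof of absence.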
</PRE></TD></TR></TBODY></TABLE>