About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to point to the IVT (segment 0) here; Method 06 sets it explicitly
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* \\.\SICE is the device name of the SoftICE VxD */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.