About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface that SoftICE services on int 3
(EBP='BCHK', AX=4): when SoftICE handles the call it changes AL, so AL still
being 4 after the int 3 means SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)


The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get entry point"); a non-zero ES:DI means the VxD answered.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next one, as well as Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one installs a dummy int 41h
handler (a bare IRET) for the duration of the call, so AX can only come
back as 0F386h if something intercepts int 41h before it reaches the
vector table. ES must address segment 0 (the IVT), as set up in Method 06:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our handler, old offset -> dx
    xchg    bx, es:[41h*4+2]        ; old segment -> bx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL, and AL holds a timer byte read from
port 40h just before the call. CL differs from AL afterwards only if the
installed handler never ran, i.e. something intercepted int 41h ahead of
the vector table.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; a timer byte, different on every run
    xor     cx,cx
    int     41h                     ; our handler should copy al into cl
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
if there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE
for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the device opened: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
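The breakpoints listed for Methods 01 to 07 and 12 catch these checks at run
time. As an added example (not part of the original text), the scanner below
does the static counterpart: it looks for the byte sequences of the same
checks in a raw code image, so a packed or protected binary can be triaged
before it is ever run under SoftICE. The patterns are my own encodings of the
instructions shown in each method (mov ebp,'BCHK' / int 3; mov si,4647h and
mov di,4A4Dh; mov bx,0202h|7A5Fh / int 2Fh; mov ax,4Fh / int 41h; mov ah,43h /
int 68h; push 4Fh / push 002A002Ah). They assume straightforward encodings, a
66h operand-size prefix in 32-bit code simply falls into the allowed gap, and
the sample image is constructed inline; the hits are candidates for manual
review, not proof.

```python
# Added example (not from the original text): static scan of a code image for
# the anti-SoftICE instruction sequences described in Methods 01-07 and 12.
import re

# name -> byte-regex.  Immediates are little-endian; ".{0,N}?" tolerates the
# instructions the protection may place between the setup and the call.
SIGNATURES = {
    "int 3 BoundsChecker 'BCHK' check (Method 01)":
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",           # mov ebp,4243484Bh .. int 3
    "int 3 back door SI=4647h DI=4A4Dh (Method 02)":
        rb"\xBE\x47\x46.{0,12}?\xBF\x4D\x4A"            # mov si,4647h .. mov di,4A4Dh
        rb"|\xBF\x4D\x4A.{0,12}?\xBE\x47\x46",          # (or the other way round)
    "int 2Fh/1684h VxD ID 0202h or 7A5Fh (Methods 03/04)":
        rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",   # mov bx,ID .. int 2Fh
    "int 41h function 4Fh (Methods 05/06)":
        rb"\xB8\x4F\x00.{0,8}?\xCD\x41",                # mov ax,4Fh .. int 41h
    "int 68h function 43h (Method 07)":
        rb"\xB4\x43.{0,8}?\xCD\x68",                    # mov ah,43h .. int 68h
    "VxDCall VWIN32_Int41Dispatch 002A002Ah/4Fh (Method 12)":
        rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)"           # push 4Fh (imm8 or imm32)
        rb"\x68\x2A\x00\x2A\x00",                       # push 002A002Ah
}
COMPILED = [(name, re.compile(pat, re.DOTALL)) for name, pat in SIGNATURES.items()]


def scan(blob):
    """Return [(offset, signature name)] for every match, ordered by offset."""
    hits = []
    for name, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image: one instance of each check with NOP padding.
SAMPLE = (
    b"\x55\x8B\xEC"                      # push ebp / mov ebp,esp (filler prologue)
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"                # mov ax, 4   (66h prefix: 32-bit code)
    + b"\xCC"                            # int 3
    + b"\x3C\x04"                        # cmp al, 4
    + b"\x90" * 6
    + b"\xB8\x11\x09"                    # mov ax, 0911h       (16-bit code)
    + b"\xBE\x47\x46"                    # mov si, 4647h
    + b"\xBF\x4D\x4A"                    # mov di, 4A4Dh
    + b"\xCC"                            # int 3
    + b"\x90" * 6
    + b"\xB8\x84\x16"                    # mov ax, 1684h
    + b"\xBB\x02\x02"                    # mov bx, 0202h       (SICE VxD ID)
    + b"\xCD\x2F"                        # int 2Fh
    + b"\x90" * 6
    + b"\xB8\x4F\x00"                    # mov ax, 4Fh
    + b"\xCD\x41"                        # int 41h
    + b"\x3D\x86\xF3"                    # cmp ax, 0F386h
    + b"\x90" * 6
    + b"\xB4\x43\xCD\x68"                # mov ah, 43h / int 68h
    + b"\x90" * 6
    + b"\x6A\x4F"                        # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"            # push 002A002Ah (VWIN32_Int41Dispatch)
    + b"\xFF\x15\x00\x00\x00\x00"        # call [Kernel32!ORD_0001]
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print("%08x  %s" % (off, name))
```

Run it over a raw section dump (or the whole file) of the target; for a packed
program scan the unpacked image, since the packer's own check is usually in
the stub and the protected code only appears after decryption.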

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 land on the 'tICE'
of 'SoftICE' in keys #2 and #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>