About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; assumes es = 0 (IVT), as set explicitly in Method 06
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only reached if our handler actually services int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; varying value (PIT counter) used as the test pattern
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; if our handler was not reached, cl is still 0
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS Set Interrupt Vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
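The register layout behind this check, as an added example in Python (not code from the original write-up): decoding DR7 the way an analyst does when reading a saved thread context or a kernel dump. The bit layout is the documented x86 one (Intel SDM vol. 3, "Debug Registers"); bit 10 of DR7 is reserved and always reads as 1, which is why an idle DR7 reads 0x400, and 0x700 is that value plus the LE and GE bits (8 and 9). The function names and the sample register values are this example's own.

```python
# Added example: decode the x86 DR7 debug-control register and list the
# hardware breakpoints it arms. Bit layout per the Intel SDM (vol. 3,
# "Debug Registers"); 0x400 / 0x700 are the values quoted in Method 10.
# The sample register values at the bottom are constructed.

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes, 64-bit mode only

DR7_LE = 1 << 8           # local exact breakpoint enable
DR7_GE = 1 << 9           # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10   # reserved, always reads as 1: an idle DR7 is 0x400
DR7_GD = 1 << 13          # general detect: trap on any MOV to/from a DRx


def decode_dr7(dr7: int) -> dict:
    """Return the armed breakpoint slots and the control flags encoded in DR7."""
    armed = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1        # Ln: bits 0, 2, 4, 6
        glob = (dr7 >> (2 * n + 1)) & 1     # Gn: bits 1, 3, 5, 7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 0b11   # R/Wn: what kind of access triggers
        ln = (dr7 >> (18 + 4 * n)) & 0b11   # LENn: size of the watched range
        armed.append({
            "dr": n,
            "scope": "global" if glob else "local",
            "kind": RW_KIND[rw],
            "len": LEN_BYTES[ln],
        })
    return {
        "armed": armed,
        "LE": bool(dr7 & DR7_LE),
        "GE": bool(dr7 & DR7_GE),
        "GD": bool(dr7 & DR7_GD),
    }


def hardware_breakpoints(dr0_3, dr7: int):
    """Pair each armed DR7 slot with its address register (dr0..dr3)."""
    return [(dr0_3[s["dr"]], s["kind"], s["len"])
            for s in decode_dr7(dr7)["armed"]]


def matches_softice_loader_state(dr7: int) -> bool:
    """True for the 0x700 state Method 10 describes: LE and GE set, nothing armed."""
    d = decode_dr7(dr7)
    return d["LE"] and d["GE"] and not d["armed"]


if __name__ == "__main__":
    # Constructed sample: DR0 = global 4-byte write watchpoint, DR1 = local
    # execute breakpoint. 0xD0406 = G0 | L1 | RW0=write | LEN0=4 | bit 10.
    sample_dr7 = 0x000D0406
    sample_drs = [0x00401000, 0x00402000, 0, 0]
    for addr, kind, size in hardware_breakpoints(sample_drs, sample_dr7):
        print(f"{kind:<10} {size}-byte breakpoint at {addr:#010x}")
    print("loader-style DR7:", matches_softice_loader_state(0x700))
```

Reading DR7 alone is enough to tell whether any slot is armed; pairing it with dr0..dr3 tells you where, which is what a BPM inspection or a clear-the-BPMs routine needs.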

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name succeeds only if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
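The breakpoints listed for Methods 11, 12 and 13 catch these tricks at run time; the same patterns can be found statically. As an added example in Python (not code from the original write-up), here is a signature scanner that flags the Method 01, 02, 03/04, 05, 07 and 12 instruction sequences, the Method 11 device names and the Method 13 registry keys in a raw binary. The byte encodings are the standard x86 ones for the instructions shown above, with an optional 0x66 operand-size prefix so that 16-bit and 32-bit code both match; the UTF-16LE string variant goes beyond the page (it catches the same names as the wide APIs would carry them). The signature table, function names and the sample blob are this example's own, and the sample is constructed from the snippets above.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str   # method number in the write-up above
    what: str
    offset: int


# Instruction-sequence signatures for the snippets shown above. "\x66?" admits
# the operand-size prefix, so the 16-bit and 32-bit encodings both match.
CODE_SIGS = [
    ("01", "mov ebp,4243484Bh ('BCHK' BoundsChecker signature)",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42", re.DOTALL)),
    ("02", "mov si,4647h .. mov di,4A4Dh (back door magic values)",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A", re.DOTALL)),
    ("03", "mov ax,1684h; mov bx,0202h; int 2Fh (SICE VxD ID)",
     re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F", re.DOTALL)),
    ("04", "mov ax,1684h; mov bx,7A5Fh; int 2Fh (SIWVID VxD ID)",
     re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F", re.DOTALL)),
    ("05", "mov ax,4Fh; int 41h (debugger installation check)",
     re.compile(rb"\x66?\xB8\x4F\x00\xCD\x41", re.DOTALL)),
    ("07", "mov ah,43h; int 68h (V86 WinICE handler check)",
     re.compile(rb"\xB4\x43\xCD\x68", re.DOTALL)),
    ("12", "push 4Fh; push 2A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00", re.DOTALL)),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic number)",
     re.compile(rb"\x66?\x3D\x86\xF3", re.DOTALL)),
]

# Plain strings from Methods 11 and 13; each is also searched in UTF-16LE,
# which is how the wide (W) versions of the same APIs would carry them.
STRING_SIGS = [
    ("11", "SICE device name", b"\\\\.\\SICE"),
    ("11", "SIWVID device name", b"\\\\.\\SIWVID"),
    ("11", "NTICE device name", b"\\\\.\\NTICE"),
    ("13", "NuMega\\SoftICE registry key", b"Software\\NuMega\\SoftICE"),
    ("13", "Uninstall\\SoftICE registry key", b"Uninstall\\SoftICE"),
    ("13", "Loader32.Exe App Paths key", b"App Paths\\Loader32.Exe"),
]


def scan(blob: bytes) -> list:
    """Return every signature hit in blob, ordered by file offset."""
    hits = []
    for method, what, rx in CODE_SIGS:
        hits.extend(Hit(method, what, m.start()) for m in rx.finditer(blob))
    for method, what, narrow in STRING_SIGS:
        wide = narrow.decode("ascii").encode("utf-16-le")
        for needle, label in ((narrow, what), (wide, what + " [UTF-16]")):
            pos = blob.find(needle)
            while pos != -1:
                hits.append(Hit(method, label, pos))
                pos = blob.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h.offset)


def methods_present(blob: bytes) -> set:
    """Set of method labels whose signature appears at least once."""
    return {h.method for h in scan(blob)}


# Constructed sample: the Method 01 check, the Haspinst-style Method 02
# register setup, two MeltICE device names and the simplest Method 05 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4; jnz
    + b"\x00" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # mov ax,0911h; mov dx,[bx]; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                   # mov ax,4Fh; int 41h; cmp ax,0F386h; jz
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method:<8} {h.what}")
```

A hit on the magic-number compare alone is weak evidence (the constant can occur by chance); a hit on one of the instruction sequences plus a device name or registry key is what an analyst would act on.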

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
/ n# V5 c; z% p( d</PRE></TD></TR></TBODY></TABLE>
汶上信息港 ( 鲁ICP备19052200号-1 )