About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es = 0 -&gt; interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; only a debugger hooking int 41h answers this
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; reached only if nobody intercepts int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the timer: a value nobody can predict
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al -&gt; our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; int number: 01h (or 03h)
    push    cs
    pop     ds                          ; ds:dx = new handler
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE when the Win9x SoftICE driver answers a device open. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
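Method 10 above reads the debug registers and treats dr7 == 0x700 versus 0x400 as the tell. The decoder below is an added example (my code, not part of the original post) for offline analysis of a DR7 value captured from a crash dump or VM snapshot: it shows what those two values mean in terms of the architectural DR7 bit layout (the LE/GE exact-breakpoint enables on top of bit 10, which always reads as 1) and which of dr0..dr3 are armed, with their condition and length. The 0x700/0x400 figures are the post's observation; the bit layout is Intel's documented one.

```python
"""Decode an x86 DR7 value into the state a debugger leaves behind (added example)."""
from typing import Dict, List

# DR7 layout (Intel SDM vol. 3, "Debug Registers"):
#   bits 0-7   L0,G0 .. L3,G3   local/global enable for DR0..DR3
#   bit 8      LE               local exact breakpoint enable
#   bit 9      GE               global exact breakpoint enable
#   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
#   bit 13     GD               general detect (trap on any DR access)
#   bits 16-31 R/W0,LEN0 .. R/W3,LEN3  condition and length per breakpoint
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> Dict:
    """Split a DR7 value into its enable flags and the armed breakpoints."""
    bps: List[Dict] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3
            ln = (dr7 >> (18 + 4 * n)) & 3
            bps.append({"reg": "dr%d" % n, "local": bool(local),
                        "global": bool(glob), "kind": RW_KIND[rw],
                        "length": LEN_BYTES[ln]})
    return {"LE": bool(dr7 & 0x100), "GE": bool(dr7 & 0x200),
            "GD": bool(dr7 & 0x2000), "breakpoints": bps}


def classify(dr7: int) -> str:
    """Apply the rule of thumb from Method 10 to a DR7 snapshot."""
    d = decode_dr7(dr7)
    if d["breakpoints"]:
        armed = ", ".join(b["reg"] for b in d["breakpoints"])
        return "hardware breakpoints armed (%s)" % armed
    if d["LE"] and d["GE"]:
        return "exact-breakpoint bits set (0x700 pattern: loaded under the SoftICE loader)"
    return "baseline (0x400 pattern: no debugger state in DR7)"


if __name__ == "__main__":
    # Constructed sample values: the two from the post, plus one with a
    # 4-byte write breakpoint armed in dr0 (L0 set, R/W0=01, LEN0=11).
    for value in (0x400, 0x700, 0x400 | 0x1 | (1 << 16) | (3 << 18)):
        print("dr7=0x%08x: %s" % (value, classify(value)))
        print("   ", decode_dr7(value))
```

Reading DR7 is a ring0 operation, as the post says, so the input to this decoder comes from a kernel debugger, a dump or a hypervisor, never from a user-mode process.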
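For an analyst triaging a sample, the practical question is whether a binary carries any of the tricks listed above before it is ever run. The scanner below is an added example (my code, not part of the original post or of any tool it names): it searches a file for the immediates, interrupt sequences and device or registry names that methods 01, 02, 03, 04, 05, 07, 11, 12 and 13 rely on, using the standard x86 encodings (BD imm32 for mov ebp, BE/BF imm16 for mov si/di, 3D imm16 for cmp ax, CD imm8 for int, 68 imm32 for push). The byte sample is constructed for the demonstration. Any code that happens to contain the same bytes also matches, so a hit is a lead for the analyst to confirm in a disassembler, not proof on its own.

```python
"""Static triage for the anti-SoftICE tricks listed above (added example)."""
import re
import sys
from typing import List, NamedTuple


class Finding(NamedTuple):
    offset: int
    method: str
    note: str


# Byte patterns for the tricks described above.  x86 immediates are stored
# little-endian, so 0x4243484B ('BCHK') appears in a file as 4B 48 43 42.
SIGNATURES = [
    (rb"\xbd\x4b\x48\x43\x42", "01",
     "mov ebp,4243484Bh ('BCHK' BoundsChecker signature before int 3)"),
    (rb"\xbe\x47\x46.{0,8}?\xbf\x4d\x4a", "02",
     "mov si,4647h / mov di,4A4Dh (SoftICE back-door magic values)"),
    (rb"\xbb\x02\x02\xcd\x2f", "03",
     "mov bx,0202h / int 2Fh (VxD ID of WINICE, function 1684h)"),
    (rb"\xbb\x5f\x7a\xcd\x2f", "04",
     "mov bx,7A5Fh / int 2Fh (VxD ID of SIWVID, function 1684h)"),
    (rb"\xb8\x4f\x00\xcd\x41", "05",
     "mov ax,4Fh / int 41h (debugger installation check)"),
    (rb"\x3d\x86\xf3", "05/12",
     "cmp ax,0F386h (magic number returned by system debuggers)"),
    (rb"\xb4\x43\xcd\x68", "07",
     "mov ah,43h / int 68h (WinICE V86 handler check)"),
    (rb"\\\\\.\\(SICE|SIWVID|NTICE)", "11",
     "SoftICE device name for CreateFileA/_lopen (MeltICE)"),
    (rb"\x68\x2a\x00\x2a\x00", "12",
     "push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)"),
    (rb"NuMega\\SoftICE", "13",
     "registry path Software\\NuMega\\SoftICE"),
]


def scan(data: bytes) -> List[Finding]:
    """Return every signature hit in `data`, ordered by file offset."""
    hits = []
    for pattern, method, note in SIGNATURES:
        for m in re.finditer(pattern, data, re.DOTALL):
            hits.append(Finding(m.start(), method, note))
    return sorted(hits)


def report(findings: List[Finding]) -> List[str]:
    """One human-readable line per hit, suitable for a triage note."""
    return ["0x%08x  method %-5s  %s" % (f.offset, f.method, f.note)
            for f in findings]


# Constructed sample: filler bytes around hand-assembled fragments of
# methods 01, 02 and 05 plus the strings used by methods 11 and 13.
SAMPLE = (
    b"\x90" * 4
    + b"\xbd\x4b\x48\x43\x42"               # mov ebp,4243484Bh      (method 01)
    + b"\xb8\x04\x00\xcc\x3c\x04"           # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 3
    + b"\xbe\x47\x46\xbf\x4d\x4a\xcd\x03"   # mov si / mov di / int 3 (method 02)
    + b"\xb8\x4f\x00\xcd\x41\x3d\x86\xf3"   # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x00" * 2
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"    # device names           (method 11)
    + b"Software\\NuMega\\SoftICE\x00"      # registry path          (method 13)
)

if __name__ == "__main__":
    # Usage: python scanner.py [file]; without a file the constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(scan(data)):
        print(line)
```

The method 02 pattern allows up to eight bytes between the two magic-value loads because packers often interleave the `mov ax,09xx` call selector between them; widen that gap if a sample reorders the sequence.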