找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>' x" ^1 [/ C9 @6 \# P
<TBODY>4 e3 P% g, D  d/ m" A! D
<TR>
& z+ P0 a/ d& v' g  m/ d0 L' N4 v<TD><PRE>Method 01
9 v  ]+ s4 W' J& \# F=========' `" J, i* C; b7 C9 {* s
8 L# }% \! o) |0 F
This method of detection of SoftICE (as well as the following one) is2 L+ ~6 w( b) s/ o# T  E
used by the majority of packers/encryptors found on Internet.- S% O: `/ `, t" d) q+ s0 ^( k
It seeks the signature of BoundsChecker in SoftICE2 w. _+ \& \, |4 E9 q' B  Q( z

6 V& ~1 Z$ U5 t2 z8 u& A    mov     ebp, 04243484Bh        ; 'BCHK'
$ ~+ x3 x1 o/ Q    mov     ax, 04h6 j+ _9 a- \3 D+ ^- R! j
    int     3      
6 B) m# _; ^$ n& V    cmp     al,4
% E5 N, ]; F) z' i0 g3 [    jnz     SoftICE_Detected
1 V" l- h$ S! V3 ^
. p7 P0 `" O" ?/ s4 W___________________________________________________________________________
( k8 l0 u" ?7 k7 ~; L; X& q" v. ^  H" y$ G1 r# D3 Y, ~- p
Method 02
3 I0 w. W: U" y+ Y=========7 v( b6 q6 }- L- R5 v
* Y# z( ~3 Y, @+ [" s' @
Still a method very much used (perhaps the most frequent one).  It is used
2 O! Z( ]' J! D: F4 L; @3 ?; Jto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
( t$ A5 r2 b( l$ u$ a8 g. Hor execute SoftICE commands...$ Z7 R, j+ w- N3 V* m; T/ X
It is also used to crash SoftICE and to force it to execute any commands2 ?! s* T6 J9 v" N. I
(HBOOT...) :-((  
, @; }5 y1 j' `8 s$ p: _6 z: |  H) b# I
Here is a quick description:+ ]7 Y3 L' u  m3 ^* v- A
-AX = 0910h   (Display string in SIce windows)9 g0 I" A* u; {; F) _2 m6 d% @
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)+ H' i$ e) P; R
-AX = 0912h   (Get breakpoint infos)
6 a* i% _! l3 d' T8 A-AX = 0913h   (Set Sice breakpoints)7 }- I! X6 b1 |
-AX = 0914h   (Remove SIce breakoints), U+ R7 f3 c) B! B" [
  N0 |( ?, J2 I. i/ \# `
Each time you'll meet this trick, you'll see:3 [, K7 X% ~9 j. N' ^
-SI = 4647h0 F" f, ]# W4 s5 u+ l
-DI = 4A4Dh
$ Z8 Q4 y$ Z  y/ }' YWhich are the 'magic values' used by SoftIce.
3 f, L/ J( T  J( u6 D" ]+ pFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 }/ c( ^% _& `/ T
# Y! m. [0 t% f. F6 w; B7 A
Here is one example from the file "Haspinst.exe" which is the dongle HASP
+ U' c3 f3 j) x* A* _" t( i: fEnvelope utility use to protect DOS applications:
9 L' `! S0 k0 c5 ?5 u( x* F
: l& \+ a) V% q' Y! [% G) G0 I. I! d/ L" v* l  C
4C19:0095   MOV    AX,0911  ; execute command.5 m0 @* V/ p/ }" Q5 j1 j0 l
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
5 E* G; o5 y  \# o' z4 Y4C19:009A   MOV    SI,4647  ; 1st magic value.# c. W; F, g: H, ]- R4 Y/ Z( a
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
+ n* a) W- \* r4 T# h; j! c4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)6 W+ _5 {$ ?5 D5 g8 y) v9 i( ~
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
% x+ B7 _3 C0 E5 N4 N% g4C19:00A4   INC    CX
0 [; y- c# {" l4 E4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute5 ^% s* B; Y+ ?7 R# [2 ~8 v
4C19:00A8   JB     0095     ; 6 different commands.% P: h3 ~, g, |: w3 z2 {
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.' C  t! ~; Z, e' X
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
. Z: T) @3 M, G2 T2 w* Z* ]# X3 ^" A! f% I4 G
The program will execute 6 different SIce commands located at ds:dx, which
2 p% o) l; d% X! S0 ]are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
7 y; H- |4 W8 D5 o% E8 u9 k9 R3 o- I: t! @- J
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.$ {# M8 P3 |) j: x
___________________________________________________________________________4 ?; R3 B" r5 Q% m+ r

0 S# O+ ]3 A7 `/ B" z1 n* _( _6 g) P; z
Method 03, `9 c6 C; W. q+ H
=========4 [( N; j) D0 t% O) ], `

3 _9 {' o& n2 E$ B2 V4 ?- GLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h: ~6 b6 T5 g8 g( g. V8 {% F: h
(API Get entry point)# l+ V4 m# t- K3 Z# |- r
        
4 \! X8 z9 W  q1 f/ u9 E! n
. y3 s2 D+ a* Y4 e) g, |    xor     di,di9 ?: B& S" Y7 r8 t' J  m
    mov     es,di- {5 B3 `' Z0 h* N$ V; u
    mov     ax, 1684h      
/ {- Y, U) r4 `, @! Z    mov     bx, 0202h       ; VxD ID of winice& d) R& v8 m; u3 k
    int     2Fh- v$ z# ^5 K, @& u4 [) u
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
( h& o/ ~& Z2 p  Q* n( W    add     ax, di& L" r5 T5 J$ [4 _
    test    ax,ax4 I+ _# S( |  g% j: E4 o& B; ^
    jnz     SoftICE_Detected1 V& y7 G( H0 h' x7 e: g

( g# [4 {0 w+ R6 r# F4 T& M2 F0 p' F" B___________________________________________________________________________/ b# E# R5 b. j8 q( V

3 \& R7 E, P2 N9 Z( C$ x3 xMethod 04
2 L4 h! l3 k  J0 ]% d" m: u1 g6 g=========
9 K9 u# K" ]! _* j4 E4 r4 E0 g4 E
9 A  p5 P: C& B& U, CMethod identical to the preceding one except that it seeks the ID of SoftICE$ L$ o% r. z4 @: I5 p
GFX VxD.8 M0 m$ ]2 j1 T* P( Z! P

: W2 W$ _8 p$ F# D    xor     di,di
. L  }* V; k2 P  G    mov     es,di9 \2 B6 D7 C* I; X& ?4 t8 J
    mov     ax, 1684h       $ F2 F4 w* v1 E! a$ L+ b; F; _2 w
    mov     bx, 7a5Fh       ; VxD ID of SIWVID; ~0 ~& J  V, ^. w
    int     2fh
& H: Z; @* p2 o- K$ M, T! N9 J    mov     ax, es          ; ES:DI -&gt; VxD API entry point
/ `. d; g. G' y. w# n    add     ax, di
4 L5 K7 t% h/ s, E    test    ax,ax
3 P# K' S. f; \+ p3 u8 D    jnz     SoftICE_Detected/ r# x4 a0 _3 W* n, G

( l( W1 o. ?$ u! }2 K6 ~% W4 R2 U" t__________________________________________________________________________
/ s& X$ D2 a1 |" r6 L/ y' Q5 P4 `' D! [# A, W+ k$ _7 F1 W
  W+ Y8 t7 x. t: \3 P3 M
Method 05
' D$ P4 p7 ~# I) w9 y=========, T( i6 k; o. O- z. ?
1 R% [- @+ ~! g" J; C: Z5 U
Method seeking the 'magic number' 0F386h returned (in ax) by all system% L* A# i8 i6 U! K" ~) g" D9 T% R: A
debugger. It calls the int 41h, function 4Fh.
$ T. `! ]" E: X1 D) ]There are several alternatives.  
, c7 ?) B' s7 A8 a; D+ M& N$ {0 A) ^. ~+ i9 l  ?  D( Z6 N/ ]
The following one is the simplest:
% e& E' [1 {7 D  v: p6 N. E7 T0 C$ d" R1 X  l1 t
    mov     ax,4fh
1 Z3 z8 V/ }+ ]2 M* }, V    int     41h
& E8 a. @0 N! ?- H4 z/ o' {    cmp     ax, 0F3869 D5 y) K4 K; x5 Z% Z
    jz      SoftICE_detected
& e# W$ I7 z6 h( h' q3 k
# f; x! l, G. z) I$ @1 x1 Q; G+ u& B6 ~; J: d
Next method as well as the following one are 2 examples from Stone's
, J# r. g! B" A/ d- X1 m1 }! L"stn-wid.zip" (www.cracking.net):
3 a9 \. I9 a) {7 W# q9 Y: m( q; g- Y: y/ s/ P0 b. H6 ?
    mov     bx, cs2 {% g' N9 e3 r" w: U
    lea     dx, int41handler2
: n( J2 f" H  o    xchg    dx, es:[41h*4]
0 E' @0 u8 i3 K  w+ M$ C    xchg    bx, es:[41h*4+2]
+ z9 ^1 [; ]1 O& Q    mov     ax,4fh( r9 T1 E3 z$ l/ B+ ?" m( `6 e
    int     41h! T2 @' `8 l1 [/ K0 H% U
    xchg    dx, es:[41h*4]9 w3 \# }' V+ T7 F/ h
    xchg    bx, es:[41h*4+2]- p# r, c1 m+ r
    cmp     ax, 0f386h5 ?3 P! o' w$ {. o9 O# c
    jz      SoftICE_detected2 h) J  k6 n- p, O' I* o* @% l

) B1 S% p: d, E+ s1 j: B6 m8 m% X0 F7 Q6 lint41handler2 PROC0 A3 n) `* r( V$ t% v+ @' V
    iret' ~1 ?; u" b$ L  P& Q( R  Q+ O
int41handler2 ENDP
2 H  H0 i3 U! w
/ |& c. @% g# m' H
8 n4 b* L- ]+ f1 u3 R2 `_________________________________________________________________________
  R& E1 n, I, W. J$ Y5 X+ m. `6 a5 |% c- K7 Z. R
- E4 X2 B3 }2 p/ X
Method 066 b6 d2 ], e9 {( G0 L7 P
=========6 \. l) e9 I" h; O) x3 I( E
1 ~0 h( Z7 C4 R1 n2 x+ k2 l: R

6 n; d' t  u8 j/ c8 U' A# _/ D9 C2nd method similar to the preceding one but more difficult to detect:; o: {2 X( ~1 A! F, B
/ ~. ]- J, O: T: q

: `4 U  }% s3 d8 M( {int41handler PROC
9 \4 i; z! b% ^: P3 @! M    mov     cl,al
6 x; ^' n( [7 ~, ?% o1 E5 ?! U    iret
4 @, A. I. t! v! a" P) S; ]1 aint41handler ENDP
6 `0 Q. V" Y  a% i! ^) n/ H( W0 v$ H& `, l7 f# T9 i0 ^3 W/ P- x

: C' q* C8 u9 `$ }# \    xor     ax,ax
2 e9 x6 K- W5 I# s* Z5 N8 B    mov     es,ax
/ K% H' {0 n9 M8 x% W( B    mov     bx, cs
! C4 M( [- j. X& ~    lea     dx, int41handler: L; ~3 m/ f: L& u- G4 Y
    xchg    dx, es:[41h*4]1 e3 Q5 r! I  r9 C9 g2 {0 S
    xchg    bx, es:[41h*4+2]
: G* r. x, K) _: X# L0 V    in      al, 40h
) H2 q$ e5 T( Y# W' g6 G3 p+ D- v/ u    xor     cx,cx% |5 y( {8 a6 z& r8 P6 t6 r
    int     41h
0 `; X, N3 p8 y$ f: T    xchg    dx, es:[41h*4]
; @8 N  O& W2 ^2 i4 ]/ a    xchg    bx, es:[41h*4+2]" D' u. y: G" a' e
    cmp     cl,al4 H: @  W) b3 [. Q# `1 _3 X2 R* ?
    jnz     SoftICE_detected. b8 d. S4 L/ _7 V

: I$ [3 @8 x" H; R- ]  K, A2 u1 ]_________________________________________________________________________
2 H& [- Q& u5 j- O2 F+ X0 Q* K' w1 h% f8 u3 r' Y
Method 07
( ?3 G1 |& c& J$ m/ x8 I" P# ?=========7 q5 M1 p! R# @7 e9 x, @

0 K9 u/ R6 Q6 X6 m1 F. qMethod of detection of the WinICE handler in the int68h (V86)
! I, D0 ]' Q, g( H& B0 x) B
3 G8 h' @# b4 }3 @! s5 Q    mov     ah,43h/ {5 Z2 `, g% H7 P
    int     68h( U- a' |2 \0 R" V1 @2 _
    cmp     ax,0F386h! J* V( S7 q. U# G, P
    jz      SoftICE_Detected
4 n/ e: r8 B8 H/ }1 C  @  I+ X- l8 B
  q' Z0 W2 ^$ `0 c
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
* Z7 ^6 [% z+ V3 s" Q% p7 L7 _   app like this:& o, w# E7 v+ S' d+ r+ ^
% V$ f4 I( w. A
   BPX exec_int if ax==68
) u% G) D: A  x   (function called is located at byte ptr [ebp+1Dh] and client eip is3 E0 b9 N: u, C
   located at [ebp+48h] for 32Bit apps)2 N6 N. H! e7 F; x4 w
__________________________________________________________________________0 X8 R: s: |/ G. i0 B, r* ~

% M' W8 Y! u# R+ ]; s  F" t
( i$ t; p: c3 u; eMethod 086 _. D( i% L7 r: Z: u" y8 w
=========
' A! e. t) v' I; J/ b; M) f& O+ }) r% S  ^4 F
It is not a method of detection of SoftICE but a possibility to crash the
8 X  `9 U8 b, S8 h$ [' v' e# xsystem by intercepting int 01h and int 03h and redirecting them to another
- y$ \' B9 p" n* ~/ froutine.
. }- o: c- ]0 y+ W3 g- M' sIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
2 f2 R! V2 `1 uto the new routine to execute (hangs computer...)
+ G( t% A* T$ J9 j$ Z" P/ R+ a. B- q7 S' d, E; }2 ~4 p
    mov     ah, 25h1 `! E. c+ b3 S( V
    mov     al, Int_Number (01h or 03h)
( o! O$ v7 P% l4 ^" M. @    mov     dx, offset New_Int_Routine$ I9 i/ d  W# X6 a
    int     21h
3 C4 t# l0 k4 o! p1 n( R3 ^7 M1 _9 P7 C. p5 l4 H  A  p
__________________________________________________________________________
2 s: ^7 c2 L2 S. W0 J8 z0 L* a* j8 {6 u
Method 09
6 ]% p. V7 `0 }' L7 \+ a  [=========0 c" |% s- q& i% b  u/ @

) t5 v! C7 m- O6 Z5 d$ DThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
9 F9 O" o% ]6 f2 P. [performed in ring0 (VxD or a ring3 app using the VxdCall).: t7 }2 u- n' R5 L
The Get_DDB service is used to determine whether or not a VxD is installed; U" N  ^7 ]" @2 a( G0 a
for the specified device and returns a Device Description Block (in ecx) for  Z( Y9 m/ U" y4 T3 u* E; B( J
that device if it is installed.
& @+ X6 t1 |  }) F, |$ x0 A, q' k8 f" }' o1 F$ C* f
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID4 J  {* ^! Y( W) M
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)3 l3 ]+ U' q% q; i
   VMMCall Get_DDB1 b1 w% d) m; Q) a+ |3 [* d8 V, b
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
2 \+ t8 `) A* _
6 B) g" D2 \5 O' j' cNote as well that you can easily detect this method with SoftICE:! m" T  H( l$ O4 n# D: ~
   bpx Get_DDB if ax==0202 || ax==7a5fh
+ `& l6 B* A- ?" j, }$ ?1 L( r1 x5 W: }& B% \. r1 Y( C/ D
__________________________________________________________________________
6 s( K/ Q- k6 I9 M1 e/ t# W' ?& g( B  I! i* q4 J. u8 w+ W$ ~3 [( S
Method 10
/ g# {# Y7 c( P9 @9 _  U=========( h0 ], T) ], D, O  H% Z
; g9 e( W8 {# i1 E
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with+ I! O+ c8 ]/ N4 `# x. l7 ?
  SoftICE while the option is enable!!
0 I# K- O* N0 B4 b: _4 a/ k0 {
( z1 H5 g) B" h  k% B! \; @4 FThis trick is very efficient:2 Q9 k% X( V/ `
by checking the Debug Registers, you can detect if SoftICE is loaded0 G2 n! C) O' }" N. i! O! c8 P
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
8 I4 m4 m$ F! Ythere are some memory breakpoints set (dr0 to dr3) simply by reading their
0 }5 T1 r# C3 u/ W+ x% w2 Q+ ^2 Gvalue (in ring0 only). Values can be manipulated and or changed as well
9 w2 M& N/ p, f4 i& w6 I(clearing BPMs for instance)5 [! f& C; K" B! |5 c: F9 ?

% J! Z3 x% {5 }( p' d) M) y__________________________________________________________________________9 o6 e! s. M% X& @
* ?; ?: {% X% [% U: k
Method 11" g/ W) n) A+ Z8 o! ]
=========; ?& L' |8 u% \

3 ?" b$ I7 M3 I3 g, H& PThis method is most known as 'MeltICE' because it has been freely distributed: C9 X1 t% G) ]/ g$ K! t+ B
via www.winfiles.com. However it was first used by NuMega people to allow
/ G, g3 ~' U6 l* {3 x) {Symbol Loader to check if SoftICE was active or not (the code is located
! `9 T6 r' f* Rinside nmtrans.dll).) a8 k3 {8 g+ w8 V5 q

4 ]0 f7 ^2 ]/ d$ ]: tThe way it works is very simple:
  [* a% q/ H. iIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
! ?* S8 E/ ?7 X- |' MWinNT) with the CreateFileA API.
, l% t9 u0 f, u/ x5 O
4 }0 A/ x3 n% `7 v( G% aHere is a sample (checking for 'SICE'):
! ?4 G0 C. t2 d! d  r
; y" ~& X+ K; x3 [) s: XBOOL IsSoftIce95Loaded()
# ~& _9 K% K2 h{
" W, l  f  ^, Z9 ]+ Y   HANDLE hFile;  % _0 c3 B& v/ d1 n, b6 I$ ~
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 I3 q) e+ X# n
                      FILE_SHARE_READ | FILE_SHARE_WRITE,' r6 V( ~5 s1 @& b$ Q  U! N
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
" t' D# P  p8 `* o# N; I* D   if( hFile != INVALID_HANDLE_VALUE )- j( u' F1 m6 j+ g6 \: r
   {; Q) F% L' H: j8 R
      CloseHandle(hFile);
$ M* q1 j6 L" I% i9 W+ ?8 N      return TRUE;
$ ~5 J! S1 B3 m2 M8 [   }
: N+ l  L+ o" i+ i   return FALSE;
( f6 p- K6 ~2 l1 d! y. L}
; V+ E& ^; L$ L: R3 h7 a- L8 J" P2 U$ i" @) G8 M
Although this trick calls the CreateFileA function, don't even expect to be
4 p9 C8 r7 [( Fable to intercept it by installing a IFS hook: it will not work, no way!
5 ^. N3 I) C7 \6 l% eIn fact, after the call to CreateFileA it will get through VWIN32 0x001F9 T% |# c: j1 Z- V  o: C9 S
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
  o, M1 d: v4 @4 l  o( j; H/ Mand then browse the DDB list until it find the VxD and its DDB_Control_Proc
- A# G& r( Y7 g: Z! @' yfield.' ^* y4 w! Q* K/ h) k
In fact, its purpose is not to load/unload VxDs but only to send a
: n6 w) g4 ^4 @- ^% c' @0 GW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE). x2 w( h) ~9 y/ P$ ?% }
to the VxD Control_Dispatch proc (how the hell a shareware soft could try% o" N& }4 e' a- U: c
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
4 z& t9 {5 `% c3 j& Z5 V  fIf the VxD is loaded, it will always clear eax and the Carry flag to allow" @7 q$ X- [; u0 @/ P" F: b
its handle to be opened and then, will be detected.! n) k6 q2 L9 ^
You can check that simply by hooking Winice.exe control proc entry point
" _' o/ b! s/ L6 a4 l3 X' @+ m) Z2 Swhile running MeltICE.' T* Z. p8 ?! V% y5 V! Z# T
: m6 E) M  ~5 C$ h; Q6 U" c
* e- S, S/ o1 c
  00401067:  push      00402025    ; \\.\SICE! s$ Y' C) l+ A  X: b8 H5 Q
  0040106C:  call      CreateFileA1 n  [6 u6 N! i$ G, J7 T
  00401071:  cmp       eax,-001- }5 L% \; I7 |' @! Q1 A
  00401074:  je        00401091, A; V& U) e  G% m+ r
$ q1 K# D4 F5 K# S+ v4 e9 S7 e/ K8 Z
1 _0 u7 N. c" r+ [
There could be hundreds of BPX you could use to detect this trick., q& \6 Y. K. M. G, M5 t
-The most classical one is:
" M5 }9 c- G$ i" k: A  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
" j! E: v1 f! n  x8 ]* c    *(esp-&gt;4+4)=='NTIC'2 a3 S1 F$ W  @' L# G

2 I+ M+ E" Y% |0 U% x6 W-The most exotic ones (could be very slooooow :-(
. Z8 \6 C1 n! y$ Q   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  1 N: T- U# Q! U1 x/ `0 k; g8 m6 I  t8 C
     ;will break 3 times :-(, h6 N: y. ?- z. O" E% v; T/ b' T
/ x: b  z4 ]& o8 @4 A: n& Y
-or (a bit) faster:
; Y5 ]( v+ T. n) T4 G   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
5 _1 S0 w& v# u' e; u+ ^! }( \/ ]
0 r: A" v; {$ v* }   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
5 l6 t# u0 m4 e     ;will break 3 times :-(3 a- Y8 l; N! ~$ x
  x1 i/ f) T% M* U3 Y" i0 D
-Much faster:
/ _; n& }6 v, h6 I+ {$ Z, Y   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'3 ]! k2 s2 k3 f9 a  Y" y

* X( J( K& Q& ]. l# m+ G. W5 X' GNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 }0 R8 n- ?6 d* Qfunction to do the same job:) T0 U( p2 Z% }2 D

7 O. t' H( U; E6 }0 V  q. `   push    00                        ; OF_READ
* o! Z3 p/ b/ X( r   mov     eax,[00656634]            ; '\\.\SICE',0. ]8 c1 K9 _/ g' J0 ^! {
   push    eax
8 M: H; a9 t6 A+ z+ S: C   call    KERNEL32!_lopen$ q+ G$ x- h) @( W6 Y
   inc     eax
/ {5 o) @* R/ A2 y   jnz     00650589                  ; detected
+ J: q* k- {$ W% I* v  B   push    00                        ; OF_READ- b, O6 z$ B/ \8 l9 Z; K: X
   mov     eax,[00656638]            ; '\\.\SICE'
) u1 X) g) }. m9 T, H# ~   push    eax# N' I9 p, i4 P5 h% H" Q
   call    KERNEL32!_lopen
- K5 `; h, F9 q' R) t% f+ A   inc     eax4 K4 i1 q3 z9 G# H
   jz      006505ae                  ; not detected0 R* s7 O, V; f' u+ B. u6 Y4 C) L3 [
) ?0 `# x+ x6 H
9 u; r' x. R; ]+ F3 j
__________________________________________________________________________
! _2 k0 g' e, y* j4 n- [8 m+ A# E5 l5 d
Method 12( r3 b  `5 `* c& P
=========
  R1 D% l5 T( S' u" r5 U
1 J7 E: k' i7 C$ `* [* Q- R/ xThis trick is similar to int41h/4fh Debugger installation check (code 05# q. x, j" G" Q* E0 ?/ L
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
) |3 D7 f  Z2 H8 B4 o1 y1 |1 sas it uses the VxDCall backdoor. This detection was found in Bleem Demo.: s' D- I4 [+ b; d. I

% v/ o% ^8 k7 f* m% y+ z   push  0000004fh         ; function 4fh( G; D0 j9 i1 Q4 P6 s6 f; H
   push  002a002ah         ; high word specifies which VxD (VWIN32)  T! Z$ t/ n1 \
                           ; low word specifies which service
; M4 n. ~( y2 S. ?5 Q( r- k9 h                             (VWIN32_Int41Dispatch)
! q* h- e4 S5 w8 r+ s& L$ J   call  Kernel32!ORD_001  ; VxdCall4 o: c- t0 G6 T, n9 w  b. B
   cmp   ax, 0f386h        ; magic number returned by system debuggers
5 z4 h3 j* n+ w8 x. J   jz    SoftICE_detected
4 u2 g8 E& e$ `  O1 H
) U1 n2 g# e8 hHere again, several ways to detect it:
* v% l% p; ~' t: Q! O2 D5 w3 C: R! X6 R7 N
    BPINT 41 if ax==4f5 A5 S5 W( q5 l' ^
/ K0 e, a+ a9 q% ]( B
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
( I! ?5 U! P; _. b$ r/ j
9 q* h6 @/ {: [4 f, e    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
/ D# n9 X7 A6 B( T/ `
; n+ {- V$ B' c9 p: U- g    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!' P1 H2 `  F; D" `) M

) @8 [+ {8 T* R8 J- K__________________________________________________________________________
$ E6 P; A! g$ G" T1 s6 r7 r; z5 d1 D* ]
Method 13
) R& e- _2 g$ W9 T7 k- b' C7 Q=========
* }% w& j+ c( E2 x0 |" q' m# A4 y) X, ?
Not a real method of detection, but a good way to know if SoftICE is
! W* L* P; I/ S2 z9 f' Dinstalled on a computer and to locate its installation directory.
% I) P' k2 B% P! M/ L& p; r" SIt is used by few softs which access the following registry keys (usually #2) :% z8 Q6 v' H) n! Q  ]! X& `7 a
1 }  @% m* @* s4 S
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# C8 S* h0 n) f& {, _: s\Uninstall\SoftICE
9 V% \$ X2 F( }-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE/ v% S5 Y  P6 V1 x, m7 Z/ k1 C
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion  V5 E( I, {4 w4 y- B9 K( P% s( U
\App Paths\Loader32.Exe
3 C  s' D. F/ C+ j5 D: l& d
% b. u7 t& x, E9 K/ U  O9 j1 R
. y/ i  q+ y1 ?1 o' d+ r4 \5 J& ?Note that some nasty apps could then erase all files from SoftICE directory
* x- r$ t( @& W# F8 p(I faced that once :-(
  Z, t( ?. @9 j$ n3 s4 F! ]. ?
  {5 y% N/ H' k0 ^# {Useful breakpoint to detect it:& q$ O6 u0 r3 T: F* ~

  |5 m. h* K, V8 i     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'$ B- `& J) X3 G* }  R+ b4 @% J1 r

# E) B3 V" E: V0 k__________________________________________________________________________. [0 t$ W" M/ b2 b* O: A& J+ T6 q. D

9 `; w2 P* Y- X: I; V6 }
: b1 @% D( f$ X% l, Z) VMethod 14 % W, q' y8 @9 W( E
=========. |) H  O6 V  c
- n  \6 M: B" A3 c$ Z
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose, a$ T1 T& A# E& R
is to determines whether a debugger is running on your system (ring0 only).+ M, _2 ]1 G+ y, ^& F# h9 b

7 y0 Z1 ]& I4 x0 n2 ?6 R7 N/ U   VMMCall Test_Debug_Installed; V+ G1 ?0 O5 e* S* i$ K1 J3 `/ M
   je      not_installed- n  v* f6 z6 r  Z
5 `; M  C6 p: a1 D/ P- N9 d# t
This service just checks a flag.
$ V6 K* t8 `- @</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 23:16

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表