About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is in ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES=0 so that es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install a dummy int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h          ; a real debugger answered in place of our handler
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al               ; our own handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; timer port gives a hard-to-predict value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL==AL only if our own handler was called
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number     ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
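As an added example (not part of the original post), here is a small static triage scanner that looks for the byte-level fingerprints of the tricks listed above, which is how an analyst would spot them in a sample before ever single-stepping it. The opcode encodings are standard x86 and the sample blob is constructed for the demo; the `scan()` helper and the tolerated gaps between instructions are my own assumptions, not anything from SoftICE or from the protectors named above.

```python
import re

# (method number from the post, label, compiled pattern over raw file bytes).
# The encodings are standard x86; the gaps (.{0,n}) tolerate a few
# instructions between the marker and the interrupt (an assumption).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01", "BoundsChecker 'BCHK' + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,6}\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ... mov di,4A4Dh (66h prefix in 32-bit code)
    ("02", "back door magic SI=4647h/DI=4A4Dh",
     re.compile(rb"\x66?\xBE\x47\x46.{0,8}\x66?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h / mov bx,0202h or 7A5Fh / int 2Fh
    ("03/04", "int 2Fh/1684h VxD entry point (SICE or SIWVID ID)",
     re.compile(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F",
                re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h
    ("05", "int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00.{0,12}\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ... int 68h
    ("07", "int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,4}\xCD\x68", re.DOTALL)),
    # Method 11: MeltICE-style device names handed to CreateFileA / _lopen
    ("11", "SoftICE device name string",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh / push 002A002Ah right before the VxDCall
    ("12", "VxDCall VWIN32_Int41Dispatch",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 13: registry key probed to find the install directory
    ("13", "SoftICE registry key string",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(data: bytes):
    """Return (method, label, offset) for every hit, sorted by file offset."""
    hits = [(method, label, m.start())
            for method, label, pattern in SIGNATURES
            for m in pattern.finditer(data)]
    return sorted(hits, key=lambda h: h[2])


# Constructed sample (not a real binary): two NOPs, the Method 01 sequence,
# padding, a MeltICE device name and the Method 12 push pair.
SAMPLE = (
    b"\x90\x90"
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh  (offset 2)
    + b"\x66\xB8\x04\x00"              # mov ax, 4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00"               # '\\.\SICE'           (offset 24)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh / push 002A002Ah (offset 33)
)

if __name__ == "__main__":
    for method, label, offset in scan(SAMPLE):
        print(f"offset 0x{offset:04X}: method {method} - {label}")
```

A hit only says the fingerprint is present; a packer may build the same values at run time, so treat the result as a triage hint, not proof.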