About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; es must address the IVT at segment 0
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the PIT counter: an unpredictable value
    xor     cx,cx
    int     41h             ; our handler copies al into cl...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number  ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
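A decoder for the two DR7 values Method 10 quotes, added here as an example (it is not part of the original text): 0x400 is only the reserved bit 10, which always reads as 1, so no breakpoint slot is armed; 0x700 adds the LE and GE "exact breakpoint" enable bits (bits 8 and 9), the footprint the text associates with programs started through the SoftICE loader. The decoder also reports which of dr0..dr3 are enabled and what condition each watches, which is the "memory breakpoints set" case. The bit layout follows the Intel manual; the sample values are constructed.

```python
"""Decode x86 DR7 (debug control register) values.

Added example for Method 10. Field layout per the Intel SDM:
bits 0-7 L0,G0..L3,G3; bit 8 LE; bit 9 GE; bit 10 reserved (reads 1);
bit 13 GD; bits 16+4n/18+4n RWn/LENn for slot n.
"""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 (8 bytes) is valid in 64-bit mode only


def decode_dr7(dr7: int) -> dict:
    """Split a DR7 value into its enable bits and per-slot condition fields."""
    slots = []
    for n in range(4):
        local = bool(dr7 >> (2 * n) & 1)
        glob = bool(dr7 >> (2 * n + 1) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        slots.append({
            "slot": n,
            "enabled": local or glob,
            "local": local,
            "global": glob,
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "LE": bool(dr7 >> 8 & 1),               # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),               # global exact breakpoint enable
        "reserved_bit10": bool(dr7 >> 10 & 1),  # architecturally always 1
        "GD": bool(dr7 >> 13 & 1),              # general detect: traps MOV to/from DRx
        "slots": slots,
    }


def armed_slots(dr7: int) -> list:
    """Numbers of the breakpoint slots (dr0..dr3) that are enabled."""
    return [s["slot"] for s in decode_dr7(dr7)["slots"] if s["enabled"]]


def describe(dr7: int) -> str:
    """One-line human-readable summary of a DR7 value."""
    d = decode_dr7(dr7)
    parts = []
    if d["LE"] or d["GE"]:
        parts.append("exact-breakpoint enables set (LE/GE)")
    if d["GD"]:
        parts.append("general detect armed")
    if not armed_slots(dr7):
        parts.append("no dr0..dr3 breakpoints")
    else:
        for s in d["slots"]:
            if s["enabled"]:
                parts.append(f"dr{s['slot']}: {s['type']} {s['length']} byte(s)")
    return f"dr7={dr7:#x}: " + ", ".join(parts)


if __name__ == "__main__":
    # Constructed values: the two quoted in the text, plus one with a 4-byte
    # read/write breakpoint in slot 0 (L0=1, RW0=3, LEN0=3), as a BPM would set.
    for value in (0x400, 0x700, 0x400 | 1 | (0b11 << 16) | (0b11 << 18)):
        print(describe(value))
```

Reading DR7 needs ring 0, as the text says; the decoder only interprets a value already obtained, which is also what you want when triaging a crash dump or a driver's own checks.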

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
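The constants quoted in Methods 01 to 13 are also useful the other way round, as static indicators when triaging a binary that may carry one of these checks. The scanner below is an added example and not code from the original text: it searches a byte image for 16-bit encodings of the interrupt checks (the encodings are my assumption and are commented in the code; 32-bit builds carry an extra 66h prefix, so the string artefacts are the more portable indicators), for the device names MeltICE opens and for the registry keys of Method 13. It also derives the string offsets behind the breakpoint conditions of Methods 11 and 13 (esp->4+4 skips the four-byte "\\.\" prefix; 0x13 and 0x37 are where "tICE" sits inside keys #2 and #1). The sample image is constructed.

```python
"""Static scan for the anti-SoftICE artefacts quoted in Methods 01-13.

Added example, not the original text's code. Opcode patterns assume 16-bit
encodings (B8 iw = mov ax,imm16; BB/BE/BF iw = mov bx/si/di,imm16;
B4 ib = mov ah,imm8; CD ib = int n); they are heuristics, not a disassembler.
"""

# Device names opened by MeltICE / _lopen (Method 11) and the registry
# keys of Method 13, as quoted in the text.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
REGISTRY_KEYS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",      # key #1
    b"Software\\NuMega\\SoftICE",                                             # key #2
    b"Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",  # key #3
]

SIGNATURES = [
    ("M01 'BCHK' immediate of mov ebp,4243484Bh",       [b"\x4B\x48\x43\x42"]),
    ("M02 backdoor magic mov si,4647h / mov di,4A4Dh",  [b"\xBE\x47\x46\xBF\x4D\x4A"]),
    ("M03 int 2Fh/1684h with VxD ID 0202h (SICE)",      [b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"]),
    ("M04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",    [b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"]),
    ("M05 int 41h function 4Fh",                        [b"\xB8\x4F\x00\xCD\x41"]),
    ("M07 int 68h function 43h",                        [b"\xB4\x43\xCD\x68"]),
    ("M11 SoftICE device name",                         DEVICE_NAMES),
    ("M13 SoftICE registry key",                        REGISTRY_KEYS),
]


def scan(image: bytes) -> list:
    """Return (offset, label, matched_bytes) for every signature hit, sorted by offset."""
    hits = []
    for label, patterns in SIGNATURES:
        for pat in patterns:
            start = 0
            while (pos := image.find(pat, start)) != -1:
                hits.append((pos, label, pat))
                start = pos + 1
    return sorted(hits)


def matched_methods(image: bytes) -> list:
    """Method numbers ('M01', ...) with at least one hit, sorted."""
    return sorted({label[:3] for _, label, _ in scan(image)})


def tag_at(s: bytes, offset: int) -> bytes:
    """The four bytes a SoftICE condition like *(ptr+offset)=='XXXX' compares."""
    return s[offset:offset + 4]


def tag_offset(s: bytes, tag: bytes) -> int:
    """Offset of `tag` in `s`: the constant to use in such a condition (-1 if absent)."""
    return s.find(tag)


# Constructed sample image: a 32-bit Method 01 stub, a 16-bit Method 03 stub,
# two MeltICE device names and registry key #2.
SAMPLE_IMAGE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42"                # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"        # mov ax,4 / int 3 / cmp al,4
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"    # mov ax,1684h / mov bx,202h / int 2Fh
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for off, label, pat in scan(SAMPLE_IMAGE):
        print(f"{off:#06x}  {label}: {pat!r}")
    print("breakpoint offsets:",
          tag_at(DEVICE_NAMES[0], 4),                   # b'SICE' -> *(esp->4+4)
          hex(tag_offset(REGISTRY_KEYS[1], b"tICE")),   # 0x13 -> key #2
          hex(tag_offset(REGISTRY_KEYS[0], b"tICE")))   # 0x37 -> key #1
```

Run it against a real file by replacing SAMPLE_IMAGE with the file's bytes; a hit on a device name or registry key is a much stronger indicator than an opcode pattern, which can occur by chance in data.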


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>