找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
0 g6 V2 v# o; t" p; G' R- l3 ~* q<TBODY>. V. j) r0 F2 t* f( M- G* A  E) z
<TR>
7 f. r1 }  P8 ^$ i( Z1 ~/ {: X8 t<TD><PRE>Method 01 % X0 s. D/ N, G/ K" m
=========
6 H8 U- n/ l) S, B8 g& T/ o; |0 W. Z# K; M
This method of detection of SoftICE (as well as the following one) is
  B$ B& U" A& J9 [. F) d' ?. dused by the majority of packers/encryptors found on Internet.
+ l5 m' W7 [2 w9 t' y$ RIt seeks the signature of BoundsChecker in SoftICE
1 ]" E+ f% b' f7 y8 @( _5 ^+ @( s
* N9 \8 x0 Z, _% ~    mov     ebp, 04243484Bh        ; 'BCHK'- s; ]6 w) [' r$ l7 s; J8 v
    mov     ax, 04h
8 x" `) N& A% A2 v* M; d6 K0 S    int     3       : g3 |. Y) a  _
    cmp     al,4
" [4 {  c. c9 o  e    jnz     SoftICE_Detected
& t# T: N7 F+ n: _
9 o9 t' a5 n5 V* o___________________________________________________________________________$ i& t6 E5 u5 A5 t3 P8 V4 N1 X/ C( O

( @( h9 l7 n- p4 v4 v8 A' [6 pMethod 02
4 ]( D- m& g, z/ M1 D" l=========
1 x$ W( r. e& ^1 A, f; J( R$ V3 j. A; F3 I
Still a method very much used (perhaps the most frequent one).  It is used
* [' v( ~0 b( h3 J8 Yto get SoftICE 'Back Door commands' which gives infos on Breakpoints," r6 @4 F9 w* ^- |# e) F4 T
or execute SoftICE commands...4 m: }* V9 ?. }: A" k! r# V
It is also used to crash SoftICE and to force it to execute any commands$ C& ]; ?, v1 q: S
(HBOOT...) :-((  
- u- V5 d' ^; X. o- L+ _1 O/ o4 N# Z' a4 y! t+ B
Here is a quick description:
4 _  z1 I. i% ]% L5 c+ p( o-AX = 0910h   (Display string in SIce windows)
) b# Z% |' k& t8 X/ ?-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx); K% m: _/ S5 g) \; h
-AX = 0912h   (Get breakpoint infos)& a' ]# j5 O, t5 C
-AX = 0913h   (Set Sice breakpoints)
+ Y% d# Y2 @# H9 t. M8 ~! `-AX = 0914h   (Remove SIce breakoints)
. `3 X( z" N3 G1 R
+ _1 A# H7 f* U" B5 {4 A( w7 X* iEach time you'll meet this trick, you'll see:
9 k2 c2 E* ?4 `( T  I* K) E-SI = 4647h; S3 r0 `5 N$ y7 f; m9 ^
-DI = 4A4Dh
2 c8 b) D) }, \8 B9 ?4 h9 cWhich are the 'magic values' used by SoftIce.
1 r! e) n8 C9 B: Y0 N2 v% O! `For more informations, see "Ralf Brown Interrupt list" chapter int 03h.3 A& S3 M* v9 l6 o1 Y
% h9 f) S4 H6 C9 x$ @
Here is one example from the file "Haspinst.exe" which is the dongle HASP7 \9 m; j8 l" p  f# c0 l9 z
Envelope utility use to protect DOS applications:
0 k1 L5 W  ^0 ^0 t. ]+ O5 f' e# Z  e4 F( C

: E  d3 X; F, p9 O. i4C19:0095   MOV    AX,0911  ; execute command.
. M2 y$ Z6 ?. R0 `2 x3 A" o4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).) v8 x8 T1 [0 H1 r& E& G
4C19:009A   MOV    SI,4647  ; 1st magic value.
7 W+ h  ^) F9 |' T6 ^% a, u4C19:009D   MOV    DI,4A4D  ; 2nd magic value.. J/ E" V9 [9 e
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)  Y$ i. r1 U1 Q
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
+ w7 W3 C; ~' i+ Z" g4C19:00A4   INC    CX/ `+ u4 a) m- |5 W( W3 Q5 B
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
( [) E) y* `6 o! A8 s. g$ Q  J4C19:00A8   JB     0095     ; 6 different commands./ H3 z( Z, W  E9 ?
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
9 K" f4 k& v, {- |' R& P" [) V4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
  C! m  m! G; T' |+ V7 B/ s/ |
The program will execute 6 different SIce commands located at ds:dx, which
7 W9 ^7 d* r. x2 o5 e2 }0 r9 nare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.8 R4 @8 M; K  H! T7 L- Z( N4 q" ?* g
' s9 n9 N* m2 D/ ?
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
6 T5 D7 {' r) d3 y9 ?( u/ G___________________________________________________________________________6 K$ C; `" L) |2 P, q

9 Z$ `. i3 p: A* [( ?9 q, K' U, s9 o/ X2 q! f
Method 03$ R1 r8 \3 e9 t9 T! ?
=========
/ a) U$ g& R. Z2 Z/ `
+ J+ [% K) O2 p; G, ZLess used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
8 L9 K3 T" A1 G' t9 f/ O(API Get entry point)4 ]7 R# l; a; `: `& v" L& A
          f# x% Q6 e# B

: H9 M, U0 S5 [* X: N+ k    xor     di,di; e. w9 V, E. d  v7 Q2 x7 |
    mov     es,di
4 T2 @$ O# u3 r6 w9 U; x    mov     ax, 1684h       / G. I! z: f( k3 L) S
    mov     bx, 0202h       ; VxD ID of winice" w6 I9 N1 G; H4 P2 U+ {! l
    int     2Fh
1 J( Z5 S% \- A! [* g$ ^- Y* ]" D    mov     ax, es          ; ES:DI -&gt; VxD API entry point
2 z! E- i% R1 R3 q    add     ax, di" T; u1 P( a! ]$ U# q/ @
    test    ax,ax/ }% i% D$ b. D  G3 e, |
    jnz     SoftICE_Detected
7 T/ X# ]2 a( M; U5 L3 n' A  v
6 X) `, X6 J. r" I& P___________________________________________________________________________$ l2 L5 C& d! i
5 Q2 v3 u/ G* f& ^9 b
Method 04+ d, g( G; z3 F8 x3 L4 S' ?2 U
=========0 d. n- [7 I6 [& e4 a$ g* Y% _
7 ~% [6 W# M8 [9 c0 L6 L, ^: ~
Method identical to the preceding one except that it seeks the ID of SoftICE' H3 K2 _; b; C# O6 f7 R: `: x7 u
GFX VxD.
2 @+ Q1 H; F) F/ c) n; x  W1 B6 U$ i% W9 O, b0 i3 J3 Q
    xor     di,di
2 Q8 X' j9 [/ O0 k/ c: j    mov     es,di
5 i' O& S% `: o9 L& @    mov     ax, 1684h       ; `6 _! i% Q$ Z" ?5 O
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
" ^; b8 r- ^: k/ \2 `: Q    int     2fh: z% t! h" Z7 x& I, N) x6 E
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
  K2 d/ d7 _3 z. Y6 o! }- I$ p2 e    add     ax, di
: P4 J) j5 i, Y0 {" J    test    ax,ax
" I' N" a! ~- k6 b    jnz     SoftICE_Detected7 g$ l4 O) V1 \' N/ |- {% p

% x" H3 l8 J+ b3 ^$ r; l__________________________________________________________________________
/ {- N& o, X3 F% ~" ~
7 S2 I% Q- s! `* l
. K; T6 t0 R  d: U, @+ u% f3 kMethod 052 I, ]( R. u, i* u  R5 Q
=========
( i8 f: U/ L' K! W4 k
( i, s/ p" M  y0 r9 V# Y% Q  t4 tMethod seeking the 'magic number' 0F386h returned (in ax) by all system+ o# }- i4 |- F! t( X
debugger. It calls the int 41h, function 4Fh.
' l) H' }% S- V- K: j! @' I" }# e$ gThere are several alternatives.  
# s0 V2 ^/ l, |7 B7 N" Z) K
/ ^5 W2 b& G- e( u) n9 B) FThe following one is the simplest:
  U* H( U" Z3 r! s+ C0 F' P
5 n, a$ j/ Z6 |/ _* X9 Z7 x    mov     ax,4fh
  [$ u+ E8 ~( l    int     41h, z$ ^) N$ h0 o5 p- T5 m3 L/ H
    cmp     ax, 0F386  ?# ^/ @5 a: H6 J+ O# o- s0 s, M/ U
    jz      SoftICE_detected5 D8 d( [0 z3 a& P) r+ v  l) G

9 o% v; A6 w; \, ]1 L
/ B, v+ B: @  `/ a" `: o) ~3 CNext method as well as the following one are 2 examples from Stone's
' ^7 o  t* w. d4 u! p* q" L" ["stn-wid.zip" (www.cracking.net):
# P1 T- u0 J: T" V  W0 ~3 ^6 x  B/ K( q2 n4 y% @8 ^
    mov     bx, cs
1 @( z; E0 J* v( Q# J  A    lea     dx, int41handler2, Z' E" q* U7 Q" |" A; ^
    xchg    dx, es:[41h*4]
, K. z! c9 [( l. n: l    xchg    bx, es:[41h*4+2]3 v- c2 x5 ^$ d0 \
    mov     ax,4fh
% o7 j5 x3 [# [, v) P    int     41h
: N; M( A) D+ f    xchg    dx, es:[41h*4]
( e7 A4 P0 g6 t1 y2 j, k* E    xchg    bx, es:[41h*4+2]% u5 w1 U5 d+ f! q7 K$ R' a+ h
    cmp     ax, 0f386h/ k1 @2 l" N6 L) k$ h
    jz      SoftICE_detected3 W0 r- d  }, v- P# n
  J3 S, J2 V' G% m* f) i: z% _9 s/ d
int41handler2 PROC, l# n) G+ F- H& [5 w
    iret
) j9 b5 R) y# @- ?: u$ D/ j, Rint41handler2 ENDP% x2 F) _- e( o; ?% x

: x2 e3 Y6 K. M
4 j0 c1 x- L+ c" F# s+ ?_________________________________________________________________________
- r$ A/ n0 W, J& f4 l; j- L# B
5 e8 [. Q& ^% j, u0 g# C  @" m/ T& I0 L2 V* d/ l  j# ]5 S
Method 06
/ F" ]( A* _' `; y/ l=========! `/ c; X! O! y7 [. V( A0 }

! W, |8 ^. @  c" P2 f& w! M+ n, _
& r3 H; Q/ }( N8 |# J+ z9 e( P. p2nd method similar to the preceding one but more difficult to detect:/ ]- K+ m6 E0 d5 J
' {+ E) h9 J8 O) G. k" A+ F
( k+ ~- g# Z/ s. Z' k5 {% ~
int41handler PROC! Z2 i6 Y! ~% s$ M8 F/ a' U( m
    mov     cl,al
4 V  A* C5 u& q1 y( i" K    iret" s( T1 z+ r8 Z0 ?% Q& P3 d
int41handler ENDP5 u& m* d+ S7 Z7 y3 \5 j
9 ?4 M. |$ }& |
6 T5 \1 F! U1 t( ]
    xor     ax,ax
1 A2 R- a8 p9 M, p) k    mov     es,ax3 b! p$ L  ]5 I& D- ^9 f1 ?
    mov     bx, cs2 [2 V1 C0 f( \2 g/ z' J7 f. r6 z
    lea     dx, int41handler
" v8 ]  q% @1 Q$ q+ d4 l# j; {    xchg    dx, es:[41h*4]- V, N5 [+ p/ g% N% h
    xchg    bx, es:[41h*4+2]
3 i$ q; _9 M" e" ^    in      al, 40h
% x, \. {( h- j    xor     cx,cx1 r( C) q6 O) J, f0 Q
    int     41h- b9 S+ k9 d# j: W' w! q
    xchg    dx, es:[41h*4]% U' ^* J4 O2 f7 y; T. f; Q1 O6 f
    xchg    bx, es:[41h*4+2]
: ?' F& _, Z4 Z" |    cmp     cl,al( {8 d: h8 ]" o; J" h+ N% @
    jnz     SoftICE_detected
/ m4 w' V4 B& ~) E. X) s  H! \7 y" ?, Q1 _6 V
_________________________________________________________________________
& {6 v5 A) {' ~; u1 N+ K+ L2 s( c1 t" u% t
Method 07
: B( `/ L" m: k8 S6 \# C1 M=========- T$ v% {# v5 b

& Y4 o. W0 N9 D; ~7 v4 _Method of detection of the WinICE handler in the int68h (V86)
7 v  I2 R, h2 C" K4 G; K9 z# Z; h$ m0 t  H" i, h
    mov     ah,43h& Q0 X1 s6 i% `
    int     68h6 V4 _, q2 ^0 m: a6 ?! A& |
    cmp     ax,0F386h% O2 a) \7 R& S  h
    jz      SoftICE_Detected! P) H: X, ]" h7 L& I, l

& c. j. |! e+ x6 \4 y' G: d: K# Q7 R& U. P: T4 A
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
% r0 X8 G  L! W   app like this:
+ g6 B9 \# q1 J
$ F0 N" \& u; ]3 p% O   BPX exec_int if ax==680 O7 M: B9 H6 q1 P; a* c: F. ?
   (function called is located at byte ptr [ebp+1Dh] and client eip is
% v/ B) h0 O9 _6 L' D/ Y   located at [ebp+48h] for 32Bit apps)
( u6 F* O, G& s" v# i- q__________________________________________________________________________
8 F9 ?- |, W) @* A* q9 _7 `* F( F3 Z9 p7 `
+ o" `7 i( h% m$ O5 P$ W/ s5 `$ V
Method 081 O7 D% h; K3 S/ C' Y
=========
9 s9 _1 D& \' c9 S% |0 B; D: X6 L# n  L, j! e
It is not a method of detection of SoftICE but a possibility to crash the
/ I& k3 B- ~$ ?5 ]system by intercepting int 01h and int 03h and redirecting them to another
6 @; J, U! Y$ K5 Y* }routine.
) _- a- E; L: wIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
/ [" F4 ?' N1 G7 e5 L. W0 C4 b' \' ?) Qto the new routine to execute (hangs computer...)
/ ?0 A* g6 E" Z- f( I  S8 H, X( h' C" D
  \9 o) a; k% ?1 g" I6 P. v    mov     ah, 25h
% v4 z2 U- D; s    mov     al, Int_Number (01h or 03h)$ ?! a8 A9 r5 m- X' t% g
    mov     dx, offset New_Int_Routine
' x. ^( @0 a8 c' d: Y' l' @  g    int     21h7 K, H- B' w* t. v
5 b4 ^4 u  I1 t6 C. h2 o& N
__________________________________________________________________________$ v. e3 c) ?8 V0 Z" V( e

( e7 Z* B9 k# e0 u) k' A3 zMethod 09
& a6 m; L: C/ _* t=========- G6 l: e" v1 F6 d9 f) h0 c
5 C4 b8 t" F- ^( P8 C8 c9 T
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only
' O4 a. y  f! a% R$ U: @performed in ring0 (VxD or a ring3 app using the VxdCall).
5 H% @% @3 {, l' p. }  nThe Get_DDB service is used to determine whether or not a VxD is installed
* z7 L5 Z' e( K& G- g. rfor the specified device and returns a Device Description Block (in ecx) for
- s  `0 n1 B' ?/ Tthat device if it is installed.- o% ]# v  N; {* F: n2 P1 e

0 V$ L4 A# X7 w' O' L) g* }   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID2 }) L6 h5 F& R
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)  Q0 ?& b: L# K, c
   VMMCall Get_DDB/ |" {. X+ P3 S  o7 _# V7 B6 d# {
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
; G2 n) [" ~5 d, [7 k, C
8 t* J) ]# o$ N6 ]5 v9 W& tNote as well that you can easily detect this method with SoftICE:
  X' R8 f, o  @9 z4 k   bpx Get_DDB if ax==0202 || ax==7a5fh
  l& r; e, g' L5 M7 Y5 ^  ?8 D' O+ I+ H  B9 L/ w) F4 C
__________________________________________________________________________
% M6 m: n. H# l9 f3 j  E# u0 r/ t% W( l7 B  s) G" q" [. k
Method 10
" q3 X, r5 W0 U% f; s. A=========) D# k& R4 h( Q2 W6 u$ K

& e* {1 K- ?# R0 @) S$ M" u/ v" r! ~=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
9 }6 n8 ~7 M- l1 y  SoftICE while the option is enable!!
9 e) L  }4 ?1 o. D4 ^
8 ?1 A  R3 f1 q3 a% zThis trick is very efficient:
/ G( o2 p( `& d, x6 J. g: C1 Gby checking the Debug Registers, you can detect if SoftICE is loaded
6 H, f4 ~/ a, ]% h/ q$ Q(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if1 g( F$ ]0 @, I) w2 p. @
there are some memory breakpoints set (dr0 to dr3) simply by reading their8 N' ]( ]% a8 F* {' u( J% |
value (in ring0 only). Values can be manipulated and or changed as well
4 A+ T9 E" D! G$ C( L- t# [(clearing BPMs for instance)0 E9 o6 j0 n9 n* a3 l' K
# f2 B/ u. j$ p5 |4 `9 B' ?$ m# P, K
__________________________________________________________________________; L8 c( N6 V0 g
+ H/ y" w0 q3 @) i
Method 11" f6 @) p" _" G& z( {
=========6 Z, v, U) G" d& W0 x3 |' G) ?

/ ~* Z8 u- x; s- @7 u# u. h' H/ `This method is most known as 'MeltICE' because it has been freely distributed
/ }7 A5 J! n4 a0 f3 ~5 b1 v3 Uvia www.winfiles.com. However it was first used by NuMega people to allow3 v" j3 Y2 m0 K& b2 ~5 e
Symbol Loader to check if SoftICE was active or not (the code is located8 n# J5 V# q  f! P
inside nmtrans.dll).2 T& |& k. E0 j0 S

& _- J. W( u( w" o- K" EThe way it works is very simple:; j% x" b& z7 c8 g, L0 |
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for! q1 }+ j7 z9 a& c+ l# y( e
WinNT) with the CreateFileA API.
) d6 x0 W0 @$ L
4 `, Q& `% R- _) C2 V0 B4 P0 v; pHere is a sample (checking for 'SICE'):
0 H& {, w% k; J0 H) Q0 y% I5 e- X2 b
BOOL IsSoftIce95Loaded()5 s/ J! _: A: ~& n
{7 C* F* h* `' ~/ g
   HANDLE hFile;  
8 L- y- v) F$ a2 C" d1 b   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,/ D; q& {0 |8 @& `
                      FILE_SHARE_READ | FILE_SHARE_WRITE,# f# L# E, {1 ]! z3 U7 T* ]
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
4 y! h, n* R; r5 q  |) }1 I   if( hFile != INVALID_HANDLE_VALUE )
& ]& L+ C- h- l4 b; p" e   {2 E5 I! g: d; O/ h6 j
      CloseHandle(hFile);+ p. I; E) L6 _; @% b7 o$ Q  u6 T
      return TRUE;
0 d6 ~. D" {  {# a* O   }1 l5 |: M9 n; Z% ^% m! A' g8 J% y
   return FALSE;
$ L! g' _. P$ p5 X}
7 v) D0 S1 t# h5 i& x- O& z6 ^9 w* I2 a- T: O7 X- ~2 x
Although this trick calls the CreateFileA function, don't even expect to be- C; Y8 Y* y9 z
able to intercept it by installing a IFS hook: it will not work, no way!
( Q! f6 q+ e9 F6 t! GIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
. l7 n* d' x5 l( t7 W, p8 |; vservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)# O+ r& {& d# N" r1 u$ w- q0 q
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
" j0 o; `/ L/ Y9 Q" b, ^4 @field.5 w/ t& f0 Q  b
In fact, its purpose is not to load/unload VxDs but only to send a 9 R' `. H8 e7 \+ C) V" W
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
& n1 e3 U  J2 x# \2 @2 dto the VxD Control_Dispatch proc (how the hell a shareware soft could try
) ?, ]- h. |; h0 R4 l8 n9 ^& K+ Dto load/unload a non-dynamically loadable driver such as SoftICE ;-).
: d: X, l6 W: L" Q9 K6 o2 IIf the VxD is loaded, it will always clear eax and the Carry flag to allow% t' m; V" L/ m. z5 e; c+ s$ s
its handle to be opened and then, will be detected., u& ]$ ?, a7 \" ~6 `$ ?# H6 O
You can check that simply by hooking Winice.exe control proc entry point; y* ]: b, L, D6 W
while running MeltICE.' n; L; N+ x* s

0 G) u9 W& {" q. E( t$ r& c& g6 s2 y( |7 P" K9 d& o9 U
  00401067:  push      00402025    ; \\.\SICE
/ R7 O) r, Y; N# b2 x0 e$ u  0040106C:  call      CreateFileA4 s4 J4 _5 v( {* n  [) U4 a3 y
  00401071:  cmp       eax,-001
( Z% G% q: a2 T5 I4 e  00401074:  je        004010911 ~+ y" H$ o/ k

2 Z. r8 c7 _6 d( [4 ?: g3 y9 T
There could be hundreds of BPX you could use to detect this trick.' W, r" P7 o' \+ Q2 o& ~! m
-The most classical one is:
5 c) t+ s0 N, `. H/ q* w  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||  z7 |( r9 D) Z$ E
    *(esp-&gt;4+4)=='NTIC'9 ]2 [7 L; Y8 E% Y

4 M/ |8 @5 F$ `* a-The most exotic ones (could be very slooooow :-(* Q6 Z& f" p) B1 ~! x! a1 E0 M8 |
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
: A) |# T  F+ |5 \: E! }     ;will break 3 times :-(
- a" r/ f; R1 o( k# I: c! _
$ ?4 M8 K6 x8 ^1 j+ u-or (a bit) faster:
9 _+ d) p' r$ D! R' m   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')2 e' x+ ^8 t5 q# J$ `. A! O# D$ W
# o; N& p; ^1 l5 K2 B$ _
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
( N0 a+ y# `4 B" L( r& P2 L     ;will break 3 times :-(, o9 v' N6 C8 L% [, e& g! ^+ L6 y
4 U5 e0 Y5 ^+ i3 R5 Y  _0 `
-Much faster:
, ?. a0 `& k9 I" e   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
* x* _. ]5 [2 \$ v. h' S6 U6 t% b) |
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
& ~& d# l9 I' a0 \function to do the same job:
  w* C: ?0 Z) a1 d7 K& f+ I$ X) z5 z/ s0 @$ Q
   push    00                        ; OF_READ
9 W! ?8 y3 Q; X   mov     eax,[00656634]            ; '\\.\SICE',0
' p+ @' z: `/ z. @) K   push    eax
" n3 v9 Z* k7 D0 E* Q' R   call    KERNEL32!_lopen! n+ D& _! l+ C9 v
   inc     eax
$ H  U9 L+ u5 {9 p   jnz     00650589                  ; detected
) E. L& I2 g" x4 f& m   push    00                        ; OF_READ
  j/ G* L5 V, ?, O- l% U   mov     eax,[00656638]            ; '\\.\SICE'% Y2 v( h- |  b& |1 ]7 i* e
   push    eax
1 D8 w/ @# U; Z9 W8 m8 I8 \- M   call    KERNEL32!_lopen
: l3 F: x6 T& m) F7 A0 e2 h4 u   inc     eax
2 d) r9 a( d+ X7 x) b1 v% w5 F( Q: u4 a   jz      006505ae                  ; not detected7 ?) T# `% T, d* T+ m
! X: \" U+ _/ T
+ T6 ]* m' H2 O" `, i( o2 o
__________________________________________________________________________0 ]. e8 a, \& [# S- W. C# x: O
5 B; g4 [1 r( O' h- I$ s+ `( Z8 G
Method 12
9 P6 _6 Z. Q$ `( q2 C2 \" @# ^3 B) m=========
. K% K3 w1 v6 r- V: [3 |6 [8 b! m- u0 v: V" Q8 y9 F% D* }) A
This trick is similar to int41h/4fh Debugger installation check (code 05# g; [: |) s: F" B. p" N8 n0 o
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
) [$ o; N4 U9 r  b2 zas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
) B) ]3 ^" n. v1 Y3 G, E1 o
0 k* E4 n3 x# W4 L5 d   push  0000004fh         ; function 4fh
8 T( @) Z) H" r$ ]' V% D2 D   push  002a002ah         ; high word specifies which VxD (VWIN32)8 N6 f' H1 I  K7 H0 J5 q, X7 y
                           ; low word specifies which service* }3 c' W, ~3 i- X* ]5 V" M- n
                             (VWIN32_Int41Dispatch). Y" g  }! ^) @2 y$ z1 y
   call  Kernel32!ORD_001  ; VxdCall7 d. a6 S3 e7 o9 E5 v, O. n
   cmp   ax, 0f386h        ; magic number returned by system debuggers
$ \7 P2 d7 s. j; }8 U- w7 g   jz    SoftICE_detected
# ^" N: g5 A( r$ d% h
( c2 _" |  {) k* VHere again, several ways to detect it:5 f0 b' E4 R, {$ x! i
; j$ c/ t8 ^  @+ V4 \* b
    BPINT 41 if ax==4f
8 y$ T. X3 Y7 i) k3 \0 R, z9 \
! m0 b$ h5 J+ L2 t# p' Q    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one% R3 |- L" ?7 X9 a# H& z- j

% f; c( T. w7 B$ h( K    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
* ]% ]; X( n8 |# O" |9 O
0 a5 p& s( l6 I8 b% b) u    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
: h9 b4 @- @1 s% L+ B5 m0 O  H6 D1 t& N9 f9 Y3 [6 s
__________________________________________________________________________3 k6 F# ?7 m* M+ T9 ]
) }- i5 ]0 A' q; Y" O' P. h; ^8 r
Method 133 z9 Y) e8 F9 z9 U5 J; w
=========/ V1 u" ~  V) V! _
. _+ u  u! u2 V8 Z1 {$ L
Not a real method of detection, but a good way to know if SoftICE is
* b7 f  o% _3 N% kinstalled on a computer and to locate its installation directory.) `6 Y9 g+ O5 B' X
It is used by few softs which access the following registry keys (usually #2) :& e: R/ t4 `" W4 T
  ~$ K0 I  c1 b6 R! @
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' Q/ {9 I- O$ D/ i! u  b
\Uninstall\SoftICE$ Q, p1 ~/ |/ i
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
- ^7 x5 J4 D4 `  d-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; ?7 ^1 w$ M2 s2 u" v# U
\App Paths\Loader32.Exe
5 T4 N& R: m+ H2 h6 D9 Z  T" D3 a$ z+ t4 l. O
4 }! K& `& H2 ]0 g+ A
Note that some nasty apps could then erase all files from SoftICE directory
- n% f: L  f3 i2 ]* M& J(I faced that once :-(0 P& Q3 D/ }# Q+ B# c
; }# T7 L* W( e/ w1 r0 L
Useful breakpoint to detect it:$ i0 @" R1 F! E4 T
0 p% N! ~! N) N1 J  a$ m
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
2 Q  o) J) K1 K$ b$ K* ~" }$ d
2 r6 D. U) R' U* X__________________________________________________________________________
$ g0 K! }/ Y. T" l. U/ P" C, c1 J6 N5 B5 ]* Y
7 Z7 f% z& b. i/ z
Method 14 4 q: W7 E3 ^: D4 t" A. {
=========+ V5 Y2 c% G6 `1 D6 G1 ]$ v% @3 K

- c$ O' ]! p; e5 F1 y7 P$ \A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
0 c, e6 z' M. k" \2 F/ S4 A$ q  ?0 iis to determines whether a debugger is running on your system (ring0 only).
8 J  x/ ~8 Y3 p8 a/ O
/ t$ x" F& V9 ]% x- n+ _   VMMCall Test_Debug_Installed; {+ I& ?2 j# h6 ]6 q
   je      not_installed( t) w& N& o$ o# \
1 n7 v# a" Z1 O9 t3 m! N
This service just checks a flag.
% w; I2 z: j8 M; f7 e( @* u: W</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-17 07:09

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表