找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
' R: ^) U$ U$ @9 T3 M<TBODY>
7 L0 C+ L. S0 X4 e- |6 k<TR>
0 j& u. R* G2 ~7 R* w. h' x<TD><PRE>Method 01 4 S! j; {0 J- \1 o8 n" C
=========; v% V4 z0 b4 F. V- V8 Z$ f2 p3 f: b

8 |5 e! g; e0 uThis method of detection of SoftICE (as well as the following one) is" E' Z. r0 k2 a$ G$ c, J" J
used by the majority of packers/encryptors found on Internet.+ n# x1 G6 ~+ J1 ]  D/ {5 r' ^& }
It seeks the signature of BoundsChecker in SoftICE6 ^' p; P% I/ ?* z" |. A

$ D: X$ N. U( Y* D0 a    mov     ebp, 04243484Bh        ; 'BCHK'7 s9 s* O3 l- ]. D8 i
    mov     ax, 04h
7 C( c. y3 R' o% k4 D1 r9 i0 n    int     3       ; e: ^) w- T3 ~8 Z
    cmp     al,4
" B4 r! z( S9 f9 _. |    jnz     SoftICE_Detected
+ G4 f$ s& W6 D! p' w
, b  F7 q# B/ S  ]+ @___________________________________________________________________________" o8 x$ ?1 f4 B% o" q8 f
; _( W/ O% }: K, @
Method 02
3 E) q( m9 f+ z0 T1 D& a0 Z=========
: C8 m5 r4 l6 {6 [* @2 _% M1 F1 b' S$ s8 K0 f/ x
Still a method very much used (perhaps the most frequent one).  It is used
4 I  X' a: X5 T4 h  k# Y; bto get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 Q8 s0 H$ Y  mor execute SoftICE commands...8 U" J8 y& [: B0 ]9 V0 f0 l, W
It is also used to crash SoftICE and to force it to execute any commands2 ~& x5 }& R+ D" w/ o; _9 a! o
(HBOOT...) :-((  ; B: c- Z  _/ P9 \. q" [
& \* D4 A. y+ H% j8 H
Here is a quick description:
3 f- N: [0 c! t) y& K-AX = 0910h   (Display string in SIce windows)
( n' A4 ]! D- t-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)  s' @2 c% p$ o: M# l0 |' o
-AX = 0912h   (Get breakpoint infos)
+ A# I& k* y' H! T! ^-AX = 0913h   (Set Sice breakpoints)
, _! N9 f* n8 n# y2 m: e9 E-AX = 0914h   (Remove SIce breakoints)
: v# X$ v. F( c& F$ [0 Q1 F. i) a- {
Each time you'll meet this trick, you'll see:: ?( h5 s* p! |! m) o' M; h% P
-SI = 4647h% ~- {+ S: R* A3 K4 t! I
-DI = 4A4Dh
6 B5 l. A! g2 GWhich are the 'magic values' used by SoftIce.
! J/ c4 g$ n, X/ J8 F4 RFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.2 e; u" U2 b2 }7 D2 Q# T- S. [' A

5 h$ l/ {/ I1 n4 S+ k, D; `5 H* |. M) IHere is one example from the file "Haspinst.exe" which is the dongle HASP6 S+ v# P, r3 M1 j$ _2 ^/ r
Envelope utility use to protect DOS applications:! a. F* P# p) S

4 ?+ w1 K0 }* |' j+ j
8 A: m9 h. R1 ]6 e% B  R! @4C19:0095   MOV    AX,0911  ; execute command.
6 c- _( y: e& c  b) ]- r3 B4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
, ]( a% m' h; c! r# e4C19:009A   MOV    SI,4647  ; 1st magic value.
- y+ U- _' f$ t" O: q& a1 {0 l4C19:009D   MOV    DI,4A4D  ; 2nd magic value.7 b) o/ q$ K8 ?+ j) l
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)5 w) ~4 o/ |: r5 ~' b6 I* c( \" M
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
9 h3 W1 ~# x. Z4C19:00A4   INC    CX$ {1 N9 I2 J. t! ]2 c/ Z
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
) u9 ?: V* D: ^5 L4C19:00A8   JB     0095     ; 6 different commands.
' B; J) h* i) I; `  N. Q7 ~( ^* J4C19:00AA   JMP    0002     ; Bad_Guy jmp back.  R0 g# ?: Z. c
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :). r7 w' e$ P5 t9 D  ?4 t
4 R# n. P+ {9 I
The program will execute 6 different SIce commands located at ds:dx, which
7 c* ^1 P) E+ y( h# u( w6 f2 |, Vare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
/ w0 l+ c- F8 w/ L; o; n% s3 j9 f4 z. {2 Z. n8 f
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
( ?" J/ r( J# ?8 x. a' s: ?$ K$ `- u4 d___________________________________________________________________________; l! l$ Z9 l$ d. i0 _
9 @4 i% l3 K- a, @5 _
3 [4 A: s1 T7 R/ n3 W' [/ P2 e
Method 03. u! c  Y  m" @, ?/ o8 l' k
=========
2 e+ a) G# B3 Z. j; t2 x" R1 R( e7 H" w' i" [" f
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h' n' e+ i' X5 C8 J) M; Y+ J
(API Get entry point)2 J4 N4 X, }7 ^) {3 u9 A1 F
        
, x/ i! Y) [& I1 v3 [' s, w: k5 I+ ~2 N" F5 l  E( F
    xor     di,di, ?% Q5 N: e3 |( v! e; Q
    mov     es,di
7 J: f4 J- x5 x7 `7 b    mov     ax, 1684h       4 m# d# w4 ^& I0 Q$ ?* y
    mov     bx, 0202h       ; VxD ID of winice7 M( x( K, [! L. |5 t/ j  W, n
    int     2Fh
( e6 `2 e6 \# D7 [8 p    mov     ax, es          ; ES:DI -&gt; VxD API entry point7 V4 N2 F2 J3 M$ \$ m
    add     ax, di( {+ {, a! K9 @/ N4 e( b
    test    ax,ax3 G* X7 y+ B7 ~
    jnz     SoftICE_Detected9 h! X! Z6 T0 |! P; m# T$ ^, z

$ @% p, A' f) t( U, O___________________________________________________________________________- n4 y, n/ U$ n3 ?9 H

: w1 @6 f8 S; J% mMethod 04
! }; a8 I9 d% S=========" o1 L# {( i: T& t
: \6 g7 ^3 D- }( I) Q9 z& m/ i
Method identical to the preceding one except that it seeks the ID of SoftICE% A$ u0 W" b: d% H- H  n5 X# z
GFX VxD.
/ [4 a, n" Y8 B) g7 S. O# e& c: t9 s1 D* _# C
    xor     di,di- e' E* L- z* W2 n/ ~3 h: A* T% U) u
    mov     es,di
5 N9 |" P$ n$ a: J! }" v5 V    mov     ax, 1684h       4 o; B: o6 m3 k5 T" E/ g5 T. q
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
  T6 i, G( ]( F/ s1 Q$ q/ b' q    int     2fh
: R' S( e, @( w6 A* u8 [    mov     ax, es          ; ES:DI -&gt; VxD API entry point- K* l4 y1 c9 C3 r' G
    add     ax, di, J4 k# f* `0 G7 D# O
    test    ax,ax8 v1 c) r; k8 U: }
    jnz     SoftICE_Detected  @" o% ~7 o5 ~$ q  K5 @
7 [; O2 c+ o4 M2 `# e, H
__________________________________________________________________________  P1 w. T- |$ `  |  I
, P+ K  s6 |3 z9 c6 P% s4 a* O- Y# _7 z
1 F; o: A- P: b" W5 @
Method 054 H  X& X" \% R: _
=========/ z! w( o$ W# C$ `! Y2 o0 i
2 |& p+ W# ]5 R7 J% F0 ^
Method seeking the 'magic number' 0F386h returned (in ax) by all system
5 V, n! z) B: Wdebugger. It calls the int 41h, function 4Fh.4 {: L. @8 }1 u3 [
There are several alternatives.  
% C$ e+ w$ }+ ^. _1 J
2 H: n- u5 S8 ]The following one is the simplest:
9 |' e. K' }- D  b/ s/ c9 A3 `( t6 f3 c+ ]% A2 `5 T6 v
    mov     ax,4fh8 c3 a9 _) f* f' a% }
    int     41h/ W% f+ \. m% c. z1 i- T8 d# j7 {
    cmp     ax, 0F386$ K8 X1 _, H- {! Q6 B4 K& y/ }- p1 K- ^
    jz      SoftICE_detected: h+ [6 Q) \5 L

9 l: W) W# s' `& k8 D( r. @3 T0 s' I
Next method as well as the following one are 2 examples from Stone's ) r) T. c  F0 Y! J4 l* ~; k! B  y
"stn-wid.zip" (www.cracking.net):8 ?0 A' O% |2 |8 {
- v$ r; p+ u% D) `) L5 i
    mov     bx, cs" J; r0 j0 x* H  h5 i
    lea     dx, int41handler2
0 e- M5 a8 m  d: U    xchg    dx, es:[41h*4]  [% w* ~7 P3 o. d- Z8 f
    xchg    bx, es:[41h*4+2]! a' ]. O/ i* a( i5 [; A7 L7 s" q  z3 ?
    mov     ax,4fh
* D% G) H6 Y$ h3 T. ?5 r7 b: i    int     41h
; A0 a8 ]: ]3 L$ c) ~    xchg    dx, es:[41h*4]
3 W7 {, Y- p! x3 Z9 M6 a/ d    xchg    bx, es:[41h*4+2]
; |" o7 g& h* ], u) e' D( y( [+ r    cmp     ax, 0f386h4 v1 ]( c( Z/ V3 s" t3 ~
    jz      SoftICE_detected$ S! M6 G# R4 V9 P/ ]

( j  j+ X$ D; {& pint41handler2 PROC  K6 G$ \, {% {9 G4 B
    iret
0 a; m4 z) C1 \4 i( T/ @+ V0 H( d5 }int41handler2 ENDP" n7 M* b3 R$ z7 {1 e
3 D  R9 Z/ `9 q; J1 U5 U! C0 q2 r1 g
9 c- M% B. V6 {5 p. Q6 k
_________________________________________________________________________
! w" e2 O6 N2 ?2 K8 h0 X$ e/ W3 t" o5 @; V; \0 x" A/ X

6 k/ [3 p0 d# }  o, RMethod 06$ ~* G- `, o( W# |; ]' z) J, w
=========7 \  ^4 [+ ^6 X' @# I
) Y: @3 R3 A! r6 y! |

# }3 \; G# h; _( w. x7 ~( m) O/ W2nd method similar to the preceding one but more difficult to detect:0 o& X8 B# b- x: i( x' Y
% j( x' R8 ]2 o3 `) t

, y# {8 G! z& ~$ Bint41handler PROC* o7 Y+ t8 h- @. o+ l
    mov     cl,al
2 @" g% q0 |" l1 L    iret
& Z6 _# v6 r: ?- N& Wint41handler ENDP  G7 L/ l& X# e1 X7 h- J6 i9 v9 `

; F. I  d4 O% V, R# P% k3 h
6 k# L. O2 i1 c2 p3 r    xor     ax,ax. g' q& S/ }3 h( ~/ c# `
    mov     es,ax; j  D% ^% I7 ?7 s3 ?
    mov     bx, cs& t8 W* `3 h: D  \$ [7 H
    lea     dx, int41handler  M& S, L( B+ ]& ^# Y) a
    xchg    dx, es:[41h*4]
" g, Y8 L% A* t- `( f    xchg    bx, es:[41h*4+2]
% y; l! ?4 a; h8 y* O1 R    in      al, 40h
& U1 [+ \- j/ j    xor     cx,cx' Q- m+ z  G8 J8 U0 B# e& o. _! `- ~
    int     41h$ i) Y* y" u4 G( ]* `
    xchg    dx, es:[41h*4]
; y( d0 r) Z3 p7 `( D' p( ~4 f% {2 ^    xchg    bx, es:[41h*4+2]
7 p; y% `& m7 w) o2 n. B    cmp     cl,al
6 L! Z1 [" J7 i$ C: Z8 D$ R    jnz     SoftICE_detected# s" Q, r3 o9 t5 E2 }
8 i9 V- k5 s! W3 @* V
_________________________________________________________________________
' {% f$ w1 [" D) S
0 N5 i0 x+ s& {Method 07
5 P# |, u! ?3 `# E=========2 M' W: X# ~7 k: Y
" b7 j! d( X6 Z1 B
Method of detection of the WinICE handler in the int68h (V86)
! L; v! q# u5 [3 }% U
3 c( W! h! M8 F1 V4 v( o    mov     ah,43h
6 g3 c7 |" I! a3 _/ L. Z* d2 `    int     68h
2 }$ ~/ [$ \, O7 c  T& y    cmp     ax,0F386h
$ _5 a1 l/ l( i) Y    jz      SoftICE_Detected% Z( y# R7 |/ O- x- C0 y: k3 P% D; L
3 C& F$ }0 `! F% e

3 C6 q- y6 `. S7 Q' g/ L=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
; k8 i5 u0 z0 h   app like this:
- L' p5 E5 s, Y) o
! G  X; ^8 V" L+ x   BPX exec_int if ax==68
3 s1 U3 h4 P* ~   (function called is located at byte ptr [ebp+1Dh] and client eip is
- w  x- W+ R9 z: V+ I/ E  K+ F% q   located at [ebp+48h] for 32Bit apps)+ ^2 d% \8 u: S+ a0 B& J
__________________________________________________________________________1 _) R/ z5 \  K+ w8 p' p3 }( s* i

0 H& x. m* o0 _9 r) R
/ t2 g, U, w* ^Method 084 @7 q9 P) O+ r# i
=========, n8 E0 \/ V8 {2 f  {

! G: D4 B; |, P9 u" IIt is not a method of detection of SoftICE but a possibility to crash the) M1 o) c) A: o9 ?& }1 n1 Z$ k
system by intercepting int 01h and int 03h and redirecting them to another
5 R/ N' j+ o; X  j% Y0 \+ |3 {routine.. b7 {2 i1 V6 @& F+ q" G. c
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
. ]4 k0 y( Z: Oto the new routine to execute (hangs computer...)8 _' d: `+ b, j

2 U/ N" g6 S7 s    mov     ah, 25h- C0 I+ v) K# C6 ~4 e6 n9 D1 @
    mov     al, Int_Number (01h or 03h)
  ?6 ~: B0 b3 @1 M    mov     dx, offset New_Int_Routine- e9 |6 B1 _' @- h
    int     21h& y+ ~, n/ B0 E  h" B( D! D+ Z
+ ^/ a8 c6 B% y/ I1 D) z
__________________________________________________________________________
( Z2 v8 V6 @  q  h
0 C7 W, C, k# U; Y) wMethod 09
- J" `/ i1 M* ?0 ~( C( }; [=========( S! f/ _4 [2 J6 q% W' g0 }
) \, |2 @& F7 {2 J+ d5 \
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only2 `+ z/ z7 G( U- I) ?4 w) R! \
performed in ring0 (VxD or a ring3 app using the VxdCall).
- e) P0 e# y- t5 UThe Get_DDB service is used to determine whether or not a VxD is installed( R( A. F9 j+ X% ?; E" [4 A7 k
for the specified device and returns a Device Description Block (in ecx) for6 Q; ^/ Y0 G" h$ o, b8 l
that device if it is installed.0 }* Z, I1 p3 m  R$ P

7 d8 k. r2 y9 D: G* Y   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID) l- D4 v% M1 E
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
* _. w5 P0 K6 @2 Z/ L' i% j* W5 q' N+ `   VMMCall Get_DDB$ U5 m+ K; P- j; B3 V  o
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed7 D$ o- \- x8 s0 R2 y  |$ r
. a. s8 n9 f) g9 C
Note as well that you can easily detect this method with SoftICE:
/ y, R' K" Q( I) v   bpx Get_DDB if ax==0202 || ax==7a5fh. ]5 t7 N  l7 O( N$ w; P+ x

% ~6 j. O. x% P; C, M__________________________________________________________________________9 o+ M7 o& D2 Q6 I0 K2 ~

4 v/ I( {# m. I, _: iMethod 10& H6 w" t3 c. D
=========
$ t$ i3 y# D9 s. \' S* r! b5 B" Y  q* d& Y
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
! R. O  f3 C$ r  SoftICE while the option is enable!!
& x, t5 D3 ^' b5 O) J! u+ ~. q3 D6 k8 B3 f
This trick is very efficient:
6 }- q) x& b* X' z0 V+ U( Uby checking the Debug Registers, you can detect if SoftICE is loaded; i6 S4 X% V+ e7 D6 j: D$ u
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if1 a# B4 d0 Y, y' W, n
there are some memory breakpoints set (dr0 to dr3) simply by reading their7 a/ z; ?* I8 b8 w, I, e) P
value (in ring0 only). Values can be manipulated and or changed as well. J5 w% Y$ Y# `; x" E1 B2 K
(clearing BPMs for instance)
8 q1 j" M0 b6 d( W( f) @4 u
# X. w2 d# Y) ~! Y7 }__________________________________________________________________________! S' M" ]9 h- s
% K" V6 B1 c5 j! U5 y
Method 11" k, R( e* S5 W8 l) W/ ^4 b8 l
=========8 \( y% n( f2 w  J8 Q8 R4 D

; h: R7 q1 I# y$ X! b* z0 }' LThis method is most known as 'MeltICE' because it has been freely distributed; O' ]0 b: D3 b% i
via www.winfiles.com. However it was first used by NuMega people to allow3 r# a# R) }) K- R5 I
Symbol Loader to check if SoftICE was active or not (the code is located
4 G' z+ Z& `/ g2 l7 e9 qinside nmtrans.dll).
* l4 m* [: v9 i- R" o$ _! c$ l! h7 c
The way it works is very simple:
4 D8 o7 E! A: N  GIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
. [- M; h5 n! H2 T2 @8 IWinNT) with the CreateFileA API.+ O) t! M0 J: R( p
; T: L6 O4 k% ]0 X& f; C& o$ [% r
Here is a sample (checking for 'SICE'):
" l! Q" ^8 m8 L3 \. L+ \1 n3 @2 g$ D2 B
6 u: K6 A/ W" h4 i: U8 WBOOL IsSoftIce95Loaded()3 z4 D3 G2 M2 C5 r2 ?
{: B1 _% k4 u" i( x
   HANDLE hFile;  
7 W/ n1 N9 e$ d  I% l4 h   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,9 M" S' G, H) q: y8 w
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
. S. S; ?+ e' X                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);4 b5 w0 f( B  X* B: m
   if( hFile != INVALID_HANDLE_VALUE )
& v% t2 ?4 P/ K/ [. b" j" i, v# B   {
; B8 K: x; ?0 ?8 t/ x  J1 ~; N0 P' q      CloseHandle(hFile);
* k/ w- E( w: g7 a8 i; C! J      return TRUE;
+ z! G4 l7 ^- z+ `   }
4 }: Q# C1 G  O; P6 U8 n9 u   return FALSE;
/ {$ v+ m$ r) {5 h" b}
9 x% V3 k6 {( B: |9 n& H0 T/ S5 J0 [& u3 L
Although this trick calls the CreateFileA function, don't even expect to be
9 W# A/ E7 H. F, \$ e# ]- F6 t1 Rable to intercept it by installing a IFS hook: it will not work, no way!# D" G2 [" i0 F2 H4 s; t
In fact, after the call to CreateFileA it will get through VWIN32 0x001F. T6 b: {1 j1 R& q6 ~& y) O
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)3 R9 c+ ^5 |4 H. @
and then browse the DDB list until it find the VxD and its DDB_Control_Proc% p9 u9 Y0 o) M# Y& h7 o( j$ e4 P
field.; Q- j7 `/ _! ^5 g0 d$ T
In fact, its purpose is not to load/unload VxDs but only to send a
3 S8 p* J& b5 k. u) E5 I" PW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)! A1 U* }  ?1 _$ R
to the VxD Control_Dispatch proc (how the hell a shareware soft could try+ ]8 F: O: T! O8 l* t' k3 s3 @' k
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
& ^0 e) d( I  F( d+ G: L6 U; ^2 cIf the VxD is loaded, it will always clear eax and the Carry flag to allow
6 E) v9 ]2 \+ P* K/ m- u7 nits handle to be opened and then, will be detected.
) Y3 ?/ R: B& e1 I$ H0 v1 t4 fYou can check that simply by hooking Winice.exe control proc entry point& h' F( ^: b' x& \# |0 r
while running MeltICE.! f6 _( ^) @5 l. K. v! K- l
- f) n7 L6 u" `

6 g6 S8 Z5 X0 A$ ~  00401067:  push      00402025    ; \\.\SICE
( Y. S1 T, Z' J0 W# q: d2 W  0040106C:  call      CreateFileA
# w) h  P; A3 ?8 ?! l- }& I  00401071:  cmp       eax,-0010 ]; E) A$ ~% W
  00401074:  je        00401091- z. X: s2 i" H5 ~# H9 ~
3 ~" \  }+ h( L, B  ?. }; \% c. y

8 r. Q0 Y9 L+ }. O3 [; yThere could be hundreds of BPX you could use to detect this trick.
0 E4 K* O# N! w9 g( x-The most classical one is:0 G' j8 W2 g8 I9 x7 w# C
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
* W! l: ^! u1 H4 Q! A$ s$ L    *(esp-&gt;4+4)=='NTIC'9 A$ q$ j3 o1 {4 k' K6 [" h
* K0 \; s. c$ t' @+ e
-The most exotic ones (could be very slooooow :-(
2 d8 S; {* w% p6 x& e% y6 n   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
% p0 m6 ~+ J# ^9 h6 X$ P8 _0 I     ;will break 3 times :-(6 a/ H$ ~9 Q7 V$ @- U9 G0 {/ I
. x, b$ g" C! o0 l9 |" T! {8 m
-or (a bit) faster: ) Z. F* P& E7 X9 W0 ^# N- G( N
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'), U4 D3 }: _2 {& m5 R
9 T3 [4 h* S, K' @( U6 h8 W
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  # z# l! E6 f8 H  |& `- B5 `  \1 P
     ;will break 3 times :-(2 b+ c: |- G% i5 a/ `! c- m' s
; h5 z2 a% R2 r  z: m0 h
-Much faster:
1 g$ H2 z& V8 ^! m   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
- R- y! E5 t* }0 m' j+ B6 \
% \2 c. K) {% f9 TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen- B, g( T: |* U7 R2 h
function to do the same job:
9 M+ a# y6 C1 A/ }! q) w1 l+ E/ Z6 r$ z  x" f
   push    00                        ; OF_READ: c$ p( f  y; W( Y8 ]( ^0 m
   mov     eax,[00656634]            ; '\\.\SICE',04 M! {; W# @. K8 R/ I: n0 y  ~
   push    eax
0 @% v( k4 e) @; O   call    KERNEL32!_lopen2 {$ F$ F& Y0 c; I. ?9 T. J6 A
   inc     eax
: F7 R) t* C& P  X   jnz     00650589                  ; detected
" w1 u+ b7 J/ ?   push    00                        ; OF_READ
8 R2 P( \3 p' U; D1 d/ Z   mov     eax,[00656638]            ; '\\.\SICE'
6 k1 J& o: ?" o4 u   push    eax
( E' ~! T: x0 T3 j$ @   call    KERNEL32!_lopen
3 z$ @8 @: `$ _2 d/ R. B   inc     eax
% e9 C* r# a5 @: M1 c' D   jz      006505ae                  ; not detected+ ]+ _/ m7 {: w' q1 [; U

* t, o5 N/ j: J5 m
$ |/ V6 L! S5 T8 \+ S4 `& K__________________________________________________________________________: K$ x$ q# z( {% k3 \% S
$ E5 t: ~1 ]" {3 b
Method 12
& K% R* @" |8 k7 `, }=========
+ F9 n  m3 G7 j# w
2 G* C" s8 I" @/ j$ VThis trick is similar to int41h/4fh Debugger installation check (code 05
4 k3 O3 u/ T) c( d+ p&amp; 06) but very limited because it's only available for Win95/98 (not NT)% t3 U/ N+ {/ N; K" P! o
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
7 L9 D8 v7 f0 P7 w' A
7 N; k3 ~. [$ E+ s   push  0000004fh         ; function 4fh
6 w- ?# c6 J: ]! a# p: U' p' V3 x   push  002a002ah         ; high word specifies which VxD (VWIN32)
8 m7 e' n* _% J- Y# E! d                           ; low word specifies which service
, d; I+ H$ |7 \6 H, d                             (VWIN32_Int41Dispatch)0 F* x: h; ]0 |) r9 Z7 \' a
   call  Kernel32!ORD_001  ; VxdCall0 {) m" x  L# t  F) }( t
   cmp   ax, 0f386h        ; magic number returned by system debuggers, C$ D3 D1 i- k+ H5 D
   jz    SoftICE_detected3 ]5 ]! b; Q2 f5 v# I# N$ o
# O" Q7 y+ y7 y0 z1 s' }! u/ z
Here again, several ways to detect it:5 l2 X& V8 b, [% H  h
* y3 j5 y- ~( [9 C
    BPINT 41 if ax==4f
& I2 @$ }# J& _" L7 d4 C' f& {% F2 @3 P5 p
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one) u9 D* p" e) ]8 w

+ G* C2 Q  b4 {: V( b/ i    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A, ^) ^4 d" i" h' V% E5 f: L" X! N

/ X7 X/ F: {, q9 F! Q* h    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
, E: u/ K& F2 O6 R% \! n1 y7 `$ O. a) d( d3 H; M3 X# [
__________________________________________________________________________' V3 \6 w; W: J6 \' r" D
5 z& H# a. U# x* x+ Q
Method 13
, h' u9 `% E, @: b5 P=========+ q- W8 R- n9 `1 g
8 m- E9 K" M* E; @$ Z. e
Not a real method of detection, but a good way to know if SoftICE is
3 j- U  F. {$ ^installed on a computer and to locate its installation directory.. W3 q$ h% C) O% F. ^' C
It is used by few softs which access the following registry keys (usually #2) :
! t) \! z: M( b  C' t: \* @5 R: j$ w) e
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion5 p7 e( r! z5 V$ u" a& A
\Uninstall\SoftICE
+ D7 R% P1 {1 e  C" s: N9 J, c-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) Q9 d3 r$ ^; F- g# g* M  I3 Y; A-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
: j" D1 o0 a$ l& ?; z\App Paths\Loader32.Exe
! c+ A, n4 ^& X7 W- i7 f. n+ ]" w  M+ n8 t

4 x2 O6 {9 d' n* o7 d: v  J0 bNote that some nasty apps could then erase all files from SoftICE directory
9 A7 {, F) z9 d9 I# ]0 P(I faced that once :-(
% ^9 M% S. F, ]
; }% u( Q/ T% r& F% iUseful breakpoint to detect it:
, E9 P1 B' }" S4 u* T
+ E8 h6 M2 f# I6 `! W8 a     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
& s' ^1 `' z4 C: A/ q/ a+ Q- w( B4 {& X1 \5 S
__________________________________________________________________________
# Y- B5 d' n; r9 j# }/ x8 K
  c  Y7 ?! R+ i3 c% S: ]) X' Z: s- F6 Z; i$ {8 ^& U* J
Method 14 # Y# E# W1 P2 N3 I) X% T6 w
=========
6 _! u, v! `0 m) W+ c1 X# j5 q0 }% N2 O! U& g1 ~; Z) M: `
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ X$ y- C# M' T1 S; C# i4 Vis to determines whether a debugger is running on your system (ring0 only)." b1 S  {7 \# P8 i0 C
2 O- c+ @7 Q$ Z6 j7 d
   VMMCall Test_Debug_Installed2 U7 D0 v9 V' T9 B
   je      not_installed. u  ?9 B' |; Z

+ E: l9 F) z$ v9 P0 ]5 JThis service just checks a flag.: n2 i9 M) d; K; N
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 10:18

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表