About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE's handling of the BoundsChecker signature: with
'BCHK' in ebp, the int 3 handler of a loaded SoftICE modifies al, so al
is no longer 4 afterwards.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to call the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________
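What the Haspinst.exe loop above looks like once its int 3 events are decoded. The following is an added example, not code from the original post: a small Python decoder that takes int 3 events captured from an emulator or a DOS debugger trace and, using the function table and magic values described above, reports what the protected program asked SoftICE to do. The event dict layout, the memory-snapshot map and the string terminator rule (NUL or CR) are assumptions of this example, and the sample trace is constructed to mirror the six-command loop of the listing.

```python
"""Decode SoftICE 'back door' int 3 requests from a register/memory trace.

Added example (not part of the original post). The event format (a dict with
ax/si/di/ds/dx and a {linear_address: byte} memory snapshot) is an assumption
of this example, not a SoftICE or RBIL interface.
"""

MAGIC_SI = 0x4647   # the two 'magic values' the page lists (ASCII 'FG')
MAGIC_DI = 0x4A4D   # (ASCII 'JM')

# AX values of the back door functions, as listed on the page.
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# Commands the page singles out as able to take the debugger down.
DANGEROUS_COMMANDS = {"HBOOT"}


def read_string(memory, seg, off, limit=64):
    """Return the ASCII string at seg:off from a {linear_address: byte} map.

    Assumption of this example: the string ends at NUL or CR (0Dh); the exact
    terminator of each back door function is not stated on the page.
    """
    linear = (seg << 4) + off
    out = []
    for i in range(limit):
        b = memory.get(linear + i)
        if b is None or b in (0x00, 0x0D):
            break
        out.append(chr(b))
    return "".join(out)


def decode_int3(event):
    """Classify one int 3 event and return a dict describing the request.

    kind is 'breakpoint' (ordinary int 3, no magic values), 'backdoor'
    (magic values present and AX is a known function) or 'backdoor-unknown'.
    """
    if event["si"] != MAGIC_SI or event["di"] != MAGIC_DI:
        return {"kind": "breakpoint", "ax": event["ax"]}
    ax = event["ax"]
    result = {"kind": "backdoor", "ax": ax,
              "function": BACKDOOR_FUNCTIONS.get(ax)}
    if result["function"] is None:
        result["kind"] = "backdoor-unknown"
        return result
    if ax in (0x0910, 0x0911):
        # Both functions take a string at ds:dx.
        text = read_string(event["memory"], event["ds"], event["dx"])
        result["text"] = text
        result["dangerous"] = text.upper() in DANGEROUS_COMMANDS
    return result


def summarize(events):
    """Run the decoder over a whole trace; return the decoded events in order."""
    return [decode_int3(e) for e in events]


def build_sample_trace():
    """Constructed trace mirroring the Haspinst.exe loop described on the page:
    six 0911h requests whose ds:dx walks through LDT, IDT, GDT, TSS, RS and
    HBOOT, followed by one ordinary int 3 breakpoint. All values are made up."""
    commands = ["LDT", "IDT", "GDT", "TSS", "RS", "HBOOT"]
    memory, off, events = {}, 0x0100, []
    for cmd in commands:
        data = cmd.encode("ascii") + b"\r"
        for i, b in enumerate(data):
            memory[(0x4C19 << 4) + off + i] = b
        events.append({"ax": 0x0911, "si": MAGIC_SI, "di": MAGIC_DI,
                       "ds": 0x4C19, "dx": off, "memory": memory})
        off += len(data)
    events.append({"ax": 0x0000, "si": 0, "di": 0, "ds": 0x4C19, "dx": 0,
                   "memory": memory})
    return events


if __name__ == "__main__":
    for decoded in summarize(build_sample_trace()):
        print(decoded)
```

Run stand-alone, the script prints one line per event; the sixth shows the HBOOT request flagged as dangerous and the last one is reported as a plain breakpoint because the magic values are absent.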
Method 03
=========

Less used method.  It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax           ; a non-zero entry point means the VxD answered
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es is assumed to be 0 (interrupt vector table)
    xchg    bx, es:[41h*4+2]    ; install a dummy int 41h handler, old vector in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the previous vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al            ; our own handler just records al in cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax            ; es = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]   ; install our handler, keeping the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h          ; a value that is hard to predict (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]   ; restore the previous handler
    xchg    bx, es:[41h*4+2]
    cmp     cl,al            ; our handler ran only if cl now equals al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (by a VxD, or by a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
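How to read the two DR7 values quoted above. This is an added example, not code from the original post: a Python decoder for the DR7 debug-control register following the documented x86 bit layout (L/G enable bits in bits 0-7, LE/GE in bits 8-9, bit 10 reserved and always read as 1, GD in bit 13, per-register R/W and LEN fields in bits 16-31). The third value it decodes, a DR0 4-byte write watch, is constructed for illustration. The same decoder serves the defender reviewing a register dump from a crash or a VM for hardware breakpoints that should not be there.

```python
"""Decode the x86 DR7 debug-control register that Method 10 reads.

Added example, not code from the original post. The bit layout is the
documented x86 one; the two values the page quotes, 0x700 and 0x400, are
classified with it. Note that reading DR7 itself needs ring0, as the page
says; this decoder only interprets a value obtained elsewhere.
"""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN field encoding -> bytes covered


def decode_dr7(dr7):
    """Return the global flags and a list of the armed DR0-DR3 slots."""
    info = {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "gd": bool(dr7 >> 13 & 1),
        "slots": [],
    }
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3      # R/Wn field
        ln = (dr7 >> (18 + 4 * n)) & 3      # LENn field
        info["slots"].append({"reg": "dr%d" % n, "local": bool(local),
                              "global": bool(glob), "type": RW_NAMES[rw],
                              "len": LEN_BYTES[ln]})
    return info


def classify_dr7(dr7):
    """Apply the Method 10 reading of DR7.

    0x400 is the reset value (only the reserved always-one bit 10 is set).
    0x700 adds LE and GE, the value the page reports for programs started
    through the SoftICE loader. Any L/G bit set means a hardware breakpoint
    (a BPM in SoftICE terms) is armed in that slot.
    """
    if dr7 & 0xFF:
        return "hardware-breakpoints-armed"
    if (dr7 & 0x300) == 0x300:
        return "debugger-loader-signature"
    if (dr7 & 0x7FF) == 0x400:
        return "clean"
    return "unusual"


def describe(dr7):
    """One-line human summary, e.g. for annotating a register dump."""
    info = decode_dr7(dr7)
    slots = ", ".join("%s %s len=%d%s" % (s["reg"], s["type"], s["len"],
                                          " (global)" if s["global"] else "")
                      for s in info["slots"]) or "none"
    return "DR7=%08X: %s; LE=%d GE=%d; armed: %s" % (
        dr7, classify_dr7(dr7), info["le"], info["ge"], slots)


if __name__ == "__main__":
    # Constructed values: the two from the page plus a DR0 4-byte write watch
    # (L0 set, R/W0 = write, LEN0 = 4 bytes).
    for value in (0x400, 0x700, 0x000D0401):
        print(describe(value))
```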
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver accepted the open: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
&amp; 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________
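A static triage pass over a binary for the traces these tricks leave behind, covering the instruction sequences of Methods 01 to 07 and 12 and the driver names and registry paths of Methods 11 and 13. This is an added example, not code from the original post: the byte patterns are the standard x86 encodings of the instructions shown in those sections (16-bit forms and their 66h-prefixed 32-bit variants), the rule names are this example's own, and the sample buffer is constructed inline. Its use is the analyst's one: knowing which anti-debugging checks a packed sample or driver carries before spending time in a debugger.

```python
"""Static scanner for the anti-SoftICE tricks catalogued on this page.

Added example, not code from the original post. Patterns are the x86
encodings of the instructions shown in Methods 01-07 and 12; the strings
come from Methods 11 and 13. Short opcode patterns can collide with
unrelated code, so treat a hit as a lead to confirm in a disassembler.
"""
import re

# A pattern is a list of byte values; None is a wildcard byte.
RULES = [
    ("Method 01: mov ebp,'BCHK' / int 3", [[0xBD, 0x4B, 0x48, 0x43, 0x42]]),
    ("Method 02: int 3 back door magic (si=4647h, di=4A4Dh)",
     [[0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A],
      [0x66, 0xBE, 0x47, 0x46, 0x66, 0xBF, 0x4D, 0x4A]]),
    ("Method 03/04: int 2Fh/1684h VxD entry-point lookup",
     [[0xB8, 0x84, 0x16, 0xBB, None, None, 0xCD, 0x2F],
      [0x66, 0xB8, 0x84, 0x16, 0x66, 0xBB, None, None, 0xCD, 0x2F]]),
    ("Method 05/06: int 41h function 4Fh", [[0xB8, 0x4F, 0x00, 0xCD, 0x41]]),
    ("Method 07: int 68h function 43h", [[0xB4, 0x43, 0xCD, 0x68]]),
    ("Method 12: VxDCall VWIN32_Int41Dispatch(4Fh)",
     [[0x6A, 0x4F, 0x68, 0x2A, 0x00, 0x2A, 0x00],
      [0x68, 0x4F, 0x00, 0x00, 0x00, 0x68, 0x2A, 0x00, 0x2A, 0x00]]),
    ("Method 11: MeltICE driver names",
     [list(b"\\\\.\\SICE"), list(b"\\\\.\\SIWVID"), list(b"\\\\.\\NTICE")]),
    ("Method 13: SoftICE registry keys",
     [list(b"Software\\NuMega\\SoftICE"), list(b"Uninstall\\SoftICE"),
      list(b"App Paths\\Loader32.Exe")]),
]

VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}   # IDs given in Methods 03/04


def pattern_to_regex(pattern):
    """Compile a byte pattern with wildcards into a bytes regex."""
    parts = [b"." if b is None else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf):
    """Return a sorted list of (offset, rule_name, detail) hits over buf."""
    hits = []
    for name, patterns in RULES:
        for pat in patterns:
            for m in pattern_to_regex(pat).finditer(buf):
                detail = ""
                if "int 2Fh" in name:
                    # The wildcard bytes hold the VxD ID (little-endian imm16 of mov bx).
                    i = m.start() + pat.index(None)
                    vxd = buf[i] | (buf[i + 1] << 8)
                    detail = VXD_IDS.get(vxd, "unknown VxD %04Xh" % vxd)
                hits.append((m.start(), name, detail))
    return sorted(hits)


def build_sample():
    """Constructed buffer: filler, a 16-bit Method 03 check for SICE, the
    Method 02 magic pair followed by int 3, a MeltICE driver name and a
    registry path. Not taken from any real file."""
    return (b"\x90" * 4
            + bytes([0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F])   # Method 03
            + b"\x90" * 3
            + bytes([0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A, 0xCC])         # Method 02
            + b"\x00\\\\.\\SICE\x00"                                    # Method 11
            + b"Software\\NuMega\\SoftICE\x00")                         # Method 13


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for offset, name, detail in scan(data):
        print("%08X  %s  %s" % (offset, name, detail))
```

Given a file name on the command line the script scans that file; without one it scans the constructed sample and reports four hits. The scanner reads bytes as they are on disk, so a packer that encrypts its body has to be unpacked (or dumped from memory) first, which is exactly where these checks usually sit.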

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>