About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, entry for int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 here (IVT segment, see Method 06)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; echo al into cl when our handler runs
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; PIT counter: a hard-to-predict value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original int 41h vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our handler ran
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
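As an added example (not part of the original text), here is a small C decoder for the DR7 readings Method 10 talks about. It shows what the two quoted values, 0x700 and 0x400, actually contain (LE/GE flags versus only the reserved bit) and what an armed BPM looks like in the same register. The field layout is the documented x86 one; the third sample value is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Decoded view of DR7.  Field positions follow the documented x86 layout:
   L0/G0..L3/G3 in bits 0-7, LE bit 8, GE bit 9, bit 10 reserved (reads 1),
   GD bit 13, R/Wn in bits 16+4n..17+4n, LENn in bits 18+4n..19+4n. */
struct dr7_info {
    int enabled[4];   /* breakpoint n armed (local or global enable bit set) */
    int rw[4];        /* 0 = execute, 1 = write, 2 = I/O, 3 = read/write    */
    int len[4];       /* 1, 2, 4 or 8 bytes covered by breakpoint n         */
    int le, ge, gd;   /* local/global exact flags, general detect           */
    int armed;        /* number of armed breakpoints                        */
};

struct dr7_info decode_dr7(unsigned long dr7)
{
    static const int len_table[4] = { 1, 2, 8, 4 };  /* LEN encodings 00,01,10,11 */
    struct dr7_info d = {0};
    for (int n = 0; n < 4; n++) {
        d.enabled[n] = ((dr7 >> (2 * n)) & 3) ? 1 : 0;
        d.rw[n]      = (int)((dr7 >> (16 + 4 * n)) & 3);
        d.len[n]     = len_table[(dr7 >> (18 + 4 * n)) & 3];
        d.armed     += d.enabled[n];
    }
    d.le = (int)((dr7 >> 8) & 1);
    d.ge = (int)((dr7 >> 9) & 1);
    d.gd = (int)((dr7 >> 13) & 1);
    return d;
}

/* Classify a reading the way Method 10 does: armed breakpoints (BPMs set),
   the 0x700 pattern the text attributes to the SoftICE loader (LE and GE set,
   nothing armed), or the bare 0x400 (only the always-set reserved bit). */
const char *classify_dr7(unsigned long dr7)
{
    struct dr7_info d = decode_dr7(dr7);
    if (d.armed)      return "hardware breakpoint(s) armed (BPM set)";
    if (d.le && d.ge) return "LE+GE set, nothing armed: the 0x700 SoftICE-loader pattern";
    return "nothing armed, no exact-match flags: the 0x400 pattern";
}

int main(void)
{
    /* Constructed sample values: the two from the text plus one with a
       4-byte read/write BPM on dr0 (L0, G0, R/W0 = 11, LEN0 = 11). */
    unsigned long samples[] = { 0x700, 0x400, 0xF0403 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct dr7_info d = decode_dr7(samples[i]);
        printf("dr7=%#lx: %s", samples[i], classify_dr7(samples[i]));
        for (int n = 0; n < 4; n++)
            if (d.enabled[n])
                printf(" [dr%d rw=%d len=%d]", n, d.rw[n], d.len[n]);
        printf("\n");
    }
    return 0;
}
```

The classification keys only on the two readings the text quotes; a different debugger or loader may leave other bits set, so treat the strings as labels for those two cases rather than a general debugger fingerprint.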

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE device (SoftICE for Win9x) answers an open
   request; use SIWVID or NTICE in the device name for the other drivers. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-( ):
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

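The following is an added example, not code from the original post: a small C scanner that looks for the byte encodings of the checks quoted in Methods 01 through 05, 07 and 11 inside a code or data buffer, the way an analyst triages a packed sample for debugger checks before stepping into it. The instruction encodings are the standard 16-bit x86 ones for the lines shown above (the imm32 of Method 01 is matched without its mode-dependent prefix; 32-bit code would need 66h-prefixed variants of the other patterns). The sample buffers are constructed for the demo: the first is the Haspinst.exe fragment from Method 02 re-encoded by hand, not a dump of the file.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One bit per method of the text the scanner can spot. */
enum {
    HIT_M01_BCHK       = 1u << 0,  /* mov ebp,'BCHK' (int 3 BoundsChecker interface) */
    HIT_M02_BACKDOOR   = 1u << 1,  /* mov si,4647h / mov di,4A4Dh magic values        */
    HIT_M03_SICE_VXD   = 1u << 2,  /* int 2Fh/1684h with VxD ID 0202h (SICE)          */
    HIT_M04_SIWVID_VXD = 1u << 3,  /* int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)        */
    HIT_M05_INT41      = 1u << 4,  /* mov ax,4Fh / int 41h                            */
    HIT_M07_INT68      = 1u << 5,  /* mov ah,43h / int 68h                            */
    HIT_M11_DEVNAME    = 1u << 6   /* \\.\SICE, \\.\SIWVID or \\.\NTICE device name   */
};

/* Standard 16-bit x86 encodings of the instructions quoted in the text. */
static const unsigned char P_BCHK[]   = { 0xBD, 0x4B, 0x48, 0x43, 0x42 };                  /* mov ebp,4243484Bh (prefix excluded) */
static const unsigned char P_MAGIC[]  = { 0xBE, 0x47, 0x46, 0xBF, 0x4D, 0x4A };            /* mov si,4647h ; mov di,4A4Dh */
static const unsigned char P_SICE[]   = { 0xB8, 0x84, 0x16, 0xBB, 0x02, 0x02, 0xCD, 0x2F }; /* mov ax,1684h ; mov bx,0202h ; int 2Fh */
static const unsigned char P_SIWVID[] = { 0xB8, 0x84, 0x16, 0xBB, 0x5F, 0x7A, 0xCD, 0x2F }; /* mov ax,1684h ; mov bx,7A5Fh ; int 2Fh */
static const unsigned char P_INT41[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41 };                  /* mov ax,4Fh ; int 41h */
static const unsigned char P_INT68[]  = { 0xB4, 0x43, 0xCD, 0x68 };                        /* mov ah,43h ; int 68h */

struct sig { unsigned flag; const char *what; const unsigned char *pat; size_t len; };
#define SIG(flag, what, arr) { flag, what, arr, sizeof(arr) }
#define STR(flag, what, s)   { flag, what, (const unsigned char *)(s), sizeof(s) - 1 }

static const struct sig SIGS[] = {
    SIG(HIT_M01_BCHK,       "Method 01: mov ebp,'BCHK' + int 3",       P_BCHK),
    SIG(HIT_M02_BACKDOOR,   "Method 02: int 3 back door magic values", P_MAGIC),
    SIG(HIT_M03_SICE_VXD,   "Method 03: int 2Fh/1684h, SICE VxD ID",   P_SICE),
    SIG(HIT_M04_SIWVID_VXD, "Method 04: int 2Fh/1684h, SIWVID VxD ID", P_SIWVID),
    SIG(HIT_M05_INT41,      "Method 05: int 41h function 4Fh",         P_INT41),
    SIG(HIT_M07_INT68,      "Method 07: int 68h function 43h",         P_INT68),
    STR(HIT_M11_DEVNAME,    "Method 11: \\\\.\\SICE device name",      "\\\\.\\SICE"),
    STR(HIT_M11_DEVNAME,    "Method 11: \\\\.\\SIWVID device name",    "\\\\.\\SIWVID"),
    STR(HIT_M11_DEVNAME,    "Method 11: \\\\.\\NTICE device name",     "\\\\.\\NTICE"),
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Plain byte-string search; binary-safe (embedded NULs are ordinary bytes). */
static int contains(const unsigned char *buf, size_t n, const unsigned char *pat, size_t len)
{
    if (len == 0 || len > n) return 0;
    for (size_t i = 0; i + len <= n; i++)
        if (memcmp(buf + i, pat, len) == 0) return 1;
    return 0;
}

/* Returns the OR of the HIT_* flags of every pattern present in buf. */
unsigned scan_for_softice_checks(const unsigned char *buf, size_t n)
{
    unsigned hits = 0;
    for (size_t s = 0; s < NSIGS; s++)
        if (contains(buf, n, SIGS[s].pat, SIGS[s].len)) hits |= SIGS[s].flag;
    return hits;
}

void report(const char *label, const unsigned char *buf, size_t n)
{
    int any = 0;
    printf("%s:\n", label);
    for (size_t s = 0; s < NSIGS; s++)
        if (contains(buf, n, SIGS[s].pat, SIGS[s].len)) { printf("  %s\n", SIGS[s].what); any = 1; }
    if (!any) printf("  no anti-SoftICE pattern found\n");
}

/* Constructed samples (not dumps of real files). */
static const unsigned char HASP_FRAGMENT[] = {   /* the listing in Method 02, re-encoded */
    0xB8, 0x11, 0x09,   /* mov ax,0911h */
    0x8B, 0x17,         /* mov dx,[bx]  */
    0xBE, 0x47, 0x46,   /* mov si,4647h */
    0xBF, 0x4D, 0x4A,   /* mov di,4A4Dh */
    0xCC                /* int 3        */
};
static const unsigned char MELTICE_LIKE[] = "\x68\x25\x20\x40\x00" "\\\\.\\SICE";  /* push imm32 + device name */
static const unsigned char INT41_CHECK[]  = { 0xB8, 0x4F, 0x00, 0xCD, 0x41, 0x3D, 0x86, 0xF3 }; /* Method 05 + cmp ax,0F386h */
static const unsigned char CLEAN[]        = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };       /* ordinary prologue/epilogue */

int main(void)
{
    report("HASP fragment", HASP_FRAGMENT, sizeof HASP_FRAGMENT);
    report("MeltICE-style", MELTICE_LIKE, sizeof MELTICE_LIKE);
    report("int 41h check", INT41_CHECK, sizeof INT41_CHECK);
    report("clean code", CLEAN, sizeof CLEAN);
    return 0;
}
```

A match is a triage hint, not proof: a protector can split or reorder the instructions (Method 06 already differs from Method 05 by one register), so a hit tells you where to set the breakpoints listed above, while a miss rules nothing out.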
___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-( ).

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>