About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; (es is assumed to point to segment 0, the IVT, as in the next method)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=>Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
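What the 0x400 and 0x700 values mean in DR7 terms is easier to see with a decoder. The following Python is an added example, not part of the original text: it applies the documented DR7 layout (L0/G0..L3/G3 enable bits in bits 0-7, LE/GE in bits 8-9, reserved bit 10 always set, R/W and LEN fields for each slot from bit 16 up) to register values that are constructed here, and reports which memory breakpoints are armed and which of the two DR7 states from the text it is looking at.

```python
"""Decode the x86 debug-register state that Method 10 reads (added example)."""

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 3: 4, 2: 8}     # LEN=10b means 8 bytes (64-bit mode only)

DR7_LE = 1 << 8            # local exact breakpoint enable
DR7_GE = 1 << 9            # global exact breakpoint enable
DR7_RESERVED1 = 1 << 10    # architecturally always reads as 1 (hence the 0x400)


def decode_dr7(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Return a dict describing the hardware breakpoints enabled by dr7.

    Each armed slot reports its linear address (DR0..DR3), the condition
    (R/W field) and the length (LEN field).  LE/GE are reported separately:
    they, not any breakpoint, are what turns 0x400 into 0x700.
    """
    addrs = (dr0, dr1, dr2, dr3)
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))
        global_ = bool(dr7 & (1 << (2 * i + 1)))
        if not (local or global_):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        slots.append({
            "slot": i,
            "address": addrs[i],
            "scope": "global" if global_ else "local",
            "condition": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return {
        "breakpoints": slots,
        "exact_local": bool(dr7 & DR7_LE),
        "exact_global": bool(dr7 & DR7_GE),
        "reserved_bit10": bool(dr7 & DR7_RESERVED1),
    }


def debugger_indicator(dr7, dr0=0, dr1=0, dr2=0, dr3=0):
    """Classify the register state the way the Method 10 check does.

    'memory-breakpoint-armed': at least one BPM is set in DR0..DR3.
    'exact-flags-set'        : no BPM, but LE/GE are on (the 0x700 case the
                               text attributes to the SoftICE loader).
    'clean'                  : only the reserved bit (the 0x400 case).
    """
    state = decode_dr7(dr7, dr0, dr1, dr2, dr3)
    if state["breakpoints"]:
        return "memory-breakpoint-armed"
    if state["exact_local"] or state["exact_global"]:
        return "exact-flags-set"
    return "clean"


if __name__ == "__main__":
    # Constructed values: the two DR7 states quoted in the text, plus one
    # local 4-byte read/write BPM in slot 0 at a made-up address.
    for regs in ((0x400,), (0x700,), (0xF0401, 0x401000)):
        print(hex(regs[0]), debugger_indicator(*regs), decode_dr7(*regs))
```

The third constructed value (0xF0401) is what a single `BPM` on a dword at 0x401000 looks like: L0 set, R/W0 = 11b, LEN0 = 11b, and the reserved bit; the decoder shows why a program that reads DR7 in ring 0 can tell the difference between that and the loader's 0x700 without understanding SoftICE at all.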

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SICE VxD by its device name: only succeeds if the driver is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
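The checks in Methods 01 to 07, 11 and 12 all leave recognisable instruction or string patterns in the binary, so they can be found statically, before the sample is ever run under a debugger. The following Python script is an added example, not code from the original text or from any of the tools it mentions: it scans a byte blob for those patterns. The opcode encodings are the standard x86 ones for the instructions shown above (B8+r for `mov r16,imm16`, B4 for `mov ah,imm8`, BD for `mov ebp,imm32`, CD for `int imm8`, 68 for `push imm32`); the sample blob it runs on is constructed here and is not taken from any real program.

```python
"""Static scanner for the anti-SoftICE patterns described on this page (added example)."""
import re

# (description, method number on the page, regex over raw bytes).
# The short wildcard runs allow a few unrelated instructions between the
# two halves of a check, as in the Haspinst.exe listing for Method 02.
SIGNATURES = [
    ("BoundsChecker 'BCHK' int 3 check (mov ebp,4243484Bh)", "01",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42")),
    ("int 3 back door magic values SI=4647h / DI=4A4Dh", "02",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    ("int 2Fh/1684h entry point of VxD 0202h (SICE)", "03",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02", re.DOTALL)),
    ("int 2Fh/1684h entry point of VxD 7A5Fh (SIWVID)", "04",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A", re.DOTALL)),
    ("int 41h function 4Fh (looks for 0F386h)", "05/06",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    ("int 68h function 43h (looks for 0F386h)", "07",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    ("SoftICE device name \\\\.\\SICE / SIWVID / NTICE (MeltICE)", "11",
     re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)")),
    ("VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh", "12",
     re.compile(rb"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00")),
]


def scan(blob):
    """Return a sorted list of (offset, method, description) for every hit."""
    hits = []
    for desc, method, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    hits.sort()
    return hits


# Constructed sample (not from a real binary): the Method 01 sequence, the
# Method 02 magic-value pair, the Method 12 push pair and a MeltICE device
# name, padded with NOPs/zeros so the offsets are easy to follow.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"                        # offset 4: mov ebp,4243484Bh
    + b"\xB8\x04\x00\xCC\x3C\x04"                    # mov ax,4 ; int 3 ; cmp al,4
    + b"\x90" * 2
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"                # offset 17: mov si,4647h ; mov di,4A4Dh ; int 3
    + b"\x68\x4F\x00\x00\x00\x68\x2A\x00\x2A\x00"    # offset 24: push 4Fh ; push 2A002Ah
    + b"\x00" * 3
    + b"\\\\.\\SICE\x00"                             # offset 37: "\\.\SICE",0
)


if __name__ == "__main__":
    for offset, method, desc in scan(SAMPLE):
        print(f"offset {offset:#06x}  Method {method:<5} {desc}")
```

Run against a real DOS or Win9x executable the same `scan()` call gives the offsets to inspect; the hit list is only a pointer to the trick, so each hit still needs to be read in context (the `mov ax,1684h` / `mov bx,0202h` pair, for instance, is also how a legitimate program locates any VxD).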

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>