About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It uses the BoundsChecker interface of SoftICE: with EBP='BCHK' and AX=4,
an INT 3 is answered by SoftICE, which modifies AL. If AL still holds 4
on return, nobody handled the request and SoftICE is not loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). If the VxD is not loaded, ES:DI comes back as 0:0.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a dummy handler (so a plain iret is what the program would
get without a debugger), then restored:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the dummy handler copies AL into CL, and AL is first loaded from port 40h
(the timer). If SoftICE has taken int 41h for itself, the handler never
runs and CL stays 0, so it differs from AL.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86). AH=43h is the
installation check; a resident system debugger answers with 0F386h in AX.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only, since MOV from a debug register faults in ring3).
Values can be manipulated or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Device name \\.\SICE: the open succeeds only if the SoftICE VxD is
      loaded and answers the DIOC_OPEN control message. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-01     ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job (a handle of -1, HFILE_ERROR, means the open
failed, hence the inc/jnz pair):

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where "tICE"
sits inside the subkey strings of #2 and #1; key #3 is not caught):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
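
The CreateFileA condition of Method 11 and the _regopenkey condition above both
work the same way: SoftICE dereferences a stack argument (esp->4 is the first
argument, esp->8 the second) and compares four bytes of the string it points to
with a four-character constant. The following C program is an added example,
not part of the original text, that reproduces those two comparisons on
constructed call arguments so the offsets (+4 to skip "\\.\", 0x13 and 0x37
into the two registry paths) can be checked without SoftICE. The helper
dword_matches and the two *_condition functions are mine, not SoftICE's, and
the sample paths and key names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Compare the four bytes at s+off with a four-character tag, the way the
 * SoftICE expression *(ptr+off)=='SICE' does. A real BPX condition would
 * happily read past the end of a short string; this version refuses to. */
static int dword_matches(const char *s, size_t off, const char tag[4])
{
    if (s == NULL || strlen(s) < off + 4)
        return 0;
    return memcmp(s + off, tag, 4) == 0;
}

/* Mirrors: BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV'
 *                           || *(esp->4+4)=='NTIC'
 * esp->4 is the first argument (lpFileName); +4 skips the "\\.\" prefix. */
int createfile_condition(const char *lpFileName)
{
    return dword_matches(lpFileName, 4, "SICE")
        || dword_matches(lpFileName, 4, "SIWV")
        || dword_matches(lpFileName, 4, "NTIC");
}

/* Mirrors: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
 * esp->8 is the second argument (lpSubKey). 0x13 is where "tICE" sits in
 * "Software\NuMega\SoftICE", 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int regopenkey_condition(const char *lpSubKey)
{
    return dword_matches(lpSubKey, 0x13, "tICE")
        || dword_matches(lpSubKey, 0x37, "tICE");
}

/* Constructed sample call arguments (not captured from a real program). */
static const char *const sample_paths[] = {
    "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",   /* MeltICE targets */
    "\\\\.\\PhysicalDrive0", "C:\\test.txt",          /* ordinary opens  */
};
static const char *const sample_keys[] = {
    "Software\\NuMega\\SoftICE",                                            /* #2 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",     /* #1 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",/* #3 */
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
};

/* How many of the sample calls each breakpoint would stop on. */
int count_createfile_hits(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_paths / sizeof *sample_paths; i++)
        hits += createfile_condition(sample_paths[i]);
    return hits;
}

int count_regopenkey_hits(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof sample_keys / sizeof *sample_keys; i++)
        hits += regopenkey_condition(sample_keys[i]);
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample_paths / sizeof *sample_paths; i++)
        printf("CreateFileA(\"%s\")%s\n", sample_paths[i],
               createfile_condition(sample_paths[i]) ? "  <- breaks" : "");
    for (size_t i = 0; i < sizeof sample_keys / sizeof *sample_keys; i++)
        printf("RegOpenKey(\"%s\")%s\n", sample_keys[i],
               regopenkey_condition(sample_keys[i]) ? "  <- breaks" : "");
    return 0;
}
```

Running it shows the three device names and keys #1 and #2 flagged, and key #3
(App Paths\Loader32.Exe) missed: the condition is tied to fixed offsets, so a
program that reaches the SoftICE directory through key #3 (or through a key
written with different casing) walks past this breakpoint unnoticed. A
practitioner who wants key #3 as well has to add an offset for it or fall back
to a slower substring search.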

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF is set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>