About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al, 4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number           ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed


Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt; Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

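The DR7 values quoted above (0x700 and 0x400) are easier to understand once the register is decoded. The following Python is an added example, not part of the original text, that decodes DR7 according to the Intel layout (L/G enable bits, LE/GE, the reserved bit 10 that always reads as 1, and the R/W and LEN fields for DR0 to DR3) and reports what a value reveals in the terms of Method 10. The function names and the sample values are this example's own.

```python
# Added example (not from the original text): decode the x86 DR7 debug
# control register, the value read by the ring-0 check described in Method 10.
#
# DR7 layout (Intel SDM Vol. 3, "Debug Registers"):
#   bits 0-7   : L0,G0,L1,G1,L2,G2,L3,G3  local/global enable for DR0-DR3
#   bit  8     : LE  local exact breakpoint enable
#   bit  9     : GE  global exact breakpoint enable
#   bit  10    : reserved, always reads as 1 (hence the 0x400 on a clean box)
#   bit  13    : GD  general detect (fault on any MOV to/from a DRx)
#   bits 16-31 : per DR0-DR3, a 2-bit R/W field then a 2-bit LEN field

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding 2 means 8 bytes (64-bit only)


def decode_dr7(dr7: int) -> dict:
    """Return the control flags and the per-register settings of a DR7 value."""
    bps = []
    for i in range(4):
        local = bool(dr7 >> (2 * i) & 1)
        glob = bool(dr7 >> (2 * i + 1) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append({"index": i, "local": local, "global": glob,
                    "enabled": local or glob,
                    "type": RW_NAMES[rw], "length": LEN_NAMES[ln]})
    return {
        "le": bool(dr7 >> 8 & 1),
        "ge": bool(dr7 >> 9 & 1),
        "gd": bool(dr7 >> 13 & 1),
        "breakpoints": bps,
    }


def debugger_indicators(dr7: int) -> list:
    """Explain, in the terms of Method 10, what a DR7 value reveals."""
    d = decode_dr7(dr7)
    notes = []
    if d["le"] or d["ge"]:
        notes.append("LE/GE set: a system debugger has touched DR7 "
                     "(0x700 is what the SoftICE loader leaves behind)")
    for bp in d["breakpoints"]:
        if bp["enabled"]:
            notes.append(f"DR{bp['index']} armed: {bp['type']} breakpoint, "
                         f"{bp['length']} byte(s) (a BPM)")
    if not notes:
        notes.append("only the always-set reserved bit: looks like a clean machine (0x400)")
    return notes


if __name__ == "__main__":
    # Constructed sample values: the two quoted in the text, plus one with a
    # 4-byte write breakpoint armed in DR0 (L0=1, RW0=01, LEN0=11).
    for value in (0x400, 0x700, 0xD0001):
        print(f"DR7 = {value:#x}")
        for line in debugger_indicators(value):
            print("   ", line)
```

The third sample value shows why the text says the registers can be read to find BPMs: once DR0 is armed, DR7 carries the breakpoint type and length even if the address in DR0 itself is not inspected.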
__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Win9x exposes a loaded VxD under a \\.\ device name; the open only
      succeeds if the SICE driver is present and answers the DIOC_OPEN. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4fh Debugger installation check (codes 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
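Methods 01, 02, 11 and 13 all leave fixed constants behind in a binary: the 'BCHK' immediate followed by an int 3, the 4647h/4A4Dh magic values, the \\.\SICE, \\.\SIWVID and \\.\NTICE device names, and the NuMega registry paths. The following Python is an added example, not part of the original text, that scans a file image for those signatures so an analyst can flag a sample carrying them before running it. It assumes 32-bit code with an optional 66h operand-size prefix for the two instruction patterns, the sample blob is constructed for the demo, and the function and pattern names are this example's own.

```python
# Added example (not from the original text): static scan for the
# anti-SoftICE signatures of Methods 01, 02, 11 and 13 in a raw file image.
import re

# Method 01: mov ebp,4243484Bh ; mov ax,4 ; int 3   (BoundsChecker 'BCHK')
#   BD imm32 / [66] B8 imm16 / CC, allowing a few bytes between each
BCHK_RX = re.compile(
    rb"\x66?\xBD\x4B\x48\x43\x42.{0,8}?\x66?\xB8\x04\x00.{0,8}?\xCC", re.DOTALL)

# Method 02: mov si,4647h ; mov di,4A4Dh   (int 3 back door magic values)
#   [66] BE 47 46 ... [66] BF 4D 4A
BACKDOOR_RX = re.compile(
    rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.DOTALL)

DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]      # Method 11
REGISTRY_PATHS = [b"Software\\NuMega\\SoftICE",                          # Method 13
                  b"CurrentVersion\\Uninstall\\SoftICE",
                  b"App Paths\\Loader32.Exe"]


def _string_sigs(method, desc, names):
    """Build case-insensitive ASCII and UTF-16LE patterns for fixed strings."""
    sigs = []
    for name in names:
        sigs.append((method, f"{desc}: {name.decode()}",
                     re.compile(re.escape(name), re.IGNORECASE)))
        wide = name.decode().encode("utf-16-le")
        sigs.append((method, f"{desc} (UTF-16): {name.decode()}",
                     re.compile(re.escape(wide), re.IGNORECASE)))
    return sigs


SIGNATURES = (
    [("Method 01", "BoundsChecker 'BCHK' int 3 check", BCHK_RX),
     ("Method 02", "int 3 back door magic values SI=4647h/DI=4A4Dh", BACKDOOR_RX)]
    + _string_sigs("Method 11", "SoftICE driver device name", DEVICE_NAMES)
    + _string_sigs("Method 13", "SoftICE registry path", REGISTRY_PATHS)
)


def scan(blob: bytes) -> list:
    """Return (method, offset, description) for every signature hit, sorted."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((method, m.start(), desc))
    return sorted(hits)


# Constructed sample image: padding, a Method 01 sequence, a Method 02
# sequence, two device names and one registry path.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 4243484Bh   (offset 4)
    + b"\x66\xB8\x04\x00"                # mov ax, 4
    + b"\xCC"                            # int 3
    + b"\x3C\x04\x75\x10"                # cmp al,4 / jnz
    + b"\x00" * 8
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov si,4647h / mov di,4A4Dh / int 3 (26)
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00" # device names (41, 50)
    + b"Software\\NuMega\\SoftICE\x00"   # registry path (60)
)


if __name__ == "__main__":
    for method, offset, desc in scan(SAMPLE):
        print(f"{offset:#010x}  {method}  {desc}")
```

To use it on a real sample, read the file in binary mode and pass the bytes to scan(); a packed executable may hide these constants until it is unpacked, so a clean scan is not proof of absence.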

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>