About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must be 0 here (IVT segment)
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; int 21h/25h: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Try to open the SoftICE VxD by its device name. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);    /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
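As an added example that is not part of the original post: a Python triage scanner that looks in a raw binary image for the byte sequences of the listings in Methods 01 to 07, 11 and 12, so an analyst can tell which of these tricks a sample carries before running it under a debugger. The opcode encodings in the comments and the sample buffer are my own assumptions and constructions, not taken from the page.

```python
import sys

# Signatures: (label, byte sequence). The encodings are my assumptions from the
# mnemonics on the page (16-bit code for the DOS tricks, 32-bit for the Win32
# ones); real samples may reorder or interleave the instructions.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh -> BD 4B 48 43 42 ('BCHK', little-endian)
    ("M01 BoundsChecker 'BCHK' probe", bytes.fromhex("BD4B484342")),
    # Method 02: mov si,4647h / mov di,4A4Dh -> BE 47 46 / BF 4D 4A
    ("M02 back-door magic values SI/DI", bytes.fromhex("BE4746BF4D4A")),
    # Method 03: mov ax,1684h / mov bx,0202h / int 2Fh
    ("M03 int 2Fh/1684h SICE VxD ID", bytes.fromhex("B88416BB0202CD2F")),
    # Method 04: same call with bx=7A5Fh (SIWVID)
    ("M04 int 2Fh/1684h SIWVID VxD ID", bytes.fromhex("B88416BB5F7ACD2F")),
    # Method 05: mov ax,4Fh / int 41h -> B8 4F 00 / CD 41
    ("M05 int 41h/4Fh debugger check", bytes.fromhex("B84F00CD41")),
    # Method 07: mov ah,43h / int 68h -> B4 43 / CD 68
    ("M07 int 68h/43h handler check", bytes.fromhex("B443CD68")),
    # Method 12: push 4Fh / push 002A002Ah, as push imm8 or as push imm32
    ("M12 VxDCall VWIN32_Int41Dispatch", bytes.fromhex("6A4F682A002A00")),
    ("M12 VxDCall VWIN32_Int41Dispatch", bytes.fromhex("684F000000682A002A00")),
]
# Method 11 (MeltICE): device names handed to CreateFileA / _lopen.
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in data (overlaps allowed)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan(data: bytes) -> list:
    """Sorted (offset, label) pairs for every signature and device-name hit."""
    hits = []
    for label, sig in SIGNATURES:
        hits += [(off, label) for off in find_all(data, sig)]
    for name in DEVICE_NAMES:
        label = "M11 MeltICE device name " + name.decode()
        hits += [(off, label) for off in find_all(data, name)]
    return sorted(hits)


def methods_found(data: bytes) -> set:
    """Only the method numbers that were hit, e.g. {'M02', 'M11'}."""
    return {label.split()[0] for _, label in scan(data)}


# Constructed sample: the Haspinst.exe loop of Method 02 (B8 11 09 = MOV AX,0911,
# 8B 17 = MOV DX,[BX], the two magic values, CC = INT 3), filler, the Method 11
# device name, then the Method 05 check followed by cmp ax,0F386h (3D 86 F3).
SAMPLE = (b"\x90" * 8 + bytes.fromhex("B811098B17BE4746BF4D4ACC")
          + b"\x00" * 4 + b"\\\\.\\SICE\x00"
          + bytes.fromhex("B84F00CD413D86F3"))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, label in scan(blob):
        print(f"{off:08x}  {label}")
```

Because each pattern is one contiguous byte run, a protector that pads or reorders the instructions of a listing will need looser signatures than these.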