About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises on int 3:
if SoftICE is loaded, al no longer holds 4 after the interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

____________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h                     ; our handler copies al into cl...
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless a debugger swallowed the int
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
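As an added example (not from the original post), here is a decoder for the DR7 layout that the debug-register check above reads. The field positions are the documented x86 DR7 format: the L0..G3 enable bits at bits 0..7, LE at bit 8, GE at bit 9, bit 10 reserved and always set, and an R/W and LEN field per breakpoint from bit 16 upward. That layout is why the text quotes 0x400 as the idle value (only the reserved bit) and 0x700 when the SoftICE loader has also set LE and GE. The classification wording and the sample values are mine.

```python
"""Decoder for the DR7 layout that the debug-register check in Method 10 reads.
Added example, not part of the original post: the field positions are the
documented x86 DR7 format; the classification wording is mine."""

# R/W field (2 bits per breakpoint, bits 16+4i): what triggers DRi
RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field (2 bits per breakpoint, bits 18+4i): watched size in bytes
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}

LE_BIT, GE_BIT, RESERVED_BIT10 = 1 << 8, 1 << 9, 1 << 10


def decode_dr7(dr7: int) -> dict:
    """Return the global flags and every armed hardware breakpoint in dr7."""
    breakpoints = []
    for i in range(4):
        local_enable = bool(dr7 & (1 << (2 * i)))       # Li bit
        global_enable = bool(dr7 & (1 << (2 * i + 1)))  # Gi bit
        if not (local_enable or global_enable):
            continue  # DRi is not armed, so its R/W and LEN fields mean nothing
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        breakpoints.append({"reg": f"dr{i}", "local": local_enable,
                            "global": global_enable,
                            "trigger": RW_NAMES[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & LE_BIT),                      # local exact breakpoint enable
        "ge": bool(dr7 & GE_BIT),                      # global exact breakpoint enable
        "reserved_bit10": bool(dr7 & RESERVED_BIT10),  # architecturally reads as 1
        "breakpoints": breakpoints,
    }


def debugger_indicators(dr7: int) -> list:
    """What a ring-0 read of dr7 alone can conclude, in the terms of Method 10."""
    d = decode_dr7(dr7)
    notes = []
    if d["le"] and d["ge"]:
        notes.append("LE and GE set (the 0x700 value the text attributes to the SoftICE loader)")
    if d["breakpoints"]:
        armed = ", ".join(f"{b['reg']}:{b['trigger']}/{b['length']}B" for b in d["breakpoints"])
        notes.append("hardware breakpoints armed (BPM in SoftICE terms): " + armed)
    if not notes:
        notes.append("only the reserved bit (0x400): no loader signature, no BPMs")
    return notes


if __name__ == "__main__":
    # Constructed sample values: idle, loader-started, and one armed BPM on dr0
    for value in (0x400, 0x700, 0x400 | 0x1 | (0b11 << 16) | (0b11 << 18)):
        print(f"dr7={value:#x}: {'; '.join(debugger_indicators(value))}")
```

The decoder shows what such a check actually sees: the loader signature is nothing more than two enable flags, and every BPM set from the debugger is visible as an armed DRi with its trigger type and length, which is exactly why the warning above says to clear breakpoints before letting this code run.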

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
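The immediates and strings in methods 01, 02, 03/04, 05, 07, 11 and 12 above are fixed by the interface each trick talks to, so they make usable static signatures when triaging a protected sample before tracing it. The following scanner is an added example, not part of the original text: the opcode encodings are standard x86 (B8/BB/BE/BF iw = mov ax/bx/si/di,imm16; BD id = mov ebp,imm32; B4 ib = mov ah,imm8; CC = int 3; CD ib = int n; 3D iw = cmp ax,imm16; 6A ib / 68 id = push), while the rule names, the gap limits between instructions and the SAMPLE buffer are constructed by me. Each pattern is a heuristic that assumes the trick was assembled in the register-and-immediate form shown on the page.

```python
"""Static triage for the anti-SoftICE tricks listed above.  Added example, not
code from the original post: it scans a byte buffer for the fixed immediates
and device names those tricks need and reports where they occur."""
import re

# name -> (regex over raw bytes, method number on the page).  A leading 66h is
# the operand-size prefix seen when 16-bit forms sit in 32-bit code; the
# ".{0,N}?" gaps are constructed slack for a few instructions in between.
RULES = {
    # mov ebp,'BCHK' ... int 3
    "bchk_int3": (re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}?\xcc", re.DOTALL), "01"),
    # mov si,4647h ... mov di,4A4Dh (the back-door magic values)
    "backdoor_magic": (re.compile(rb"\x66?\xbe\x47\x46.{0,16}?\x66?\xbf\x4d\x4a", re.DOTALL), "02"),
    # mov ax,1684h ... mov bx,0202h|7A5Fh ... int 2Fh
    "int2f_1684_vxd": (re.compile(rb"\xb8\x84\x16.{0,16}?\xbb(?:\x02\x02|\x5f\x7a).{0,16}?\xcd\x2f", re.DOTALL), "03/04"),
    # mov ax,4Fh ... int 41h ... cmp ax,0F386h
    "int41_4f_f386": (re.compile(rb"\xb8\x4f\x00.{0,16}?\xcd\x41.{0,16}?\x3d\x86\xf3", re.DOTALL), "05"),
    # mov ah,43h ... int 68h ... cmp ax,0F386h
    "int68_43_f386": (re.compile(rb"\xb4\x43.{0,8}?\xcd\x68.{0,8}?\x3d\x86\xf3", re.DOTALL), "07"),
    # \\.\SICE, \\.\SIWVID, \\.\NTICE (MeltICE device names)
    "device_name": (re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"), "11"),
    # push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    "vxdcall_int41": (re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00"), "12"),
}


def scan(buf: bytes) -> list:
    """Return sorted (offset, rule_name) pairs for every rule hit in buf."""
    hits = []
    for name, (rx, _method) in RULES.items():
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_present(buf: bytes) -> list:
    """Page method numbers whose signature appears at least once, sorted."""
    return sorted({RULES[name][1] for _off, name in scan(buf)})


# Constructed sample: the page's snippets hand-assembled, separated by NOP padding.
SAMPLE = b"".join([
    b"\x90" * 4,
    b"\xbd\x4b\x48\x43\x42",      # mov ebp, 4243484Bh ('BCHK')      @4
    b"\x66\xb8\x04\x00",          # mov ax, 4
    b"\xcc",                      # int 3
    b"\x3c\x04\x75\x10",          # cmp al,4 / jnz
    b"\x90" * 4,
    b"\xb8\x11\x09",              # mov ax, 0911h                    @22
    b"\x8b\x17",                  # mov dx, [bx]
    b"\xbe\x47\x46",              # mov si, 4647h                    @27
    b"\xbf\x4d\x4a",              # mov di, 4A4Dh
    b"\xcc",                      # int 3
    b"\x90" * 4,
    b"\xb8\x4f\x00",              # mov ax, 4Fh                      @38
    b"\xcd\x41",                  # int 41h
    b"\x3d\x86\xf3",              # cmp ax, 0F386h
    b"\x74\x05",                  # jz
    b"\x90" * 4,
    b"\xb8\x84\x16",              # mov ax, 1684h                    @52
    b"\xbb\x02\x02",              # mov bx, 0202h (SICE VxD ID)
    b"\xcd\x2f",                  # int 2Fh
    b"\x90" * 4,
    b"\xb4\x43",                  # mov ah, 43h                      @64
    b"\xcd\x68",                  # int 68h
    b"\x3d\x86\xf3",              # cmp ax, 0F386h
    b"\x90" * 4,
    b"\x6a\x4f",                  # push 4Fh                         @75
    b"\x68\x2a\x00\x2a\x00",      # push 002A002Ah
    b"\x90" * 4,
    b"\\\\.\\SICE\x00",           # '\\.\SICE',0                     @86
    b"\\\\.\\NTICE\x00",          # '\\.\NTICE',0                    @95
])


if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name:16s} (method {RULES[name][1]})")
    print("methods present:", methods_present(SAMPLE))
```

Running the file prints the hits for the built-in sample; scan(open(path, "rb").read()) does the same on a real executable. A hit means only that the constants are present in that form: confirm the behaviour under a debugger, and expect misses when a protection builds the values at run time, uses other registers, or splits the sequence across a jump.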

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>