About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on SoftICE's built-in handling of the BoundsChecker signature:
with EBP = 'BCHK' and AX = 4, SoftICE intercepts the int 3 and returns with
AL changed, so if AL is still 4 afterwards no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints or execute SoftICE commands.
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point (0:0 if absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one (Method 06) are 2 examples from
Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; ES must be 0 (the IVT) here, as set up in Method 06
    xchg    bx, es:[41h*4+2]    ; install our own handler, old vector kept in bx:dx
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]      ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if the int 41h really reaches the IVT handler
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; any changing value (timer channel 0)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: our handler never ran, a debugger owns int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

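The sequences quoted in Methods 01 to 08 above are fixed enough to be found
statically in a DOS or 16-bit binary. The Python scanner below is an added
example, not code from the original text nor from any of the tools it names:
it matches the byte encodings of those instruction sequences in raw 16-bit
x86 code and decodes the operand that identifies each check (back door
function number, VxD ID, rehooked vector). The sample buffer is constructed
here from the text's own listings with junk instructions between them; the
allowed gap sizes between instructions are an assumption.

```python
"""Static scanner for the interrupt-based SoftICE checks of Methods 01-08.

Added example, not code from the original text. It looks for the byte
encodings of the quoted 16-bit instruction sequences in a raw code buffer
and decodes the operand that identifies the check. The sample buffer is
constructed from the text's own listings; the gap sizes are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    method: str   # which method of the text the sequence matches
    offset: int   # offset of the first instruction of the match
    detail: str   # decoded operand


# Encodings (16-bit code): mov ax,imm16=B8 iw  mov bx,imm16=BB iw
# mov si,imm16=BE iw  mov di,imm16=BF iw  mov ah,imm8=B4 ib  mov al,imm8=B0 ib
# in al,imm8=E4 ib  int 3=CC  int n=CD ib  mov ebp,imm32=66 BD id (66h prefix
# because the operand is 32-bit inside a 16-bit segment).
BACKDOOR_FUNCS = {0x10: "display string", 0x11: "execute command",
                  0x12: "get breakpoints", 0x13: "set breakpoint",
                  0x14: "remove breakpoint"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def _vxd(m):
    vid = m[1][0] | (m[2][0] << 8)
    return "int 2Fh/1684h, VxD ID %04Xh (%s)" % (vid, VXD_IDS.get(vid, "not a SoftICE ID"))


def _vector(m):
    return "int 21h/25h rehooks int %02Xh" % (m[1] or m[2])[0]


SIGNATURES = [
    # Method 01: mov ebp,'BCHK' ; mov ax,4 ; int 3  (BoundsChecker handshake)
    ("01 BoundsChecker int 3",
     rb"\x66\xBD\x4B\x48\x43\x42.{0,8}?\xB8\x04\x00.{0,8}?\xCC",
     lambda m: "ebp='BCHK', ax=4, int 3"),
    # Method 02: mov ax,09xxh with si=4647h and di=4A4Dh loaded before the int 3
    ("02 SoftICE backdoor int 3",
     rb"\xB8([\x10-\x14])\x09(?=.{0,24}?\xBE\x47\x46)(?=.{0,24}?\xBF\x4D\x4A).{0,32}?\xCC",
     lambda m: "ax=09%02Xh (%s)" % (m[1][0], BACKDOOR_FUNCS[m[1][0]])),
    # Methods 03/04: mov ax,1684h ; mov bx,<VxD ID> ; int 2Fh
    ("03/04 int 2Fh VxD entry point",
     rb"\xB8\x84\x16.{0,8}?\xBB(.)(.).{0,8}?\xCD\x2F", _vxd),
    # Method 05: mov ax,4Fh ; int 41h  (0F386h answer expected from a debugger)
    ("05 int 41h/4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41", lambda m: "ax=4Fh, int 41h"),
    # Method 06: in al,40h ; ... ; int 41h  (own handler copies al to cl)
    ("06 int 41h timer compare", rb"\xE4\x40.{0,6}?\xCD\x41",
     lambda m: "in al,40h then int 41h"),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h", rb"\xB4\x43.{0,6}?\xCD\x68", lambda m: "ah=43h, int 68h"),
    # Method 08: mov ah,25h ; mov al,01/03 (or mov ax,2501h/2503h) ; ... ; int 21h
    ("08 int 21h set vector",
     rb"(?:\xB4\x25.{0,6}?\xB0([\x01\x03])|\xB8([\x01\x03])\x25).{0,10}?\xCD\x21", _vector),
]
COMPILED = [(name, re.compile(pat, re.DOTALL), describe)
            for name, pat, describe in SIGNATURES]


def scan(code: bytes) -> list[Hit]:
    """Return every signature match in `code`, ordered by offset."""
    hits = [Hit(name, m.start(), describe(m))
            for name, rx, describe in COMPILED for m in rx.finditer(code)]
    return sorted(hits, key=lambda h: h.offset)


def build_sample() -> bytes:
    """Constructed buffer: the text's sequences with junk instructions between."""
    filler = b"\x90\x8B\xD8\x43\x90"                          # nop; mov bx,ax; inc bx; nop
    parts = [
        b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04",   # Method 01
        b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC",   # Method 02 (Haspinst loop body)
        b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F",   # Method 03 (SICE)
        b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F",   # Method 04 (SIWVID)
        b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3",                    # Method 05 + cmp ax,0F386h
        b"\xE4\x40\x33\xC9\xCD\x41",                            # Method 06 core
        b"\xB4\x43\xCD\x68\x3D\x86\xF3",                        # Method 07 + cmp ax,0F386h
        b"\xB4\x25\xB0\x01\xBA\x34\x12\xCD\x21",                # Method 08 on int 01h
    ]
    return filler + filler.join(parts) + filler


if __name__ == "__main__":
    for h in scan(build_sample()):
        print("%-32s @%04X  %s" % (h.method, h.offset, h.detail))
```

Run it on a raw code segment (not on a packed image: these packers decrypt
the check at run time, so dump the unpacked code first). The VxD-ID match
reports every int 2Fh/1684h call, since only the ID tells a SoftICE probe
from a legitimate VxD query.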
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

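Method 10 above quotes only two DR7 values. The Python decoder below is an
added example, not code from the original text: it breaks a DR7 value down by
the bit layout in the Intel manual (L0/G0 to L3/G3 enables, LE, GE, the
always-set reserved bit 10, and the R/Wn and LENn fields), lists the memory
breakpoints armed in DR0-DR3, and shows the 'clearing BPMs' manipulation the
text mentions. Reading DR7 itself is privileged, so the value has to come from
ring 0 or from a saved thread context; the register contents used here are
constructed for the demo, 0x400 and 0x700 being the text's own figures.

```python
"""Decode DR7 / DR0-DR3 the way Method 10's ring-0 check reads them.

Added example, not code from the original text. Layout of DR7 (Intel SDM):
bits 0-7 = L0,G0 ... L3,G3 enable bits for DR0-DR3, bit 8 = LE, bit 9 = GE,
bit 10 = reserved and always reads as 1, bits 16-31 = (R/Wn, LENn) for each
of the four breakpoints. Reading DR7 is privileged, so the value must come
from ring 0 or from a saved thread context; the register values below are
constructed for the demo, 0x400 and 0x700 being the two figures of the text.
"""
from dataclasses import dataclass

RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}        # LEN=10b is 8 bytes only in 64-bit mode
RESERVED_BIT10 = 0x400
SAMPLE_DR0_3 = (0x00401000, 0, 0, 0x7C00)   # constructed DR0..DR3 contents


@dataclass(frozen=True)
class HwBreakpoint:
    index: int      # 0-3 -> DR0-DR3
    address: int
    kind: str       # one of RW_KIND
    length: int     # bytes covered
    global_: bool   # G bit (kept across task switches) instead of L bit


def decode_dr7(dr7: int, dr0_3) -> dict:
    """Flag bits plus the list of breakpoints whose L or G enable bit is set."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if not (local or glob):
            continue                                   # BPM slot i unused
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, dr0_3[i], RW_KIND[rw], LEN_BYTES[ln], bool(glob)))
    return {"le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "reserved": bool(dr7 & RESERVED_BIT10), "breakpoints": bps}


def classify(dr7: int, dr0_3) -> str:
    """The reading Method 10 gives to the registers."""
    d = decode_dr7(dr7, dr0_3)
    if d["breakpoints"]:
        return "memory breakpoints (BPM) set: " + ", ".join(
            "DR%d %#x %s len=%d" % (b.index, b.address, b.kind, b.length)
            for b in d["breakpoints"])
    if d["le"] and d["ge"]:
        return "no BPM, LE/GE set (the text's 0x700: loaded with the SoftICE loader)"
    return "no BPM, only reserved bit 10 set (the text's 0x400)"


def clear_bpm(dr7: int) -> int:
    """The 'clearing BPMs' manipulation: drop every L/G enable and every
    R/W-LEN field, keep control bits 8-13 (LE, GE, GD ...) and bit 10."""
    return (dr7 & 0x3F00) | RESERVED_BIT10


def build_dr7(bps) -> int:
    """Compose a DR7 from (index, kind, length, global) tuples; demo helper
    that also documents where each field lives."""
    kinds = {v: k for k, v in RW_KIND.items()}
    lens = {v: k for k, v in LEN_BYTES.items()}
    dr7 = RESERVED_BIT10
    for idx, kind, length, glob in bps:
        dr7 |= 1 << (2 * idx + (1 if glob else 0))     # Ln / Gn
        dr7 |= kinds[kind] << (16 + 4 * idx)           # R/Wn
        dr7 |= lens[length] << (18 + 4 * idx)          # LENn
    return dr7


if __name__ == "__main__":
    for dr7 in (0x400, 0x700, build_dr7([(0, "write", 4, False), (3, "execute", 1, True)])):
        print("%#08x: %s" % (dr7, classify(dr7, SAMPLE_DR0_3)))
```

The point of the decoder is the distinction the text draws: 0x400 is nothing
but the reserved bit, 0x700 adds LE and GE (bits 8 and 9) without arming any
breakpoint, and a BPM shows up as an L/G enable bit plus a non-zero R/W-LEN
field for that slot.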
Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

/* TRUE if the Win9x SoftICE driver 'SICE' answers the open; use
   "\\\\.\\SIWVID" or "\\\\.\\NTICE" the same way for the other drivers. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall) and then browses
the DDB list until it finds the VxD and its DDB_Control_Proc field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods
05 &amp; 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (the offsets 0x13 and 0x37 are where 'tICE'
sits in keys #2 and #1 respectively):

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on the system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>