About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; SoftICE changes al when it handles the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI is still 0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 so es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; read the timer counter: an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; cl != al: our handler was not the one that ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
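Added example (not code from the original text) showing what the Method 10 check actually reads: a DR7 decoder using the Intel SDM bit layout, with the 0x700/0x400 interpretation taken from the text above. The function names, the arm_slot helper and the sample values are constructed for the illustration.

```python
"""Decode the DR7 debug-control register read by Method 10.
Added example, not code from the original text; bit layout per Intel SDM."""

RW_TYPES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}  # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}                              # LENn field

def decode_dr7(dr7):
    """Split DR7 into its control flags and the armed breakpoint slots."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))       # L0..L3
        glob = bool(dr7 & (1 << (2 * i + 1)))    # G0..G3
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            ln = (dr7 >> (18 + 4 * i)) & 3
            slots.append({"slot": i, "local": local, "global": glob,
                          "type": RW_TYPES[rw], "length": LEN_BYTES[ln]})
    return {
        "le": bool(dr7 & (1 << 8)),          # local exact breakpoint enable
        "ge": bool(dr7 & (1 << 9)),          # global exact breakpoint enable
        "bit10": bool(dr7 & (1 << 10)),      # reserved, always reads as 1
        "gd": bool(dr7 & (1 << 13)),         # general detect (traps MOV DRn)
        "slots": slots,
    }

def method10_verdict(dr7):
    """The conclusion the trick draws, as the text states it: 0x700 (LE and GE
    set on top of bit 10) = started from the SoftICE loader, 0x400 = idle,
    and any enabled slot = a memory breakpoint is armed in dr0..dr3."""
    d = decode_dr7(dr7)
    if d["slots"]:
        return "breakpoint armed in slot(s) %s" % [s["slot"] for s in d["slots"]]
    if d["le"] and d["ge"]:
        return "loaded through SoftICE loader (LE|GE set)"
    return "nothing visible in DR7"

def arm_slot(slot, rw, length, dr7=0x400):
    """Constructed helper: arm one slot the way a BPM would, to see what the
    check observes afterwards. rw uses the R/Wn encoding, length is in bytes."""
    dr7 |= 1 << (2 * slot)                             # Ln
    dr7 |= {1: 0, 2: 1, 4: 3, 8: 2}[length] << (18 + 4 * slot)
    dr7 |= rw << (16 + 4 * slot)
    return dr7

if __name__ == "__main__":
    for value in (0x400, 0x700, arm_slot(0, 3, 4)):
        print(hex(value), decode_dr7(value), "->", method10_verdict(value))
```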

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the device name succeeds only if the SICE VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
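Added here as an example (not code from the original text or from any of the tools it names): a static scanner over a constructed byte blob for the patterns that Methods 01, 02, 03/04, 05/07/12 and 11 leave in a binary, the kind of check a defender runs over a sample before it ever executes. It assumes the standard 16-bit x86 encodings listed in the comments (with an optional 66h prefix where 32-bit code emits one); the signature names and the sample blob are constructed.

```python
"""Static scanner for the byte patterns left by Methods 01, 02, 03/04, 05/07/12
and 11. Added example, not code from the original text."""
import re

# Encodings assumed (16-bit x86 unless noted; a 66h operand-size prefix is
# accepted where 32-bit code would emit one):
#   B8+reg imm16 = mov r16, imm   (AX=B8 BX=BB BP=BD SI=BE DI=BF)
#   3D imm16     = cmp ax, imm      CD xx = int xx
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') ahead of the int 3
    "method01_bchk": rb"(?:\x66)?\xBD\x4B\x48\x43\x42",
    # Method 02: SI = 4647h and DI = 4A4Dh loaded within a few bytes
    "method02_backdoor_magic":
        rb"(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ; int 2Fh
    "method03_04_vxd_id_int2f":
        rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F",
    # Methods 05/07/12: cmp ax, 0F386h, the system-debugger magic number
    "f386_magic_compare": rb"(?:\x66)?\x3D\x86\xF3",
}
# Method 11: the driver names MeltICE opens, as ASCII and as UTF-16LE
DEVICE_NAMES = [b"\\\\.\\SICE", b"\\\\.\\SIWVID", b"\\\\.\\NTICE"]
SIGNATURES["method11_device_name"] = b"|".join(
    re.escape(n) for n in
    DEVICE_NAMES + [n.decode().encode("utf-16-le") for n in DEVICE_NAMES])
COMPILED = {k: re.compile(v, re.DOTALL) for k, v in SIGNATURES.items()}

def scan(blob):
    """Return {signature name: [byte offsets]} for every pattern found."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(blob)]
        if offsets:
            hits[name] = offsets
    return hits

def build_sample():
    """Constructed input: the page's snippets hand-assembled behind NOP padding."""
    return (b"\x90" * 16
        + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 (32-bit)
        + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Haspinst loop body
        + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"          # Method 03
        + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05, simplest
        + b"\\\\.\\SICE\x00"                                          # Method 11, ASCII
        + "\\\\.\\NTICE".encode("utf-16-le"))                         # Method 11, wide

if __name__ == "__main__":
    for name, offsets in scan(build_sample()).items():
        print(f"{name:26s} at {[hex(o) for o in offsets]}")
```

A hit only says the bytes are present; packers emit the same sequences, so treat the offsets as places to look, not as a verdict.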

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available on Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-((

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>