About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; es must point to the IVT (0) here, as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect: no
function 4Fh and no 0F386h constant appear, so a breakpoint on those will
not catch it. The temporary handler copies AL (a timer byte just read from
port 40h) into CL; the check relies on SoftICE consuming the int 41h instead
of passing it to the handler in the IVT, so CL stays 0 and differs from AL:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68

   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;      /* the driver answered: SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________


Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
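The code-level tricks of Methods 01 to 07, 11 and 12 all leave fixed byte sequences behind (magic immediates, the interrupt numbers, the device-name strings). The following Python scanner, an added example that is not code from the original post, looks for those sequences in a raw code blob the way an analyst triages a packed sample for anti-debugging. It goes a little beyond the listings above: each pattern accepts either register order and both the 16-bit and the 66h-prefixed 32-bit encodings, and the Method 11 names are matched in ASCII and UTF-16LE. The opcode encodings were derived by hand from the listings and are assumptions; the sample buffer is constructed, not a real binary.

```python
"""Signature scan for the anti-SoftICE tricks of Methods 01-07, 11 and 12.
Added example for triaging a sample; not code from the original post.  The
opcode encodings are assumptions derived by hand from the listings above:
16-bit (DOS) forms, with the 66h operand-size prefix accepted wherever the
32-bit (Win32) encoding differs."""
import re


def _pat(src):
    """Compile a bytes regex; DOTALL so '.' also matches 0x0A inside code."""
    return re.compile(src, re.DOTALL)


def _int2f_pattern(vxd_id_le):
    """Methods 03/04: mov ax,1684h and mov bx,<VxD ID> in either order, then int 2Fh."""
    mov_ax = rb"(?:\x66)?\xB8\x84\x16"
    mov_bx = rb"(?:\x66)?\xBB" + re.escape(vxd_id_le)
    return _pat(rb"(?:" + mov_ax + rb".{0,8}?" + mov_bx + rb"|"
                + mov_bx + rb".{0,8}?" + mov_ax + rb").{0,8}?\xCD\x2F")


SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') / mov ax,4 / int 3
    ("M01 BoundsChecker 'BCHK' int 3",
     _pat(rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC")),
    # Method 02: the SI=4647h / DI=4A4Dh magic values (either order) then int 3
    ("M02 back-door magic SI/DI + int 3",
     _pat(rb"(?:(?:\x66)?\xBE\x47\x46.{0,16}?(?:\x66)?\xBF\x4D\x4A"
          rb"|(?:\x66)?\xBF\x4D\x4A.{0,16}?(?:\x66)?\xBE\x47\x46).{0,16}?\xCC")),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)", _int2f_pattern(b"\x02\x02")),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)", _int2f_pattern(b"\x5F\x7A")),
    # Method 05: mov ax,4Fh / int 41h / cmp ax,0F386h (vector swaps may sit between)
    ("M05 int 41h/4Fh magic 0F386h",
     _pat(rb"(?:\x66)?\xB8\x4F\x00.{0,32}?\xCD\x41.{0,32}?(?:\x66)?\x3D\x86\xF3")),
    # Method 06: in al,40h / ... / int 41h / ... / cmp cl,al (no 4Fh or 0F386h constant)
    ("M06 int 41h timer-byte handler check",
     _pat(rb"\xE4\x40.{0,8}?\xCD\x41.{0,24}?(?:\x38\xC1|\x3A\xC8)")),
    # Method 07: mov ah,43h / int 68h / cmp ax,0F386h
    ("M07 int 68h/43h magic 0F386h",
     _pat(rb"\xB4\x43.{0,8}?\xCD\x68.{0,16}?(?:\x66)?\x3D\x86\xF3")),
    # Method 12: push 4Fh / push 2A002Ah just before the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",
     _pat(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]
# Method 11: the device names handed to CreateFileA/_lopen, ASCII and UTF-16LE.
for _name in ("\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"):
    for _enc in ("ascii", "utf-16-le"):
        SIGNATURES.append((f"M11 device name {_name} ({_enc})",
                           _pat(re.escape(_name.encode(_enc)))))


def scan(blob):
    """Return sorted (offset, label) pairs for every signature hit in blob."""
    return sorted((m.start(), label)
                  for label, pat in SIGNATURES for m in pat.finditer(blob))


# Constructed sample: hand-assembled fragments separated by NOPs, not a real binary.
NOPS = b"\x90" * 8
SAMPLE = (
    # Method 01 (32-bit): mov ebp,4243484Bh / mov ax,4 / int 3 / cmp al,4 / jnz
    b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10" + NOPS
    # Method 02 (16-bit): mov ax,911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC" + NOPS
    # Method 04 (16-bit): mov ax,1684h / mov bx,7A5Fh / int 2Fh
    + b"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F" + NOPS
    # Method 05 (16-bit): mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3" + NOPS
    # Method 06 (16-bit): in al,40h / xor cx,cx / int 41h / cmp cl,al
    + b"\xE4\x40\x33\xC9\xCD\x41\x38\xC1" + NOPS
    # Method 07 (16-bit): mov ah,43h / int 68h / cmp ax,0F386h
    + b"\xB4\x43\xCD\x68\x3D\x86\xF3" + NOPS
    # Method 12 (32-bit): push 4Fh / push 2A002Ah / call [imm32]
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xFF\x15\x00\x00\x00\x00" + NOPS
    # Method 11: the device name as a C string constant
    + b"\\\\.\\SICE\x00"
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x}  {label}")
```

Run against a real file, feed `scan()` the bytes of the code and data sections; the lazy `.{0,N}?` gaps keep the patterns tolerant of interleaved instructions (the vector swaps of Method 05, the `mov dx,[bx]` of Method 02) without letting a match wander across unrelated code. Hits are leads for the analyst to confirm in a disassembler, not proof by themselves.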

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
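The conditional breakpoints given for Method 11 (`BPX CreateFileA if *(esp->4+4)=='SICE' ...`) and Method 13 (`BPX _regopenkey if *(esp->8+0x13)=='tICE' ...`) are derived from the API argument layout plus the position of a four-character marker inside the string argument. The following Python, added here as an example and not code from the original post, carries that derivation through for both and reproduces the offsets 0x13 and 0x37. It assumes the stdcall stack layout at the breakpoint (esp->4 is the first argument, esp->8 the second) and that the HKEY_LOCAL_MACHINE part of each key is passed as the hKey handle, so lpSubKey starts at `Software\...`; it also reports which of the three key paths the page's breakpoint does not cover.

```python
"""Derive the conditional-breakpoint expressions of Methods 11 and 13 from the
API argument layout and the strings involved.  Added example, not code from the
original post.  Assumed: stdcall layout at the breakpoint (esp->0 return
address, esp->4 first argument, esp->8 second argument), and that the
HKEY_LOCAL_MACHINE part of each key is the hKey handle, so lpSubKey starts at
'Software\\...'."""
import struct

# Inputs taken from the post: device names (Method 11) and registry sub-keys (Method 13).
DEVICE_NAMES = ["\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE"]
REG_SUBKEYS = [
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",       # key #1
    r"Software\NuMega\SoftICE",                                           # key #2
    r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",  # key #3
]


def window(s, offset, width=4):
    """The characters a SoftICE *(ptr+offset)=='XXXX' test reads at ptr+offset."""
    return s[offset:offset + width]


def dword_le(s, offset):
    """The little-endian DWORD the debugger actually compares at that address."""
    return struct.unpack("<I", window(s, offset).encode("ascii"))[0]


def createfile_condition(names, arg_slot=4):
    """Method 11: lpFileName is CreateFileA's first argument (esp->4).  The
    '\\\\.\\' prefix is 4 characters, so the DWORD at lpFileName+4 holds the
    first four letters of the device name.  Returns (offset, condition)."""
    prefix_len = len("\\\\.\\")
    terms = list(dict.fromkeys(window(n, prefix_len) for n in names))  # dedupe, keep order
    cond = " || ".join(f"*(esp->{arg_slot}+{prefix_len})=='{t}'" for t in terms)
    return prefix_len, cond


def regopenkey_condition(subkeys, marker="tICE", arg_slot=8):
    """Method 13: lpSubKey is RegOpenKey's second argument (esp->8).  One term
    per distinct offset of the 4-byte marker; paths without it are returned
    separately so the analyst knows which accesses the breakpoint misses."""
    offsets, uncovered = [], []
    for key in subkeys:
        i = key.find(marker)
        if i < 0:
            uncovered.append(key)
        else:
            offsets.append(i)
    offsets = sorted(set(offsets))
    cond = " || ".join(f"*(esp->{arg_slot}+{o:#x})=='{marker}'" for o in offsets)
    return offsets, cond, uncovered


if __name__ == "__main__":
    print("BPX CreateFileA if", createfile_condition(DEVICE_NAMES)[1])
    offs, cond, missed = regopenkey_condition(REG_SUBKEYS)
    print("BPX _regopenkey if", cond)
    print("not covered by that BPX:", missed)
```

The marker `tICE` is chosen because it is the last four characters shared by keys #1 and #2 at a fixed offset; key #3 (the Loader32.Exe App Path) contains no such substring, which is why `regopenkey_condition` lists it as uncovered and a second term or a different marker would be needed to catch it.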

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.