About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker signature)
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers a
    cmp     al,4                   ; BoundsChecker query by changing AL
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to call the SoftICE 'back door' commands, which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command; ds:dx points to the command string)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h   (ASCII 'FG')
-DI = 4A4Dh   (ASCII 'JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is an example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int 3 call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed by an exception handler (the program's own
  int 3 handler) if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; (stays 0:0 if the VxD is not installed)
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di                   ; ES:DI = 0:0 before the call
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; (stays 0:0 if the VxD is not installed)
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________
Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs                  ; ES must point to the IVT (segment 0) here
    lea     dx, int41handler2       ; install our own int 41h handler...
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; ...if only our iret handler ran, AX is still 4Fh
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h              ; F386h: a ring-0 debugger answered first
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________
Method 06
=========

Second method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (IVT)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT counter
    xor     cx,cx                   ; CL = 0 before the call
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran, the
    jnz     SoftICE_detected        ; interrupt was swallowed by a ring-0 debugger

_________________________________________________________________________
Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine ; ds must hold the routine's segment
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns the Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________
Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether there are some memory breakpoints set (dr0 to dr3), simply by
reading their values (in ring 0 only). The values can be manipulated or
changed as well (clearing BPMs for instance).
(0x400 is just the always-set reserved bit 10 of dr7; 0x700 additionally has
the LE and GE exact-breakpoint bits 8 and 9 set.)
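
To make the Method 10 numbers concrete, here is an added C example (not code
from the original post): it decodes a DR7 value into the per-breakpoint enable
bits and the R/W and LEN fields, and applies the post's verdict that anything
beyond the idle 0x400 baseline means a debugger has touched the register or a
hardware breakpoint is armed. Reading DR7 itself still needs ring 0 (mov eax,
dr7), or on Win32 the Dr7 field of a CONTEXT obtained with GetThreadContext;
the sample values below are constructed and the function names are mine.

```c
/* Added example: decode x86 DR7 as Method 10's ring-0 check would.
 * DR7 layout (Intel SDM vol. 3, "Debug Registers"):
 *   bits 0-7   L0,G0,L1,G1,L2,G2,L3,G3  local/global enable per breakpoint
 *   bit 8/9    LE/GE exact-breakpoint flags (set in the post's 0x700 value)
 *   bit 10     reserved, always reads as 1 (hence the 0x400 baseline)
 *   bits 16-31 R/Wn (2 bits) and LENn (2 bits) for breakpoints 0..3 */
#include <stdint.h>
#include <stdio.h>

#define DR7_BASELINE 0x400u   /* reserved bit 10 set, nothing else */
#define DR7_LE       (1u << 8)
#define DR7_GE       (1u << 9)

struct dr7_bp {
    int enabled;      /* L or G bit set for this slot */
    const char *kind; /* "exec", "write", "io" (needs CR4.DE), "rw" */
    int len;          /* 1, 2, 4 bytes; 8 only exists in 64-bit mode */
};

/* Decode breakpoint slot n (0..3) of a DR7 value. */
struct dr7_bp dr7_decode_slot(uint32_t dr7, int n)
{
    static const char *kinds[4] = { "exec", "write", "io", "rw" };
    static const int lens[4] = { 1, 2, 8, 4 };  /* LEN encodings 00,01,10,11 */
    struct dr7_bp bp;
    unsigned rw  = (dr7 >> (16 + 4 * n)) & 3u;
    unsigned len = (dr7 >> (18 + 4 * n)) & 3u;
    bp.enabled = ((dr7 >> (2 * n)) & 3u) ? 1 : 0;
    bp.kind = kinds[rw];
    bp.len = lens[len];
    return bp;
}

/* Bitmask of breakpoint slots (bit n = slot n) that are enabled. */
unsigned dr7_enabled_mask(uint32_t dr7)
{
    unsigned mask = 0;
    for (int n = 0; n < 4; n++)
        if (dr7_decode_slot(dr7, n).enabled)
            mask |= 1u << n;
    return mask;
}

/* Method 10's verdict: any bit outside the idle 0x400 baseline. */
int dr7_looks_like_debugger(uint32_t dr7)
{
    return (dr7 & ~DR7_BASELINE) != 0;
}

int main(void)
{
    /* Constructed samples: idle, loaded under the SoftICE loader, one BPM
     * (slot 0, write access, 4 bytes: L0=1, RW0=01, LEN0=11). */
    uint32_t samples[] = { 0x400u, 0x700u, 0x000D0401u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = samples[i];
        printf("dr7=%#010x debugger=%d LE=%d GE=%d enabled=%#x\n", v,
               dr7_looks_like_debugger(v), !!(v & DR7_LE), !!(v & DR7_GE),
               dr7_enabled_mask(v));
        for (int n = 0; n < 4; n++) {
            struct dr7_bp bp = dr7_decode_slot(v, n);
            if (bp.enabled)
                printf("  bp%d: %s, %d byte(s)\n", n, bp.kind, bp.len);
        }
    }
    return 0;
}
```

The 0x700 case is the one the post describes: no breakpoint slot is enabled,
but LE and GE are set, so a check that only looks at dr0-dr3 misses it while
the baseline comparison catches it.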

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it was freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )   /* open succeeded: driver is loaded */
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE?
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________
Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

( ~# ~+ i+ f7 E3 S  HMethod 130 D7 x. e0 x' F
=========& N3 K' n% f! c2 }7 k( T. W

3 n0 K' W5 a1 j1 ]- [& X6 U/ i/ \* l; KNot a real method of detection, but a good way to know if SoftICE is
& B- h. E" @6 h# k& M$ `installed on a computer and to locate its installation directory.: ?8 Q2 Z+ k8 ~' a0 @" u9 @( h
It is used by few softs which access the following registry keys (usually #2) :
  o# G3 T. t/ n8 v5 d# ~
8 X# s' a1 l3 k+ s2 L-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
$ k  j: G$ C5 ^- i9 u  d\Uninstall\SoftICE- Z4 ]3 l; c8 }0 ?, ^
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE# K: Y6 T+ @. h: ^
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion: ^/ m+ @/ @) W
\App Paths\Loader32.Exe3 y/ m3 c4 g0 Y  d% ]% i, @' B8 [
. z5 Z& d- v9 M0 ], C, U

& g3 r' t* T" W+ W4 dNote that some nasty apps could then erase all files from SoftICE directory
. h5 b% x4 k! p  h(I faced that once :-(0 k6 ^$ @* g9 l

) Q) s/ ?( R+ |! r4 ~Useful breakpoint to detect it:  {9 z! T6 I* z' \9 w: l0 E* O8 s
+ [" q3 g" j1 [" \1 L
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
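
The conditional breakpoints of Method 11 (BPX CreateFileA if
*(esp->4+4)=='SICE' ...) and of Method 13 just above both read the dword at a
fixed offset from an argument string and compare it with a four-character
literal in memory order. The following C program is an added example, not part
of the original post, that re-implements that comparison over constructed
strings so the offsets can be verified offline: +4 skips the "\\.\" prefix of
the device path, and 0x13 / 0x37 are where "tICE" sits in the two key paths.
It also derives the offset for any other key name. The function names are
mine, not SoftICE's.

```c
/* Added example: evaluate the "*(p+off)=='TAG'" tests used by the SoftICE
 * breakpoints in Methods 11 and 13 over ordinary C strings. SoftICE compares
 * a 'TAG' literal against the bytes as they sit in memory, so the helper
 * compares bytes rather than a native little-endian integer. */
#include <stdio.h>
#include <string.h>

/* The "*(p+off)=='TAG'" test: 1 on match, 0 if the string is too short
 * (the debugger would read past the NUL; we refuse instead) or differs. */
int dword_at_matches(const char *p, size_t off, const char tag[4])
{
    if (strlen(p) < off + 4)
        return 0;
    return memcmp(p + off, tag, 4) == 0;
}

/* Method 11: esp->4 is CreateFileA's path argument; +4 skips "\\.\".
 * Returns the matching driver tag, or NULL for any other path. */
const char *meltice_driver(const char *path)
{
    static const char *tags[] = { "SICE", "SIWV", "NTIC" };
    if (strncmp(path, "\\\\.\\", 4) != 0)
        return NULL;
    for (size_t i = 0; i < sizeof tags / sizeof tags[0]; i++)
        if (dword_at_matches(path, 4, tags[i]))
            return tags[i];
    return NULL;
}

/* Method 13: esp->8 is RegOpenKey's subkey string; 0x13 is where "tICE"
 * sits in "Software\NuMega\SoftICE", 0x37 where it sits in
 * "Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE". */
int regkey_names_softice(const char *subkey)
{
    return dword_at_matches(subkey, 0x13, "tICE") ||
           dword_at_matches(subkey, 0x37, "tICE");
}

/* Offset of "tICE" in a key string (what you would put after esp->8+), or -1.
 * Use it to extend the breakpoint to a key the post does not cover. */
int softice_tag_offset(const char *subkey)
{
    const char *hit = strstr(subkey, "SoftICE");
    return hit ? (int)(hit - subkey) + 3 : -1;   /* +3 skips "Sof" */
}

int main(void)
{
    /* Constructed inputs: the three driver paths, two benign paths, keys. */
    const char *paths[] = { "\\\\.\\SICE", "\\\\.\\SIWVID", "\\\\.\\NTICE",
                            "\\\\.\\PhysicalDrive0", "C:\\SICE" };
    const char *keys[] = {
        "Software\\NuMega\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE",
        "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\Loader32.Exe",
    };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        const char *t = meltice_driver(paths[i]);
        printf("%-24s -> %s\n", paths[i], t ? t : "(no SoftICE driver)");
    }
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-64s bpx hits=%d tag offset=%d\n", keys[i],
               regkey_names_softice(keys[i]), softice_tag_offset(keys[i]));
    return 0;
}
```

Key #3 (App Paths\Loader32.Exe) contains no "tICE" at either offset, which is
why the post's breakpoint only catches lookups of keys #1 and #2; add a third
term with the offset softice_tag_offset() reports if you need another key.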

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.