About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one (Method 06) are 2 examples
from Stone's "stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

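Methods 01 to 05 all reduce to a few fixed instruction bytes (the 'BCHK' constant, the 4647h/4A4Dh magic values, the 1684h/0202h/7A5Fh VxD query, the 4Fh + int 41h pair), which is what an analyst usually wants to find statically in a packed binary before running it under a debugger. The Python scanner below is an added example written for this page; it is not the author's code and not taken from any packer or tool mentioned here. The byte encodings are standard x86, the SAMPLE bytes are hand-assembled and constructed for the demo, and the signature table, the scan function and its field names are my own.

```python
import re

# Function codes SoftICE accepts in AX for the int 3 back door (Method 02).
BACKDOOR_FUNCTIONS = {
    0x0910: "display string in SoftICE window",
    0x0911: "execute SoftICE command at ds:dx",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoints",
    0x0914: "remove breakpoints",
}

# VxD IDs requested through int 2Fh/1684h (Methods 03 and 04), little-endian.
VXD_IDS = {b"\x02\x02": "SICE (0202h)", b"\x5F\x7A": "SIWVID (7A5Fh)"}

# x86 byte patterns for the checks. (?:\x66)? allows for the operand-size
# prefix that 16-bit register loads carry when assembled in 32-bit code.
#   mov ebp, 4243484Bh -> BD 4B 48 43 42      mov ax, 04h   -> (66) B8 04 00
#   mov si, 4647h      -> (66) BE 47 46       mov di, 4A4Dh -> (66) BF 4D 4A
#   mov ax, 1684h      -> (66) B8 84 16       mov bx, imm16 -> (66) BB lo hi
#   mov ax, 4Fh        -> (66) B8 4F 00       int 41h -> CD 41,  int 3 -> CC
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     rb"(?:\x66)?\xBD\x4B\x48\x43\x42(?:\x66)?\xB8\x04\x00\xCC\x3C\x04"),
    ("02", "SoftICE back door int 3 with SI=4647h / DI=4A4Dh",
     rb"(?:\x66)?\xB8(?P<fn>[\x10-\x14])\x09.{0,16}?"
     rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A.{0,8}?\xCC"),
    ("03/04", "int 2Fh/1684h VxD entry point query",
     rb"(?:\x66)?\xB8\x84\x16.{0,8}?(?:\x66)?\xBB(?P<vxd>\x02\x02|\x5F\x7A)\xCD\x2F"),
    ("05", "int 41h function 4Fh debugger check",
     rb"(?:\x66)?\xB8\x4F\x00\xCD\x41"),
]
COMPILED = [(m, d, re.compile(p, re.DOTALL)) for m, d, p in SIGNATURES]


def scan(code: bytes) -> list:
    """Return one finding per signature hit, sorted by offset."""
    findings = []
    for method, desc, pat in COMPILED:
        for m in pat.finditer(code):
            hit = {"offset": m.start(), "method": method, "what": desc}
            if method == "02":
                ax = 0x0900 | m.group("fn")[0]          # low byte of AX
                hit["function"] = f"AX={ax:04X}h: {BACKDOOR_FUNCTIONS[ax]}"
            elif method == "03/04":
                hit["vxd"] = VXD_IDS[m.group("vxd")]
            findings.append(hit)
    return sorted(findings, key=lambda h: h["offset"])


# Constructed sample: four hand-assembled snippets separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01 (32-bit code)
    + b"\x90" * 3
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"          # Method 02, Haspinst style
    + b"\x31\xFF\x8E\xC7\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F"          # Method 04 (SIWVID query)
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                          # Method 05 (int 41h/4Fh)
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Feed it the code section of a suspect executable (or a whole file; false positives on data are rare for sequences this long) and it reports which of the page's methods are present and, for Method 02, which back door function is called, so you know in advance whether to expect a HBOOT.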
_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)
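The 0x700 / 0x400 values quoted above are easier to reason about once DR7 is split into its bit fields: bit 10 is a reserved bit that always reads as 1 (hence 0x400 on an idle machine), 0x700 adds the LE and GE "exact breakpoint" enable bits 8 and 9, and a memory breakpoint (BPM) shows up as the L/G enable bit of one of DR0..DR3 together with its R/W and LEN fields. The decoder below is an added example written for this page, not code from the original text; the bit layout follows the Intel manuals, the sample values are constructed (the two quoted on the page plus one with a write breakpoint), and the function and field names are my own.

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"): bits 0..7 are the
# local/global enable pairs for DR0..DR3, bits 8/9 are LE/GE, bit 10 always
# reads as 1, bit 13 is GD, and bits 16..31 hold R/W and LEN for each register.
DR7_LE = 1 << 8
DR7_GE = 1 << 9
DR7_RESERVED_ONE = 1 << 10
DR7_GD = 1 << 13

RW_NAMES = {0: "execute", 1: "write", 2: "I/O read/write", 3: "data read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Describe which hardware breakpoints DR7 arms and which control bits are set."""
    armed = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if local or glob:
            rw = (dr7 >> (16 + 4 * n)) & 3      # R/Wn field
            ln = (dr7 >> (18 + 4 * n)) & 3      # LENn field
            armed.append({"reg": f"DR{n}",
                          "scope": "global" if glob else "local",
                          "kind": RW_NAMES[rw],
                          "len": LEN_BYTES[ln]})
    return {"armed": armed,
            "le": bool(dr7 & DR7_LE),
            "ge": bool(dr7 & DR7_GE),
            "gd": bool(dr7 & DR7_GD),
            "reserved_ok": bool(dr7 & DR7_RESERVED_ONE)}


def classify(dr7: int) -> str:
    """Apply the page's heuristic: enable bits => BPM set, LE+GE => SoftICE loader, else idle."""
    info = decode_dr7(dr7)
    if info["armed"]:
        return "hardware breakpoints armed: " + ", ".join(
            f"{b['reg']} {b['scope']} {b['kind']} len={b['len']}" for b in info["armed"])
    if info["le"] and info["ge"]:
        return "LE/GE set (dr7=0x700 pattern: program started by the SoftICE loader)"
    return "no breakpoints, no exact bits (dr7=0x400 pattern)"


# Constructed sample values: the two quoted on the page, and one with a
# 4-byte write breakpoint on DR0 (L0 set, R/W0=01, LEN0=11) -> 0xD0401.
SAMPLE_DR7 = [0x400, 0x700, 0x400 | 1 | (1 << 16) | (3 << 18)]

if __name__ == "__main__":
    for value in SAMPLE_DR7:
        print(f"dr7={value:#x}: {classify(value)}")
```

The same decoder is what you want on the defender's side when reading a ring0 dump of the debug registers: it tells you whether a protector that cleared DR0..DR3 (the "clearing BPMs" case above) also removed the LE/GE bits, which is the tell that it is tampering rather than merely reading.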

__________________________________________________________________________


Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
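The breakpoint conditions given for Methods 11, 12 and 13 are all checks on the callee's stack arguments: `esp->4` is the dword at [esp+4] (the first argument at function entry), `esp->8` the second, `*(...)` dereferences a pointer, and a four-character constant such as 'SICE' or 'tICE' is compared with four bytes of memory in order (that last point is my reading of the SoftICE syntax, not something the page states). The Python below is an added example written for this page, not code from the original text or from SoftICE: it lays out constructed __stdcall frames and C strings in a flat memory image and evaluates the three conditions on them, which also confirms that the 0x13 and 0x37 offsets land on the "tICE" of the two registry paths listed above. The `make_stack`, `put_cstring` and `bpx_*` names, the addresses, and every return address except 00401071 (taken from the CreateFileA listing in Method 11) are assumptions made for the demo.

```python
def dword(mem: bytearray, addr: int) -> int:
    """SoftICE 'esp->N' / '*(x)': read a little-endian dword at addr."""
    return int.from_bytes(mem[addr:addr + 4], "little")


def chars(mem: bytearray, addr: int) -> bytes:
    """Four raw bytes at addr, to compare against a 'SICE'-style constant."""
    return bytes(mem[addr:addr + 4])


def put_cstring(mem: bytearray, addr: int, text: str) -> None:
    data = text.encode("ascii") + b"\0"
    mem[addr:addr + len(data)] = data


def make_stack(mem: bytearray, esp: int, ret: int, *args: int) -> None:
    """Lay out a __stdcall frame as the callee sees it: [esp]=return address, then args."""
    for i, value in enumerate((ret,) + args):
        mem[esp + 4 * i:esp + 4 * i + 4] = value.to_bytes(4, "little")


# Method 11: BPX CreateFileA if *(esp->4+4)=='SICE' || ...=='SIWV' || ...=='NTIC'
def bpx_createfilea(mem: bytearray, esp: int) -> bool:
    name = dword(mem, esp + 4)          # esp->4  : lpFileName (first argument)
    tag = chars(mem, name + 4)          # +4 skips the "\\.\" device prefix
    return tag in (b"SICE", b"SIWV", b"NTIC")


# Method 13: BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
def bpx_regopenkey(mem: bytearray, esp: int) -> bool:
    subkey = dword(mem, esp + 8)        # esp->8  : lpSubKey (second argument)
    return chars(mem, subkey + 0x13) == b"tICE" or chars(mem, subkey + 0x37) == b"tICE"


# Method 12: BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f
def bpx_vxdcall_int41(mem: bytearray, esp: int) -> bool:
    return dword(mem, esp + 4) == 0x002A002A and dword(mem, esp + 8) == 0x4F


def build_snapshots() -> dict:
    """Constructed memory images for each condition and the result of evaluating it."""
    results = {}
    esp = 0x800                         # assumed stack pointer at function entry

    for label, device in (("createfile_sice", "\\\\.\\SICE"),
                          ("createfile_ntice", "\\\\.\\NTICE"),
                          ("createfile_other", "\\\\.\\COM1")):
        mem = bytearray(0x1000)
        put_cstring(mem, 0x100, device)
        make_stack(mem, esp, 0x00401071, 0x100)      # return address from the listing
        results[label] = bpx_createfilea(mem, esp)

    for label, key in (("reg_numega", "Software\\NuMega\\SoftICE"),
                       ("reg_uninstall",
                        "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SoftICE"),
                       ("reg_other", "Software\\Microsoft\\Windows\\CurrentVersion\\Run")):
        mem = bytearray(0x1000)
        put_cstring(mem, 0x200, key)
        # RegOpenKey(hKey=HKEY_LOCAL_MACHINE, lpSubKey, phkResult); return address assumed
        make_stack(mem, esp, 0x00401000, 0x80000002, 0x200, 0x900)
        results[label] = bpx_regopenkey(mem, esp)

    # Method 12 pushes 4Fh first, then 002A002Ah, so the service is at [esp+4]
    mem = bytearray(0x1000)
    make_stack(mem, esp, 0x00401000, 0x002A002A, 0x4F)
    results["vxdcall_int41_4f"] = bpx_vxdcall_int41(mem, esp)
    return results


if __name__ == "__main__":
    for name, fired in build_snapshots().items():
        print(f"{name:20s} -> {'break' if fired else 'pass'}")
```

Two details the evaluation makes visible: the CreateFileA condition uses 'NTIC' rather than 'NTICE' because the compare is four bytes wide, and the two registry offsets are specific to those key strings, so a program opening `Software\NuMega` and then `SoftICE` as separate keys would slip past that breakpoint.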

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>