找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>, ?0 n# O1 y4 s) [) f3 ~* w
<TBODY>: c. G: J( J/ q! o! v- w. ^) L
<TR>/ v: e6 m+ A7 q2 m- ?* x6 v
<TD><PRE>Method 01
" E+ e0 y) i* `: G& e+ o9 a1 i=========
% W) }8 B, d1 T
# C; h4 e% k1 H) P5 p$ yThis method of detection of SoftICE (as well as the following one) is3 ~6 z7 ^, r9 x8 Z
used by the majority of packers/encryptors found on Internet.
0 @, U! A4 p/ P* @It seeks the signature of BoundsChecker in SoftICE4 ^) j2 H$ M$ E1 O/ J/ u
* Q( l3 c) V/ }6 X  M$ X! B7 C
    mov     ebp, 04243484Bh        ; 'BCHK'
1 p, c/ S9 ~  g: F  w$ n  ^; }    mov     ax, 04h% M* P/ @9 ^; B1 c
    int     3       ) {% Q, H6 Q7 A2 t, c
    cmp     al,46 p2 v7 S9 M2 H8 W1 U. o
    jnz     SoftICE_Detected
- O5 t5 C7 \, w" X* B7 |" `4 e! F9 y2 ~( G
___________________________________________________________________________7 z0 z0 o$ R8 \) K( O8 [

. i# a/ c" f! a. k: N7 jMethod 02% Y, L! p8 ^& d  u1 N6 N7 k
=========
, ?* I* P$ l% ~% h. M+ Z4 L. j: n+ W$ Y
Still a method very much used (perhaps the most frequent one).  It is used
5 D. J, A, R6 h' jto get SoftICE 'Back Door commands' which gives infos on Breakpoints,/ n1 i, V, G/ \; H) p# _; B
or execute SoftICE commands...
) t  R- ^, g/ d- }; @It is also used to crash SoftICE and to force it to execute any commands
. E5 B3 a$ \9 X5 I( o9 i5 y(HBOOT...) :-((  $ A, }. j! x4 p* n# N5 V% z( s
  P5 x9 ~8 W, \+ h
Here is a quick description:
' U+ D9 ~- `. _. k8 c- V2 z-AX = 0910h   (Display string in SIce windows)* g: ~) k5 E7 U3 ^+ T7 _9 r
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
! @  w* }9 r, d-AX = 0912h   (Get breakpoint infos)
7 S1 a. F+ }1 T( p. K-AX = 0913h   (Set Sice breakpoints)
9 S$ I! g6 E8 l! T! m5 O$ L0 i. y-AX = 0914h   (Remove SIce breakoints)" Z" c# p, j) Z. v$ Y+ O

# u" s1 ^9 K3 p! m2 LEach time you'll meet this trick, you'll see:2 U4 g9 f9 V- K
-SI = 4647h
# m: k+ a( v* R2 z-DI = 4A4Dh
: t( x( h9 ?  {2 q% Y/ pWhich are the 'magic values' used by SoftIce.4 Q& V3 m7 M0 g9 V* T0 ^+ C
For more informations, see "Ralf Brown Interrupt list" chapter int 03h., S& a4 O8 J* Q9 t! v
( F8 m+ Z3 X( @. r) l) b4 w
Here is one example from the file "Haspinst.exe" which is the dongle HASP
: W7 m" I& V7 |; _7 {) ^, KEnvelope utility use to protect DOS applications:8 T" N* I, B. s" ?8 Y
2 _" V5 o7 S, M. R

' f7 k( ]3 y; g, G4C19:0095   MOV    AX,0911  ; execute command.' O  ?8 C) @1 m6 G0 H4 @; B
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below)." v6 I% G- P' E8 Z/ k
4C19:009A   MOV    SI,4647  ; 1st magic value.
5 D/ b& ^' V) B  H, z8 j+ r3 g: N4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
" G6 [/ H2 h+ l4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
: B1 G* b: Y  k; R2 X4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute' U# O! a# {7 u! x
4C19:00A4   INC    CX) |0 F8 E$ S+ Q; a4 E0 |- A8 J7 }
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute: K! x4 r3 |5 w  S% W, S7 r& ~% h" M! t
4C19:00A8   JB     0095     ; 6 different commands.
' O3 c. e2 d6 ?9 R4C19:00AA   JMP    0002     ; Bad_Guy jmp back.3 p, @/ C: t5 A! S% O; Y
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)/ _5 p& ~" w( c$ q) {% F

+ ~* Q" k  ]" ~& ?- K, G- Z. n0 {The program will execute 6 different SIce commands located at ds:dx, which
7 s+ g) D$ Z% z# dare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.3 P4 ?2 G( S; K) T* a

$ t& Q7 L6 y( a% U3 P* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.( ?2 R9 D. Y8 E# L( @! I) Y5 c: V
___________________________________________________________________________; d5 ~3 a; y' I2 c6 w

9 s, J3 W4 f: t& ^7 i, z% L
6 ~$ E% m; K2 w6 |; P! y% gMethod 03
, @! e% j3 N9 a' D8 h) V0 B: N=========
, h: R- A( G+ n: i0 N$ N6 I4 D7 }; O3 v/ v9 t; I+ I
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h- g8 Z) E! n; V: m
(API Get entry point)
7 g/ Q/ l. J/ z7 d8 n  h        
4 S$ |% |; a- u$ x* N9 [
$ |% `) ?; g+ u: f  E7 c; R, }    xor     di,di- a% O7 j2 y/ I. r, d
    mov     es,di! p; [* E; K/ a
    mov     ax, 1684h       1 ^& T8 ]6 Y' F6 O( v
    mov     bx, 0202h       ; VxD ID of winice/ u. Z+ K* n4 D/ q) R& J
    int     2Fh
2 D9 Y/ l+ k  s2 G3 a* g: x  B    mov     ax, es          ; ES:DI -&gt; VxD API entry point- ]4 [. D/ ~  |& f1 G# D4 I
    add     ax, di
( n: `% Q. A  i8 o$ Y8 u0 @    test    ax,ax
* y  Y5 B9 E: Q" ?6 S    jnz     SoftICE_Detected$ \! J6 _, `) w: n6 d2 C

- G) R2 Q' n  O4 {& v2 {& r# ^___________________________________________________________________________' P. P. A# e: V8 j

2 w0 J" p+ o1 _" N8 i# QMethod 041 F4 ]* }1 p8 M8 Q2 P9 s1 B
=========
- e2 Y+ Z& v. t6 f- P* Y/ g
0 I- m8 {% T6 m, aMethod identical to the preceding one except that it seeks the ID of SoftICE2 m4 ^" ]6 L8 S
GFX VxD.
+ X* G! A  \3 _" [- E, P8 T% ^5 L( W( x+ r& X1 i5 o  E
    xor     di,di
- A1 I4 W, @3 O% h) b( l    mov     es,di
3 t- z  _' r2 i0 Y, P    mov     ax, 1684h       " ]' i3 l6 t; u( l
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
# D" L/ T: t3 n    int     2fh4 T0 _9 Q% ?) B; ]' r7 h) G
    mov     ax, es          ; ES:DI -&gt; VxD API entry point3 |  l  L/ T. ?; n
    add     ax, di' g+ {* }5 b6 ?  k
    test    ax,ax) k* e1 I, g4 z/ g- L
    jnz     SoftICE_Detected% j' b9 [+ j+ p: U$ L2 C9 B
% h% C' G6 O8 y% o& m8 `  y
__________________________________________________________________________2 Y+ d; a$ ~& R* f* ~. \
0 H' z2 T7 `# z" I1 U

' }1 ]7 T0 n5 Q! _. A/ N0 pMethod 059 G6 R9 Q% k- G
=========% V* F" R) V& u. k- e& f+ Y, U
- w1 F. F9 R0 C4 B# j3 N
Method seeking the 'magic number' 0F386h returned (in ax) by all system! a$ E2 S: q# z
debugger. It calls the int 41h, function 4Fh.* ]4 x. P( |) y9 }5 l- S, H3 A
There are several alternatives.  8 F  ~3 ]% {  ]+ I8 w$ s
0 j/ ~6 t: D0 T+ }5 ^" k! P. z5 H
The following one is the simplest:% t2 K; n5 r, M& q! |( e: @
9 X( o1 i; d: b, i- k6 G
    mov     ax,4fh
; `- c2 J3 P) M+ z; _    int     41h) s5 l( X) q) D0 D
    cmp     ax, 0F386! n5 S" W6 @, L0 i
    jz      SoftICE_detected, H5 l7 J, [3 F5 F5 t$ w2 z8 z& ^7 Q
8 h6 D5 {6 R- P' R# y. H
/ |1 c9 C1 t6 T. N. `  \' o8 F
Next method as well as the following one are 2 examples from Stone's / y4 F' w# E. {' `- F9 s0 c2 C8 T
"stn-wid.zip" (www.cracking.net):
6 A" M5 h, c+ w/ _5 ^1 J0 d; [. c
    mov     bx, cs. U/ ]1 u" [$ s
    lea     dx, int41handler2
7 c2 Y1 h2 E1 k- U. }7 k    xchg    dx, es:[41h*4]- B2 R& @" j+ h
    xchg    bx, es:[41h*4+2]
  n* B' m, I4 t    mov     ax,4fh/ |( K/ {* ~- [
    int     41h
4 s/ M) h- c$ ?2 \    xchg    dx, es:[41h*4]
7 t& y# _; ]- @; _9 `  k    xchg    bx, es:[41h*4+2]3 `5 d' r+ a- n, R  V
    cmp     ax, 0f386h
/ F$ q" t7 ^% Z2 M3 a3 f1 ?% i    jz      SoftICE_detected7 s. z' {* f1 x! |* P; I$ o

% @) x2 b9 x/ Xint41handler2 PROC
' R) O! f$ `$ s5 M$ _    iret+ V2 W. a/ ]* v
int41handler2 ENDP
7 q% C$ i" L. S( T/ R6 D" [& C5 `* }9 `/ o" s6 Y
" H$ D) K" @& K5 j; N7 \6 i  x
_________________________________________________________________________
+ f- |0 d* c, t6 @
% a4 I! x6 V2 Y* o+ C( Q' \
) b8 a7 a; z2 q; BMethod 06/ u; d3 L4 k% w2 h# a
=========4 Z3 v( E/ Y5 y1 F) j4 ]! w5 `
: ~, V8 h$ c  C& y; o7 w
! Z6 k8 o9 q& t: U. P. k
2nd method similar to the preceding one but more difficult to detect:
; ~" `4 Q2 _/ U& j) j+ n
( U1 w0 V/ L' p/ V- I6 I' ~& ~( m$ C6 a  [& F
int41handler PROC
: S' `3 \% Z* w( D! M! H* R    mov     cl,al4 F. ^% i/ h0 H  H/ B5 B
    iret
# K1 k8 k! a& z9 wint41handler ENDP4 P/ r, ]7 ]" T' p4 J5 J  s
6 [' L3 u) c' B( Z) h
  F- ?4 M5 B6 U0 ~/ C; R% t  S: S' S
    xor     ax,ax
9 I4 B3 {! K6 u+ S) L. [* O    mov     es,ax
5 }' `$ Z& [. N5 s+ @% f    mov     bx, cs: D! X& R# m+ {5 ^0 S, h
    lea     dx, int41handler. Q7 C9 d/ U+ C
    xchg    dx, es:[41h*4]+ X. f0 r. I2 L! R6 M
    xchg    bx, es:[41h*4+2]: ^/ \6 [) h/ r3 z* u9 H5 J
    in      al, 40h
9 Z/ t: }* y/ [    xor     cx,cx
$ }' S+ ?  Y; Z0 t, \" G    int     41h) F) m3 l( i( _% X
    xchg    dx, es:[41h*4]( q1 b  z7 y3 L5 I* i
    xchg    bx, es:[41h*4+2]0 n4 `! Q! U1 |$ p3 R) S
    cmp     cl,al
$ V3 @/ c: Q+ x    jnz     SoftICE_detected3 E) W2 W- h8 H' R/ s+ e

$ d0 D: ?- v# h8 Y1 _3 B_________________________________________________________________________6 _- H. o  ^4 [' z" ?* D

. z) Q, o6 N* I' U% O9 jMethod 074 H  ~  Z$ f, @, s$ m5 b% Q
=========
+ d3 z% m( y- B, e; u8 N2 N- W9 j3 a3 i# c
Method of detection of the WinICE handler in the int68h (V86)
8 ?0 j6 m1 E3 @7 I0 x4 i
% J* h5 f/ a% p& D" u, Q! S    mov     ah,43h# p% N+ k. o: \$ Z  g
    int     68h9 H4 M5 ^. l% K. O; Q
    cmp     ax,0F386h0 \/ E9 l3 t/ d% n: K% {0 B
    jz      SoftICE_Detected' R8 F5 O! z8 _" k/ V; o! p

+ X2 d* {# M7 U0 I$ i7 \* D
' Q' t. _+ _5 ~( H6 u, V+ q+ [=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit. B' F( m" h0 M$ @
   app like this:
2 V. [5 t7 I# z; D% w' s7 s
8 `0 |# u- F+ B' I. B   BPX exec_int if ax==68
; {! O0 r6 n8 O) d( r; Y   (function called is located at byte ptr [ebp+1Dh] and client eip is
6 E9 [& o! N7 m9 q6 [) g6 ^" L   located at [ebp+48h] for 32Bit apps)
& h+ a1 w8 N- _% @  o  o( Y__________________________________________________________________________# P; b0 S& l, B1 H4 B, U2 v/ U4 I
  @1 S  B1 k4 I! q3 d  Y/ S
! B2 B  h5 t& U6 B6 c/ r
Method 08
: ]8 v! y6 O3 t$ Q! @=========
/ X. ^8 B/ B/ q. v6 @5 p6 R+ b, o+ X4 Z$ f; w
It is not a method of detection of SoftICE but a possibility to crash the
) ], Z6 f# b) P2 F5 a/ bsystem by intercepting int 01h and int 03h and redirecting them to another  b( v: C, w* |  A: b" H
routine.
6 d% A8 t! c" O( I$ T, ^1 y: z  q) GIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points: x' [* I/ d; R+ V+ _
to the new routine to execute (hangs computer...)* l- ]0 R* [/ ~8 ?& l

& e$ M, m% S" y$ f4 K, O    mov     ah, 25h
: E* S; z! \7 z+ }: E    mov     al, Int_Number (01h or 03h)% M/ f) _1 R' \( N
    mov     dx, offset New_Int_Routine
0 R! ~) u/ ~- L    int     21h
- [1 K7 _. G/ M/ n0 L( D$ n- ]1 T, E; U/ x9 j
__________________________________________________________________________1 G2 @/ g' n# `7 V

( k# V! }3 t1 [1 K7 hMethod 09/ b% I: k2 \% A. V9 I) v4 F
=========# s- ?5 F& w- f; P' p9 y) l2 G

- a: V# x# x$ P) M2 O" o& _This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only( o- T8 f% f4 r) [3 m% I
performed in ring0 (VxD or a ring3 app using the VxdCall).
5 b! W) u+ L6 Q  q# `2 DThe Get_DDB service is used to determine whether or not a VxD is installed3 F! I9 c# v( {$ M) P9 F' ]* g/ `
for the specified device and returns a Device Description Block (in ecx) for
( y7 ~2 P$ x8 G) d6 N4 w! nthat device if it is installed.7 @, k6 J% r- V4 s7 C& Z

) J: l6 a8 K$ o   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID4 g! `" c# X0 A+ w$ C+ y; V9 w1 t" f
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
( ^9 r; @5 l" X# ]) U   VMMCall Get_DDB& u9 l; c, B: H. y
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
2 h) c9 \$ N/ @3 X) i5 t+ Q$ m, f2 }) o  V) A
Note as well that you can easily detect this method with SoftICE:8 b2 i$ R' i+ N
   bpx Get_DDB if ax==0202 || ax==7a5fh, Z3 [8 s& s* l; b( \; I- P

' P8 A' D6 S+ N2 H__________________________________________________________________________* U4 g; D  }3 M0 C& K

! w+ G( i3 R, t) N! c  bMethod 107 e* k2 d+ ~/ K3 _  g8 R
=========
- n2 {. a: W8 t$ ^1 v6 t/ x- Y# F5 c
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
$ {2 H& b# s0 N5 R$ U3 E, y  SoftICE while the option is enable!!7 Z5 ]/ C! J0 Q) u" |( n3 g, i

8 ], c+ H; S3 D" ~) [# kThis trick is very efficient:3 ]- H3 O2 ^& I3 _" j" B5 A( m3 H- }
by checking the Debug Registers, you can detect if SoftICE is loaded- ^; k& W4 B6 \# n$ e, q, j7 T; `  H) E
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if7 |% i& _" i* \/ q5 E
there are some memory breakpoints set (dr0 to dr3) simply by reading their
" p2 x9 D, h0 x# o3 W4 X9 gvalue (in ring0 only). Values can be manipulated and or changed as well* a  J) l$ U$ A) |) m
(clearing BPMs for instance)
  i7 v' x' x5 k0 K
1 c& Z1 d/ U4 L$ W& x7 L. ]" N__________________________________________________________________________/ K, h+ b1 F( U- G1 P- f
2 U$ L( a* U- I9 }/ E( n$ s
Method 11
4 y% D9 i1 a, O: V( F=========5 f+ D& e/ @/ o& v( n- C$ d
2 a  u" \, {5 F0 U
This method is most known as 'MeltICE' because it has been freely distributed
  u7 f+ m0 L7 E  dvia www.winfiles.com. However it was first used by NuMega people to allow
, s% j- _; ]' c+ N/ VSymbol Loader to check if SoftICE was active or not (the code is located; n/ @+ g$ n: J+ g) `  M
inside nmtrans.dll)., \" s  F( M6 u" N  b

7 W* X$ B! G( H9 H, P' S, g8 M8 h1 x. aThe way it works is very simple:  [% r, X5 T+ ]1 D3 C7 ]  H
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
  y* ]. I$ A) u2 ^( P, _WinNT) with the CreateFileA API.
) J8 o) V: l' V$ w
: R% }# }) t/ H5 RHere is a sample (checking for 'SICE'):
- }$ ]  m. k/ K0 W* `$ m( y& M! r! R7 y0 t* ^8 F+ m: i% f, D, H
BOOL IsSoftIce95Loaded()8 ~# C* c3 v1 |& r5 V
{+ }2 L6 M9 i4 F2 h/ G6 c
   HANDLE hFile;  8 r  U; D5 A, R6 D/ L5 @9 S
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,: K& N6 v' Q9 U& z7 w$ C
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
4 Q6 _: t* j1 I% J& ?2 e                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);2 H0 _7 X: F2 ^
   if( hFile != INVALID_HANDLE_VALUE )
+ ~" \! a* j* m0 k" g( S. V) Z' I% `  h   {
- K/ X! h9 N: I$ G7 {      CloseHandle(hFile);
' {+ C" j- B0 M      return TRUE;
8 Q) a' H, w( j, i$ M( N# ]   }  V+ r; g# s3 n; K5 f8 u; b% t2 @
   return FALSE;1 R  L8 [/ w, d5 C9 F
}
. b+ q  Q* S/ h, e2 o+ w  i
1 }7 [) W+ @$ [+ Q5 oAlthough this trick calls the CreateFileA function, don't even expect to be
  E2 @1 v* u, o" T+ J# Z& a6 W! oable to intercept it by installing a IFS hook: it will not work, no way!7 ^- q8 \/ n* B0 w
In fact, after the call to CreateFileA it will get through VWIN32 0x001F% R4 `% s" j) w% `3 p# s; t8 W
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)+ Y  e' @# p% A8 ^$ I! ^6 S
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
* ~: d$ n! p: w1 Z; v+ X1 `# tfield.# n6 \# C7 ]9 j0 p$ s* p: t, s: L
In fact, its purpose is not to load/unload VxDs but only to send a
" ^7 |* e: k2 {' B9 Q3 j( JW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)5 u. P* E. @4 W- v9 L2 K8 P
to the VxD Control_Dispatch proc (how the hell a shareware soft could try2 e6 R: o) o, m9 e& s
to load/unload a non-dynamically loadable driver such as SoftICE ;-).$ v+ }7 d2 p/ M8 [4 U' R6 u
If the VxD is loaded, it will always clear eax and the Carry flag to allow. v2 V4 ~" q5 y! B- Q8 P
its handle to be opened and then, will be detected.% U/ O6 ?# h1 g6 H, t" F
You can check that simply by hooking Winice.exe control proc entry point2 j( |- Y/ h3 @. ~& k9 h& J
while running MeltICE.
0 z& h5 ?- t3 l; \: W, W
% ~( Z% Z1 |& B! m" l$ z- s* q  ^1 S( @
  00401067:  push      00402025    ; \\.\SICE  J4 |! f. u6 r$ R' [
  0040106C:  call      CreateFileA
6 {/ O) `* c6 _  00401071:  cmp       eax,-001. P4 L3 `5 T+ m# t
  00401074:  je        00401091
8 t( ]% Y/ t* }: {. J# @" @& Q% J+ X2 f$ G% e* a; I
! ~% e. q) L, K5 o1 w
There could be hundreds of BPX you could use to detect this trick.0 X: }% i2 x, M" _0 \& e/ ], i- S: j+ h9 @
-The most classical one is:
* c2 B9 R. u6 [1 B  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||$ k4 N- c+ k& K( j1 m3 @
    *(esp-&gt;4+4)=='NTIC'1 @( s5 D) @3 g9 W2 D
0 E* }4 }0 Y1 X  Y! Q/ d0 I/ y
-The most exotic ones (could be very slooooow :-(
- |, e% t  O6 S4 i8 G4 W) a: S& W   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
$ O3 S8 ~- r9 @/ t0 ~     ;will break 3 times :-(
3 ]# Q2 U6 q+ v( X, g  y8 [, n
3 N9 g5 m* o5 z' |4 X-or (a bit) faster:   Y$ B& S6 Q' ?- ~3 t8 A, d" ^
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
2 C8 N7 V& o0 j5 D' o8 C& }4 g
) ?8 o* Z4 a0 F3 U. m8 \' Z0 {& D% P, @   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
$ q& g" M3 T' d     ;will break 3 times :-(
9 Z$ ~* ]/ V( Y' h7 ?
0 x# N4 t' P6 |; s: F6 b: o-Much faster:
( p! Z( ~- f! V( O  X5 f/ z   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
2 o! z2 B# \& w" Z  W. R" G( k
) `! ^! v$ O/ D1 s) ]3 u" p1 LNote also that some programs (like AZPR3.00) use de old 16-bit _lopen: G# O1 s, K3 l: o5 p
function to do the same job:
5 j2 F: m2 B# {" L& k3 ~: w- {
# c* T5 F, c8 t( z/ \' i, Q   push    00                        ; OF_READ
! K* v) |& k3 [0 D9 F- A  |4 d   mov     eax,[00656634]            ; '\\.\SICE',0
3 p4 S* ?" B& `) v1 u   push    eax8 u4 q; }2 O0 \- o! S4 p# e0 D  @
   call    KERNEL32!_lopen+ Q$ {6 D+ ~* v: Y
   inc     eax; H4 e7 a2 j1 K2 l
   jnz     00650589                  ; detected9 n, f& t& S  X2 }, c' [+ Q! w
   push    00                        ; OF_READ$ G8 K! U- `0 T( ~
   mov     eax,[00656638]            ; '\\.\SICE'
7 b/ z/ f! L! v9 p' t: a& c   push    eax3 W1 T  I8 ]' f6 \; v
   call    KERNEL32!_lopen( p9 N' f' n; L3 [/ j$ i5 C# b0 h4 n
   inc     eax
2 X# @0 }2 e1 m4 ~2 t" d; [   jz      006505ae                  ; not detected
& B- X) S& i. D# z3 w, }9 C' C
7 H' H" t: v% k1 Z* T
8 f4 d2 i; ]* o' i. e8 S- V__________________________________________________________________________' ^4 O3 f& x" A' r+ W6 U

9 Q5 U1 z5 K/ w- u. jMethod 12
9 {: m- i% V; ?, N' U% H  Z=========4 v, ]& Y0 M) O
& e' d/ D4 e, h3 s! q+ l5 q
This trick is similar to int41h/4fh Debugger installation check (code 05; O$ L. Y$ a8 P' S2 l) m: m
&amp; 06) but very limited because it's only available for Win95/98 (not NT)% U5 m; T; F* Q4 A* h
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.7 O8 o/ s# f) ~* H! L

* m. X7 \- M+ }0 c4 ^$ {   push  0000004fh         ; function 4fh
- ]# k" q! _1 \# m8 o   push  002a002ah         ; high word specifies which VxD (VWIN32)
! J! p: _# G& l3 k- f( L2 o) z                           ; low word specifies which service3 ]% \) b5 m. d# ^) V
                             (VWIN32_Int41Dispatch)5 x! y. \: h. T9 z/ ]8 ?0 u
   call  Kernel32!ORD_001  ; VxdCall
3 `- V* k- D, s9 T   cmp   ax, 0f386h        ; magic number returned by system debuggers
# a$ d1 K( \- C) j& u   jz    SoftICE_detected
7 y* \2 s  W% f) P8 w" m3 ^% z* @$ a
. \0 D- s+ V! T, ~) v6 j& _) _  O/ YHere again, several ways to detect it:
( v* _  p& o& ?" K3 ?! Z- V2 {+ s1 q1 F- x% K* O! T& |
    BPINT 41 if ax==4f
1 \  ?, B# z2 W+ n; ^; W% I( ]+ {3 T0 ?3 i1 w9 `
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
2 l/ h9 z$ W) W' X- i  _* y; O
7 U+ o( D0 j: S    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A! r3 y+ K" N* [3 ?( Y  N* h5 A

) k% z9 ~4 C5 l0 o8 r7 }    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!9 Z+ n! R6 ^. C9 x6 b! k
2 t( r) y' ^) i; l5 e  A
__________________________________________________________________________7 T& }  F) L3 P

4 V; n* p% v  [. i8 x, @Method 13/ |0 x7 Z- o- J
=========
1 J) B; ~  C! r9 z1 u
: {; G( \3 N' K! I* TNot a real method of detection, but a good way to know if SoftICE is7 [3 n/ \5 V8 g
installed on a computer and to locate its installation directory.
% q/ P7 Q: d/ ^+ B) SIt is used by few softs which access the following registry keys (usually #2) :
5 u$ i3 A0 y: R2 b  R- Q7 j' T: D0 E4 ~* `0 b- d+ ^' f1 [% P
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
# S& N# I* g9 O\Uninstall\SoftICE: w: W- B2 w, p+ E) {8 `
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE3 A( w( N7 W" a* D) D) ~" w
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion0 A. x% |+ a3 X* x% t; Q, o( K
\App Paths\Loader32.Exe3 W  k2 o) w/ ?8 t" q9 p# H; g
- G( `& _) J' M+ e  s  K) ^. V% ]

3 e4 I( g/ S. P- x, U6 h9 hNote that some nasty apps could then erase all files from SoftICE directory' F& V1 t$ X4 ^
(I faced that once :-(
5 p) p( q% K7 q' V+ Q3 V$ T; Z+ S0 p9 k, g$ _8 O* {
Useful breakpoint to detect it:
1 i1 B- d5 w5 H" N( q
4 V# T4 r3 u1 L& u' J( e     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'$ W4 N/ X& Q/ z: x2 o3 l; ]
: ~# @5 a4 s" K; ?1 d
__________________________________________________________________________
+ Y$ e! ]" r; i+ @* Z* Q: w, U1 ]% h
! T1 P8 |$ ]: F/ T
Method 14 % D8 D8 c0 s) P8 [) x
=========
  A  @9 I7 k7 L5 L% Z! S  Z0 h+ [; b! H% G5 E
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose3 G9 @. K3 H" I) G
is to determines whether a debugger is running on your system (ring0 only).
) |! N  y2 b' z+ Y, \
9 n4 S; F2 j9 Y. c8 N0 n# g" H! F   VMMCall Test_Debug_Installed
8 [6 Q& m9 C) P. T2 B. Z* J$ a* l   je      not_installed. j7 Q, q# C# Z8 [

3 L5 j0 n+ v9 g: vThis service just checks a flag.& N% u5 _* S0 F8 y" L! r
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-8 16:04

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表