About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or to execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES is assumed to be 0 (IVT segment)
    xchg    bx, es:[41h*4+2]        ; install our own int 41h handler
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; echo AL into CL so the caller knows we ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random value from the timer port
    xor     cx,cx
    int     41h                     ; if SoftICE intercepts int 41h, our handler
                                    ; never runs and CL stays 0
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
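To make the two DR7 values quoted above concrete, here is an added decoder for the architectural DR7 layout (this is example code, not part of the original text or of SoftICE; the bit positions are the standard Intel debug-register layout, and the armed-breakpoint value built at the bottom is constructed for illustration). It shows that 0x400 is just the reserved always-one bit 10 with nothing armed, that 0x700 adds the LE/GE exact-breakpoint enables and still has no DR0..DR3 slot enabled, and what DR7 looks like once a memory breakpoint really is set.

```python
"""Decode and build x86 DR7 values (added example; architectural layout,
not SoftICE-specific code)."""
from typing import Dict, List

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}  # 0b10 = 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict[str, object]:
    """Split DR7 into its control bits and the four breakpoint slots."""
    slots: List[Dict[str, object]] = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1           # L0..L3 at bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1        # G0..G3 at bits 1,3,5,7
        rw = (dr7 >> (16 + 4 * i)) & 0b11      # R/W0..3 at bits 16-17, 20-21, ...
        length = (dr7 >> (18 + 4 * i)) & 0b11  # LEN0..3 at bits 18-19, 22-23, ...
        slots.append({
            "slot": i,
            "enabled": bool(local or glob),
            "scope": "global" if glob else ("local" if local else "off"),
            "rw": RW_NAMES[rw],
            "len": LEN_BYTES[length],
        })
    return {
        "LE": bool((dr7 >> 8) & 1),      # local exact breakpoint enable
        "GE": bool((dr7 >> 9) & 1),      # global exact breakpoint enable
        "bit10": bool((dr7 >> 10) & 1),  # reserved, always reads as 1
        "GD": bool((dr7 >> 13) & 1),     # general detect: trap on any DR access
        "active_slots": [s["slot"] for s in slots if s["enabled"]],
        "slots": slots,
    }


def encode_dr7(slot: int, rw: str, length: int, global_scope: bool = True,
               base: int = 0x400) -> int:
    """Build a DR7 with one breakpoint armed in `slot` (constructed value)."""
    rw_code = {v: k for k, v in RW_NAMES.items()}[rw]
    len_code = {v: k for k, v in LEN_BYTES.items()}[length]
    dr7 = base                                   # keep the reserved bit 10 set
    dr7 |= 1 << (2 * slot + (1 if global_scope else 0))
    dr7 |= rw_code << (16 + 4 * slot)
    dr7 |= len_code << (18 + 4 * slot)
    return dr7


def describe(dr7: int) -> str:
    """One-line human-readable summary of a DR7 value."""
    d = decode_dr7(dr7)
    if d["active_slots"]:
        armed = ", ".join(f"DR{s['slot']} {s['scope']} {s['rw']} len={s['len']}"
                          for s in d["slots"] if s["enabled"])
    else:
        armed = "no hardware breakpoints armed"
    flags = " ".join(name for name, on in (("LE", d["LE"]), ("GE", d["GE"]),
                                            ("GD", d["GD"])) if on) or "no flags"
    return f"DR7={dr7:#010x}: {flags}; {armed}"


if __name__ == "__main__":
    for value in (0x400, 0x700, encode_dr7(0, "read/write", 4)):
        print(describe(value))
```

Reading DR7 this way is also what a defender does in the other direction: a value with any of L0..L3/G0..G3 set, or with GD set, tells you a hardware breakpoint or a debug-register trap is live on that CPU.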

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
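For an analyst who meets these tricks inside a sample rather than in a debugger session, the cheapest first pass is a static scan for their tell-tale bytes: the 'BCHK' constant of Method 01, the SI/DI magic values of Method 02, the int 2Fh/1684h, int 41h/4Fh and int 68h/43h sequences of Methods 03 to 07, the 0F386h compare, the 002A002Ah VxDCall of Method 12, the device names of Method 11 and the registry key of Method 13. The scanner below is an added example, not part of the original text nor any SoftICE or NuMega code; the byte patterns are standard x86 encodings under the assumption that the DOS snippets are 16-bit code and the Win32 ones 32-bit, and the sample blob at the bottom is constructed, not a real file.

```python
"""Static triage scanner for the SoftICE-detection indicators of Methods 01-13
(added example; encodings are standard x86, sample blob is constructed)."""
import re
from typing import List, Tuple

# (methods, description, regex over raw bytes).  `.{0,8}?` tolerates a few
# instructions between the tell-tale ones.
INDICATORS: List[Tuple[str, str, bytes]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') -> BD 4B 48 43 42
    ("01", "BoundsChecker 'BCHK' signature loaded into EBP", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh (16-bit) -> BE 47 46 ... BF 4D 4A
    ("02", "SoftICE back-door magic values SI=4647h DI=4A4Dh",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (16-bit)
    ("03/04", "int 2Fh/1684h entry-point probe for SICE or SIWVID VxD",
     rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh ; int 41h (16-bit) -> B8 4F 00 ... CD 41
    ("05/06", "int 41h function 4Fh debugger-installed check",
     rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Method 07: mov ah,43h ; int 68h -> B4 43 ... CD 68
    ("07", "int 68h/43h WinICE handler check", rb"\xB4\x43.{0,8}?\xCD\x68"),
    # Methods 05/07/12: cmp ax,0F386h -> (66) 3D 86 F3
    ("05/07/12", "compare against debugger magic value 0F386h", rb"\x3D\x86\xF3"),
    # Method 11: MeltICE driver device names
    ("11", r"device name \\.\SICE", rb"\\\\\.\\SICE"),
    ("11", r"device name \\.\SIWVID", rb"\\\\\.\\SIWVID"),
    ("11", r"device name \\.\NTICE", rb"\\\\\.\\NTICE"),
    # Method 12: push 002A002Ah (VWIN32_Int41Dispatch) -> 68 2A 00 2A 00
    ("12", "VxDCall to VWIN32_Int41Dispatch (002A002Ah)", rb"\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key
    ("13", r"registry key Software\NuMega\SoftICE", rb"Software\\NuMega\\SoftICE"),
]


def scan(blob: bytes) -> List[Tuple[str, str, int]]:
    """Return (methods, description, offset) for every indicator hit, by offset."""
    hits = []
    for methods, desc, pattern in INDICATORS:
        for m in re.finditer(pattern, blob, re.DOTALL):
            hits.append((methods, desc, m.start()))
    return sorted(hits, key=lambda h: h[2])


def report(blob: bytes) -> str:
    """Human-readable listing of the hits, one per line."""
    lines = [f"{off:08x}  method {methods:<8} {desc}"
             for methods, desc, off in scan(blob)]
    return "\n".join(lines) if lines else "no SoftICE-detection indicators found"


# Constructed sample: Method 01 and 05 instruction bytes plus the Method 11
# device names and the Method 13 registry key, padded with filler.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x05"                  # Method 05
    + b"\x00" * 8
    + b"\\\\.\\SICE\x00" + b"\\\\.\\NTICE\x00"                    # Method 11
    + b"Software\\NuMega\\SoftICE\x00"                              # Method 13
)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Treat a hit as a reason to look at the surrounding code, not as proof: a `3D 86 F3` or `CD 41` sequence can occur by chance in data, while the device-name strings and the registry key are far less ambiguous. Packed samples will only show the byte patterns after unpacking, which is exactly where Methods 01 and 02 tend to live.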