About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). It swaps in a dummy int 41h handler for
the duration of the call; es must point at the interrupt vector table
(segment 0), as the first two lines set up:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, old vector kept in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

___________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer: an arbitrary value
    xor     cx,cx
    int     41h                     ; our handler copies al into cl; a debugger's does not
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

___________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)

___________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed:

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

   bpx Get_DDB if ax==0202 || ax==7a5fh

___________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

___________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SICE driver by its device name: only succeeds if the VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

___________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

___________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

___________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.