About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK' (BoundsChecker magic)
    mov     ax, 04h
    int     3                      ; SoftICE's int 3 handler answers the BoundsChecker interface
    cmp     al,4                   ; al is still 4 if nothing answered the int 3
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is located at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less commonly used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di                   ; es:di = 0 before the call
    mov     ax, 1684h               ; int 2Fh function 1684h: get VxD API entry point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point (still 0 if the VxD is absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di                   ; es:di = 0 before the call
    mov     ax, 1684h               ; int 2Fh function 1684h: get VxD API entry point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point (still 0 if the VxD is absent)
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh                  ; int 41h function 4Fh: debugger installation check
    int     41h
    cmp     ax, 0F386h              ; magic number returned by system debuggers
    jz      SoftICE_detected

The next snippet, as well as the one in Method 06, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install a dummy int 41h handler, keeping the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                     ; a system debugger answers 0F386h even though the vector is ours
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                            ; does nothing: the call is harmless when no debugger is present
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler simply echoes al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> real-mode interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our handler, keeping the old vector in dx:bx
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value read from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our own handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h                  ; int 68h function 43h: debugger installation check
    int     68h
    cmp     ax,0F386h               ; magic number returned by system debuggers
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                         ; int 21h function 25h: set interrupt vector
    mov     al, Int_Number                  ; 01h or 03h
    mov     dx, offset New_Int_Routine      ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* Opening the VxD by its device name only succeeds when the driver is loaded. */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 on failure, so eax becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (Methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed           ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
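A static triage aid for the tricks catalogued above, added here as an example; it is not code from the original post, from the HASP utility, from Stone's archive or from MeltICE. It scans a raw code image for the byte patterns of Methods 01 to 07, 11 and 12, so an analyst can locate the checks before stepping into them, and for a Method 02 hit it names which back door function (0910h to 0914h) is being called. The instruction encodings, the 8-byte filler window allowed between the parts of a check, the optional 66h operand-size prefix for 32-bit code, and the sample bytes are all my own assumptions and constructions derived from the assembly shown in the post; matches on data that merely resembles these instructions are possible, so treat hits as leads to confirm in a disassembler.

```python
import re
from typing import List, Optional, Tuple

# Up to 8 filler bytes are tolerated between the parts of one check (assumption).
WILD8 = rb"[\x00-\xff]{0,8}?"

# Byte signatures for the checks described in the post. Encodings are for
# 16-bit code; the optional 66h prefix covers the same instructions in 32-bit code.
SIGNATURES: List[Tuple[str, bytes]] = [
    ("M01 BoundsChecker 'BCHK' int 3 check",          # mov ebp,4243484Bh / mov ax,4 / int 3
     rb"\x66?\xBD\x4B\x48\x43\x42" + WILD8 + rb"\x66?\xB8\x04\x00" + WILD8 + rb"(?:\xCC|\xCD\x03)"),
    ("M02 int 3 back door (SI=4647h, DI=4A4Dh)",       # mov si,4647h / mov di,4A4Dh (either order) / int 3
     rb"(?:\x66?\xBE\x47\x46" + WILD8 + rb"\x66?\xBF\x4D\x4A|\x66?\xBF\x4D\x4A" + WILD8
     + rb"\x66?\xBE\x47\x46)" + WILD8 + rb"(?:\xCC|\xCD\x03)"),
    ("M03 int 2Fh/1684h VxD ID 0202h (SICE)",          # mov ax,1684h / mov bx,0202h / int 2Fh
     rb"\xB8\x84\x16" + WILD8 + rb"\xBB\x02\x02" + WILD8 + rb"\xCD\x2F"),
    ("M04 int 2Fh/1684h VxD ID 7A5Fh (SIWVID)",        # mov ax,1684h / mov bx,7A5Fh / int 2Fh
     rb"\xB8\x84\x16" + WILD8 + rb"\xBB\x5F\x7A" + WILD8 + rb"\xCD\x2F"),
    ("M05 int 41h function 4Fh",                       # mov ax,4Fh / int 41h
     rb"\xB8\x4F\x00" + WILD8 + rb"\xCD\x41"),
    ("M07 int 68h function 43h",                       # mov ah,43h / int 68h
     rb"\xB4\x43" + WILD8 + rb"\xCD\x68"),
    ("M05/07/12 compare with magic 0F386h",            # cmp ax,0F386h
     rb"\x66?\x3D\x86\xF3"),
    ("M11 SoftICE device name string",                 # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
     rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    ("M12 VxDCall VWIN32_Int41Dispatch 4Fh",           # push 4Fh / push 002A002Ah
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in SIGNATURES]

# Back door functions listed under Method 02, keyed by the value loaded into AX.
BACKDOOR_FUNCS = {
    0x0910: "display string", 0x0911: "execute command", 0x0912: "get breakpoint info",
    0x0913: "set breakpoint", 0x0914: "remove breakpoint",
}


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, signature name) for every hit, sorted by offset."""
    hits = []
    for name, pat in COMPILED:
        for m in pat.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def backdoor_function(data: bytes, offset: int) -> Optional[str]:
    """For a Method 02 hit at `offset`, look back up to 16 bytes for 'mov ax,09xxh'
    and name the back door function it selects (None if no such load is found)."""
    window = data[max(0, offset - 16):offset]
    m = re.search(rb"\x66?\xB8([\x10-\x14])\x09", window)
    if not m:
        return None
    return BACKDOOR_FUNCS[0x0900 | m.group(1)[0]]


# Constructed sample image (not taken from any real program): the checks of
# Methods 01, 02, 03 and 05 plus a device-name string, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"          # mov ebp,4243484Bh ('BCHK')
    + b"\xB8\x04\x00"                      # mov ax,4
    + b"\xCC"                              # int 3
    + b"\x3C\x04"                          # cmp al,4
    + b"\x75\x10"                          # jnz (dummy displacement)
    + b"\x90" * 4
    + b"\xB8\x11\x09"                      # mov ax,0911h  (execute command)
    + b"\x8B\x17"                          # mov dx,[bx]
    + b"\xBE\x47\x46"                      # mov si,4647h
    + b"\xBF\x4D\x4A"                      # mov di,4A4Dh
    + b"\xCD\x03"                          # int 3 (two-byte form)
    + b"\x90" * 4
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"  # mov ax,1684h / mov bx,0202h / int 2Fh
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                   # "\\.\SICE" as used by MeltICE
)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        extra = backdoor_function(SAMPLE, off) if name.startswith("M02") else None
        print(f"{off:08X}  {name}" + (f"  [{extra}]" if extra else ""))
```

Run it on a DOS executable or an unpacked Win9x image by replacing `SAMPLE` with the file's bytes; the offsets it prints are raw file offsets, which you then map to addresses in your disassembler.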