About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; al != 4 means SoftICE answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0000:0000 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]        ; install a temporary int 41h handler
    xchg    bx, es:[41h*4+2]      ; (es must point to the IVT, segment 0)
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]        ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                 ; our handler copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h               ; arbitrary value from the timer port
    xor     cx,cx
    int     41h                   ; SoftICE answers first and our handler never runs
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in the int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                   ; DOS set interrupt vector
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

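As an added example (not part of the original text), the following Python decodes the DR7 values Method 10 reads, using the architectural bit layout of DR7 from Intel's manual; the function names, the dr7_with_breakpoint helper and the sample values are constructed for this example.

```python
# DR7 bit layout (architectural): L0..L3 / G0..G3 enable bits at 0..7,
# LE bit 8, GE bit 9, bit 10 reserved (always reads as 1), GD bit 13,
# and for breakpoint i: R/Wi at bits 16+4i..17+4i, LENi at bits 18+4i..19+4i.
RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 is 8 bytes on 64-bit, undefined on 32-bit


def decode_dr7(dr7: int) -> dict:
    """Return the LE/GE/GD flags and the hardware breakpoints DR7 enables."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1
        glob = (dr7 >> (2 * i + 1)) & 1
        if local or glob:
            rw = (dr7 >> (16 + 4 * i)) & 3
            length = (dr7 >> (18 + 4 * i)) & 3
            breakpoints.append({
                "index": i,
                "scope": "global" if glob else "local",
                "access": RW_NAMES[rw],
                "length": LEN_BYTES[length],
            })
    return {
        "le": bool(dr7 & (1 << 8)),
        "ge": bool(dr7 & (1 << 9)),
        "gd": bool(dr7 & (1 << 13)),
        "breakpoints": breakpoints,
    }


def method10_indicators(dr7: int) -> list:
    """The two observations Method 10 relies on, expressed in DR7 terms."""
    d = decode_dr7(dr7)
    found = []
    if d["le"] and d["ge"]:
        # 0x700 = bits 8, 9 and the always-set bit 10; 0x400 is bit 10 alone.
        found.append("LE and GE set (the 0x700 case from the text)")
    for bp in d["breakpoints"]:
        found.append("DR%d armed: %s %s, %d byte(s)"
                     % (bp["index"], bp["scope"], bp["access"], bp["length"]))
    return found


def dr7_with_breakpoint(dr7: int, index: int, access: int, length: int) -> int:
    """Constructed helper: locally enable DR<index> with given R/W and LEN encodings."""
    dr7 &= ~(0xF << (16 + 4 * index))       # clear the old R/W and LEN fields
    dr7 |= 1 << (2 * index)                 # Li enable bit
    dr7 |= (access & 3) << (16 + 4 * index)
    dr7 |= (length & 3) << (18 + 4 * index)
    return dr7


if __name__ == "__main__":
    for value in (0x400, 0x700, dr7_with_breakpoint(0x700, 1, 3, 3)):
        print("dr7=0x%X -> %s" % (value, method10_indicators(value)))
```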
__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

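As an added example (not part of the original text), here is a small Python scanner that flags the byte patterns of methods 01, 02, 05, 07, 11 and 12 in a binary image, the kind of static check an analyst runs when triaging a packed DOS/Win9x program; the opcode encodings, the signature names and the sample blob are constructed for this example.

```python
import re

# Byte-level signatures for the tricks described above. Each comment states
# the instruction sequence and the x86 mode the encoding assumes.
SIGNATURES = {
    # Method 01 (32-bit code): mov ebp,4243484Bh ('BCHK') ... int 3
    "method01_bchk": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL),
    # Method 02 (16-bit code): mov si,4647h ; mov di,4A4Dh ... int 3
    "method02_backdoor": re.compile(
        rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL),
    # Method 05 (16-bit code): mov ax,4Fh ; int 41h ; cmp ax,0F386h
    "method05_int41": re.compile(rb"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    "method07_int68": re.compile(rb"\xB4\x43\xCD\x68"),
    # Method 11: device names opened by MeltICE-style checks ("\\.\SICE" etc.)
    "method11_meltice": re.compile(rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),
    # Method 12 (32-bit code): push 4Fh ; push 2A002Ah (VWIN32_Int41Dispatch)
    "method12_vxdcall": re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
}


def scan(blob: bytes) -> list:
    """Return (offset, signature name) pairs for every hit in blob, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for match in pattern.finditer(blob):
            hits.append((match.start(), name))
    return sorted(hits)


# Constructed sample (not real binary content): the HASP envelope loop body
# from Method 02, the simple int 41h check from Method 05 and the MeltICE
# device name from Method 11, padded with NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"      # mov ax,0911h
    + b"\x8B\x17"          # mov dx,[bx]
    + b"\xBE\x47\x46"      # mov si,4647h
    + b"\xBF\x4D\x4A"      # mov di,4A4Dh
    + b"\xCC"              # int 3
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"  # mov ax,4Fh / int 41h / cmp ax,0F386h
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"   # "\\.\SICE" as passed to CreateFileA / _lopen
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("0x%04X  %s" % (offset, name))
```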
__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>