About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our dummy handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

9 _+ U& ^5 |/ Z9 v6 j0 OMethod 09
. F& y9 P7 F# \8 u=========
& {9 @1 I4 E. p# ?
  T8 W: u, M* x) w! W8 e5 tThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only+ k8 G/ Q* n7 U6 D& x2 r
performed in ring0 (VxD or a ring3 app using the VxdCall).
) O7 \. v% H! P4 U! LThe Get_DDB service is used to determine whether or not a VxD is installed# N4 B4 ?) v$ p# d  A! E- P
for the specified device and returns a Device Description Block (in ecx) for
3 h. t" E! ~, Y. J% {that device if it is installed.! e1 L+ |" L  J4 T0 Y! a4 v
7 N. `9 S; M' J5 b2 G3 Z5 o
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
& N2 ?, h1 Y2 E# C3 z5 p7 X   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)$ q7 K* O" d) r* y; W
   VMMCall Get_DDB' o: V1 Q! X" ?- `; j: \5 g
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
0 s0 o  F! q# {7 L- z# o9 d7 ^: H. y7 K
Note as well that you can easily detect this method with SoftICE:
( ~4 }) X0 ]) T" P. I1 ?& F   bpx Get_DDB if ax==0202 || ax==7a5fh
' C% c, O2 j7 d* N* S
) T7 u& n+ F! T/ E__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
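To make the two DR7 values quoted above concrete, here is an added Python example (my own, not part of the original text). It decodes the architectural DR7 bit fields so that 0x400 and 0x700 can be compared bit by bit and the enabled DR0..DR3 breakpoints listed. Reading DR7 itself needs ring0, as said above; the script only interprets a value captured there. The function names are mine and the sample values are constructed.

```python
# Added example (not from the original text): decode an x86 DR7 debug
# control register value. Reading DR7 needs ring 0; this only interprets
# a value obtained there, so it runs anywhere. The bit layout is the
# architectural one (Intel SDM); sample values below are constructed.

RW_NAMES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_NAMES = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}   # 0b10 = 8 bytes only in 64-bit mode

# Single-bit flags in the low half of DR7.
FLAG_BITS = {
    8: "LE",         # local exact breakpoint enable
    9: "GE",         # global exact breakpoint enable
    10: "reserved",  # always reads as 1, hence the "empty" value 0x400
    13: "GD",        # general detect: fault on any MOV to/from DRx
}
for _i in range(4):
    FLAG_BITS[2 * _i] = f"L{_i}"       # local enable for DR{_i}
    FLAG_BITS[2 * _i + 1] = f"G{_i}"   # global enable for DR{_i}


def decode_dr7(dr7: int) -> dict:
    """Return the breakpoint slots and global flags encoded in a DR7 value."""
    slots = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        rw = (dr7 >> (16 + 4 * i)) & 0b11      # R/W field for slot i
        ln = (dr7 >> (18 + 4 * i)) & 0b11      # LEN field for slot i
        slots.append({"index": i, "local": local, "global": glob,
                      "enabled": local or glob,
                      "rw": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "active": [s["index"] for s in slots if s["enabled"]],
        "slots": slots,
    }


def dr7_diff(a: int, b: int) -> list:
    """Name the bits that differ between two DR7 values."""
    names = []
    for bit in range(32):
        if ((a ^ b) >> bit) & 1:
            if bit in FLAG_BITS:
                names.append(FLAG_BITS[bit])
            elif bit >= 16:
                slot, off = divmod(bit - 16, 4)
                names.append(f"{'RW' if off < 2 else 'LEN'}{slot}")
            else:
                names.append(f"bit{bit}")
    return names


def hardware_breakpoints(dr7: int, dr0_3) -> list:
    """Pair each enabled DR7 slot with the linear address held in DR0..DR3."""
    state = decode_dr7(dr7)
    return [(s["index"], dr0_3[s["index"]], s["rw"], s["len"])
            for s in state["slots"] if s["enabled"]]


if __name__ == "__main__":
    for value in (0x400, 0x700):
        st = decode_dr7(value)
        print(f"DR7={value:#x}: LE={st['le']} GE={st['ge']} active slots={st['active']}")
    print("0x400 -> 0x700 differs in:", dr7_diff(0x400, 0x700))
    # Constructed: DR0 globally enabled as a 4-byte write watchpoint (a BPM).
    bpm = 0x400 | (1 << 1) | (0b01 << 16) | (0b11 << 18)
    print(hardware_breakpoints(bpm, [0x00401000, 0, 0, 0]))
```

0x400 is the reserved bit 10 alone, i.e. no breakpoint enabled; 0x700 adds LE and GE. A BPM set with SoftICE shows up as one of the L0..L3/G0..G3 enable bits together with the R/W and LEN fields of that slot, which is exactly what a protection reading the registers in ring0 looks for.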

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
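Methods 01, 02, 05, 11 and 12 all leave fixed constants in the protected program (the 'BCHK' immediate, the 4647h/4A4Dh magic pair, the 0F386h compare, the \\.\SICE device names and the 002A002Ah VxDCall selector), so a static triage of a file image can flag them before any tracing with the breakpoints listed above. The following Python scanner is an added example, not code from the original text or from any tool it names; the opcode encodings are the standard x86 ones, the `scan` and `methods_present` names are mine, and SAMPLE is a constructed buffer, not a real binary.

```python
# Added example (not from the original text): static triage for the byte
# signatures of the anti-SoftICE tricks above. Opcode encodings are the
# standard x86 ones; SAMPLE is a constructed buffer, not a real binary.
import re

# (method number, description, compiled bytes regex)
SIGNATURES = [
    ("01", "BoundsChecker probe: mov ebp,4243484Bh ('BCHK')",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # A lone 3-byte 'mov si,4647h' is too weak a signal, so require the
    # second magic 'mov di,4A4Dh' within 16 bytes of it.
    ("02", "int 3 back door: mov si,4647h ... mov di,4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A", re.DOTALL)),
    # 3D = cmp ax/eax,imm; the optional 66h prefix covers 32-bit code.
    ("05/07/12", "system-debugger magic: cmp ax,0F386h",
     re.compile(rb"\x66?\x3D\x86\xF3")),
    ("11", "SoftICE device name for CreateFileA/_lopen",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch selector: push 002A002Ah",
     re.compile(rb"\x68\x2A\x00\x2A\x00")),
]


def scan(data: bytes) -> list:
    """Return every signature hit as (offset, method, description), by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def methods_present(data: bytes) -> set:
    """The set of method numbers whose signature occurs at least once."""
    return {method for _, method, _ in scan(data)}


# Constructed sample image: one instance of each trick, glued together.
SAMPLE = (
    b"\x90" * 8                                   # 0..7   filler (nop)
    + b"\xBD\x4B\x48\x43\x42"                     # 8      mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00\xCC\x3C\x04"             # 13     mov ax,4 / int 3 / cmp al,4
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"             # 20     mov si,4647h / mov di,4A4Dh / int 3
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"             # 27     push 4Fh / push 002A002Ah
    + b"\x66\x3D\x86\xF3"                         # 34     cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                          # 38     '\\.\SICE',0
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, method, desc in scan(data):
        print(f"{offset:#08x}  method {method:<8} {desc}")
    print("methods present:", sorted(methods_present(data)))
```

Run it with a file name to scan a real image, or without arguments to see the constructed sample reported. Hits are leads, not proof: a packer may build the constants at run time, and the 3-byte compare can occur by chance, which is why the int 3 back door pattern requires both magic values close together.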

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>