About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES=0 so es:[41h*4] addresses the IVT entry (as in method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; only runs if int 41h really reached the IVT vector
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES=0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install our handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable value read from the PIT counter
    xor     cx,cx
    int     41h             ; if SoftICE intercepts int 41h the handler never runs, cl stays 0
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; handler ran (cl==al) -> no debugger
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________
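To make the numbers in Method 10 concrete, here is an added Python decoder (example code, not from the original article) for the DR7 value and the DR0-DR3 addresses that a ring-0 check of this kind reads. The bit layout is the documented x86 one: bits 0-7 are the per-breakpoint local/global enables, bit 8 is LE and bit 9 is GE (the two bits that distinguish 0x700 from the default 0x400), bit 10 is reserved and always reads 1, and bits 16-31 hold the two-bit R/W and LEN fields of each breakpoint. The register values fed to it are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Sequence

# Constructed sample values: DR7 as the page describes it (0x400 default,
# 0x700 when LE/GE are set by the SoftICE loader).
DR7_DEFAULT = 0x400
DR7_SOFTICE_LOADER = 0x700

RW_KIND = {0: "exec", 1: "write", 2: "io", 3: "read/write"}   # R/Wn field
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LENn field (2 = 8 bytes, long mode only)


@dataclass
class HwBreakpoint:
    index: int          # which of DR0..DR3
    address: int
    kind: str           # exec / write / io / read-write
    length: int         # bytes covered
    local: bool         # Ln bit
    global_: bool       # Gn bit


@dataclass
class DebugState:
    dr7: int
    le: bool            # bit 8, local exact breakpoint enable
    ge: bool            # bit 9, global exact breakpoint enable
    breakpoints: List[HwBreakpoint] = field(default_factory=list)


def decode_debug_registers(dr0_3: Sequence[int], dr7: int) -> DebugState:
    """Decode DR7 against the four address registers into armed breakpoints."""
    armed = []
    for i, addr in enumerate(list(dr0_3)[:4]):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue                      # Ln/Gn both clear: slot not armed
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        armed.append(HwBreakpoint(i, addr, RW_KIND[rw], LEN_BYTES[ln], local, glob))
    return DebugState(dr7, bool((dr7 >> 8) & 1), bool((dr7 >> 9) & 1), armed)


def dr7_anomalies(state: DebugState) -> List[str]:
    """Explain, in the page's terms, what a Method 10 style check would notice."""
    notes = []
    if state.le or state.ge:
        notes.append("LE/GE set (dr7 looks like 0x700: program started under the SoftICE loader)")
    for bp in state.breakpoints:
        notes.append(f"DR{bp.index}: {bp.kind} breakpoint, {bp.length} byte(s) at {bp.address:#010x}"
                     f" ({'global' if bp.global_ else 'local'})")
    if not notes:
        notes.append("dr7 is the 0x400 default: no debugger marks, no BPMs armed")
    return notes


def encode_dr7(index: int, kind: str, length: int, global_: bool = True) -> int:
    """Build the DR7 value that arms one breakpoint (used to construct sample input)."""
    rw = {v: k for k, v in RW_KIND.items()}[kind]
    ln = {v: k for k, v in LEN_BYTES.items()}[length]
    enable = 1 << (2 * index + (1 if global_ else 0))
    return DR7_DEFAULT | enable | (rw << (16 + 4 * index)) | (ln << (18 + 4 * index))


if __name__ == "__main__":
    bpm = encode_dr7(0, "write", 4)            # a 4-byte BPM W armed on DR0
    for label, regs, dr7 in [("clean", [0, 0, 0, 0], DR7_DEFAULT),
                             ("loader", [0, 0, 0, 0], DR7_SOFTICE_LOADER),
                             ("bpm", [0x401000, 0, 0, 0], bpm)]:
        print(label, f"dr7={dr7:#x}", dr7_anomalies(decode_debug_registers(regs, dr7)))
```

The decoder is the reading half of the trick; the page's remark that values "can be manipulated" corresponds to writing a new DR7 back, which is why the warning about clearing breakpoints before tracing through such code matters.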

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the device name only succeeds if the SICE VxD is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one.

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
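Most of the tricks above compile to a handful of fixed bytes (the 'BCHK' constant, the SI/DI magic values, the int 2Fh/1684h and int 41h/4Fh sequences, the 002A002A VxDCall selector, the \\.\SICE device names and the NuMega registry path), which makes them easy to flag statically before stepping through a sample. The scanner below is an added Python example, not code from the original article or from any of the tools it names; the byte patterns are the standard x86 encodings of the listings above (16-bit immediates for the DOS snippets, 32-bit for the Win32 ones), and the input blob it runs on is constructed from those listings.

```python
import re
from typing import List, Tuple

# Byte patterns the listings on this page assemble to. Immediates are little-endian;
# the DOS snippets use 16-bit operands, the Win32 ones 32-bit.
SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h and mov di,4A4Dh, the back door magic values
    ("02 SoftICE back door magic SI/DI",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("03/04 int 2Fh/1684h VxD entry point",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ; int 41h ; ... cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xB8\x4F\x00.{0,8}?\xCD\x41.{0,24}?\x3D\x86\xF3", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h/43h",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    # Method 12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch through VxDCall)
    ("12 VxDCall 002A002A/4F",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # Method 11: device names opened by MeltICE-style checks (ASCII, NUL-terminated)
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
    # Method 13: registry key #2
    ("13 SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE", re.IGNORECASE)),
]


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(blob):
            hits.append((m.start(), name))
    hits.sort()
    return hits


def methods_found(blob: bytes) -> List[str]:
    """Distinct method labels present in the blob, in label order."""
    return sorted({name for _, name in scan(blob)})


# Constructed sample: the listings above assembled back to bytes, glued together.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("BD4B484342 B80400 CC 3C04 75 10")   # method 01 (16-bit code)
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC")      # method 02 (Haspinst listing)
    + bytes.fromhex("33FF 8EC7 B88416 BB0202 CD2F")      # method 03
    + bytes.fromhex("B84F00 CD41 3D86F3 74 05")          # method 05 (simplest form)
    + bytes.fromhex("6A4F 682A002A00 E8")                # method 12 (Bleem listing)
    + b"\\\\.\\SICE\x00"                                 # method 11 device name
    + b"Software\\NuMega\\SoftICE\x00"                   # method 13 registry key
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Patterns allow a few bytes of slack between the instructions so that prefixes and the xchg shuffling of Method 05 still match; Method 09, 10 and 14 call VMM services by symbol and leave no fixed byte sequence, so they are not covered here.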