About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK' BoundsChecker signature
    mov     ax, 04h
    int     3                      ; SoftICE's INT 3 handler recognises 'BCHK'
    cmp     al,4                   ; AL is left untouched if nobody answered
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
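As an added example (not part of the original text): a Python classifier that, given INT 3 calls recorded by a tracing tool, tells the back-door requests described above (the magic SI/DI values and the AX functions) and the 'BCHK' probe of Method 01 apart from ordinary breakpoints, and flags a destructive command before it reaches SoftICE. The trace is constructed, and the command text at DS:DX being NUL-terminated is an assumption.

```python
from dataclasses import dataclass

# Register values the text gives for the SoftICE back door (Method 02)
# and for the BoundsChecker signature probe (Method 01).
SICE_MAGIC_SI = 0x4647
SICE_MAGIC_DI = 0x4A4D
BCHK_MAGIC_EBP = 0x4243484B              # 'BCHK'
BACKDOOR_FUNCS = {
    0x0910: "display string",
    0x0911: "execute command",
    0x0912: "get breakpoint info",
    0x0913: "set breakpoint",
    0x0914: "remove breakpoint",
}
# Of the commands the text shows going through the back door, HBOOT is
# the one that takes the machine down, so it gets flagged.
DESTRUCTIVE_COMMANDS = {"HBOOT"}


@dataclass
class Int3Call:
    """One INT 3 as a tracing tool would record it: registers plus the
    bytes at DS:DX (assumed NUL-terminated in this constructed trace)."""
    ax: int
    si: int = 0
    di: int = 0
    ebp: int = 0
    ds_dx: bytes = b""


def classify(call):
    """Label what an INT 3 is really asking the debugger to do."""
    if call.ebp == BCHK_MAGIC_EBP and call.ax == 0x0004:
        return "boundschecker-probe"
    if (call.si, call.di) != (SICE_MAGIC_SI, SICE_MAGIC_DI):
        return "ordinary-int3"            # no magic values: plain breakpoint
    func = BACKDOOR_FUNCS.get(call.ax)
    if func is None:
        return "sice-backdoor:unknown-function"
    if call.ax != 0x0911:
        return "sice-backdoor:" + func
    text = call.ds_dx.split(b"\x00", 1)[0].decode("ascii", "replace")
    words = text.strip().upper().split()
    verb = words[0] if words else ""
    risk = "destructive" if verb in DESTRUCTIVE_COMMANDS else "other"
    return "sice-backdoor:execute:%s:%s" % (verb, risk)


def summarize(trace):
    """Return (labels, destructive verbs) for a whole trace, so an analyst
    sees every HBOOT before single-stepping into the INT 3 that issues it."""
    labels = [classify(c) for c in trace]
    destructive = [l.split(":")[2] for l in labels if l.endswith(":destructive")]
    return labels, destructive


# Constructed trace mirroring the Haspinst.exe loop above: six back-door
# commands, then one BoundsChecker probe and one ordinary breakpoint.
SAMPLE_TRACE = [
    Int3Call(ax=0x0911, si=0x4647, di=0x4A4D, ds_dx=cmd + b"\x00")
    for cmd in (b"LDT", b"IDT", b"GDT", b"TSS", b"RS", b"HBOOT")
] + [Int3Call(ax=0x0004, ebp=0x4243484B), Int3Call(ax=0x0000)]
```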
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; ES:DI stays 0:0 if the VxD is absent
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h               ; Get Device API Entry Point
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es must point to the IVT (segment 0);
    xchg    bx, es:[41h*4+2]        ; install a dummy int 41h handler
    mov     ax,4fh
    int     41h                     ; only a system debugger changes ax
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; reached only if no debugger took int 41h
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; an unpredictable byte from timer channel 0
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl==al only if our handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the SICE device only succeeds when the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
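As an added example covering Methods 11 and 13 (not code from the original text or from MeltICE): a static scan of a file image for the device names handed to CreateFileA/_lopen and for the three registry paths, in both 8-bit and UTF-16LE form, so these checks can be spotted without running the program. The sample image is constructed.

```python
import re

# Strings the text shows being handed to CreateFileA/_lopen (Method 11)
# and to RegOpenKey (Method 13). Raw bytes: rb"\\.\SICE" is \\.\SICE.
DEVICE_NAMES = (rb"\\.\SICE", rb"\\.\SIWVID", rb"\\.\NTICE")
REGISTRY_PATHS = (
    rb"Software\NuMega\SoftICE",
    rb"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    rb"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
)


def _patterns():
    """Yield (regex, encoding, method, needle) for each string, matching
    both the 8-bit form and the UTF-16LE form (each byte followed by NUL)."""
    for method, needles in (("Method 11", DEVICE_NAMES),
                            ("Method 13", REGISTRY_PATHS)):
        for needle in needles:
            narrow = re.escape(needle)
            wide = b"".join(re.escape(bytes([c])) + b"\x00" for c in needle)
            # Windows device and registry names are case-insensitive.
            yield re.compile(narrow, re.IGNORECASE), "ascii", method, needle
            yield re.compile(wide, re.IGNORECASE), "utf-16le", method, needle


def scan_image(data):
    """Return sorted (offset, encoding, method, string) hits in a byte image."""
    hits = []
    for pattern, encoding, method, needle in _patterns():
        for match in pattern.finditer(data):
            hits.append((match.start(), encoding, method, needle.decode()))
    return sorted(hits)


def methods_present(data):
    """The set of method names whose strings occur in the image."""
    return {hit[2] for hit in scan_image(data)}


# Constructed sample image (not a real binary): a MeltICE-style check keeps
# "\\.\SICE" and "\\.\NTICE" as 8-bit strings, and a Method 13 style check
# keeps the NuMega key as a UTF-16LE string.
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 14                                   # offsets 0..15
    + b"\\\\.\\SICE\x00"                                   # offset 16
    + b"\x00" * 8
    + "Software\\NuMega\\SoftICE".encode("utf-16le")       # offset 33
    + b"\x00\x00"
    + b"\\\\.\\NTICE\x00"                                  # offset 81
)

if __name__ == "__main__":
    for hit in scan_image(SAMPLE_IMAGE):
        print("%5d %-9s %s %s" % hit)
```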

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
' l- q, ]! x0 ^  r8 c7 g. t</PRE></TD></TR></TBODY></TABLE>