About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker interface built into SoftICE: an int 3
issued with ebp='BCHK' and ax=4 is answered by SoftICE, so if al is no
longer 4 on return the debugger is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; answered by SoftICE if it is loaded
    cmp     al,4                   ; al unchanged => no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is the
SoftICE 'back door' interface on int 3, which gives information on
breakpoints or executes SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT, which reboots the machine...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method. It asks for the entry point of the SoftICE VxD via
int 2Fh/1684h (Get Device API Entry Point) with the VxD ID of WINICE (0202h).
es:di is zeroed first and stays 0:0 if no VxD with that ID answers.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; es:di still 0:0 => VxD not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID, 7A5Fh).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). They point the int 41h vector at a dummy
iret handler for the duration of the call: without a debugger loaded, the
int 41h vector normally holds the address of the fixed-disk parameter table
(data, not code), so a bare int 41h would crash under plain DOS.

    xor     ax,ax
    mov     es,ax                   ; es = 0 (IVT)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install dummy handler, save old offset
    xchg    bx, es:[41h*4+2]        ; ... and old segment
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:
no function number is passed in ax, so a 'BPINT 41 if ax==4f' will not
catch it. The dummy handler copies al into cl; if the interrupt reaches
it (no debugger in the way), cl equals al afterwards. If SoftICE answers
the interrupt instead, cl stays 0 while al still holds the timer byte
read from port 40h, so the two differ. (If that byte happens to be 0 the
check gives a false negative, which is the one weakness of the trick.)

int41handler PROC
    mov     cl,al           ; reached only when no debugger intercepts
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; es = 0 (IVT)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install dummy handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86): function 43h
of int 68h is the debugger installation check and returns 0F386h in ax.

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector); ds:dx points
to the new routine to execute (which hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using the VxDCall backdoor).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3), simply by reading their
value (in ring0 only, since a mov from a debug register faults in ring3).
Values can be manipulated and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE and SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API; if the open succeeds, the driver is loaded.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the Win9x SoftICE VxD answers a CreateFile on its
   device name, i.e. when SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;          /* handle opened => SoftICE is loaded */
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (offsets 0x13 and 0x37 are where 'tICE' sits
in key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
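As an added example that is not part of the original text, here is a small Python signature scanner for the tricks of Methods 01 to 13: the check a reverse engineer would run over a raw code image of a packed target before loading it under SoftICE. The byte patterns are the standard x86 encodings of the exact register/immediate forms quoted in the listings above (with an optional 66h operand-size prefix so 16-bit and 32-bit code both match); the names SIGNATURES, scan and SAMPLE are this example's own, and the sample image is constructed here, not taken from Haspinst.exe or any real program. A packer can reach the same interrupts through other encodings or by building the constants at run time, so a clean scan is a triage result, not proof of absence.

```python
"""Signature scan for the anti-SoftICE tricks of Methods 01-13 (added example)."""
import re
from typing import List, Tuple

# Byte patterns for the instruction sequences quoted in the methods above.
# The 66h operand-size prefix is optional so that 16-bit and 32-bit code match;
# '.{0,n}?' tolerates a few unrelated instructions between the parts.
SIGNATURES = [
    ("M01 BoundsChecker 'BCHK' int 3",
     rb"\x66?\xBD\x4B\x48\x43\x42"),                       # mov ebp,4243484Bh
    ("M02 SoftICE back door magic SI=4647h/DI=4A4Dh",
     rb"\x66?\xBE\x47\x46.{0,8}?\x66?\xBF\x4D\x4A"),       # mov si,4647h ; mov di,4A4Dh
    ("M03 int 2Fh/1684h with WINICE VxD ID 0202h",
     rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F"),  # mov ax,1684h ; mov bx,0202h ; int 2Fh
    ("M04 int 2Fh/1684h with SIWVID VxD ID 7A5Fh",
     rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F"),  # mov ax,1684h ; mov bx,7A5Fh ; int 2Fh
    ("M05/06 int 41h function 4Fh",
     rb"\x66?\xB8\x4F\x00.{0,16}?\xCD\x41"),               # mov ax,4Fh ; int 41h
    ("M07 int 68h function 43h",
     rb"\xB4\x43.{0,8}?\xCD\x68"),                         # mov ah,43h ; int 68h
    ("M05/07/12 compare with magic 0F386h",
     rb"\x66?\x3D\x86\xF3"),                               # cmp ax,0F386h
    ("M11 MeltICE device name",
     rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00"),                 # "\\.\SICE", "\\.\SIWVID", "\\.\NTICE"
    ("M12 VxDCall VWIN32_Int41Dispatch fn 4Fh",
     rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                    # push 4Fh ; push 002A002Ah
    ("M13 NuMega\\SoftICE registry key",
     rb"Software\\NuMega\\SoftICE"),
]


def scan(image: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, ordered by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        for m in re.finditer(pattern, image, re.DOTALL):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample image (not from any real binary): a 16-bit fragment in
# the style of the Haspinst.exe loop of Method 02, then the MeltICE device
# name of Method 11, then the simple int 41h probe of Method 05.
SAMPLE = bytes([
    0xB8, 0x11, 0x09,        # mov ax,0911h      ; execute command
    0x8B, 0x17,              # mov dx,[bx]       ; ds:dx -> command string
    0xBE, 0x47, 0x46,        # mov si,4647h      ; 1st magic value
    0xBF, 0x4D, 0x4A,        # mov di,4A4Dh      ; 2nd magic value
    0xCC,                    # int 3
    0x83, 0xC3, 0x02,        # add bx,2
    0x41,                    # inc cx
    0x83, 0xF9, 0x06,        # cmp cx,6
    0x72, 0xEB,              # jb (back to the top of the loop)
]) + b"\\\\.\\SICE\x00" + bytes([
    0xB8, 0x4F, 0x00,        # mov ax,4Fh
    0xCD, 0x41,              # int 41h
    0x3D, 0x86, 0xF3,        # cmp ax,0F386h
])

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print(f"{offset:#06x}  {name}")
```

Run it on a dumped or unpacked code section rather than on the packed file as found on disk: the constants above are what the methods look like once the code is in memory, and an encrypted layer will hide them until the unpacking stub has run.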

, c0 G4 H8 b& `8 W2 S/ S  [4 F
: B: ^* n9 U# ]- k+ F$ FMethod 14
& l' e8 u7 o- e3 J0 c" `1 t: u* F=========5 u1 b  F: |+ }" j) A# x" a

3 Y$ |4 |* Y! G6 IA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
* o' x2 F6 {& W. T. m. {6 L; P: ]' kis to determines whether a debugger is running on your system (ring0 only).. R$ n, g: V- m% i1 @
3 t; \! J+ Q/ D. F
   VMMCall Test_Debug_Installed, s* m* ?! [2 `
   je      not_installed3 B& j+ X# o, {( S" g
& ^$ ?- s7 E# A7 I( z& i
This service just checks a flag.
9 b6 m  S, U5 E. h</PRE></TD></TR></TBODY></TABLE>