About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just echoes AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the timer
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL means our handler never ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);       /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
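A static triage helper, added here as an example and not part of the original post or of any tool it names: it scans a binary for the byte patterns of Methods 01, 02, 03/04, 05 and 07 and for the MeltICE device names of Method 11, so an analyst can see which anti-SoftICE checks a sample carries before stepping through it. The signature names, the gap tolerance and the sample buffer (built to mimic the Haspinst.exe listing above) are assumptions of this example.

```python
import re
from typing import List, Tuple

# Byte signatures of the anti-SoftICE checks discussed above, 16-bit encodings
# unless noted. GAP lets a few unrelated bytes sit between the set-up
# instructions and the INT, as in the Haspinst.exe listing (mov dx,[bx] etc.).
GAP = rb".{0,16}?"
INT3 = rb"(?:\xCC|\xCD\x03)"            # int 3, short or long form
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3   (66 prefix in 16-bit code)
    ("01 BoundsChecker 'BCHK' int 3",
     re.compile(rb"\x66?\xBD\x4B\x48\x43\x42" + GAP + INT3, re.DOTALL)),
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) ... int 3
    ("02 back-door magic SI=4647h DI=4A4Dh",
     re.compile(rb"(?:\xBE\x47\x46" + GAP + rb"\xBF\x4D\x4A|"
                + rb"\xBF\x4D\x4A" + GAP + rb"\xBE\x47\x46)" + GAP + INT3,
                re.DOTALL)),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h or 7A5Fh ... int 2Fh
    ("03/04 int 2Fh/1684h VxD ID 0202h or 7A5Fh",
     re.compile(rb"\xB8\x84\x16" + GAP + rb"\xBB(?:\x02\x02|\x5F\x7A)" + GAP
                + rb"\xCD\x2F", re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h (the 0F386h compare follows)
    ("05 int 41h/4Fh debugger check",
     re.compile(rb"\xB8\x4F\x00" + GAP + rb"\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h V86 handler check",
     re.compile(rb"\xB4\x43" + GAP + rb"\xCD\x68", re.DOTALL)),
    # Method 11 (MeltICE): driver device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)\x00")),
]


def scan(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, method) for every anti-SoftICE signature found in data."""
    hits = []
    for name, rx in SIGNATURES:
        for m in rx.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


# Constructed sample (not a real binary): the Haspinst.exe sequence, then a
# Method 01 check, a Method 03 check and a MeltICE device-name string.
SAMPLE = (
    b"\x90" * 4
    + b"\xB8\x11\x09"                       # mov ax,0911h
    + b"\x8B\x17"                           # mov dx,[bx]
    + b"\xBE\x47\x46"                       # mov si,4647h   (offset 9)
    + b"\xBF\x4D\x4A"                       # mov di,4A4Dh
    + b"\xCC"                               # int 3
    + b"\x90" * 8
    + b"\x66\xBD\x4B\x48\x43\x42"           # mov ebp,4243484Bh (offset 24)
    + b"\xB8\x04\x00\xCC\x3C\x04"           # mov ax,4 ; int 3 ; cmp al,4
    + b"\x90" * 8
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h ; mov bx,0202h ; int 2Fh (44)
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                    # '\\.\SICE' (offset 60)
)

if __name__ == "__main__":
    for offset, method in scan(SAMPLE):
        print(f"{offset:#06x}  {method}")
```

Run over a real DOS or Win9x executable the offsets point at the code to inspect; a hit only proves the pattern is present, not that the branch is reachable.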