找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>7 A7 S% e0 p# q! _! ^. e! u0 K
<TBODY>
, v4 \- l1 j0 `+ q* |/ ?<TR>
) Q: S, |& R3 p/ b. p; ]<TD><PRE>Method 01 & q! J8 G: D. X8 K
=========' B9 S! Z) e: |7 B
$ D' q( S3 t2 r9 i* A& @, ]
This method of detection of SoftICE (as well as the following one) is
! g5 D+ q/ i4 H4 ]7 H6 C4 pused by the majority of packers/encryptors found on Internet." ]! A. T2 t6 H
It seeks the signature of BoundsChecker in SoftICE
( ~! p3 g4 o5 b; r4 v" v6 z- M) `; I; W; F2 C
    mov     ebp, 04243484Bh        ; 'BCHK'; k. l6 `3 p: K! z* ^' t
    mov     ax, 04h8 l! P: [/ x) H5 a1 P
    int     3      
. L2 T  Z8 `: U9 b! Q    cmp     al,4- M$ M6 i7 N5 J, Q5 C* W/ S9 Y
    jnz     SoftICE_Detected
' h# t/ q/ r5 E9 J7 O7 n: Y/ B3 x2 U4 _! H( o" W: a# B
___________________________________________________________________________8 [( d2 `) k9 ^; o3 c

1 w# d6 i0 ?  ]: ~* ?0 h" L4 KMethod 02
; t9 R/ V( U. u=========4 S& G) ~  T: H
  X+ D7 r; z* X- F3 h) K
Still a method very much used (perhaps the most frequent one).  It is used+ Y; }9 N  G5 g- R9 S5 e& a2 @7 y+ [
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
0 R6 }9 m7 J+ ~! o( uor execute SoftICE commands...
. P! b" @9 y' E" `- AIt is also used to crash SoftICE and to force it to execute any commands* ~2 @2 X1 j1 {- B7 ?, ~
(HBOOT...) :-((  & a  ]7 {5 f/ G: K6 I/ r/ b" K

1 U  A; E, }7 s" `) `  o1 b' ^Here is a quick description:
0 H3 k" T* `2 q5 O( K7 r-AX = 0910h   (Display string in SIce windows)
/ H% f8 p' z* N% i; f! F; w4 {-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)) T" h* G1 O% k# K5 g
-AX = 0912h   (Get breakpoint infos)! I: a; W9 W- R' Z
-AX = 0913h   (Set Sice breakpoints)
7 e* T* B6 |+ C6 w* z-AX = 0914h   (Remove SIce breakoints)
4 H/ l. i7 m/ e6 `& l, [- E6 K1 c# t# o3 }
Each time you'll meet this trick, you'll see:2 C9 j) g; B6 Z/ f, R, I
-SI = 4647h
; Q. N: `% J. q' \" F9 v( x/ g-DI = 4A4Dh
: d6 q+ Z8 X* K  A: hWhich are the 'magic values' used by SoftIce.
% Z  G$ ~7 J, F) D( F+ m- vFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
& m3 J& B+ l' R! u6 ]. p3 V# @( ^1 F! S* J4 j  c+ q7 ~
Here is one example from the file "Haspinst.exe" which is the dongle HASP, U( B+ F: Q2 |' @: X
Envelope utility use to protect DOS applications:
! I2 u! }7 M% g0 R" X& V( M: k+ T* l" M( I) e) {

# ^% v9 n; E/ D4 M8 \3 ^) Q" r4C19:0095   MOV    AX,0911  ; execute command.
0 ?! d- J; L7 J, U7 e) U% B% J4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).% \' Z$ w$ J( X# n1 P( @4 C1 H
4C19:009A   MOV    SI,4647  ; 1st magic value.5 l4 U& ]( E4 Q5 C
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.+ k. y2 w/ N0 n3 m, g2 B$ n
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)' F9 v5 y' O! N9 y% Q
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute! D1 O! C& ?3 u+ X3 L8 ?+ }
4C19:00A4   INC    CX7 `9 O) ^: T. r: t% A& F
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
, _  X. w; k# i" s0 J  b' W6 W4C19:00A8   JB     0095     ; 6 different commands.
+ H+ J" e# s/ j0 n+ T4 s# P, e: Z4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
% n0 b4 [& B& B6 U4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)$ E9 s$ v, a+ o# W4 a; Y( {, x
3 w- B4 P- L8 l) u% }/ ?" W4 o
The program will execute 6 different SIce commands located at ds:dx, which
5 R7 H9 a0 B% b) ?  h2 A! K' q! Sare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.7 e* \& b1 i* r6 l0 ?2 [+ I0 {

) R+ o% N  e3 |/ Y* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
- l2 \( N" r# [8 s; I7 m/ P) M___________________________________________________________________________
3 f6 b  L) R9 z0 V8 _& C; o8 A+ P* n" L- X; b2 q, [( U* ^

3 c7 w3 t, B  }$ f0 i7 v* QMethod 03# Z- t+ V  g& L6 B
=========# y' y! y+ a4 O
( A9 z* A4 E+ {  h2 ~
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
5 e* \8 a" F6 A(API Get entry point)
6 E; C/ q2 F9 }7 l" _9 Y        
2 L( t! x. Z. M+ c6 k& J  n3 r, F1 b5 D0 U, ~* ~
    xor     di,di2 V5 V! F# M$ N& {) x" S
    mov     es,di6 @  Y: e, g" Y9 D$ z+ g6 \
    mov     ax, 1684h       7 ?0 U" X' r  R( v; u, u2 z4 M7 `
    mov     bx, 0202h       ; VxD ID of winice' C8 j" {& ~9 |, i- m$ ?# G
    int     2Fh
2 ~6 D) q1 g' Y1 ?    mov     ax, es          ; ES:DI -&gt; VxD API entry point
% g" t3 Y+ Q9 a. G    add     ax, di
0 f/ @& Y) ^2 d( o; t4 O9 r    test    ax,ax4 S/ F8 U! [8 n5 ^. D( J
    jnz     SoftICE_Detected
: E4 {' t/ \. ^3 _, K2 I4 ^. S1 z; x6 {# g# `
___________________________________________________________________________
% q) i& }" B: }( o, ^( M, b% h4 _9 n# k0 ?+ D4 K9 U. N
Method 04
4 x: o: X# s+ w=========0 p+ P( i) h! O! ?4 a: x  S" E
: X! j& K# f% m! R
Method identical to the preceding one except that it seeks the ID of SoftICE2 u( |$ I" u( l& s( o- V: F
GFX VxD.$ _7 g! J6 i+ ^! o

- |8 M) K! G/ ~" X$ U    xor     di,di
+ {* w2 r) d/ Q/ V    mov     es,di
% X. U9 i1 N9 T: M4 c/ P    mov     ax, 1684h       2 L4 o. e6 z% o5 B
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
$ k  C7 k: g: k) F. X    int     2fh
- r+ s" N* A5 m! }    mov     ax, es          ; ES:DI -&gt; VxD API entry point
8 ~' K6 d# ~1 B8 Y    add     ax, di
- g+ M" g! i+ o% t1 V! t1 N' q    test    ax,ax. I$ h& ]3 z) c! K
    jnz     SoftICE_Detected- h+ C6 {' F) K
% [' m) a% K; E2 s/ Q
__________________________________________________________________________
* w* R: T5 y- |  G6 d4 q
! |0 @: S6 I4 v2 B; m. `2 i, ^
  ~' C' T% W, N$ K" Y* ~" y5 \Method 053 T3 M4 r, R! ^/ B! }1 F3 G$ |
=========. U) [' L9 ]0 x; M0 i- Z/ G& H! I

2 e1 o3 d+ h) k: LMethod seeking the 'magic number' 0F386h returned (in ax) by all system
& m  R+ {  d, h3 l. S: Rdebugger. It calls the int 41h, function 4Fh.
( X6 N7 E% ], P3 R% I6 v( dThere are several alternatives.  + {- @: ?6 c0 b" k2 ]  V/ Y
2 ~1 ?$ P& R. v) T; W# B- k6 S
The following one is the simplest:" S( h" R. t5 i% _6 }8 Q
! z$ [5 z+ D# b1 A1 \) ]5 _% U
    mov     ax,4fh2 e- K- Z( `+ B" T0 z+ J
    int     41h* f7 ~" ^1 S3 E7 F2 }# n
    cmp     ax, 0F386
" M* \/ T# O/ ~2 h* k! ]+ j    jz      SoftICE_detected0 P8 `/ P" R/ l0 y8 K  W$ F
( e3 `5 A9 v# M1 _6 s

8 Q, a/ X3 K7 a  ^7 p: |Next method as well as the following one are 2 examples from Stone's
& U  \' ]8 P: Y, P0 H9 b"stn-wid.zip" (www.cracking.net):
7 w$ F) D! \, M5 G( D
) \' p, d& c! A  T8 j/ |    mov     bx, cs
8 Z# [* G9 E- I6 ~4 E9 ~2 \0 y    lea     dx, int41handler2
8 F2 ]6 X' ~. z' r7 F& i    xchg    dx, es:[41h*4]
: l. F2 s# R/ b    xchg    bx, es:[41h*4+2]: ]8 x' r+ |; I/ C# v
    mov     ax,4fh
; b2 k  b7 c$ l    int     41h
1 ^: T5 A  G. c. K7 }- ?( B8 l3 L    xchg    dx, es:[41h*4]
2 I2 Q9 f+ J" J1 ~- j9 K    xchg    bx, es:[41h*4+2]
8 H' i  s, \+ p0 w9 w3 O    cmp     ax, 0f386h; N2 F# ?8 u3 G
    jz      SoftICE_detected2 @0 S6 M/ l6 N
, X) {; E6 j) t! K( b2 h
int41handler2 PROC4 m$ G: O4 [' q5 v
    iret  {5 \* ]; P3 I% {* |
int41handler2 ENDP: M/ c( l. Q$ I/ a1 i; M5 i; }5 U
9 h  I3 I9 ?/ l; Q
! ?6 n0 _( K. o( i, T' B( k
_________________________________________________________________________6 N! p: m: C) b  B* _, _) ]" K/ g: P

3 L7 y$ E: x, U$ i  Z
  O7 B# l4 q, W5 Y2 NMethod 06+ h, O( W% h) N% r9 b, o
=========1 o1 q/ a& C3 G4 w+ a

4 O- Q. h# W& O2 a6 i2 T. w/ r: s7 R' b, z1 D- ], g+ N
2nd method similar to the preceding one but more difficult to detect:
7 @- y: D* B( y. ?( k5 l0 u0 `) t2 q6 f9 E

3 n, f4 W1 _) _int41handler PROC
# c- G& P, q0 {! k+ B- y    mov     cl,al
. v( t* `3 d; e: P: F) f    iret
  b0 Z8 l+ s" R4 k; Lint41handler ENDP
8 o# x* q& C, g6 V0 z4 H, w2 n
$ f/ Y. u7 z( B8 Z) d) w4 g% p/ e( q0 k: u- K
    xor     ax,ax3 P( I+ U  H% t- E3 N/ i8 u* o
    mov     es,ax8 q. \: A: j- q+ k* y1 s1 c
    mov     bx, cs
4 l% q6 ?1 o& s9 W, ^5 p    lea     dx, int41handler9 `* U1 _# {& z' W  e  T0 @$ t% y2 T
    xchg    dx, es:[41h*4]
$ l5 f( `- e' j" D7 d7 N9 b    xchg    bx, es:[41h*4+2]
8 E$ C( Q) x$ e& q2 S    in      al, 40h
: }" c2 A  S4 p0 d! c$ H& \    xor     cx,cx" U& ?  i5 ^$ f# N7 m
    int     41h5 s' x, s6 n2 e% L
    xchg    dx, es:[41h*4]* \9 [  B! F: G$ s5 a3 D
    xchg    bx, es:[41h*4+2]/ w( V2 m# @! P4 x
    cmp     cl,al/ z" J5 n3 T6 p+ {
    jnz     SoftICE_detected3 \& P* a% a" V# K

5 y4 Y: a+ C3 }  p; l$ \) G_________________________________________________________________________7 q) V& n6 f: v6 l: \

; T+ M9 \4 l4 ^' \5 t2 P) }Method 07
9 I7 K/ Y8 {5 L0 m' ]) z=========
$ G% {$ v& t( R; s
$ c: ?. x2 W$ MMethod of detection of the WinICE handler in the int68h (V86)
/ a0 I5 \' L# ^7 [* ]# a. p3 Z, V
7 ^+ @7 Y9 R3 s1 L" d* p& m    mov     ah,43h
1 J. k( s8 [& z' _/ [    int     68h  i# d+ D8 x( p: U8 B
    cmp     ax,0F386h
7 ?$ w$ Z' i5 i2 _/ w5 G( f    jz      SoftICE_Detected
  P+ G! @8 b+ O6 [5 e6 u  W" k3 @7 u# x! [' _& Q: N; _& Y

9 ?, e0 h* u3 i" q# Y/ K/ N=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit( t* E+ }# k0 I3 k# o& w  t
   app like this:9 d/ u$ L9 G* T# a
: `5 k  n$ V% {9 I* T2 o
   BPX exec_int if ax==68; Z, \( o+ `0 _4 u6 E# W, M
   (function called is located at byte ptr [ebp+1Dh] and client eip is4 `( Q7 x' K& F1 Z
   located at [ebp+48h] for 32Bit apps)
' I7 }% f( I' N7 W( m  j- `__________________________________________________________________________
4 k8 U/ M8 V2 b5 D" y) L4 ~3 Z6 W7 w# J9 W/ m

9 z# r$ f- I- v/ Z/ T+ V% cMethod 08
. J9 b0 [: D0 m=========
+ X, ]: `1 K. l9 i
& m3 S$ f; t, W; V* Z; nIt is not a method of detection of SoftICE but a possibility to crash the: `4 q, v$ \; [
system by intercepting int 01h and int 03h and redirecting them to another
; \7 i7 N  j' m  Nroutine.
; u2 K3 P* t( L7 LIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points& A' X1 e. R  ~. Z- J- I9 I7 ^
to the new routine to execute (hangs computer...)) K) [, i& A' Y

- v3 x7 Q# C$ k) a    mov     ah, 25h
/ b6 x; D3 n! h1 _0 _6 `7 Y    mov     al, Int_Number (01h or 03h)
' W. w& q4 A' n4 b) p/ @  G" w. [0 t    mov     dx, offset New_Int_Routine, j7 d) e3 W. A
    int     21h) i6 X! H6 c5 }0 L- {

6 P3 x9 T; r! c5 n__________________________________________________________________________) o- b7 C2 u; ]% M: J5 R, i* ~" T

4 J" W6 R/ i- k; N4 B; eMethod 09
9 I" M1 i( p! J% e=========
* p9 [) L! s2 P0 f$ H; ?% f
" d) W+ u/ n) v1 _) U# ^This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only! U9 E2 e0 c( V& E  I
performed in ring0 (VxD or a ring3 app using the VxdCall).
0 [" f; w2 w, F: P& JThe Get_DDB service is used to determine whether or not a VxD is installed$ N$ H' K# Y* `2 L5 T9 w
for the specified device and returns a Device Description Block (in ecx) for8 l! s6 }) t6 Z+ b/ b- j
that device if it is installed.' D  ~* ^1 \; r% Z4 [5 b

- n1 |1 P) c* F( K7 V8 \2 t   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
% I' w# @! e2 }. [) D0 U   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
4 U/ C; T/ x* Z; ?5 i+ B   VMMCall Get_DDB7 c# h4 w9 O' L5 o% ~# @" {9 C4 k$ b
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
* {6 n0 R9 n. c' G1 o! O; {& v4 s* N; L, T; H7 }
Note as well that you can easily detect this method with SoftICE:8 f9 T9 Q: m: \* D
   bpx Get_DDB if ax==0202 || ax==7a5fh  e0 Q2 I1 E# }
+ x; _5 v9 o. o! {2 d! N; U
__________________________________________________________________________% x! O+ A4 v3 l
% a0 Q3 c6 N' h, j" i
Method 10, F/ O, V  x. A' [, s# K0 ~
=========
, {+ R9 n" R2 B- [, l" s* M, x& c3 h7 }3 H4 v; F. E
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with( I2 q, D8 k) `9 B: N/ R( i
  SoftICE while the option is enable!!
1 i4 J: d& f' q( q# _- ~) O
7 c/ b( k4 R9 R  d; [This trick is very efficient:: Z- a' s0 x" O% U% [- P
by checking the Debug Registers, you can detect if SoftICE is loaded) a+ O' E5 z/ c( O2 s3 `0 t% O3 H& m' ~- D
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
# G( M1 S+ ]* jthere are some memory breakpoints set (dr0 to dr3) simply by reading their9 A+ x! V, s7 N
value (in ring0 only). Values can be manipulated and or changed as well5 d# }: V7 [( \7 d1 U( C9 H+ L
(clearing BPMs for instance)* [  ^8 a( a3 ~) F/ N# W
9 h  P9 c: Y1 {- m
__________________________________________________________________________
; p/ c* ]5 i4 d  {0 [0 {6 ?" d
/ c' I5 T8 T' a: [# XMethod 11, o6 j7 o8 ~4 L1 [9 a, J% N: f; y
=========
  Q0 q  F5 S) Z% f
, V% M0 E* _! B* N( i! \This method is most known as 'MeltICE' because it has been freely distributed. V2 N- P$ u- H3 W8 Y
via www.winfiles.com. However it was first used by NuMega people to allow
  G7 J! d, f& z$ P4 ~Symbol Loader to check if SoftICE was active or not (the code is located
* h/ Z$ z: S  f3 A' {. ~inside nmtrans.dll).
1 y$ e& i3 p( O' d
, m3 o9 k$ c; P2 n! q& x; ?The way it works is very simple:7 D3 J# Z* o" ]! q9 a% y
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for5 Z: U( N. [0 R+ Y% a
WinNT) with the CreateFileA API.% [! A, D/ |  p0 q% g% G

% m6 k. D0 l2 {+ @! s2 b( d/ WHere is a sample (checking for 'SICE'):# W% {$ V/ h8 b
) I3 P  Q6 V( z' ^/ k0 |$ e/ N
BOOL IsSoftIce95Loaded()% @' w: D5 U. `) W4 O7 H2 b/ E7 V
{! ^) Q! x/ S5 n, Q5 l6 M7 s& K
   HANDLE hFile;  0 ]0 S+ x% p0 T4 j4 V- x( [
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,2 f' D4 }0 X3 N$ A
                      FILE_SHARE_READ | FILE_SHARE_WRITE,! g& |* h8 K, v0 t# S' u
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);' ?% ^  C0 e4 C5 `# }$ D- k8 x% t
   if( hFile != INVALID_HANDLE_VALUE )
9 L! ?" y1 L" f, ^" G- ~9 C   {
0 X' b5 ?6 {( O  l  B/ ]      CloseHandle(hFile);
+ x; i3 x; l# V- k) Z% D$ I      return TRUE;9 V# U1 k+ l- X+ s
   }
5 r& P% R+ ^- c& ?1 L& N  K   return FALSE;: T- m5 D5 a+ V+ S: h. m
}
$ y6 W; o9 ^8 u2 ~
$ L. g1 |0 {9 f: wAlthough this trick calls the CreateFileA function, don't even expect to be9 a- K* n, e4 e) S' t+ [
able to intercept it by installing a IFS hook: it will not work, no way!
! H9 \9 d2 d4 ]' t+ T$ ?/ WIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
. k' \6 |7 ]$ g0 F2 s3 z! Oservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)1 U+ L" f: A! P5 L7 \3 w
and then browse the DDB list until it find the VxD and its DDB_Control_Proc, v6 u2 F  m- L+ Z7 a5 q
field.
; G+ d4 ~* \' ~0 t$ [, hIn fact, its purpose is not to load/unload VxDs but only to send a 8 S& g% r& M( l9 m  U
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)' z& Z. w- Z+ t4 s
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
3 R9 d7 f$ B9 I4 d( Wto load/unload a non-dynamically loadable driver such as SoftICE ;-).
) i% B* A, f1 D  ^: o1 \: {4 L1 bIf the VxD is loaded, it will always clear eax and the Carry flag to allow
, r- O4 I& |. i* n1 X' t3 hits handle to be opened and then, will be detected.# y: c1 J3 w* m! J7 q: m+ |6 o
You can check that simply by hooking Winice.exe control proc entry point
9 b( b! o! }) L2 y- E( Rwhile running MeltICE.
. }! @6 k4 H* o3 X  E6 f7 W
" [1 M! k% K. s+ z. g* N
8 d" L2 c; j/ e& H! W% b  l! t  00401067:  push      00402025    ; \\.\SICE
) j. h* r. V/ d, X) O  }0 ?  0040106C:  call      CreateFileA4 H3 U- ~1 l8 J' s' I& i% h
  00401071:  cmp       eax,-0016 f$ x! r7 q% \7 n# ~) `3 o7 _
  00401074:  je        00401091
  h: @' f# H+ ~
% V7 S; Y2 q0 V1 K' ^7 l  G
: G0 q( _- h2 kThere could be hundreds of BPX you could use to detect this trick.% ?4 H, q7 a; Y& x" X4 G4 N6 U* n2 ~
-The most classical one is:
9 o2 ?2 W$ w; B; @2 \8 G  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||3 J5 C  t% t+ Q5 U7 v6 n5 l
    *(esp-&gt;4+4)=='NTIC'& _1 o' I2 {& B7 ]7 _& Y
4 v# F) ]$ C  p" X5 p
-The most exotic ones (could be very slooooow :-(8 r2 b& _" R' y" B& k" W' e$ X! s; P
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  6 y5 N$ ]2 |! q! ?$ L. Z' q
     ;will break 3 times :-(7 g& P$ C9 N7 U  T% @9 |, Y  w
: D  t+ p- x, D8 [% c) \; O$ Z- D$ d
-or (a bit) faster: 4 r# W. q6 }3 H9 s! `$ q
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')2 }8 a- W( z- Y6 ]
, f5 b: y1 ?# Y0 y7 B2 i$ [9 R
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  & }" y$ N( a% ~
     ;will break 3 times :-(7 r' Q4 U, @9 n, d7 g4 N
' F, g3 n% g' C4 s4 t& H) Q9 D! s
-Much faster:
) E/ C9 e7 V  j1 o- A   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'' ^& X: Y( [2 W3 b  F9 J
5 M" {7 [" a! x& z8 c$ D
Note also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 o9 t: B. T, {/ B9 I% W% c! G6 hfunction to do the same job:6 f. L, O) @+ a+ y4 a' K( T

0 O% V, B: [/ @   push    00                        ; OF_READ% ^* B. `2 }+ V9 B/ x
   mov     eax,[00656634]            ; '\\.\SICE',0
0 ?8 M5 I+ c4 }& D  K' C   push    eax5 K1 s7 m0 _4 w) Q
   call    KERNEL32!_lopen
2 `6 ^9 {- B) {! ?) k: g   inc     eax/ n5 S! f/ w3 u$ j+ z
   jnz     00650589                  ; detected$ q1 N- Q# C1 q& \8 Q' F
   push    00                        ; OF_READ
  w/ D4 D, J: ?( P+ {% d   mov     eax,[00656638]            ; '\\.\SICE'
8 p/ p2 L% u& w! l9 j   push    eax
. |4 o3 c% f! k6 z3 t   call    KERNEL32!_lopen
5 d; [* v1 C0 V. A   inc     eax
3 s' w+ Y+ r5 j, E* B/ ]2 S   jz      006505ae                  ; not detected  N1 z; v* j5 x8 `' A- r- y: c' ^$ @
; H. A; _1 u4 r# q& W6 I& l# p
5 b, m3 `" ~0 x" Z; M2 {# ~" p
__________________________________________________________________________
3 q. T2 Y9 G' I) E7 I) I7 |# D
. _  [  ~  H: }Method 12& N* Z6 ?! k. a: f0 j- t1 R
=========6 F# |; {# L/ ?  [

8 u; m7 B' I% A( UThis trick is similar to int41h/4fh Debugger installation check (code 05. y+ g( |. H, L# i' P, r" K+ \. ]# _
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
/ @+ S* T6 [: s& V0 Has it uses the VxDCall backdoor. This detection was found in Bleem Demo.
; x& S5 O' c! p, w; t  Z- p+ i( T8 B8 c% [; C/ R
   push  0000004fh         ; function 4fh- B: B& j) t- E; a, G
   push  002a002ah         ; high word specifies which VxD (VWIN32)  A4 y7 h/ `* K3 S
                           ; low word specifies which service
7 b! J$ O) N* o1 _) A                             (VWIN32_Int41Dispatch)1 l9 {- d+ ~0 a* ~
   call  Kernel32!ORD_001  ; VxdCall
/ i* f% [5 \  s3 E   cmp   ax, 0f386h        ; magic number returned by system debuggers4 I7 d# G! ~2 y8 g9 L4 [4 w* V4 n7 ]
   jz    SoftICE_detected
- o6 {2 @1 T8 b% S- ^2 ^/ p2 j. f
Here again, several ways to detect it:4 h# H0 h/ L7 U

  t$ ]' u  L" D2 x  H; P3 O6 B) |    BPINT 41 if ax==4f, D2 @& r* [5 A# Q; Z# }
/ w" ^, |/ `0 W5 }
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
9 v2 j- U, Y3 v3 Z
: S3 p9 G/ L- ^# h3 o* \4 U    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A1 K6 ^8 M9 B/ [
1 m- k$ l/ Y. H1 S3 X% _
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
/ o9 R9 e' ?; Y* f7 `6 D( t* p0 ^' E/ l: [4 ?/ _* A0 t$ a
__________________________________________________________________________6 D; C# N# E) w: i. ?  {4 D+ a
2 E& f- {0 z9 z) u$ O9 J% b0 I( z
Method 13
% V( A8 c1 n! n, S- A=========
# V5 s+ M7 l* U3 E$ k8 x4 p2 g3 {6 {* f  S( O3 B
Not a real method of detection, but a good way to know if SoftICE is
4 z' g  h% d0 k9 a% O! u; V' Minstalled on a computer and to locate its installation directory.
: T) G: C; T; P; o6 oIt is used by few softs which access the following registry keys (usually #2) :
3 c2 V6 g7 @1 `# D
' S3 y1 f, n  v0 o0 {! x-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion; `* _2 s* z# {; T: A7 Z' }' I) u
\Uninstall\SoftICE
, g! R- @" E* c2 k' A: ?7 @-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) ]% R8 M# X7 j& j$ U6 M5 Y-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! V  P/ c% E) U+ J0 V  `* A\App Paths\Loader32.Exe
& }+ w' M& D2 g$ m
9 M1 [: v5 p) K
( g" K# y7 [+ d' YNote that some nasty apps could then erase all files from SoftICE directory
8 Q0 J) @6 V# ], F, c1 f(I faced that once :-(
6 p# v3 H( K" p4 t% k
/ k( D: ]! D4 E5 a, k; zUseful breakpoint to detect it:
' y0 V' D* h. |$ e( v' [7 k4 a
; B7 J+ |5 }5 O% m' Z     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
: G* [9 e7 I7 R: J  A- F# \6 j* Q# o  d. |7 s- ?- q
__________________________________________________________________________
$ ~- J" }# o4 N+ E3 B
! P3 B/ |0 W4 `& y) O  c1 Z! i# o0 S/ z) ]0 h
Method 14 . B: r6 K2 R" d* V9 `
=========
! |6 N( u' Y/ U1 h  W: p% U* H. ^4 j1 z/ ^" i6 k
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
/ C* y1 i/ W( s& F" S( wis to determines whether a debugger is running on your system (ring0 only).; P$ b: y) y3 p- Z1 ?* [
* S2 O( ]6 S3 c1 f5 Q
   VMMCall Test_Debug_Installed4 ^, v9 y% y/ s0 J$ u# s( ~
   je      not_installed" N4 }) ?; g: q

- o$ [5 K; L2 |( h" ?/ T5 QThis service just checks a flag.
; @7 y- {9 b( h" X</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-13 17:57

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表