找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>7 E' ?1 |$ g( |% o
<TBODY>
2 x' n) `, }$ Q2 z<TR>5 ^1 n1 D3 x4 A3 W  ^9 {) s
<TD><PRE>Method 01
& X7 d' l- T' B2 @' ^: ^& Q=========4 T; v7 }$ X1 ^$ K* p& F0 g

& u1 l: T: t$ r- v! ~/ zThis method of detection of SoftICE (as well as the following one) is; Y% ]6 L+ o/ F7 {* n
used by the majority of packers/encryptors found on Internet.$ q3 L  R  h# H  I4 G) T
It seeks the signature of BoundsChecker in SoftICE0 T+ S0 }) z; Y+ w7 f* p* x

. r1 c  x8 X: |" U    mov     ebp, 04243484Bh        ; 'BCHK'1 |, f' u+ Z3 W) z8 a
    mov     ax, 04h
2 ]3 X) f6 l& V2 j+ s( M    int     3      
( _7 R" Q2 x$ r. A    cmp     al,4
/ @. S& E: ~" A# m) T( i+ Z    jnz     SoftICE_Detected/ G0 Q7 K: G$ F) e6 O

" z4 e6 j  o) R8 K___________________________________________________________________________7 E' b1 u* N* ]# X8 q; P
  M" ~" R  i  Z' a' w4 A
Method 029 Z# S* j+ {' ]; O: x
=========
5 Y. ]$ K9 ~; F8 [8 P' R$ X5 h2 ^- l
0 g, D# d0 F3 T* l3 d! YStill a method very much used (perhaps the most frequent one).  It is used7 v. o2 L$ L  J; \" ]
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
) G- V# o+ k( Q8 O7 j8 U4 c9 Ror execute SoftICE commands...
( z  G1 q6 d6 }+ @It is also used to crash SoftICE and to force it to execute any commands
5 i- c/ m/ t: y. N! s(HBOOT...) :-((  ' A& G! \! U3 X( X! u2 {

6 q# \9 s8 g; `" Q& y* S6 g* }: HHere is a quick description:
! c. N: S. |, R, D-AX = 0910h   (Display string in SIce windows)
8 a- \0 y1 _% D. W- w8 |-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)! t- Y4 D4 d. \8 T
-AX = 0912h   (Get breakpoint infos)
* i- A3 J, v* }4 v. Q7 n$ i-AX = 0913h   (Set Sice breakpoints)9 p3 h; O& E* [9 y+ K% P; r
-AX = 0914h   (Remove SIce breakoints)$ |" D+ f' \* Q2 o8 t, ]/ P

+ ?3 B8 i( d- y! x6 T% L5 b8 s* eEach time you'll meet this trick, you'll see:3 ^8 g* v; |1 S2 X" M# `7 Q
-SI = 4647h
+ P0 l- L. ?- Q5 }, l" y-DI = 4A4Dh4 `6 D/ u/ |) Q' O' _5 P( ~
Which are the 'magic values' used by SoftIce.4 r2 J) e4 g3 F; N9 b2 g/ w0 d
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.6 O4 b) e# G* U$ `

/ q5 N) C. H) T# rHere is one example from the file "Haspinst.exe" which is the dongle HASP
8 c8 ?6 T4 y8 Z: b- HEnvelope utility use to protect DOS applications:
* y! m! m  c8 M9 y: ^1 X! O2 `1 n% O: ]; j5 z

$ k; i& }5 g( @8 ?8 i4C19:0095   MOV    AX,0911  ; execute command.6 _; B# M5 E$ b# ^( V
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
+ b% I1 b, `4 W8 @# u4 M  d: W6 w4C19:009A   MOV    SI,4647  ; 1st magic value.
2 ^: p( O# A$ w" O& @3 t4C19:009D   MOV    DI,4A4D  ; 2nd magic value.* W/ J; {/ S+ o: ?" m7 ^4 r4 B
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)% m; [$ B8 D1 s8 D( X! F
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute3 O9 E7 o6 M$ {" v. j- C
4C19:00A4   INC    CX" }5 ]) y+ \. M6 K. H5 g6 a1 l
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
% ?: F- P* x5 O+ ?+ v8 R9 D$ {4C19:00A8   JB     0095     ; 6 different commands.
& U0 t3 V; G+ \. W  M) U4C19:00AA   JMP    0002     ; Bad_Guy jmp back.8 X; r% y) Z$ r% F/ t' ?
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :), Y% R$ r6 y+ {3 f* j1 t  V6 @

9 t$ b$ H# l  j5 S! Z# U: l/ bThe program will execute 6 different SIce commands located at ds:dx, which
0 k2 m0 l, P' _/ V" Z9 \are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
: W0 S  O/ D1 W0 X* m
* n2 H5 R1 l+ P% D* n3 A' |* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.8 I! E! `2 j+ _1 V5 v! g% c" R
___________________________________________________________________________
% Q4 a% M* w/ Q* V: l; |9 j+ n7 L# z) X+ }, ^3 |/ I

( D: A1 e; H* C. yMethod 037 }# M2 S0 {. e
=========7 n3 f# R2 j/ b

0 x( n$ P0 Z: c% n# |Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
( U; O. P4 d# a! Z(API Get entry point)
8 g. j+ D1 h# }/ p! i        2 Q1 J) s! \6 F9 b+ b! o! m$ t
4 C) v& i' B: S5 r% R
    xor     di,di$ R( E: X+ Z/ G: r7 w
    mov     es,di! U/ m- g( y# ]' _9 J
    mov     ax, 1684h       0 u0 E# j' k! q1 f5 L( ]
    mov     bx, 0202h       ; VxD ID of winice
; h  {6 J" O; ?9 j2 J    int     2Fh
& `0 @4 `8 H" A' R    mov     ax, es          ; ES:DI -&gt; VxD API entry point
4 G2 y4 x7 \7 m* V4 c4 i  r; Z8 t    add     ax, di) o9 r. o/ `% J  a5 l
    test    ax,ax& E7 f# A; W) t& w1 L( _3 @% A9 s' l
    jnz     SoftICE_Detected
) P+ [) @, m; B% j5 l  S( c' y7 _; Q. X2 |( C
___________________________________________________________________________- S5 ]( N8 y* h, P

/ K1 j/ L) s3 F6 ?* N; [( D# U, `Method 043 h6 E7 O! k/ y. m  D
=========, A  p7 S4 q# A
6 i6 `3 T$ K, G4 }0 c
Method identical to the preceding one except that it seeks the ID of SoftICE
: b7 H$ @& i& L5 c6 q% z! O& W- P! [GFX VxD.
6 S5 E+ l' \8 i6 M8 W. B/ K
3 l# v$ ]4 v+ u9 @/ }$ j) t: q    xor     di,di
  ~1 n# D  H8 E5 E+ s2 g+ A    mov     es,di. N5 o$ L8 c: V% h
    mov     ax, 1684h       3 s0 B7 F& F" T7 f1 ]1 F& P. B+ X
    mov     bx, 7a5Fh       ; VxD ID of SIWVID0 m9 k: u( I" J+ }9 u1 ^
    int     2fh
2 Q0 z/ r# _5 i+ A  ~) T( f    mov     ax, es          ; ES:DI -&gt; VxD API entry point& l9 S4 Q3 x, c+ y/ C
    add     ax, di1 J! F; d: X+ v% v
    test    ax,ax
$ J+ \/ f7 f" ]# r: X3 I0 V8 k- f    jnz     SoftICE_Detected2 S! U( I. {" W/ e) r2 G

# `4 q/ ?, i! V, M" ?: r2 Q# I  y__________________________________________________________________________" _6 R, F$ Z2 Q) z3 v

- t; ?2 `; W: p" ]$ m
6 l9 M& H' P; y. @6 V' ^: hMethod 053 D% Q2 p. e3 H1 t) S3 Z# ~
=========5 X. p# V( o! d0 ^' }) k

% Q6 g* r4 I& ]; yMethod seeking the 'magic number' 0F386h returned (in ax) by all system
3 z+ C/ ?$ T+ r9 D- ^' r$ Wdebugger. It calls the int 41h, function 4Fh.8 E" O4 K( j7 {! R6 ~
There are several alternatives.  1 s- |% S  F, w1 T* W5 ~

" p3 \, N- H3 v" R9 y3 qThe following one is the simplest:
- ]4 G8 x% Z7 s. e, X' k; v7 n- H; d+ P
    mov     ax,4fh
) o2 I. M4 S. [2 u  G6 l& y    int     41h" E. \  L" O/ k' S
    cmp     ax, 0F3862 E% [. L9 J+ z0 u0 w, {, Y5 @
    jz      SoftICE_detected
* D, P4 K+ Y+ z7 K& V
" n6 V$ }- Z2 m2 M
4 e, m  b) B- u) n7 s, T- tNext method as well as the following one are 2 examples from Stone's ( A& D& P& h3 m7 W; s3 g# F
"stn-wid.zip" (www.cracking.net):
2 ?, N' d- a/ S" ^- {% O/ p
  Z( o; x4 O/ `- d& Y# C    mov     bx, cs
5 e8 s$ y! a5 W0 B    lea     dx, int41handler22 ~" N  j4 Y% \
    xchg    dx, es:[41h*4]+ V' f. W6 n* \* x" P4 h8 z9 ~0 r
    xchg    bx, es:[41h*4+2]' j8 K3 E7 e( t  Q4 M" ], b: {
    mov     ax,4fh+ C0 D" B6 G1 @
    int     41h
+ I; p. b  {1 i& G2 ]2 N2 f    xchg    dx, es:[41h*4]
! d; H, F. z" V    xchg    bx, es:[41h*4+2]! H& ?5 H# E" Z5 u$ b4 i6 y, ~
    cmp     ax, 0f386h& m( q/ ]& K2 \! b
    jz      SoftICE_detected
/ y* `7 u9 o% t: \8 S) O6 L5 C& L! F6 ?  \
int41handler2 PROC: X+ }$ u) ~4 m5 E* j( P/ s. O
    iret
& ~' d( s) j/ s) @5 yint41handler2 ENDP+ I9 |/ W! I$ @* @! i6 S7 M
: m$ Z1 Q- h: z# R/ _
6 {) s* A7 K) ?
_________________________________________________________________________
$ L0 I$ a4 [) q3 b, D6 [
& N! k( I" ^% E; X4 B6 \; X/ v4 i6 C/ n" W9 O, U$ m+ }/ V) c9 Z
Method 06
7 N0 ?+ S9 z1 B, m4 D; W=========
5 M" g# O+ n7 N( k. m' I0 R# r
/ D0 b' k( D( q# z# \/ t
- N1 g5 I0 P) s* g2 ?7 W6 p2nd method similar to the preceding one but more difficult to detect:- ~6 B& P9 j6 k2 j& i

+ D& i( v$ m% ]$ {$ k- V$ F( _$ d2 l: H! b- x3 k
int41handler PROC% b' u8 }/ n9 q1 `5 K% p% T9 i. _0 L
    mov     cl,al( h  l- V' J# Y5 L# K4 X
    iret
2 L1 [  [& [: H5 D5 qint41handler ENDP% Q$ H+ O( d; f& B! @# N
! Q( `7 g8 A/ v) T4 p6 p

* k% Z7 l; U3 v; }. V5 a( v    xor     ax,ax+ ]7 b- n: V# T9 y  [
    mov     es,ax
; x4 `0 x! A9 m- `! b/ \    mov     bx, cs
) U4 m# c. i- |3 I' k0 Q    lea     dx, int41handler
8 }" l7 A' x& w( R    xchg    dx, es:[41h*4]! F; j& K2 N0 v* ]
    xchg    bx, es:[41h*4+2]
! d# \2 v" z% ^    in      al, 40h  I# n' X& j9 t
    xor     cx,cx
# l/ C1 b# \, t4 i    int     41h
7 v( C" j3 F( B) V7 T# u; p4 V    xchg    dx, es:[41h*4]; m/ D7 R" h+ q! _# O1 W% G
    xchg    bx, es:[41h*4+2]% I8 [; o: b$ N) t# M: r/ F. O+ l, z
    cmp     cl,al# d4 Z+ S7 i/ u# p) v/ o
    jnz     SoftICE_detected# x1 f. I, h- w9 a6 m& B
. i+ l- X9 @3 F6 r% I3 d% T
_________________________________________________________________________& L  l: _2 P3 V* u+ d( E& N
% l& `" ~! K' v: Z3 `, Q% c0 O
Method 07
( o, S7 X$ ^1 e( _=========
9 v; z" Z7 I0 @5 p4 a+ l& d
! T* }9 _( x4 ~7 U: M% ^: rMethod of detection of the WinICE handler in the int68h (V86)
; c! u$ X6 b' r: C. h1 m, f8 O; a& n- B3 h
    mov     ah,43h" ^7 b, D' D# W2 T, s5 ]: a2 ~2 ?
    int     68h
' c4 x7 r6 _+ ~' j% D! \    cmp     ax,0F386h
2 u2 U. \7 g! o- p/ Z4 u" U    jz      SoftICE_Detected
5 }! F. ?4 z0 {( ?' f- v' d+ r/ W& S4 Z7 r/ V" U3 H8 G
4 n: y* b7 Z9 g0 R  J6 V  U$ v8 V
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit% x$ e& |/ Q6 R3 r
   app like this:
# }. ]# a" E  g
% J* c2 s( N# F3 v" J   BPX exec_int if ax==68
0 E/ [& c6 k9 {" ?( b' e; S( M   (function called is located at byte ptr [ebp+1Dh] and client eip is
* v% j" U" J. i0 O% ~: O   located at [ebp+48h] for 32Bit apps)
: P$ d2 x; m7 A( I: c' g; _+ H__________________________________________________________________________
, y: K8 C3 }5 F  m! r. x+ X3 y" S: @. C
$ E2 W# y' p, t- B) `
Method 08- v: h3 ]$ i( H! K  k
=========) R: j4 ?! ^1 P# a& i( U

8 m( O; H" |8 u" PIt is not a method of detection of SoftICE but a possibility to crash the/ E* k  A' L6 i
system by intercepting int 01h and int 03h and redirecting them to another4 I5 h" {2 O$ X% I4 w
routine.
3 z5 G' \+ `2 p, l, Z6 o0 P! FIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points" H1 ~- o- z# B  [% ]" ~6 L
to the new routine to execute (hangs computer...)2 R$ P) N' m1 d8 b6 t% x
5 |: }: r! c8 o3 H2 S# ~# G/ S0 I( p# M
    mov     ah, 25h
  |0 z; g+ Z: W7 E# L" l4 \    mov     al, Int_Number (01h or 03h)
6 m7 L7 }& G  ?5 ?1 t8 h    mov     dx, offset New_Int_Routine
. P* R& x$ v& V3 N- M( Y5 m    int     21h/ P5 Z' X2 _6 P2 W

, D; N% E/ G5 a0 v. n__________________________________________________________________________
3 R+ S) ?) C% Q1 k4 q
2 q7 t' @6 x4 {: c7 z" W& C7 TMethod 09% ^9 k4 g0 j  `" w/ F- Y9 r
=========
! z) w7 V" A0 F/ B/ @4 B( Y* E. A- `' {  z0 V' `
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only  [; \& f& X$ R. {9 P! D8 x/ K% O
performed in ring0 (VxD or a ring3 app using the VxdCall).- u6 i( X3 i5 l
The Get_DDB service is used to determine whether or not a VxD is installed
) t+ R" A. i0 Qfor the specified device and returns a Device Description Block (in ecx) for: i& {0 F% \! n5 ~  g& B; m
that device if it is installed.
1 w  o% }! J4 ~5 i! H" f, \% A# _9 o* |5 t  i
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID1 z9 Z$ c# D8 Q
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)8 `: f& G( a( [* y# J! N: s
   VMMCall Get_DDB
3 A3 N5 z, |$ X/ n9 ^: l' H: h   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
0 G4 K- o% I. k% u- p2 I; A7 f9 D& g& X+ g1 M
Note as well that you can easily detect this method with SoftICE:
/ g9 X- A  p! K   bpx Get_DDB if ax==0202 || ax==7a5fh5 ?( Y. n0 Y9 Y" s) x1 `
! v% A6 _; X8 B! b5 P1 n
__________________________________________________________________________  u7 a& M  C  p( }

% W2 ]3 V  u6 l% |Method 10
3 C% N. t  q$ ~1 c=========3 [$ [: p" {1 h8 p: a: e1 _
" V1 Y; J8 ~: y
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with+ A/ P8 L- Y9 \+ X8 G$ }
  SoftICE while the option is enable!!
! L6 ^, i- d" M0 M% X! A# o4 F& |* r5 Z9 Q' y4 S  D4 d# [* M* m
This trick is very efficient:7 E8 d  p3 o3 N' b  i/ N
by checking the Debug Registers, you can detect if SoftICE is loaded0 F' R) p0 `2 t/ f) N
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if" }. O3 _! e& b, D1 t6 R
there are some memory breakpoints set (dr0 to dr3) simply by reading their% A) K' L) l/ |2 S# W- ]' q% X
value (in ring0 only). Values can be manipulated and or changed as well
. j; n5 F6 U: g' T  P# }2 M(clearing BPMs for instance)
* o" E) c- Y0 C0 x3 V/ t8 p$ H2 y# w: k- k; _
__________________________________________________________________________2 k4 f2 ^4 P3 Y0 e' _' M8 f
- o. T* ~" W8 D' V+ R
Method 11
+ c4 m2 L6 a* [! [% j=========2 o; S7 G6 z: g- s/ g

/ K4 p' @* _1 F9 Q6 PThis method is most known as 'MeltICE' because it has been freely distributed
& Q5 g6 Q$ Y  ^/ x6 ^  }. Dvia www.winfiles.com. However it was first used by NuMega people to allow
3 g, \, N4 N9 |  h; @Symbol Loader to check if SoftICE was active or not (the code is located& P! r9 M& O" K6 w' F/ B
inside nmtrans.dll).
2 X% L$ ]4 `) Z9 b
1 @) L" m6 A, F6 |. B; V% nThe way it works is very simple:
  G+ E$ n2 R( X' ?' z; E# I6 D- uIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
$ g2 ?6 O* c! a% _! O# iWinNT) with the CreateFileA API.
5 {3 i& n% D5 o+ J8 p6 L' g4 O7 ?8 u/ I1 R8 _; |
Here is a sample (checking for 'SICE'):& w' a4 s* p0 ]# R1 s
+ R# Y: N! [& Q& W
BOOL IsSoftIce95Loaded()
4 |; C/ D% e7 M{
/ ]# t2 {0 _. D. I0 o0 K   HANDLE hFile;  3 T+ t( b0 C3 J# M& B* I
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
1 Y% T& t" W) q! G$ |* _; G  L                      FILE_SHARE_READ | FILE_SHARE_WRITE,$ w) [- `" `) T( Z( L- h1 t$ u$ X
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);1 d$ Y( F% \! \2 r- c/ U, _2 F
   if( hFile != INVALID_HANDLE_VALUE )
- s/ N. J' Z6 n$ e) e& `   {6 r1 s) D/ l1 c( b; B
      CloseHandle(hFile);
( S6 ]% V4 E1 [) a. I) j7 W      return TRUE;
. C: U+ C/ g* Q! \& h   }( j$ n/ `; s1 S) f- j7 d' q; G4 r  q
   return FALSE;! X2 j1 L' P5 J6 w
}
. K' W2 v; i6 S
, t6 e5 I2 b# |9 d/ kAlthough this trick calls the CreateFileA function, don't even expect to be
3 T2 v& s! S4 B# q  `: D: sable to intercept it by installing a IFS hook: it will not work, no way!
& \% C: D: j2 GIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
( Q1 R4 K1 ~2 _4 m1 D6 i# mservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
7 m0 @" t! i4 X3 A) V9 S& sand then browse the DDB list until it find the VxD and its DDB_Control_Proc5 ]. d9 k  y4 o- J4 }
field.! h6 W" q' `5 P- H1 }
In fact, its purpose is not to load/unload VxDs but only to send a
) H) W, L! c4 P3 S4 v. hW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)0 ^0 g. a8 K, v8 c
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
$ ?7 F8 J, O( U2 E- f  hto load/unload a non-dynamically loadable driver such as SoftICE ;-).8 A% S) {* P0 S# W# _
If the VxD is loaded, it will always clear eax and the Carry flag to allow
3 U5 o! w2 E7 \& b6 n* y" Z: Vits handle to be opened and then, will be detected.1 \" N3 O4 ]3 G/ u# \9 W
You can check that simply by hooking Winice.exe control proc entry point
7 }) x. c2 A6 F6 Xwhile running MeltICE.
: T) D" m# }( Z& L& d1 ^8 J; H, `* ~( G
2 m6 w: s; m8 H+ y
  00401067:  push      00402025    ; \\.\SICE& ^/ y$ F3 e5 T8 {/ G) R
  0040106C:  call      CreateFileA
* R8 A2 F3 p. P8 J$ G  00401071:  cmp       eax,-001' K2 ?( n1 ^& x/ F# s
  00401074:  je        00401091) g& U. V' f/ K
( a- x& n5 ?9 J7 E. R9 d/ m+ @/ T
  J: ]2 n) r3 g2 @% W# O4 o  @7 H5 H
There could be hundreds of BPX you could use to detect this trick.8 C, _# p) o9 x' @+ G
-The most classical one is:5 V; i# H8 \* G; n/ M: I/ J+ g3 P
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
" O/ h' ?2 M+ k# j    *(esp-&gt;4+4)=='NTIC'7 Z, B# I/ e. z  D3 C

+ L+ B6 x$ B: J, b  G* h-The most exotic ones (could be very slooooow :-(
6 b. G( ]; J6 k! ^# C   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  5 D( g9 A5 D( L! v7 M$ }% g
     ;will break 3 times :-(
2 V7 F$ m/ d4 [3 u8 @. S
1 E2 K! l6 r5 A- D7 i- t4 o-or (a bit) faster: 0 B. @6 d' v2 t2 A& m* l
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')' c9 d) V7 j# P% {
9 t; _% |7 I, g: O8 M
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  / H4 D; O* o  _' Q) O) ]
     ;will break 3 times :-(
, [) M( Z0 j( t. u8 d; M& n. L& D  v$ Z8 W! `& O8 ]
-Much faster:
9 j& n# s9 y2 I& A: S2 y/ n6 t   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'6 ]* n6 Z) U4 Q

$ a! Y3 _, J; a! wNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
7 {* ^  c5 I  y5 R  B. I& ~function to do the same job:
. J) {5 O2 S) c" l# j! v' x; u2 j7 K1 o. c, ^
   push    00                        ; OF_READ  I: h7 c) g4 B5 a- I
   mov     eax,[00656634]            ; '\\.\SICE',00 c4 L8 _% R7 [; ?+ B% f
   push    eax0 F& a' x8 z$ b, U
   call    KERNEL32!_lopen! B' {/ j3 R# m" X. p" }
   inc     eax
7 `4 ^9 Q- `9 ?& R   jnz     00650589                  ; detected
- v8 @8 M& R' j. X. K5 Z9 [   push    00                        ; OF_READ+ @- g) \, o+ h7 H" I: i- n
   mov     eax,[00656638]            ; '\\.\SICE'
# t! n6 x5 `: X/ p   push    eax1 w: C; W) s% O( S, o# f
   call    KERNEL32!_lopen
7 n; Y: X1 H  ^5 ?; L   inc     eax5 N5 ]2 \4 u. e- }( j( C2 W5 s
   jz      006505ae                  ; not detected
4 u5 A, F" e5 y, [
# P0 y/ X  p% z' P( n3 u' T$ ^3 P: [& y+ z7 r$ o: f5 {: d
__________________________________________________________________________
! G  O! a( T3 t# ]& p
  K0 o1 S$ }* p! ]Method 120 G9 _  T$ B( O3 Q7 b' }
=========/ h' U5 V2 ^+ ^2 Y( r" x

# D6 p/ Q. @1 BThis trick is similar to int41h/4fh Debugger installation check (code 05
+ k8 n+ ^0 c3 [) X' f&amp; 06) but very limited because it's only available for Win95/98 (not NT)! T* N. w9 C3 z0 y' S
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.& M6 }& G9 `# K3 Y9 m8 F7 }* E( w

7 a7 }$ p# Y( B% v6 N$ j8 y3 }   push  0000004fh         ; function 4fh$ _! m6 P. d/ W) E
   push  002a002ah         ; high word specifies which VxD (VWIN32)) Y( E$ P# C& @
                           ; low word specifies which service  [  P+ W* {! ]+ r! {9 ^) h
                             (VWIN32_Int41Dispatch)
! x* m7 a- x  u* O% x. I7 y* M   call  Kernel32!ORD_001  ; VxdCall
% M8 a& M: X5 j' N   cmp   ax, 0f386h        ; magic number returned by system debuggers6 W# I3 @0 r7 u  w! ]
   jz    SoftICE_detected
9 X& u' y- g6 x- H. K# V- X% ~$ a2 p& U& y) B; ?
Here again, several ways to detect it:! n6 V$ |3 Z& Y( l5 y
$ z$ ]4 O- j2 M  w+ t2 D; l
    BPINT 41 if ax==4f
  a0 Q; T8 K& X1 }
# l2 f: u8 |# x% p    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
* f, p+ p4 q9 d+ y  f8 i3 s
- x1 Y5 {( O" E6 x' ]    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A
% l7 v* ?" y: G  `8 f" a9 F& w+ I8 e
" a, A* c, y# r$ w/ w6 z8 I    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
6 u( [6 V  R8 `/ \
7 u4 n" p6 L. q9 x% s__________________________________________________________________________
( e* b; ^  C% i; l- E+ U, q6 R+ p4 |0 U3 z; q3 F
Method 133 o  }2 l% c& s% C" Z
=========9 |3 D- t+ b3 a  {  D" d( ]4 H
& H# A: T2 p4 M. ^& b* M. N% c5 ~+ Y
Not a real method of detection, but a good way to know if SoftICE is
& P* @1 g/ W, @installed on a computer and to locate its installation directory.
1 K& T0 B- `8 a7 sIt is used by few softs which access the following registry keys (usually #2) :9 a. }" E) O- Q4 k* |. Z0 W

. P( h* a3 g2 {-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
! G8 q& h: K/ W7 b, \\Uninstall\SoftICE2 Z0 W2 q7 C/ c$ {  c! o" {
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE5 o/ g9 A7 a6 ]0 e/ ^1 i
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion% a7 ~* x& m4 O4 b
\App Paths\Loader32.Exe% N' y1 f% Z# B! ~
" c0 M* n* J! u% r: K* O7 }7 s

) E( X% I6 L' N/ y! s0 TNote that some nasty apps could then erase all files from SoftICE directory" A% }5 E" ^9 Q- x3 j. l3 O5 B
(I faced that once :-() @8 p) F' v; ], u, t$ b

; @% V5 j& |8 T% C# oUseful breakpoint to detect it:
" d; W" v* g& w" d9 v; J
" H: j. c8 s4 K1 s: c     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
9 Z. T3 q6 V$ D' v7 S2 @- @  e, l4 b
__________________________________________________________________________
1 L( Q+ h, Z! f: e- o% C4 ~; W$ O- p% j+ y4 e

* g+ a, F) h' F8 j* kMethod 14
1 l! G) M. U1 ]# `3 W% z=========
# z* H3 y  _" U: ?6 g" g5 w5 m# C8 u; v
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose! ^. M) {, s+ |  r( f
is to determines whether a debugger is running on your system (ring0 only).
% ~6 m' |- O9 l; Y7 `5 e5 b. u  Z- T! |
   VMMCall Test_Debug_Installed. |' ]6 k! }' p% O1 X
   je      not_installed5 s4 y( Z; t. Q3 X

$ [# D" |. q  m4 `2 X! UThis service just checks a flag.* p0 Z' y, O. J8 L# H
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-10 04:42

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表