找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
( _7 M6 ~: I* N% I( r<TBODY>7 {( q6 T6 y+ ]
<TR>
, r& B/ f! }; d' f( N8 s  Q% u5 L3 z<TD><PRE>Method 01 3 g( L0 r  T& |
=========
" t, i, l, l7 G, m$ B7 Z0 F4 A6 H8 P, `# s
This method of detection of SoftICE (as well as the following one) is$ M7 `" o- q( [( f6 F' N
used by the majority of packers/encryptors found on Internet.+ l/ I2 K) S+ Q* H0 {0 y
It seeks the signature of BoundsChecker in SoftICE+ H) k- G% w% t

! F% x+ l. \5 o: S& U" @    mov     ebp, 04243484Bh        ; 'BCHK'
$ T" q4 W7 i6 V: c& J" W' {% C    mov     ax, 04h
9 x/ M' C* H4 M' v. k2 _    int     3      
- Z# v6 @% g% X( \5 w    cmp     al,4
! d) g( k3 ^, o# ~' b' V    jnz     SoftICE_Detected3 V! R2 c; i4 i' h" H8 }+ V6 Y, W

: k$ r: Q5 O0 U7 _9 ?  v1 }___________________________________________________________________________
$ W7 n: j7 r/ O8 b
# _9 ~# p  {; }* ]% E( HMethod 02
7 _$ Q8 U* h; W: \. X=========9 o8 ?" d* d6 p& g* c+ [

! d  S' O9 r( b3 N! xStill a method very much used (perhaps the most frequent one).  It is used
$ w4 Y; h: ~+ |: \9 ^2 T! ?to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
3 C2 S2 v% s  Vor execute SoftICE commands...
, \2 p9 s0 ?  H, PIt is also used to crash SoftICE and to force it to execute any commands
& S% x& Y9 S/ @' F8 F" P3 ~/ K(HBOOT...) :-((  
* A3 F2 [  }. o0 H
8 y1 V8 s7 K/ i* Z6 _+ c' q% U; U) nHere is a quick description:
) j* R& i3 L* {' W# R-AX = 0910h   (Display string in SIce windows)- A/ b9 H* M$ w4 F4 y. V8 c
-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)
* \5 C) M) D" Y. R: F-AX = 0912h   (Get breakpoint infos)% F& [4 H8 P2 p
-AX = 0913h   (Set Sice breakpoints)
3 |8 v, q: F& x5 o$ o0 F+ n+ S-AX = 0914h   (Remove SIce breakoints)( h# C% T  X8 Q4 C

) b7 D, k& C; K$ H1 nEach time you'll meet this trick, you'll see:+ |# r' ~- ]% c5 w8 G: ?
-SI = 4647h; a6 U8 b1 K, X* y% @" R
-DI = 4A4Dh
: Z: L" z% M1 a# b! vWhich are the 'magic values' used by SoftIce.
: I' e$ i& N5 ~  A2 _1 nFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
9 c' i, B- I: r; [- T' L7 _9 @* |3 B
0 z9 e" f7 [# j* zHere is one example from the file "Haspinst.exe" which is the dongle HASP' v% M! ]' c% s
Envelope utility use to protect DOS applications:
" C7 r# k! P+ S% m) @- Z) g
1 E$ b1 J, D: J9 p6 B# j# E% H  e$ q2 I& ~. T. W
4C19:0095   MOV    AX,0911  ; execute command.6 Z9 p, `1 A/ b; {: @' Z" C
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).( Z/ W' q5 n" P$ T5 e3 j
4C19:009A   MOV    SI,4647  ; 1st magic value.
. Q6 S7 |! a) L" O, a; x& l4C19:009D   MOV    DI,4A4D  ; 2nd magic value.9 Z, N; r) r6 `0 V* }0 f9 L( C
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)7 d) k$ w6 L9 T9 i
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
9 }! T% r7 |; X2 g4C19:00A4   INC    CX5 y& s- @- e3 s2 H/ L
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute5 C# g  t% z7 i/ e) \$ ?/ H
4C19:00A8   JB     0095     ; 6 different commands./ r0 p4 D9 ?5 y. Y
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
! [2 L5 a% g0 y0 S# z# W5 V8 O1 T4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)
9 j' ]6 b0 q# a  u
( k+ h6 o( j( I5 L; D* gThe program will execute 6 different SIce commands located at ds:dx, which2 R# o- B$ F9 P/ n9 ?
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.- c) m$ O/ e2 m- z, d3 I

. w/ ]9 M: |; D8 I5 Q" @# T4 x* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
& Z; H5 j' {$ |$ E: S. I___________________________________________________________________________6 a  m- K5 n( C2 `5 G1 X
- k/ O/ f: w5 v& i0 n

. R- A0 K0 M& P# K6 v1 h8 uMethod 03! r+ S  Z: ~- k4 Q* D! |
=========
: b2 F$ Z, c9 \9 z& I- P1 k, ]9 {; k3 g
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h: K$ H1 b& {; C' R
(API Get entry point)
( p6 V% T$ Q: K% Y6 \        " u% p( K# O2 l' ]

* C! a, r$ K- V/ d  z; {, |2 O+ C    xor     di,di  r9 c( A7 f3 U7 w4 E
    mov     es,di
6 _8 g# n7 G+ X% W) k    mov     ax, 1684h       . |3 V" {: a- ?5 v$ K* J8 v2 l
    mov     bx, 0202h       ; VxD ID of winice
6 S/ ^( `0 M9 B& G; Y; A' a, s1 Z    int     2Fh  L) j* d, v( l* p( W- I
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
8 O' O2 F& a" v9 p& d7 w    add     ax, di
& G+ g# y0 H/ a3 p; q2 B    test    ax,ax) y% ?0 s7 {- X
    jnz     SoftICE_Detected6 q: D' B( N5 U- o, [6 N

2 L) t1 C, ]; H: b, u& o% U8 r___________________________________________________________________________- L( w; E" d& y% p/ n/ B* t9 W6 _9 d
/ j$ U5 z& e; Z. K) L/ A7 J2 J$ Y
Method 04( I1 \% |7 d/ U5 u( o7 G
=========
3 s% u' H$ s$ e: U8 \7 ?2 N9 K+ g2 s3 `! }9 P* ~: o) f
Method identical to the preceding one except that it seeks the ID of SoftICE5 b! F& p! Q4 M+ K6 e+ @7 n
GFX VxD.
( j, k  o2 k/ U* ]0 [" ~
; G( N6 @& [* E+ Y+ q9 |    xor     di,di0 D1 W( y0 l8 M& ]9 z& H
    mov     es,di
- a1 P! G; Y# R    mov     ax, 1684h      
7 j4 q$ q* d$ \$ l/ P3 X2 B4 }    mov     bx, 7a5Fh       ; VxD ID of SIWVID2 c, B, @" T( N; j
    int     2fh
7 v7 `- H1 Y5 r    mov     ax, es          ; ES:DI -&gt; VxD API entry point
! h" g8 {- a; Y- A    add     ax, di
. A$ `& v! n: r7 N    test    ax,ax. G, _+ t/ j- ^5 {- K% e) R
    jnz     SoftICE_Detected9 I4 v1 S# Y" l, o: ~

* P; d8 ~5 B2 U9 h& Y; f__________________________________________________________________________
2 R& g& t2 G" Q% j! ~) ]: s  \& h" W7 t: |( j; {1 o4 M+ O9 L

$ I  B( w& Y) m& s* fMethod 05
9 ?/ l1 e% X7 X=========/ [/ W! S3 h! t8 d6 C9 Y$ d

; X8 A' ^; |" K; d* v6 DMethod seeking the 'magic number' 0F386h returned (in ax) by all system, L5 o* l6 p$ a  }- b1 I, V
debugger. It calls the int 41h, function 4Fh.
/ \7 B5 }# m/ j. G' ]# e9 @% d. fThere are several alternatives.  ( z$ \! m% d3 ^

3 Q! t, K8 K( F; J0 YThe following one is the simplest:
; x6 G; J( v' t8 o0 d; I: L% j% n+ V4 }3 H
    mov     ax,4fh
. D6 A. O1 D7 f+ W/ P* U) [3 ^# z0 h    int     41h' A0 N6 S$ [9 {) _7 c9 d4 F
    cmp     ax, 0F386! E: s# N2 }9 _1 t- o# ^& s  l: p
    jz      SoftICE_detected. \) X# d' M( P# a! C! b6 @- [

9 `( M/ b& S& k- a$ ?1 b& `% D1 r$ U% {1 [8 C
Next method as well as the following one are 2 examples from Stone's
+ t5 V  A, K: x3 C% Z"stn-wid.zip" (www.cracking.net):
  d* f0 W) ?- o; {# H# k, l9 Q
3 r  c1 q) F2 U- t* O) K3 D    mov     bx, cs) c; _7 R. {( w9 f5 X0 Y& S% ^
    lea     dx, int41handler2+ _$ ^/ k# g  m- Y# U  \
    xchg    dx, es:[41h*4]+ l! I/ @  {1 c, k: _! T
    xchg    bx, es:[41h*4+2]3 Y( q0 U2 _* T( i" F$ w4 o
    mov     ax,4fh
% J' m- w* d# N" G    int     41h
+ n4 ~. }( {. ?; q6 h4 v    xchg    dx, es:[41h*4]* L: F' J# H3 A; k: [, \! Y
    xchg    bx, es:[41h*4+2]7 P; z/ R; A2 O! K
    cmp     ax, 0f386h
" E. E& [" O% |: Y2 v( g& X. i    jz      SoftICE_detected$ }  K; `1 A0 C6 M2 T5 Q5 R
: F/ {( \( w( e4 e6 P+ w
int41handler2 PROC. l8 O' X+ b- u9 V/ ~
    iret5 G: A! s, l) H6 R1 G
int41handler2 ENDP
6 T4 D' @! [% k  N  D: J3 h' Z- |5 i0 q
' {( n3 F8 E( O$ a. c( ?
_________________________________________________________________________
( k: X2 L! e) F* [" {% E; |
6 J" Z/ ?2 ]2 @; p
8 r0 C9 {0 i  H& ?/ F- BMethod 06( P9 c$ n; a" [, B& H
=========' u& d7 c- L/ r& ?5 r

! m% }: ^8 t4 z3 {) e' W; B4 P1 u
6 R: R' Z2 @/ j4 g2 C; Y2nd method similar to the preceding one but more difficult to detect:
) [$ p0 R6 p( o% Q6 E+ b7 {* P0 f  O& O$ T
# e% i9 i2 S) ]# O$ [8 y" N
int41handler PROC! c; c0 x- N9 M' l% ^
    mov     cl,al
" L, f! i4 E3 y: ]9 x, ], e6 N! q  q    iret
- l1 C3 _* |0 B1 ?4 W4 b& yint41handler ENDP
% b0 |, Y6 h" P. j, Y% V3 p$ S, R; o" c$ W6 L, ~
2 P1 n$ V5 C0 ?% A" h! X
    xor     ax,ax: i( Q  r+ l. P( U% ]8 r
    mov     es,ax' r  r' q2 q& i* s' c! v5 N* L
    mov     bx, cs6 N/ ~6 C$ O7 e' Z4 p7 @2 Z
    lea     dx, int41handler! }% T. `8 U# ^2 n% F% a, G
    xchg    dx, es:[41h*4]& x* g! n8 |* e7 y, i$ g
    xchg    bx, es:[41h*4+2]
5 g# |' J5 ^8 _' m0 R2 c    in      al, 40h
3 z, m* e- P% o$ ^8 Q    xor     cx,cx
, c6 t4 h; w+ Y- P5 }3 v- L    int     41h
- c  [  x: @( p- F( Z$ b: M    xchg    dx, es:[41h*4]4 o' L$ l/ Y+ i2 i% Z
    xchg    bx, es:[41h*4+2]) w/ o. j$ g! V. j  a4 j3 {. ]
    cmp     cl,al4 l3 v, r1 d5 E1 T2 ~
    jnz     SoftICE_detected
5 {: C. m5 O4 Q$ ]. J
: h1 Q6 y- b9 _; L8 t1 m_________________________________________________________________________
7 P' V+ s" l2 x: {/ }# n. I$ X" g* n/ V& X2 J5 U
Method 070 @  P; ]8 i: y' I# m6 r
=========* k# i' L' @1 D
, d9 _; Z6 u% c3 Q1 L$ I: }. H
Method of detection of the WinICE handler in the int68h (V86)' J# v& T2 c) x' j- N" ^' Z

! _  H7 }( T' G1 n* L. Y    mov     ah,43h" O- C& n8 J! P! {3 n
    int     68h
2 v( i& ?) H! T; U    cmp     ax,0F386h
5 W2 u3 v* U) p" S* }7 x: k+ @$ @    jz      SoftICE_Detected$ o; d# M6 m8 v% \0 w+ j& r

/ ^( o, R3 o* s9 P! B) S. N( S3 I) K1 j& X2 W4 v
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit9 O( L/ J6 A9 |. T% d3 n% ^& s4 o7 ]
   app like this:
- F# B( ?3 M0 f+ j; h+ V8 _5 r6 a) w% }
   BPX exec_int if ax==68
; n; U, V% Y2 Z8 t" U' x   (function called is located at byte ptr [ebp+1Dh] and client eip is5 j+ N& G7 p9 L8 z; B* e  R
   located at [ebp+48h] for 32Bit apps)% b, S; }; X9 w, H; D+ P
__________________________________________________________________________
# a6 a; \' q% d4 L* F" x2 z$ o( s) t, ]$ b5 P9 P1 G8 C: G- I5 b( {

8 r7 \9 P) @1 N$ T# \1 VMethod 08
7 P" q- Z% z: ?! {+ C! @=========
' L+ E! z6 h6 A+ `5 i5 X2 }. p" L, H6 Q; Q
It is not a method of detection of SoftICE but a possibility to crash the
8 z: m% U, K: ~( Tsystem by intercepting int 01h and int 03h and redirecting them to another
* H, v9 X7 O4 x2 A* d5 Broutine., p( k8 C1 Y# Q' z
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
% M0 n8 b/ R( H* S- rto the new routine to execute (hangs computer...)
4 g: m. }/ v2 Z; g
3 v: ?$ W+ t% Y: w    mov     ah, 25h
- H/ R3 g1 }* B9 Z# P( w    mov     al, Int_Number (01h or 03h)) E. b* |( x& i
    mov     dx, offset New_Int_Routine9 Q7 f/ n  [- N3 ]: j/ N; I0 S& y1 l0 Z
    int     21h
1 b) \& x% W. m9 k, N$ W8 F. ]1 X, d. H. ?# S/ W; U/ o5 P
__________________________________________________________________________
3 z6 A$ b) a6 M; ^3 ]2 f
6 U  M" |7 ]/ E$ J; K- t2 b! PMethod 09. |. Y. @0 x' {3 Q$ L/ i  P7 f
=========: }- o2 O  E6 G, Y/ C
- {) ^1 P) y( H1 t- [7 H
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only0 x/ ?, u9 T7 Z* ]7 W) h* a9 [
performed in ring0 (VxD or a ring3 app using the VxdCall).
/ _; M0 [; u- S- P; h' L1 wThe Get_DDB service is used to determine whether or not a VxD is installed- ~8 `* ^6 V+ q  @! J
for the specified device and returns a Device Description Block (in ecx) for; o0 t+ [: C  m" @6 K+ g
that device if it is installed./ Q! R0 _7 W: e  q8 ~  @1 |! A0 y
1 [. h2 b% T& m* T( Y! p: m
   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID& U; _; ]2 p& H) o9 n5 {; p' D
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
% H: [! G. A9 G0 K! F4 [   VMMCall Get_DDB6 b8 _! I0 G! V  c2 k  C
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
& K% X6 Q  ?* U; {
7 r8 ^' U0 C: }6 u. P6 W$ FNote as well that you can easily detect this method with SoftICE:
  F3 b" [/ l6 }. Q0 V( J   bpx Get_DDB if ax==0202 || ax==7a5fh
- z9 W# L& s1 v( y! W7 l# u6 F. C1 {- }1 l. R0 z
__________________________________________________________________________; H. _; i) ^% U/ t- a7 f$ l! m$ E
& f* y, o8 v5 a  j+ B
Method 106 g- p/ j( R7 V$ J4 d
=========
4 a( }+ U5 _9 |) O
# j' l* F; I$ B/ o* c( r=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
' I. l7 r2 c/ F4 i( s* ]/ @  SoftICE while the option is enable!!
! I0 b1 B( f" M0 s6 M1 ?9 s4 P# O' r- c2 W6 C7 i0 D3 h
This trick is very efficient:
! b6 `6 [2 l0 _( nby checking the Debug Registers, you can detect if SoftICE is loaded# l+ @0 _& u) r8 E
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
/ R- K# v; }4 `. [; Kthere are some memory breakpoints set (dr0 to dr3) simply by reading their3 c- I, L+ _$ r6 O4 n8 K5 [4 Y
value (in ring0 only). Values can be manipulated and or changed as well
6 ?+ F1 a- _; }  i4 X(clearing BPMs for instance)) s: A% V: U9 t7 {" s# t

9 T1 G# Q2 J& c' d( q- j__________________________________________________________________________
1 i. {2 {9 z" v, r$ R
! ^( f' f& w* g. n- Z0 e8 ?Method 110 J( d5 [& v0 Y5 V- s
=========
" E% S4 a5 K8 F4 A) `+ e( J
4 T- l5 g* P4 n+ U6 vThis method is most known as 'MeltICE' because it has been freely distributed
- X1 e! |$ ]! g- T! {9 O! uvia www.winfiles.com. However it was first used by NuMega people to allow% E7 X  O! J* H
Symbol Loader to check if SoftICE was active or not (the code is located
5 J7 n5 j1 V( j+ K9 D# H# n3 H. rinside nmtrans.dll).( f6 B- w: `) u6 h; K5 W- F

- `7 D8 V& i) u  ?1 P& |. p  P9 xThe way it works is very simple:+ _+ g) R( l1 n; J" w3 m
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
% @) c5 x$ S, s! r' o9 Q& V- `9 i/ WWinNT) with the CreateFileA API.
5 |7 z2 W  I. q: a( d& f4 B* w+ l5 k, I1 W% `: O% ]# C
Here is a sample (checking for 'SICE'):0 Q& l, ~$ y+ n( T5 r4 \
1 ]  G. s* f5 t& S% D& r) z2 m$ h
BOOL IsSoftIce95Loaded()* N* b* P4 \9 C- |! G" Z; y
{
, C6 j# \. j& c0 ^   HANDLE hFile;  ) a  n1 F& D- Q" Y' W3 ^; I- i
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE," B4 t# P, O) a6 O4 w
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
8 P+ Q4 U0 J7 X                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);5 b, J( w% x9 e* y' e2 K
   if( hFile != INVALID_HANDLE_VALUE )* {. ?( `% ]5 O3 p" Y" M( L
   {
5 t. @! P( z3 A) y      CloseHandle(hFile);& l* C0 d' `$ W3 X, t  [7 S8 S
      return TRUE;
4 |7 _5 ^; m8 m   }
+ e6 z$ m# O, |3 \/ g   return FALSE;
, E8 l/ Z, X3 Q}
0 J. n6 M4 z) z, S/ B+ w( {, a7 M8 h/ Z: X' R& @$ q
Although this trick calls the CreateFileA function, don't even expect to be( c4 i/ F& K- N2 D4 L
able to intercept it by installing a IFS hook: it will not work, no way!
$ D) x. z: |7 y! i; t5 lIn fact, after the call to CreateFileA it will get through VWIN32 0x001F
2 f! S. S! e3 H& Fservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 p4 U/ x. O5 t: T1 t7 o0 W6 e. U
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
8 ~: E0 Z+ w. ^) S9 u2 Gfield.
, J1 c* A8 u4 I$ }' m& Z$ UIn fact, its purpose is not to load/unload VxDs but only to send a ) p5 B. U: L% `2 M7 c' J
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)9 M1 C: g2 z. \! ^- j; U. E) k; e
to the VxD Control_Dispatch proc (how the hell a shareware soft could try$ k3 k# x! S5 N, x) f: k1 a
to load/unload a non-dynamically loadable driver such as SoftICE ;-).4 J( g0 `7 ^! K% V
If the VxD is loaded, it will always clear eax and the Carry flag to allow
5 m: J! D  @- b+ M: T% C3 E0 `its handle to be opened and then, will be detected.
) `- U7 C) i0 y0 P9 T& w& n2 XYou can check that simply by hooking Winice.exe control proc entry point
8 A% q' @0 E5 y+ Zwhile running MeltICE.# c) i( S* I4 `9 G+ p2 O% P
  S" i* H- a$ Z& r) M' W7 e, y
: e& F5 G" W  j0 z* ~
  00401067:  push      00402025    ; \\.\SICE/ f- H4 y. n+ x  k
  0040106C:  call      CreateFileA5 p  L0 N+ z) Z) o0 Q
  00401071:  cmp       eax,-001
% J" I1 P& t3 l9 Z- N  00401074:  je        00401091
+ Q+ B5 r- L2 ~9 Y/ c5 @$ {. v& q9 M: N( ?* j
8 P' n& I! l# s( L9 H+ D
There could be hundreds of BPX you could use to detect this trick.- c2 {& A. b; k- e) O- l9 |
-The most classical one is:) V& j$ t: S  ]( M0 M% o* p
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
- y% `1 _1 d+ `' l3 U    *(esp-&gt;4+4)=='NTIC'2 Q* V) G! Y' M
* T7 d$ u5 _' I- p( c
-The most exotic ones (could be very slooooow :-(, ]$ H9 y+ ]  q# K- q$ G
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  - b" R$ f6 v/ K  ?6 E! T/ n% h
     ;will break 3 times :-(
( l5 h" {9 F0 M& W8 M% c% K: g2 |& g9 k, l7 c
-or (a bit) faster:
) R# \  _4 d9 q6 @   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
9 J; Q8 Q! G: B' g
3 J  X4 Q+ b- l4 \7 q   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
. U. g1 B, F8 j1 i, d; B0 A     ;will break 3 times :-(* H5 e: y( q" u, X3 N$ }

9 Z& u: o- a+ \( Q; t! W) ?-Much faster:. Q: ~$ O8 l5 J8 _9 I  Y. f2 S
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'  L  q1 {  z: r6 T7 X! }

/ A3 {8 ?9 }& k9 m5 N* }, WNote also that some programs (like AZPR3.00) use de old 16-bit _lopen* z" V) R0 P& W
function to do the same job:& e8 g/ ^3 U9 \, r. B
) l, M4 o  P& B4 @
   push    00                        ; OF_READ7 Z$ S# [  p2 c6 N& t( u
   mov     eax,[00656634]            ; '\\.\SICE',0" g0 k0 e9 J9 I% Y  t
   push    eax6 L6 F9 _# }' S' k1 |1 i: E( }2 Y
   call    KERNEL32!_lopen# Z8 d7 B$ l$ ?
   inc     eax
8 C0 t* R4 Z$ y' Q   jnz     00650589                  ; detected7 _3 V/ s# }  o
   push    00                        ; OF_READ
; _2 O' O0 K0 V/ @$ _   mov     eax,[00656638]            ; '\\.\SICE'
' ?; m9 n, Z9 \7 H" g   push    eax
; }, g2 o. k, A# i7 _; c1 O   call    KERNEL32!_lopen
* k/ w8 }4 q$ u   inc     eax' u' e# t3 V8 E( m, ]# o
   jz      006505ae                  ; not detected
, U+ M/ \9 N% \0 }  z' G# t( t- r* _* A1 [

& P1 X* v$ z! G' ~" f1 d0 s. ~__________________________________________________________________________' N$ [4 X+ A6 |" d6 `$ `4 j

( J1 T1 Q( t9 N/ u- DMethod 12; P* P9 j# W5 B. H
=========
" L, p7 o" U1 r( L% f3 V" t) q' `5 E: f# U7 v
This trick is similar to int41h/4fh Debugger installation check (code 05% y# J0 [" R5 w% V% L; C
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
- y: K! d- ?5 ^/ `# l5 n, i( cas it uses the VxDCall backdoor. This detection was found in Bleem Demo.' I+ W- k% {# \1 N, M  m
+ ^, x3 Z2 w, o& B. W; u
   push  0000004fh         ; function 4fh
' \: l8 W+ H# Z9 g5 f5 _; _   push  002a002ah         ; high word specifies which VxD (VWIN32)2 X' S! N" A6 ~# C0 N
                           ; low word specifies which service6 K- `3 w8 D9 N7 r4 |
                             (VWIN32_Int41Dispatch)* i/ Q( G8 E6 s
   call  Kernel32!ORD_001  ; VxdCall
: Q" f4 j. ]; s- ?9 f  y9 H   cmp   ax, 0f386h        ; magic number returned by system debuggers& g* o* Q) k: Q. J
   jz    SoftICE_detected7 Y0 J7 o; W, b  V+ K8 Y
9 E7 N+ Y2 F+ z; Y
Here again, several ways to detect it:, v9 ~% v: ^3 u3 y& o
* D& H- k" z' l$ u' t3 C9 e
    BPINT 41 if ax==4f. Q6 h$ i: m7 C6 ^, x- z

, C5 ~2 C$ ?; j1 C& ~9 m, |    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
: M2 I3 h" E& O& y. ^9 ]# K
  M9 D0 L' v1 Q( s( K! b2 l    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A0 E4 r/ Z$ M3 p7 a
3 D$ h. u8 Q( I0 _9 S' u' T
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!* u. ~$ |5 j& U+ d: x; z" X& v

6 G" Y" f0 e7 v/ S  C! F  K__________________________________________________________________________
. o. C  d& R, R$ \  F0 f& {/ d( B
' J4 o  q$ Z* N6 h3 w0 U$ {Method 13" Z1 i7 K+ F1 S+ i5 C
=========5 |; z* l" A7 n+ ~0 u4 a
) o* V& P0 S& y# L9 X
Not a real method of detection, but a good way to know if SoftICE is
3 E. v& h5 G5 w+ F6 e" xinstalled on a computer and to locate its installation directory.
6 }; M* B2 m% A* h9 j6 TIt is used by few softs which access the following registry keys (usually #2) :
+ q# c9 _1 h# p' a0 i( J+ r( h) {; O' b: |2 U& o4 y
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion3 p( w% X3 O0 s" h4 d" k
\Uninstall\SoftICE
4 L7 i+ d  D9 X+ y-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
2 W% {# X, N& D-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion! L+ J/ A6 X6 ?: B
\App Paths\Loader32.Exe
5 a+ T% ]' k* ?8 c3 ^, Y( ]* Y8 @  w4 f4 U$ p  q0 S$ b

2 h4 }! n7 Q, kNote that some nasty apps could then erase all files from SoftICE directory
: K9 z7 H+ C: k# }: N' D- M(I faced that once :-(
) a3 K9 p) i4 v. z* J( h5 n2 o5 h7 ^2 i' e! u
Useful breakpoint to detect it:
+ `6 `( g! V2 q) B' E
* ~0 v3 v& b6 s$ c     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'9 S4 Q9 t, Z* ], U7 n
3 ?2 }9 n7 y1 f$ R5 I
__________________________________________________________________________
  Z& Y5 e( J5 O. l9 E! X
* j' n9 {. y& J9 ]: u# P% Z. R- J
Method 14 9 v1 D' U/ a0 E# `) M
=========
! E7 g& U! h+ G
. d6 G# I0 s: C6 K* LA call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
) Z+ N3 ]- x  b" O9 N% @9 s! Pis to determines whether a debugger is running on your system (ring0 only).+ s' P: W# r1 a/ S- [/ ]5 |6 j
1 i6 h! a* N( f8 c9 V
   VMMCall Test_Debug_Installed) C$ V. [7 i  N8 A) o; n# m' R
   je      not_installed8 R; U9 H  W1 i: i$ r+ [6 ?
! L9 {9 K+ o. `! l* ^. Y
This service just checks a flag.# `# u- z" {- s# V
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-14 20:12

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表