About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Try to open the SoftICE VxD through its device name. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
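Most of the methods above leave recognisable bytes in the protected program (the 'BCHK' immediate, the 4647h/4A4Dh magic values, the 1684h/0202h int 2Fh sequence, the cmp ax,0F386h after int 41h, the \\.\SICE device names, the 002A002Ah VxDCall pushes, the NuMega\SoftICE registry key), so an analyst can triage a dump for them statically. The scanner below is an added example and not part of the original post or of any tool it mentions; it assumes the standard 16-bit x86 encodings of the listed instructions, and its sample buffer is constructed rather than taken from a real program.

```python
"""Static triage helper: flag the anti-SoftICE checks described in the post
inside a raw code/data image (for example a dumped section of a DOS/Win9x
program). Added example, not from the original post. Signatures assume the
standard 16-bit x86 encodings of the listed instructions."""
import re

# (method label, regex over raw bytes), derived from the listings in the post
SIGNATURES = [
    # Method 01: mov ebp,04243484Bh ('BCHK')  ->  BD 4B 48 43 42
    ("M01 BoundsChecker 'BCHK' signature", rb"\xBD\x4B\x48\x43\x42"),
    # Method 02: mov si,4647h ; mov di,4A4Dh  (int 3 back door magic values)
    ("M02 int 3 back door magic (SI=4647h, DI=4A4Dh)",
     rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A"),
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/04 int 2Fh/1684h VxD ID (SICE or SIWVID)",
     rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F"),
    # Methods 05/06: int 41h followed closely by cmp ax,0F386h
    ("M05/06 int 41h + magic 0F386h", rb"\xCD\x41.{0,16}?\x3D\x86\xF3"),
    # Method 07: mov ah,43h ; int 68h
    ("M07 int 68h/43h", rb"\xB4\x43\xCD\x68"),
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)"),
    # Method 12: push 4Fh ; push 002A002Ah right before the VxDCall
    ("M12 VxDCall VWIN32_Int41Dispatch/4Fh", rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),
    # Method 13: registry key used to locate the SoftICE install directory
    ("M13 NuMega\\SoftICE registry key", re.escape(b"Software\\NuMega\\SoftICE")),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(data: bytes) -> list[tuple[str, int]]:
    """Return (label, offset) for every signature hit, ordered by offset."""
    hits = [(label, m.start()) for label, rx in COMPILED for m in rx.finditer(data)]
    return sorted(hits, key=lambda hit: hit[1])


def methods_found(data: bytes) -> set[str]:
    """Distinct method labels present in the image, for a quick triage verdict."""
    return {label for label, _ in scan(data)}


# Constructed sample (not a real binary): NOP filler, the Method 01 check,
# a MeltICE device name string and the Method 12 push/push sequence.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"  # Method 01
    + b"\x00" * 4
    + b"\\\\.\\SICE\x00"                                      # Method 11
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"      # Method 12
    + b"\x00" * 4
)

if __name__ == "__main__":
    for label, offset in scan(SAMPLE):
        print(f"{offset:#06x}  {label}")
```

Methods 08, 09, 10 and 14 are not covered: they have no fixed byte sequence (interrupt vector swaps, VMMCall thunks and debug register reads look like ordinary ring0 code), so they are better caught with the SoftICE breakpoints the post lists.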