找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>
0 Z2 a) {4 p8 f$ R/ R0 s3 u9 m<TBODY>
! V% o2 p1 e( l5 q1 ]5 e) l  Z0 z1 Z<TR>, v" e8 f% W8 |( C. K
<TD><PRE>Method 01
/ m5 D! G0 x% N$ M% S- Q. L=========
2 w  `( b' v; Z4 ^4 Q" `( E! n5 `4 m
; u# P2 B4 D% M5 [, |This method of detection of SoftICE (as well as the following one) is
2 D0 }/ s5 d2 i4 D" Aused by the majority of packers/encryptors found on Internet.
, W! E- N& B3 q7 k, E; A; p* hIt seeks the signature of BoundsChecker in SoftICE
# k! e, M( F1 S  w" a0 J
6 ~. ^/ m; }/ O0 G    mov     ebp, 04243484Bh        ; 'BCHK'
8 A: [4 g1 X( k" o; j4 ~# ]& [    mov     ax, 04h
# ^! l) I; V5 r    int     3       - X3 `2 @/ i* k) @( ~7 f
    cmp     al,4
5 c8 z  c1 v8 M- ?$ {+ f, g    jnz     SoftICE_Detected
4 l% E0 z, D) Q7 F0 B1 L. h
: I! G. e/ }9 e___________________________________________________________________________8 b! u. i$ G  G
1 N( H# `0 t( R% v  @0 e
Method 02
% ?6 Y: H1 m" i/ @- b# `6 q=========8 B/ v7 [- Z% S( n$ D
$ O# V  U. L  }) V
Still a method very much used (perhaps the most frequent one).  It is used
4 @! D) V5 G" g6 O/ ]to get SoftICE 'Back Door commands' which gives infos on Breakpoints,
1 _( r3 _0 T7 l6 _' E4 ^) Z% F6 _7 Mor execute SoftICE commands...
0 P: ^. A# l% ?/ [It is also used to crash SoftICE and to force it to execute any commands
/ m- v% h9 B$ G(HBOOT...) :-((  9 l5 A+ Q) H+ {5 ^5 O3 Q3 z8 ~
/ C; _% ]# ~4 i! O7 [6 N! q
Here is a quick description:
) Y8 B* ?/ B2 C4 [- O7 M" Z-AX = 0910h   (Display string in SIce windows)
# \: V* ]3 c: T6 ?* g+ G-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)& [! B7 ~  ]( h9 l8 U  y
-AX = 0912h   (Get breakpoint infos)
; n  z! b1 ?8 F* n+ p7 N; [-AX = 0913h   (Set Sice breakpoints)# l0 s5 o, ^+ m" ~
-AX = 0914h   (Remove SIce breakoints), l% o  i# f6 H" U# E9 W/ j
- A0 C3 y' [9 l2 R* _
Each time you'll meet this trick, you'll see:+ V* P% h' r' D3 Q5 i* w: ]
-SI = 4647h
  c7 F  W. _$ x8 h! s-DI = 4A4Dh  e1 w& D& d6 R3 L9 F+ k
Which are the 'magic values' used by SoftIce.) `( Z( f( b; c7 E
For more informations, see "Ralf Brown Interrupt list" chapter int 03h.
7 o+ J* P5 U; ^5 ~  \4 f! p' n  n
Here is one example from the file "Haspinst.exe" which is the dongle HASP
2 x, i+ N) V; t' v5 q- l' pEnvelope utility use to protect DOS applications:, |) D4 }8 R5 |8 S& A9 V$ V

( ]* X5 B* }- `5 z6 v! P7 x
4 p% n* g, j( i& h$ Y" d: `4C19:0095   MOV    AX,0911  ; execute command.% Q4 ~& V, N% z2 O5 V" u6 F. G
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
9 v* R1 |# t5 h. p  s8 {% B4C19:009A   MOV    SI,4647  ; 1st magic value.6 r1 R; N$ Q3 R. x( L
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
& r# ?$ ~+ S& G# z; f5 K4 Z4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
# n: ?- h/ D/ ~" U3 A4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
0 s0 I# R+ A3 C4C19:00A4   INC    CX$ k1 t, q) `8 B4 v: P
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
1 A. L+ E! a! y+ r4C19:00A8   JB     0095     ; 6 different commands.8 e9 ~/ i. g' S
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
- V  v; `4 m$ Z- g7 G4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)" Y7 {7 ]- i1 I' ]( y3 V& R

, c* F# `5 x5 w2 H. lThe program will execute 6 different SIce commands located at ds:dx, which
% h4 F3 j& z1 |9 _are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
) V) b$ i( Z# C: p' Y: g) P) J; }, @( O7 k; D
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
, Q0 \; Y( k# \6 I) B0 f4 F___________________________________________________________________________& }# n  ~; d6 Y' ~# l
& b' W; a, K* S; B

' y  U5 n! U* ~4 ~6 TMethod 03/ F. v2 U  N" S2 G/ o& [
=========
8 Z' ?5 }9 T5 P9 A/ \, s1 ]5 x* J9 }% v7 ~! n/ n: d
Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
& T3 x0 B. L& T3 `/ Y(API Get entry point)
0 W# S1 D7 [! T1 Z# Z        
; D; {% F; v3 o9 @
4 n( E2 H% {+ E+ C4 s7 p# R9 w    xor     di,di
% S+ \& t" {" w    mov     es,di
7 w& Z8 k! l5 N9 V7 H8 I    mov     ax, 1684h       1 Y7 t( r9 }3 L
    mov     bx, 0202h       ; VxD ID of winice
  _0 S8 p. o3 B( u    int     2Fh
7 S% q' Z  m. }6 b* K& L    mov     ax, es          ; ES:DI -&gt; VxD API entry point# v9 v7 H0 Q! p" `' @; h
    add     ax, di. r6 {* E( U6 i
    test    ax,ax# N5 n/ R" F8 U8 e! M
    jnz     SoftICE_Detected! j+ |2 h3 o1 v* E2 ~( w

8 r1 _9 C6 B. `___________________________________________________________________________9 r# P% a3 v4 W5 N' g3 U* L5 K
4 {$ ?& v5 l; I# C1 U/ C: a% o6 u
Method 04% G0 ~  g" J2 `& W4 j* k2 m7 q
=========
8 |  o9 x# K! T9 E. O& Y$ ~! f; Q; L
3 E# b, `8 o! L2 D% X6 m7 }! h/ CMethod identical to the preceding one except that it seeks the ID of SoftICE8 d8 r  @9 m2 Q8 v. z! j
GFX VxD.& z- Q. q0 S4 k

# z  {8 M7 S' f/ Y: l    xor     di,di
+ ?" J$ {. t: H+ j    mov     es,di
  f& c, P! O! F+ E0 r: r( `( |    mov     ax, 1684h      
5 N6 v8 @+ u8 A    mov     bx, 7a5Fh       ; VxD ID of SIWVID
5 U7 a# K# p8 V- G/ T4 ~& _# w* _    int     2fh9 a$ l" m! x5 o& E: l  [+ f
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
* x  H1 a- N1 b: M    add     ax, di
. e# G$ t7 d( |" z# R& s    test    ax,ax2 J7 }& a) @2 O8 Y6 q$ |$ k$ i2 o. s
    jnz     SoftICE_Detected2 h% [( x, y( b; L3 f" p5 P

+ A/ x1 i8 C3 s! y. X# F% A$ r__________________________________________________________________________
+ W9 Y, L% f5 s4 ]% C% G3 A* S1 d
+ K; A7 R4 a$ `7 U% l' z
. |/ q0 [( m0 D, DMethod 05# U) A5 l# Y- }( `% A5 ?4 j3 I( m
=========
" K' N& F7 d- t  N9 h; m) T# X
6 \- s8 s* y  n4 `Method seeking the 'magic number' 0F386h returned (in ax) by all system
$ O" a- |" ~" {% `debugger. It calls the int 41h, function 4Fh.
5 p  L" P: m& i4 d+ l& E) ~/ }There are several alternatives.  
! C( Y; N  c  l" B3 o4 N
: j7 A5 ~) u" CThe following one is the simplest:
" u5 n  i: P% M) X7 {( F9 L- }3 h3 I# }4 p( f) W1 ^
    mov     ax,4fh
# t0 w  p1 ^6 ?9 n3 ?% k. |    int     41h
4 ~# J3 ?. b0 T7 i8 k* A+ ^4 I5 D4 E! \( H    cmp     ax, 0F3862 W8 ~' H. T4 e  h) `
    jz      SoftICE_detected
9 O( g* M, ]6 A! O* f' R; R) C5 h0 R1 s, H% @/ X7 k! z1 _, K
1 o( n% B5 m) P; ?  c% c, U
Next method as well as the following one are 2 examples from Stone's   K& C7 K0 q( \
"stn-wid.zip" (www.cracking.net):
' l1 O+ K. V9 U4 U$ C  q, v
2 E. o& q% z9 \1 u1 v; e8 b, i    mov     bx, cs# v- \; f# ?2 @0 X% u& K
    lea     dx, int41handler2; x$ M* L" ~) c1 P
    xchg    dx, es:[41h*4]
/ Z2 N- z" d  ]0 ~3 {    xchg    bx, es:[41h*4+2]7 ^  l5 s/ k, N3 X: u& G
    mov     ax,4fh
- `8 u: W  _5 J0 ^    int     41h6 P  g! |5 b9 Y
    xchg    dx, es:[41h*4]
: f  G( B* I9 V6 j! f* V. O    xchg    bx, es:[41h*4+2]
+ b5 w4 x1 C; ~3 [) l# O    cmp     ax, 0f386h! t3 \$ R$ C. t
    jz      SoftICE_detected
2 p6 U/ `0 j- h& E- \/ Y9 }1 w! Y" y* K% t0 T  {! q) n6 h/ g
int41handler2 PROC% F( J2 {" K# r4 \
    iret7 m+ g7 U% |, f$ M/ \* V( [
int41handler2 ENDP8 Y# _# ?( t, |% ]

! {, _5 F2 |: n; L( u, K3 E
% i0 L! }9 S  n+ p$ B8 b_________________________________________________________________________
( x6 P* x! w0 w: o- v6 y; j! O8 V! f

+ T+ a2 ^9 L% r: c( a1 W- e  j6 hMethod 06* u1 L2 J$ O& }
=========
  i5 Q/ d4 D  o& ?8 U% q; \; B
0 o4 Q9 f& U. [" X8 h0 k
* b2 ?6 k$ N. I! j8 |. D/ f2nd method similar to the preceding one but more difficult to detect:! _: d9 H: J) e# q; g9 }0 t' I7 V7 ^/ f
: W9 b6 D# z: F: `/ _" o( f
6 n& V  B" y  e/ T) a$ G: s1 g
int41handler PROC
1 s  {7 J# }- d8 O: W& T9 ]" p    mov     cl,al0 L# ~4 m- u" H4 C3 n( m
    iret& }; [  G- C5 H8 x2 c; s- b5 A9 ?' S! G
int41handler ENDP
: r* Z) ?" i$ [' I* z0 I; _% ]) U( G  n0 H( M' Q
7 r2 Y8 |5 r8 |8 ?3 \2 z! R) ?; `
    xor     ax,ax
4 p6 @6 i* _* M. }* R' b    mov     es,ax
# S" o- i5 j7 X7 h& O8 r2 n    mov     bx, cs
. W9 y" b% Z# w    lea     dx, int41handler
# s, W& j9 s; ]# k. P9 c! \    xchg    dx, es:[41h*4]& X! H2 |7 q& P1 L  J
    xchg    bx, es:[41h*4+2]* N' \$ ^0 s. n
    in      al, 40h
, p( `. \* X& q  C    xor     cx,cx, [* ?. v% y  E7 U4 J% b. n
    int     41h
/ j. u3 E4 {! A6 X2 [+ O    xchg    dx, es:[41h*4]% b: i, k1 p  ^% D, y
    xchg    bx, es:[41h*4+2]5 g$ w. e3 h+ c( U- _# l
    cmp     cl,al
3 z2 H9 s1 ?7 ~3 t( z! B$ x+ z7 Y% r    jnz     SoftICE_detected; }: e; }) o$ h

# h! F# U) I9 u1 O_________________________________________________________________________7 F0 S: |7 M4 y, i3 e+ O

" I9 [8 p/ b4 \. m& |Method 077 F8 N; L5 z7 m
=========
* {6 l$ p. s2 ?% y- u9 f$ k% {  A1 B% H5 A! Z9 t# |7 N0 E7 K
Method of detection of the WinICE handler in the int68h (V86): C2 C; O  ^/ h( A
7 ]5 `' F) N/ B2 F3 q  k: G% N& R0 g8 V
    mov     ah,43h
0 [4 d. A+ @& W6 F' q    int     68h
1 W, n# l( z# \/ ]    cmp     ax,0F386h. _2 r' P0 w; W, e1 x' `7 F
    jz      SoftICE_Detected5 s3 j" e/ j+ `+ Y9 P

" f, r4 r1 @4 \. j/ y- r( i5 n. l! a7 r- H/ [
=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
5 v* Q. v- \% a+ K: L9 [   app like this:% @8 F9 l. E; D( |2 l
$ [; ]- [6 W  ]% {; a' e$ H; W
   BPX exec_int if ax==68
1 _, h& ?( ]) i7 J   (function called is located at byte ptr [ebp+1Dh] and client eip is
0 P8 W7 \( m" C: m5 j- |9 y   located at [ebp+48h] for 32Bit apps)
) S- Q4 q) x' u9 H, n( u9 |' W5 c__________________________________________________________________________
$ ]! T, V5 G8 @( \  Q/ Z7 J7 O, L$ P2 h. F, w9 B

) V" p( J& F  ^& X+ b$ f5 ?Method 08$ m5 W' h0 [5 a; `
=========
7 ^) Q8 s) G7 Y& m) a
8 m0 }4 R% P- Z0 Y" wIt is not a method of detection of SoftICE but a possibility to crash the( P* D8 P% K7 [
system by intercepting int 01h and int 03h and redirecting them to another7 S2 j; i; B9 D( C
routine.
" X8 C5 l% r3 Q  B- O2 bIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
8 x/ t3 s$ `( f$ b& n! Bto the new routine to execute (hangs computer...)
6 E; I# a7 R, [. @( j$ l/ `! J4 @# y' e0 F. a' ?; Z
    mov     ah, 25h
: ^4 J$ p; O" i( [7 ]; ]    mov     al, Int_Number (01h or 03h); ^) W% U0 o+ N# i. s
    mov     dx, offset New_Int_Routine
1 I5 c% Q: C8 b( S8 i1 m    int     21h, I! v8 ?6 T; R: _; Y

' g0 Y8 d" Z) S# I) K! z5 J__________________________________________________________________________: Z# L' i+ l! }+ p# b: N7 N3 J
# ?( u, |$ p8 J2 z8 t3 a6 Z3 i
Method 09) M' i8 e9 g) \  ?4 s  ?
=========1 F' L9 x* I) v/ t
/ A7 X: {- ~3 y: i
This method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only0 g' B& Z* Q7 N
performed in ring0 (VxD or a ring3 app using the VxdCall).
, H) A8 u8 q3 aThe Get_DDB service is used to determine whether or not a VxD is installed. {& k  I4 |, _% n8 D+ V/ G) e
for the specified device and returns a Device Description Block (in ecx) for# B; w/ m+ K9 Q" Q6 G* i: B
that device if it is installed.
/ L2 K( s* ^' I' t
8 O5 C  Q; f2 c! R( O   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID) m  Q5 b5 M# V' j6 E" g& B# K
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
; n9 j1 W- i  `5 N9 l5 f6 Y   VMMCall Get_DDB
( v% }4 M$ I, @- b3 U# E   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed
0 y( C9 t$ G3 q5 W' N- T3 C8 Z3 C  u+ e: ~9 v" `+ ^
Note as well that you can easily detect this method with SoftICE:: j( x# F/ r. \$ l! c9 _
   bpx Get_DDB if ax==0202 || ax==7a5fh
0 l) r3 t: u3 k" X2 d: h$ ~4 a; b* V! K
__________________________________________________________________________! I$ w$ b2 k  l5 B6 t( D

, _6 R5 m" [3 k6 ?& }Method 10
* f  I- A, u* e5 {, e9 q( Q" p=========
1 F% g+ _6 h3 A3 M
" ^$ K2 y4 m6 o* m! E9 N- \=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with  y- {7 F; E$ d! v" Q# P% L3 k$ ?$ p
  SoftICE while the option is enable!!
4 B7 G2 B3 W( n; g! j
, f3 S( L7 Z4 T2 g3 o) AThis trick is very efficient:
4 D  r: x- j' |+ i/ ~4 w% xby checking the Debug Registers, you can detect if SoftICE is loaded
9 j' _; Q* I) c(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if# P/ i5 e8 `, \; h
there are some memory breakpoints set (dr0 to dr3) simply by reading their
' d% ~* W6 u& J# dvalue (in ring0 only). Values can be manipulated and or changed as well+ P2 c9 z4 p0 I# ?; i  Z( v
(clearing BPMs for instance)6 A) W- Z1 u; o2 c7 t  n3 x( |: W
; T: ~' u" d+ _+ g! m
__________________________________________________________________________, F5 @$ d; u! C8 o- W' O
0 U( v9 x4 U) d# L
Method 11
: w% q) _: h4 P8 y* h=========3 H- s0 Z; r( I9 K

, s: O- \1 C9 G. Q0 o) oThis method is most known as 'MeltICE' because it has been freely distributed1 W7 d. N, v$ C0 S/ }6 Y4 N3 ?
via www.winfiles.com. However it was first used by NuMega people to allow8 T8 N  b) V" Y8 q" S
Symbol Loader to check if SoftICE was active or not (the code is located
2 [) J' }8 D0 Q. G# U" D& Ainside nmtrans.dll).
( m- S3 Y- o& ^& u$ l7 L, D" G3 Z) b6 `
The way it works is very simple:3 R+ Y; f, _' y# ^1 J
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for, ]2 u' }! Q6 R$ ?6 v' k
WinNT) with the CreateFileA API.
7 S" z4 U5 H5 G" T: v2 J$ p3 h! G; ^: K" G) B: m9 I5 c
Here is a sample (checking for 'SICE'):
- `" D" e6 f) n+ G2 M) s
2 Y2 d0 f- Y% xBOOL IsSoftIce95Loaded()
" z7 s" l3 F& S{# z# {3 P5 Q, e) Y0 Z! P; Q* c
   HANDLE hFile;  
# M/ o9 T, F3 G2 l. H   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,* x  }3 ?! X  X, k. K2 z( u0 C
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
4 k6 R7 r! C: ~/ p& R, m0 W/ U                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- e( F9 Y) F/ _& a, l1 c   if( hFile != INVALID_HANDLE_VALUE )
  Y! m2 K& T7 u/ y! V* ?   {: ]; U+ h% I5 C: }- M* z& j8 {1 z
      CloseHandle(hFile);6 l( c/ {( c6 o9 Q; e1 H8 N' f" f' @
      return TRUE;
6 w  v6 K( v$ X, F) M$ s. y   }3 T. e0 Z7 g+ L! w, a% G5 }: ~: U
   return FALSE;2 F% x: V: a4 k2 L+ A& m, ^
}  U, r+ E8 R4 k( e" u' b

/ h0 n, y/ U0 PAlthough this trick calls the CreateFileA function, don't even expect to be
5 \7 G' Y# |( z' b9 [0 i/ Oable to intercept it by installing a IFS hook: it will not work, no way!
4 M) I$ [' E* {3 G3 n8 ^" r# MIn fact, after the call to CreateFileA it will get through VWIN32 0x001F. ]* W2 T' \( f
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
) H6 d9 k( f2 T7 O1 Fand then browse the DDB list until it find the VxD and its DDB_Control_Proc8 x" b& G5 B- _5 D( }: z" Q
field." f6 Q- i. u) t
In fact, its purpose is not to load/unload VxDs but only to send a
3 w8 E, w! Q8 N' H6 r6 ]+ dW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)8 _1 Q- V. z6 j) o% s: N
to the VxD Control_Dispatch proc (how the hell a shareware soft could try- B, M- t9 m4 o" s9 ^. J3 C4 f
to load/unload a non-dynamically loadable driver such as SoftICE ;-)., S7 X, K5 n9 ]& Q9 Z
If the VxD is loaded, it will always clear eax and the Carry flag to allow! v; l$ |# v7 Q+ M
its handle to be opened and then, will be detected.
. A& N# y  E* k, O4 U* |% nYou can check that simply by hooking Winice.exe control proc entry point, T3 f; A) {1 \6 c
while running MeltICE.
6 w, [7 h( |+ g9 B# c% N% _% G- U. T" i" }0 g  y8 O6 }$ j2 _

7 }  u; f7 X1 v0 }. ~  00401067:  push      00402025    ; \\.\SICE! W* }* o7 K9 c$ B
  0040106C:  call      CreateFileA0 \" E3 g1 Z5 n& ]2 q$ q% s
  00401071:  cmp       eax,-001
6 r7 q; L; B0 Z. i  t: h  00401074:  je        00401091
  o/ S5 n/ V2 U' }0 @; T. N( t- w9 e6 O
; Z- C2 i3 w1 W, z% k, j9 ]. Z, U
* r! i$ R, q9 m; p6 Y& m1 cThere could be hundreds of BPX you could use to detect this trick.7 Y: ^$ n9 ], o8 o7 w6 w8 b
-The most classical one is:
1 O9 j! v0 a! a. \& W  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||' M1 D2 w- \3 y
    *(esp-&gt;4+4)=='NTIC'" Y. M" |! x, h1 ~$ K! v
* ?" B# `8 m4 T* K7 f
-The most exotic ones (could be very slooooow :-(
6 ~& j/ `, H) F  F, {   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  
% Z5 d- }' `+ y( X     ;will break 3 times :-(
8 w7 N: O3 a7 {% y* p; w1 t" [; d5 i- H8 @/ d& ?9 K
-or (a bit) faster:
7 n& F0 M, `: }7 r  r   BPINT 30 if (*edi=='SICE' || *edi=='SIWV'): Z4 f5 p5 s+ t& u& T6 @2 t
3 J! q1 B7 N! ^! g! p' h: @( a8 p
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  ( W. b' z2 M+ W1 D/ f1 }( p
     ;will break 3 times :-(
; H8 f- }4 P) s- e5 [3 x2 ~) v% k0 Y8 W) L+ ]0 O6 [0 N* Z$ }3 j7 R6 A! z; m+ M
-Much faster:
+ _$ Y( ^  e! w4 g   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'/ i" @/ i) h5 R' ]- t) @

6 e6 u2 q, f& w. s3 sNote also that some programs (like AZPR3.00) use de old 16-bit _lopen
2 X' U& w) L* F, o  H1 ~7 Qfunction to do the same job:
, D1 Q4 |' z; j8 i" ?4 J) x* s4 S' G% [/ ^
   push    00                        ; OF_READ9 _4 }( `% i- ~2 u" D  z; T
   mov     eax,[00656634]            ; '\\.\SICE',00 P: C& }4 y& |3 q
   push    eax
. j" o  e& O' w4 F$ A  P   call    KERNEL32!_lopen
! h2 L7 C8 o: U9 `2 ]4 e. N! y2 @   inc     eax6 ^) J  F" ]+ x$ p+ d. C* e
   jnz     00650589                  ; detected0 a0 X. l4 p, X6 w7 R6 ~9 }
   push    00                        ; OF_READ3 C# ^* |! |7 T* M
   mov     eax,[00656638]            ; '\\.\SICE'
# l+ Q+ U' F7 h2 G. c   push    eax, ]2 ?# O+ d4 X- V2 _
   call    KERNEL32!_lopen! I  m- ~# n' ~% O
   inc     eax
( i) O( o# v2 }  m! W3 O   jz      006505ae                  ; not detected
4 P. M% P1 Y0 }. l0 c+ p; q; T1 C; k' H& M+ L& e

% ?0 S8 y7 Z: a" y__________________________________________________________________________
& t# e3 j  N, A+ d# @( ~" P+ Y  `3 s) @6 D* g+ g
Method 12
# R+ N! v5 z5 _+ {=========) Y& L! H+ r- |6 S# Z

, B6 i+ X1 [  S+ m; s- q* k" B/ dThis trick is similar to int41h/4fh Debugger installation check (code 05" A% J( b" v1 g9 \3 H
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
( A: T% X6 _0 \3 fas it uses the VxDCall backdoor. This detection was found in Bleem Demo.
" t. N  f- k( O; s5 G& }; [) c, w/ |9 V6 ]" ~0 f
   push  0000004fh         ; function 4fh0 n# \* @3 f+ c$ D; L9 }9 v
   push  002a002ah         ; high word specifies which VxD (VWIN32)& W% t7 L) `: ]7 M
                           ; low word specifies which service* ^+ w; |8 _  H. t; w3 Q
                             (VWIN32_Int41Dispatch)
) E& k6 Y5 |# Y  G8 a   call  Kernel32!ORD_001  ; VxdCall) n! n& p6 |. Y* D# r3 @
   cmp   ax, 0f386h        ; magic number returned by system debuggers8 U6 Z- I0 z' u% S
   jz    SoftICE_detected) O' J0 L9 U' Q9 x2 A4 P
8 ]  z% q* ^) c) h5 J$ m
Here again, several ways to detect it:# T2 M# `) y& Y  _; ~+ M
$ e' [) S- `/ |
    BPINT 41 if ax==4f6 ^3 r% V+ S1 t7 E2 v  \
3 Y  o; F5 P/ G) [
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one
$ y* c( B. N6 ^% E2 S* y7 M% f+ K: a5 w
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A; G" L& i7 }8 z/ t  y2 W, x
' H6 e& ?' [+ w
    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
9 r  ^. [3 [9 n  c( H! V
- s$ E2 T9 E. ?& k) f__________________________________________________________________________; L- ~; J& Y1 r. I
6 r5 o/ o" k! |; r1 g- ?; M
Method 13
0 \4 D+ Q0 R' J+ [# L8 n# k=========
5 h5 o" H# u1 b4 C/ Y. W/ S
  j; c0 i6 H8 y  H- L' kNot a real method of detection, but a good way to know if SoftICE is- }" @& i0 I5 F- R
installed on a computer and to locate its installation directory.
+ d! n3 }# o+ f5 P& k' p1 }% RIt is used by few softs which access the following registry keys (usually #2) :
5 h+ {: M% ~% I3 v' `! r/ D$ N! T. ^6 S& I
-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
, g* v& G$ q0 U* d# X( U\Uninstall\SoftICE
6 ?8 A3 E3 z+ B7 e/ M/ [- K-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
* {8 k/ G% v$ P7 V, |0 @6 O-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
( C+ R/ q6 F: f# F' ]: i\App Paths\Loader32.Exe' ]) a4 L1 q( O, b, ]. l* x

- Z1 [$ o3 r; b% q3 B/ k6 G8 y0 \- W9 w% m
Note that some nasty apps could then erase all files from SoftICE directory
& K* F8 [4 L/ @/ k(I faced that once :-(
$ ^6 ~& V1 [: p5 e1 u
' K9 H& ^% |' i- Q( g! F* PUseful breakpoint to detect it:& y( }% N9 Y. v. f+ _

: Y& N3 o' ~1 m     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
- c( T* g6 D: w; x7 i
4 v. v0 u) [. Q6 y) p3 o__________________________________________________________________________  j( g, a8 u( J" z2 ?; d9 A0 M
, P. w8 L8 c: T/ A7 B/ B. H
) b1 N, j5 W$ F, n# v0 O7 K. z  Q
Method 14
0 \; D7 I: T/ p9 z=========
/ \. V% m% g5 t" X7 Q! f5 f' Y6 H9 b1 p2 m* n. e
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose; `" ]4 V* D- S% C# k: h& S
is to determines whether a debugger is running on your system (ring0 only).* y$ r$ ^, L) G5 m( y
+ g7 ^' n7 u6 ^
   VMMCall Test_Debug_Installed
5 d  n# q2 M9 G; M7 e9 f   je      not_installed& K2 M. }5 ^: U8 D

# d$ v, {# d- K. CThis service just checks a flag.& H  P9 a  J( m" U
</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-19 02:58

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表