About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: with EBP holding
'BCHK' and AX=04h, SoftICE's int 3 handler recognizes the request and
changes AL, so AL still equal to 4 after the interrupt means no SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It is used
to call the SoftICE 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute arbitrary commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SoftICE window)
-AX = 0911h   (Execute a SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE ('FG' and 'JM' in ASCII).
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get VxD API entry point). If the VxD is not loaded, ES:DI comes back
unchanged (0000:0000); any non-zero value means the SoftICE VxD answered.


    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the program first swaps its own
dummy int 41h handler into the interrupt vector table, so that without a
debugger AX comes back unchanged (4Fh); only a debugger sitting in front of
the IVT, as SoftICE does, can still put 0F386h into AX:

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must be 0 here (IVT), as in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method, similar to the preceding one but more difficult to detect: the
dummy int 41h handler copies AL into CL, AL is loaded with a 'random' value
read from the timer port and CX is cleared before the call. If the program's
own handler ran, CL equals AL afterwards; if a debugger swallowed the int 41h,
CL is still 0.


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method detecting the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx
points to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or from a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns its Device Description Block (in ecx)
if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether some memory breakpoints are set (dr0 to dr3), simply by reading
their values (in ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).

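To make the DR7 values quoted above concrete, here is an added example (not part of the original text) that decodes the debug registers the way a ring0 check would read them: bit 10 of DR7 is reserved and always reads as 1 (the idle 0x400), bits 8 and 9 are the LE/GE 'exact' flags behind the 0x700 value, and bits 0-7 plus the RW/LEN fields describe up to four hardware breakpoints (BPMs) whose addresses sit in DR0-DR3. The register values passed in at the bottom are constructed for the example.

```python
"""Decode the x86 debug registers inspected by Method 10 (DR0-DR3, DR7).

Added example. Layout of DR7 (Intel SDM, vol. 3):
  bits 0-7   L0,G0 .. L3,G3  local/global enable of breakpoint 0..3
  bit 8, 9   LE, GE          local/global exact breakpoint enable
  bit 10     reserved, always reads as 1  -> idle value 0x400
  bits 16+4i RW_i (2 bits)   00 exec, 01 write, 10 I/O, 11 read/write
  bits 18+4i LEN_i (2 bits)  00 = 1 byte, 01 = 2, 11 = 4, 10 = 8
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

DR7_IDLE = 0x400                  # only the reserved always-1 bit
DR7_LE, DR7_GE = 1 << 8, 1 << 9   # what the SoftICE loader leaves set (0x700)

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 3: 4, 2: 8}   # note: LEN encoding is not in order


@dataclass
class HwBreakpoint:
    index: int        # which DRx holds the address
    address: int
    kind: str         # exec / write / io / read-write
    length: int       # bytes covered
    local: bool
    global_: bool


def decode_dr7(dr7: int, dr0_3: Sequence[int]) -> List[HwBreakpoint]:
    """Return every hardware breakpoint enabled in DR7, addresses from DR0-DR3."""
    bps = []
    for i in range(4):
        local = bool((dr7 >> (2 * i)) & 1)
        glob = bool((dr7 >> (2 * i + 1)) & 1)
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3
        ln = (dr7 >> (18 + 4 * i)) & 3
        bps.append(HwBreakpoint(i, dr0_3[i], RW_NAMES[rw], LEN_BYTES[ln], local, glob))
    return bps


def softice_suspected(dr7: int, dr0_3: Sequence[int]) -> Tuple[bool, List[str]]:
    """Method 10 as a predicate: anything beyond the idle DR7 value is a tell."""
    reasons = []
    if dr7 & (DR7_LE | DR7_GE):
        reasons.append("LE/GE set (program loaded through SoftICE loader)")
    for bp in decode_dr7(dr7, dr0_3):
        reasons.append(f"BPM on DR{bp.index}: {bp.kind} len={bp.length} at {bp.address:#010x}")
    return (dr7 != DR7_IDLE, reasons)


if __name__ == "__main__":
    # Constructed register dump: loaded via the SoftICE loader (LE/GE set),
    # plus a 4-byte write BPM on 00401000h armed in DR0 (L0, RW0=01, LEN0=11).
    dr7 = DR7_IDLE | DR7_LE | DR7_GE | 0x1 | (1 << 16) | (3 << 18)
    regs = [0x00401000, 0, 0, 0]
    print(hex(dr7), softice_suspected(dr7, regs))
    print(hex(DR7_IDLE), softice_suspected(DR7_IDLE, [0, 0, 0, 0]))
```

The predicate deliberately treats any DR7 other than 0x400 as suspicious, which is exactly why the warning above matters: a single BPM left armed while the protected program runs is enough to trip it.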
__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* MeltICE check for the Win9x 'SICE' device: if the open succeeds, the
   SoftICE VxD is loaded and accepted the DIOC_OPEN control message. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will thus be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091


There are hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods 05
& 06) but very limited because it is only available on Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of 'tICE' in
key #2 and key #1 respectively):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

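The checks in methods 01 to 13 all leave fixed byte sequences in the protected binary: the 'BCHK' immediate, the 4647h/4A4Dh magic values, the int 2Fh/1684h and int 41h/4Fh call sequences, the 0F386h compare, the 002A002Ah VxDCall service number, and the \\.\SICE and registry strings. Here is an added example (written for this page, not code from the original article or from any of the programs it quotes) that scans a raw file image for those encodings, so you can find the anti-SoftICE code before stepping into it. The rule names, the small gaps allowed between instructions and the sample buffer at the bottom are assumptions made for the example; real targets are usually packed, so the scan belongs on the unpacked image.

```python
"""Byte-pattern scanner for the anti-SoftICE tricks of methods 01-13.

Added example. 16-bit encodings are used for the DOS tricks (methods 01-07),
32-bit encodings for the Win32 ones (method 12); the mov/int opcodes are the
same in both modes, only the operand sizes differ.
"""
import re
from typing import List, Set, Tuple

# `.{0,N}?` tolerates a few unrelated instructions between the interesting ones.
RULES = [
    # M01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("M01 BoundsChecker 'BCHK' int 3 handshake",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.S)),
    # M02: mov si,4647h ; mov di,4A4Dh  (SoftICE back-door magic values)
    ("M02 back-door magic SI=4647h DI=4A4Dh",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A", re.S)),
    # M03/M04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh
    ("M03/M04 int 2Fh/1684h with SICE or SIWVID VxD ID",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB(?:\x02\x02|\x5F\x7A).{0,8}?\xCD\x2F", re.S)),
    # M05: mov ax,4Fh ; int 41h
    ("M05 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.S)),
    # M07: mov ah,43h ; int 68h
    ("M07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.S)),
    # cmp ax,0F386h (3D 86 F3; 66-prefixed in 32-bit code) used by M05/M07/M12
    ("M05/M07/M12 cmp ax,0F386h magic",
     re.compile(rb"\x3D\x86\xF3")),
    # M11: device names passed to CreateFileA / _lopen
    ("M11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # M12: push 4Fh ; push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)
    ("M12 VxDCall VWIN32_Int41Dispatch (002A002Ah)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
    # M13: SoftICE registry keys
    ("M13 SoftICE registry key",
     re.compile(rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)", re.I)),
]


def scan(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, rule name) for every hit, sorted by offset."""
    hits = []
    for name, rx in RULES:
        for m in rx.finditer(buf):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(buf: bytes) -> Set[str]:
    """Names of the rules that fired at least once."""
    return {name for _, name in scan(buf)}


# Constructed sample: the checks quoted on this page, hand-assembled.
SAMPLE = b"".join([
    # M01 (16-bit): mov ebp,4243484Bh ; mov ax,4 ; int 3 ; cmp al,4 ; jnz
    b"\x66\xBD\x4B\x48\x43\x42" b"\xB8\x04\x00" b"\xCC" b"\x3C\x04" b"\x75\x10",
    # M02 (16-bit): mov ax,0911h ; mov dx,[bx] ; mov si,4647h ; mov di,4A4Dh ; int 3
    b"\xB8\x11\x09" b"\x8B\x17" b"\xBE\x47\x46" b"\xBF\x4D\x4A" b"\xCC",
    # M03 (16-bit): xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    b"\x33\xFF" b"\x8E\xC7" b"\xB8\x84\x16" b"\xBB\x02\x02" b"\xCD\x2F",
    # M05 (16-bit): mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    b"\xB8\x4F\x00" b"\xCD\x41" b"\x3D\x86\xF3" b"\x74\x10",
    # M07 (16-bit): mov ah,43h ; int 68h ; cmp ax,0F386h
    b"\xB4\x43" b"\xCD\x68" b"\x3D\x86\xF3",
    # M12 (32-bit): push 4Fh ; push 2A002Ah ; call rel32 ; cmp ax,0F386h
    b"\x6A\x4F" b"\x68\x2A\x00\x2A\x00" b"\xE8\x00\x00\x00\x00" b"\x66\x3D\x86\xF3",
    # M11 / M13: strings a MeltICE-style check hands to CreateFileA / RegOpenKey
    b"\\\\.\\SICE\x00" b"\\\\.\\NTICE\x00" b"Software\\NuMega\\SoftICE\x00",
])
# Constructed harmless code: push ebp ; mov ebp,esp ; xor eax,eax ; pop ebp ; ret
CLEAN = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
    print("clean buffer hits:", scan(CLEAN))
```

The scanner is a triage aid, not proof: the strings can be built at run time and the instruction sequences can be split by junk code, which is why the regexes allow small gaps; a hit tells you where to put the BPX, the BPX tells you whether the check is live.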
__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>