About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker query by changing AL
    cmp     al,4                   ; AL still 4: nobody answered, no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di          ; ES:DI stays 0:0 if no VxD with that ID is loaded
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install a dummy int 41h handler (ES must be 0,
    xchg    bx, es:[41h*4+2]    ; the IVT segment, as set up in Method 06)
    mov     ax,4fh
    int     41h                 ; a loaded SoftICE answers before the IVT vector is reached
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; plain handler: leaves AX = 4Fh when nobody else answers
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect
(no function 4Fh and no 0F386h compare to put a conditional breakpoint on):


int41handler PROC
    mov     cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; ES = 0: interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; AL = current PIT counter byte, a pseudo-random value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL == AL only if our handler actually ran
    jnz     SoftICE_detected    ; SoftICE swallowed the int 41h and CL stayed 0
                                ; (a PIT byte of 0 gives a false "not detected")

_________________________________________________________________________

Method 07
=========


Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========


This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring 0 only). Values can be manipulated or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========


This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

/* Win32: needs windows.h (CreateFile, CloseHandle) */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);   /* the open succeeded: the driver is present */
      return TRUE;
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 service
0x001F _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; _lopen returns -1 (HFILE_ERROR) on failure
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; 0x13 is the offset of "tICE" in
"Software\NuMega\SoftICE" and 0x37 its offset in the #1 Uninstall path)

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).


   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set: no system debugger


This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
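The debug-register check of Method 10, worked through as an added example (not code from the original post or from any of the protectors it mentions): a decoder for DR7 and DR0-DR3 that reports which hardware breakpoints (SoftICE BPMs) are armed, tests the dr7 == 0x700 / 0x400 loader signature the post gives, and computes the DR7 value a protector would write back to clear the BPMs. Reading the registers takes ring 0 (mov eax, dr7 faults in ring 3), so the register contents below are constructed sample values rather than live reads; the bit layout follows the Intel SDM, where bit 10 of DR7 always reads as 1 (hence 0x400 is the "clean" value and LE|GE on top of it gives 0x700).

```c
/* Added example, not part of the original post: decoding the x86 debug
 * registers the way Method 10 uses them.  The DRx values are constructed
 * samples passed in as integers; on real hardware they can only be read
 * from ring 0.  Bit positions follow the Intel SDM description of DR7. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DR7_LE        (1u << 8)   /* local exact breakpoint enable          */
#define DR7_GE        (1u << 9)   /* global exact breakpoint enable         */
#define DR7_RESERVED1 (1u << 10)  /* reserved, always reads as 1            */
#define DR7_GD        (1u << 13)  /* general detect: trap on any DRx access */

typedef struct {
    uint32_t addr;      /* linear address from DR0..DR3                   */
    int      enabled;   /* Ln or Gn set in DR7                            */
    int      global;    /* Gn set                                         */
    unsigned rw;        /* 0 exec, 1 write, 2 I/O, 3 read/write           */
    unsigned len;       /* 1, 2 or 4 bytes (8 only exists in long mode)   */
} hwbp;

typedef struct {
    hwbp bp[4];
    int  active;        /* number of armed breakpoint slots               */
    int  exact;         /* LE and GE both set                             */
    int  general_detect;
} dr_state;

static unsigned len_bytes(unsigned len_field)
{
    static const unsigned tbl[4] = { 1, 2, 8, 4 };  /* 00=1, 01=2, 10=8, 11=4 */
    return tbl[len_field & 3u];
}

/* Decode DR7 plus the four address registers into a readable state. */
dr_state decode_debug_regs(const uint32_t dr[4], uint32_t dr7)
{
    dr_state s;
    memset(&s, 0, sizeof s);
    for (int i = 0; i < 4; i++) {
        unsigned local  = (dr7 >> (2 * i))     & 1u;  /* L0..L3: bits 0,2,4,6 */
        unsigned global = (dr7 >> (2 * i + 1)) & 1u;  /* G0..G3: bits 1,3,5,7 */
        s.bp[i].addr    = dr[i];
        s.bp[i].enabled = (local | global) != 0;
        s.bp[i].global  = global != 0;
        s.bp[i].rw      = (dr7 >> (16 + 4 * i)) & 3u;            /* R/Wn */
        s.bp[i].len     = len_bytes((dr7 >> (18 + 4 * i)) & 3u); /* LENn */
        s.active       += s.bp[i].enabled;
    }
    s.exact          = (dr7 & (DR7_LE | DR7_GE)) == (DR7_LE | DR7_GE);
    s.general_detect = (dr7 & DR7_GD) != 0;
    return s;
}

/* The post's "dr7 == 0x700" test: LE|GE on top of the always-set bit 10.
 * A DR7 with nothing armed reads 0x400, the post's "not loaded" value.  */
int dr7_has_loader_signature(uint32_t dr7)
{
    return (dr7 & 0x700u) == 0x700u;
}

/* Value the "clear BPMs" variant of Method 10 would write back: drop all
 * enable bits and their R/W+LEN fields, keep the remaining bits intact. */
uint32_t dr7_clear_breakpoints(uint32_t dr7)
{
    return (dr7 & ~0xFFFF00FFu) | DR7_RESERVED1;
}

static const char *rw_name(unsigned rw)
{
    static const char *n[4] = { "exec", "write", "io", "read/write" };
    return n[rw & 3u];
}

int main(void)
{
    /* Constructed sample: program started through the SoftICE loader (LE|GE
     * set), a 4-byte read/write BPM on DR0 and a 1-byte write BPM on DR1. */
    uint32_t dr[4] = { 0x00401000u, 0x0040F0E4u, 0u, 0u };
    uint32_t dr7 = 0x700u | 0x1u | (3u << 16) | (3u << 18)  /* L0, RW0=11, LEN0=11 */
                          | 0x8u | (1u << 20);              /* G1, RW1=01, LEN1=00 */
    dr_state s = decode_debug_regs(dr, dr7);

    printf("dr7=%08x loader signature: %s, %d breakpoint(s) armed\n", (unsigned)dr7,
           dr7_has_loader_signature(dr7) ? "yes" : "no", s.active);
    for (int i = 0; i < 4; i++)
        if (s.bp[i].enabled)
            printf("  dr%d %08x %s len=%u %s\n", i, (unsigned)s.bp[i].addr,
                   rw_name(s.bp[i].rw), s.bp[i].len, s.bp[i].global ? "global" : "local");
    printf("dr7 after clearing BPMs: %08x\n", (unsigned)dr7_clear_breakpoints(dr7));
    return 0;
}
```

The same decoding is what a reverser wants when a protector reads DR7 from ring 0: a value other than 0x400 with any of bits 0-7 set means a BPM is armed and will be found, which is why the post says to disable or clear breakpoints before stepping through such a check.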