About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on Internet.
It seeks the signature of BoundsChecker in SoftICE: SoftICE's int 3 handler
recognises the BoundsChecker call (ebp='BCHK', ax=4) and alters al on
return; without SoftICE, al stays 4.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get at the SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h   ('FG')
-DI = 4A4Dh   ('JM')
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an exception handler (the program's
  own int 03h handler) if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

A less used method.  It looks for the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point): if no VxD with that ID is loaded, ES:DI comes
back zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net).  The int 41h vector is first swapped for a
do-nothing handler, so an answer of 0F386h can only come from a debugger that
intercepts the interrupt before the real-mode vector is reached:

    xor     ax,ax
    mov     es,ax                   ; es = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect.  The
replacement handler copies al into cl; if the interrupt really went through
the vector, cl equals al afterwards, otherwise a debugger intercepted it:


int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; pseudo-random byte from the PIT counter
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

(Note that if the byte read from port 40h happens to be 0, cl and al are
equal whatever happened, so this variant can miss the debugger.)

_________________________________________________________________________


Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected.
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________



Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
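Added example (my own code, not part of the post above nor of any tool it names): a small static scanner that turns the tricks catalogued in Methods 01 through 07, 09, 11, 12 and 13 into byte signatures and reports where they occur in a binary, so a protected file can be checked for these checks before it is ever loaded under SoftICE. The instruction encodings follow the listings above (mov si,4647h = BE 47 46, cmp ax,0F386h = 3D 86 F3, and so on); the Get_DDB VMMCall encoding (int 20h followed by the dword 00010146h), the names scan/methods_found/SAMPLE and the hand-assembled SAMPLE image are my assumptions. The scanner only catches the literal forms shown in the post, so a packer that builds the constants at run time or stores the device names as Unicode will slip past it.

```python
"""Static signature scanner for the anti-SoftICE tricks described above.

Added example, not code from the original post.  Each signature is a regex
over raw bytes: the characteristic immediates of one method, with room for
an optional 66h operand-size prefix and a few filler bytes in between.
"""
import re
import sys

# (label, pattern).  scan() reports the offset where the pattern starts.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' signature + int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    # Method 02: mov si,4647h ('FG') and mov di,4A4Dh ('JM'), in either order
    ("02 back door magic values SI='FG' DI='JM'",
     re.compile(rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46",
                re.DOTALL)),
    # Method 03: mov ax,1684h ; mov bx,0202h ; int 2Fh
    ("03 int 2Fh/1684h with VxD ID 0202h (SICE)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x02\x02.{0,8}?\xCD\x2F", re.DOTALL)),
    # Method 04: same with VxD ID 7A5Fh
    ("04 int 2Fh/1684h with VxD ID 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,8}?\xBB\x5F\x7A.{0,8}?\xCD\x2F", re.DOTALL)),
    # Methods 05/06: mov ax,4Fh ; int 41h (vector swapping may sit in between)
    ("05/06 int 41h function 4Fh",
     re.compile(rb"\xB8\x4F\x00.{0,24}?\xCD\x41", re.DOTALL)),
    # Method 07: mov ah,43h ; int 68h
    ("07 int 68h function 43h",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),
    # Methods 05/07/12: cmp ax,0F386h, the system debugger magic number
    ("05/07/12 cmp ax,0F386h",
     re.compile(rb"\x3D\x86\xF3")),
    # Method 09: mov eax,202h|7A5Fh ; VMMCall Get_DDB.  The VMMCall encoding
    # (int 20h, dd 00010146h) is an assumption of this example.
    ("09 VMMCall Get_DDB with a SoftICE VxD ID",
     re.compile(rb"\xB8(?:\x02\x02|\x5F\x7A)\x00\x00.{0,8}?\xCD\x20\x46\x01\x01\x00",
                re.DOTALL)),
    # Method 11: ANSI device names handed to CreateFileA / _lopen
    ("11 MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)(?![0-9A-Za-z])")),
    # Method 12: push 4Fh ; push 002A002Ah before the VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    # Method 13: registry keys that reveal a SoftICE installation
    ("13 SoftICE registry key",
     re.compile(rb"Uninstall\\SoftICE|NuMega\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(image):
    """Return sorted (offset, label) pairs for every signature hit in image."""
    hits = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(image):
            hits.append((match.start(), label))
    return sorted(hits)


def methods_found(image):
    """Return the set of method numbers (label prefixes) whose signature hit."""
    return {label.split(" ", 1)[0] for _, label in scan(image)}


# Constructed sample image (not a real file): the post's snippets hand-assembled
# as 16-bit code (hence the 66h prefix on the 32-bit mov ebp), plus the strings
# a MeltICE-style check carries, plus NOP filler.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42"           # mov ebp,4243484Bh        (Method 01)
    + b"\xB8\x04\x00\xCC"                   # mov ax,4 ; int 3
    + b"\x3C\x04\x75\x00"                   # cmp al,4 ; jnz $+2
    + b"\x31\xFF\x8E\xC7"                   # xor di,di ; mov es,di    (Method 03)
    + b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"   # mov ax,1684h ; mov bx,202h ; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41"               # mov ax,4Fh ; int 41h     (Method 05)
    + b"\x3D\x86\xF3"                       # cmp ax,0F386h
    + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"       # mov si,4647h ; mov di,4A4Dh ; int 3 (Method 02)
    + b"\\\\.\\SICE\x00"                    # "\\.\SICE"               (Method 11)
    + b"Software\\NuMega\\SoftICE\x00"      # registry key             (Method 13)
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"       # push 4Fh ; push 2A002Ah  (Method 12)
    + b"\x90" * 4
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for offset, label in scan(data):
        print("%08X  Method %s" % (offset, label))
```

Save it as a script and pass the path of a suspect executable; with no argument it scans the built-in SAMPLE and lists one hit per method it contains, in file order. A hit on "05/07/12 cmp ax,0F386h" alone is weak evidence (the constant can occur by chance), which is why the int 41h, int 68h and VxDCall patterns are reported separately.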