About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________

Method 03
=========

Less used method. It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install own int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler just copies al into cl
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install own int 41h handler, keep the old one
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the PIT counter: a changing value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; cl == al only if our own handler ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h                     ; DOS: set interrupt vector
    mov     al, 01h                     ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
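A static triage scanner for the tricks above (Methods 01-05, 07, 11 and 12), as an added example that is not part of the original text: it looks for the hand-assembled x86 byte encodings of the quoted instruction sequences and for the MeltICE device names in a constructed buffer, which is what an analyst does to flag anti-debugging code in a sample before stepping through it. The encodings, the small gap tolerance between instructions and the sample bytes are assumptions of this example.

```python
"""Static triage of a binary for the anti-SoftICE tricks described on this page.

Added example, not part of the original text.  Assumed: the byte patterns are
hand-assembled x86 encodings of the instruction sequences quoted above (16-bit
encodings for the DOS tricks, 32-bit for the Win32 ones); the sample buffer is
constructed and contains no real program.
"""
import re

# One signature per trick.  The ".{0,8}?" gaps tolerate a short unrelated
# instruction between the register set-up and the trapping instruction.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3        (BoundsChecker probe)
    "m01_bchk_int3": rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC",
    # Method 02: mov si,4647h ; mov di,4A4Dh ; int 3          (SoftICE back door)
    "m02_backdoor_int3": rb"\xBE\x47\x46.{0,8}?\xBF\x4D\x4A.{0,8}?\xCC",
    # Methods 03/04: mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh (VxD entry point)
    "m03_m04_int2f_1684": rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F",
    # Method 05: mov ax,4Fh ; int 41h ... cmp ax,0F386h       (debugger magic)
    "m05_int41_4f": rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3",
    # Method 07: mov ah,43h ; int 68h ... cmp ax,0F386h
    "m07_int68_43": rb"\xB4\x43\xCD\x68.{0,8}?\x3D\x86\xF3",
    # Method 11: device names MeltICE opens via CreateFileA / _lopen
    "m11_meltice_devname": re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh ; push 2A002Ah ; call VxDCall (VWIN32_Int41Dispatch)
    "m12_vxdcall_int41": rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00",
}
COMPILED = {name: re.compile(pat, re.DOTALL) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> dict:
    """Return {signature_name: [offsets]} for every trick found in `data`."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def build_sample() -> bytes:
    """Constructed buffer: NOP padding around a few sequences quoted on this page."""
    return (
        b"\x90" * 16
        # Haspinst.exe fragment: MOV SI,4647 / MOV DI,4A4D / INT 3
        + b"\xBE\x47\x46\xBF\x4D\x4A\xCC"
        + b"\x90" * 8
        # Method 01 in 16-bit code: mov ebp,'BCHK' ; mov ax,4 ; int 3 ; cmp al,4
        + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"
        + b"\x90" * 8
        # MeltICE-style device name, NUL-terminated
        + b"\\\\.\\SICE\x00"
        + b"\x90" * 8
        # Bleem-style VxDCall: push 4Fh ; push 2A002Ah ; call rel32 (target constructed)
        + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"
    )


if __name__ == "__main__":
    for name, offs in scan(build_sample()).items():
        print(f"{name:22s} at {', '.join(hex(o) for o in offs)}")
```

A hit only says that the sequence is present, not that it is reachable; the Method 10 and 14 tricks leave no such byte pattern and need dynamic analysis.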