About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker handshake that SoftICE recognises: with
ebp = 'BCHK' and ax = 4, an int 3 is answered by SoftICE, which changes al.
If al is still 4 afterwards, nobody intercepted the interrupt.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers by changing al
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach SoftICE's 'back door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SoftICE window)
-AX = 0911h   (Execute SoftICE command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; back door call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT (SoftICE's hard reboot command).

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(the Windows "get VxD API entry point" call). If the VxD is loaded the call
returns its API entry point in ES:DI; otherwise ES:DI is left at zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI still 0 -> VxD not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh (the debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). This one first points int 41h at a dummy
handler: without a system debugger the dummy handler runs and ax is left at
4Fh; if SoftICE is loaded it answers the int 41h itself and ax comes back as
0F386h:

    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install the dummy handler, save the old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect. The
installed handler copies al into cl, and al is seeded from the timer port so
the debugger cannot predict it. If the handler really runs (no SoftICE),
cl == al afterwards; if SoftICE swallowed the int 41h, cl is still 0 from the
xor and the comparison fails. (If the timer byte happens to be 0 the check
gives a false negative.)

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax           ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install the handler, save the old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; PIT counter 0: an unpredictable byte
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86), function 43h:

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether some memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring0 only: MOV from a debug register is a privileged instruction).
Values can be manipulated and changed as well (clearing BPMs for instance).
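As an added example (not from the original text and not SoftICE's own code), the decoder below shows what the dr7 values quoted above mean and how a ring0 check would turn a DR7 read into a verdict. The bit layout is the architectural DR7 format (L0..G3 enables in bits 0-7, LE/GE in bits 8-9, the reserved always-set bit 10, GD in bit 13, R/W and LEN fields from bit 16 upward); reading DR7 needs ring 0, so the value is passed in as an integer. Treating LEN=10b as 8 bytes is a 64-bit mode rule and is not on the page.

```python
"""DR7 decoder for the debug-register check of Method 10 (added example)."""

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}      # 10b = 8 bytes only in 64-bit mode
ALWAYS_SET = 1 << 10                      # reserved bit 10 reads as 1: dr7 == 0x400 is "clean"


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into the enabled dr0..dr3 breakpoints and the global flags."""
    breakpoints = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1          # L0..L3: bits 0,2,4,6
        glob = (dr7 >> (2 * i + 1)) & 1       # G0..G3: bits 1,3,5,7
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 3        # R/Wn: which access fires the BPM
        ln = (dr7 >> (18 + 4 * i)) & 3        # LENn: size of the watched range
        breakpoints.append({
            "index": i,
            "scope": "global" if glob else "local",
            "type": RW_NAMES[rw],
            "length": LEN_BYTES[ln],
        })
    return {
        "breakpoints": breakpoints,
        "LE": bool(dr7 & (1 << 8)),    # local exact breakpoint enable
        "GE": bool(dr7 & (1 << 9)),    # global exact breakpoint enable
        "GD": bool(dr7 & (1 << 13)),   # general detect: MOV to/from DRx traps to the debugger
    }


def debugger_suspected(dr7: int) -> bool:
    """Method 10's verdict: anything besides the always-set bit means someone
    touched the debug registers (0x700 = LE|GE|bit10 as left by the SoftICE
    loader; every BPM adds an enable bit plus an R/W and LEN field)."""
    return (dr7 & ~ALWAYS_SET) != 0


def describe(dr7: int) -> str:
    """One-line summary, e.g. 'dr7=000d0402 suspicious: global write 4 bytes at dr0'."""
    d = decode_dr7(dr7)
    parts = [f"{b['scope']} {b['type']} {b['length']} bytes at dr{b['index']}"
             for b in d["breakpoints"]]
    flags = [f for f in ("LE", "GE", "GD") if d[f]]
    verdict = "suspicious" if debugger_suspected(dr7) else "clean"
    detail = "; ".join(parts + flags) or "no breakpoints"
    return f"dr7={dr7:08x} {verdict}: {detail}"


if __name__ == "__main__":
    # clean, SoftICE loader, and one global 4-byte write BPM on dr0
    for value in (0x400, 0x700, 0xD0402):
        print(describe(value))
```

The GD bit is the one to watch when hunting this trick from the other side: with it set, the MOV from DRx that the check performs traps into the debugger before the value is read.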

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open handles to the SoftICE drivers (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   /* "\\.\SICE" is the Win9x SoftICE VxD; the same call with "\\.\SIWVID"
      or "\\.\NTICE" covers the video driver and the NT version. */
   hFile = CreateFileA("\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);          /* the open succeeded: the driver is loaded */
      return TRUE;
   }
   return FALSE;
}


Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then walks the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will therefore be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'
  (esp->4 is the lpFileName argument; +4 skips the "\\.\" prefix so the
  4-byte compare lands on the driver name that follows)

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!


__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(


Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

(esp->8 is the lpSubKey argument; "tICE" sits at offset 0x13 of
"Software\NuMega\SoftICE" and at offset 0x37 of
"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE")

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
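As an added example (not from the original text, and not NuMega's or any protector's code), the scanner below searches a raw binary image for the opcode sequences and strings that methods 01 to 13 leave behind, so that a reverser can locate these checks statically before loading the target under SoftICE. It generalizes the page in two ways: each signature accepts either operand order where the text shows one, and a UTF-16 form of the MeltICE device names is included for CreateFileW callers, which the text does not mention. It assumes literal immediates and strings (a protector that computes 0F386h or builds "\\.\SICE" at run time will not match) and the 16-bit encodings for the DOS tricks; the sample image is constructed here from the snippets quoted above, not taken from any real file.

```python
"""Static scanner for the anti-SoftICE idioms of methods 01-13 (added example).

Not code from the original text or from any protector it names.  It looks for
the opcode sequences and strings the methods leave in a binary (DOS executable,
PE section, memory dump).  Assumed: 16-bit encodings for the DOS tricks, 32-bit
encodings for the MeltICE/VxDCall code, literal (not run-time built) immediates
and strings.  The UTF-16 device-name form is an addition for CreateFileW callers.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    offset: int
    method: str
    what: str


def _sig(method, what, pattern):
    # Opcode patterns are byte-exact; '.' may span any byte (DOTALL), so the
    # {0,n}? gaps tolerate a few interleaved instructions.
    return method, what, re.compile(pattern, re.DOTALL)


SIGNATURES = [
    _sig("01", "mov ebp,'BCHK' / mov ax,4 / int 3 (BoundsChecker handshake)",
         rb"\xBD\x4B\x48\x43\x42.{0,16}?\xB8\x04\x00.{0,8}?(?:\xCC|\xCD\x03)"),
    _sig("02", "mov si,4647h / mov di,4A4Dh (int 3 back door magic values)",
         rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"),
    _sig("03", "int 2Fh/1684h with bx=0202h (SICE VxD ID)",
         rb"(?:\xB8\x84\x16.{0,6}?\xBB\x02\x02|\xBB\x02\x02.{0,6}?\xB8\x84\x16).{0,6}?\xCD\x2F"),
    _sig("04", "int 2Fh/1684h with bx=7A5Fh (SIWVID VxD ID)",
         rb"(?:\xB8\x84\x16.{0,6}?\xBB\x5F\x7A|\xBB\x5F\x7A.{0,6}?\xB8\x84\x16).{0,6}?\xCD\x2F"),
    _sig("05", "mov ax,4Fh / int 41h (debugger installation check)",
         rb"\xB8\x4F\x00.{0,6}?\xCD\x41"),
    _sig("06", "in al,40h ... int 41h (timer-seeded int 41h handler check)",
         rb"\xE4\x40.{0,6}?\xCD\x41"),
    _sig("07", "mov ah,43h / int 68h (WinICE V86 handler)",
         rb"\xB4\x43.{0,6}?\xCD\x68"),
    _sig("05/07/12", "cmp ax,0F386h (system debugger magic number)",
         rb"\x3D\x86\xF3"),
    _sig("11", "\\\\.\\SICE, SIWVID or NTICE device name (MeltICE)",
         rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    _sig("11", "UTF-16 device name (CreateFileW form, assumed)",
         rb"\\\x00\\\x00\.\x00\\\x00(?:S\x00I\x00C\x00E\x00|S\x00I\x00W\x00V\x00I\x00D\x00|N\x00T\x00I\x00C\x00E\x00)"),
    _sig("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
         rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00).{0,4}?\x68\x2A\x00\x2A\x00"),
    _sig("13", "SoftICE registry path (case-insensitive)",
         rb"(?i)(?:Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]


def scan(image: bytes) -> list:
    """Every signature hit in `image`, ordered by offset."""
    hits = [Hit(m.start(), method, what)
            for method, what, pattern in SIGNATURES
            for m in pattern.finditer(image)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(image: bytes) -> set:
    """The method numbers whose signature appears in `image`."""
    return {h.method for h in scan(image)}


# Constructed sample image (not a real binary): hand-assembled fragments of the
# snippets quoted in the text, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    + b"\x66\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04"        # Method 01
    + b"\x90" * 4
    + b"\xB8\x11\x09\x8B\x17\xBE\x47\x46\xBF\x4D\x4A\xCC"        # Method 02 (HASP loop body)
    + b"\x90" * 4
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"        # Method 03
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                        # Method 05 + 0F386h compare
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                                        # Method 11 (MeltICE string)
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"                            # Method 12
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"                           # Method 13 (registry key #2)
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in scan(data):
        print(f"{h.offset:08x}  method {h.method:<9} {h.what}")
```

Run it as `python scanner.py target.exe`; without an argument it scans the constructed sample. Treat a hit as a lead, not a verdict: the three-byte cmp ax,0F386h and the two-byte in al,40h are short enough to occur by chance in data, so confirm each offset in a disassembler before setting the matching BPX from the text.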
</PRE></TD></TR></TBODY></TABLE>