About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands; ds:dx points to the command)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; ES must point to segment 0 (the IVT),
    xchg    bx, es:[41h*4+2]        ; as in Method 06 below
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = changing value (PIT counter)
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL != AL: our handler never ran,
    jnz     SoftICE_detected        ; int 41h was intercepted

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...):

    mov     ah, 25h
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and then it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
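The constants the methods above depend on (the 'BCHK' value, the 4647h/4A4Dh magic values, 0F386h, the VxD IDs 0202h/7A5Fh, the \\.\SICE device names, the 002A002Ah VxDCall service and the NuMega registry key) make these tricks easy to flag when triaging a packed sample. The scanner below is an added example, not part of the original post; its byte encodings assume the operand sizes of the listings above (16-bit code for the DOS/int checks, 32-bit for the Win32 ones) and its sample input is constructed, not taken from a real binary.

```python
import re

# Byte signatures for the SoftICE checks described in the post above.
# Encodings assume the operand size of the listings: 16-bit code for the
# DOS/int-based checks, 32-bit code for the Win32 (MeltICE, VxDCall) ones.
# Small gaps (.{0,N}) tolerate extra register setup between instructions.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    ("01 BoundsChecker 'BCHK' via int 3",
     re.compile(rb"\xbd\x4b\x48\x43\x42.{0,8}\xcc", re.DOTALL)),
    # Method 02: mov si,4647h ... mov di,4A4Dh ... int 3 (back door)
    ("02 int 3 back door (SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xbe\x47\x46.{0,8}\xbf\x4d\x4a.{0,8}\xcc", re.DOTALL)),
    # Methods 03/04: mov bx,0202h or mov bx,7A5Fh ... int 2Fh (ax=1684h)
    ("03/04 int 2Fh/1684h VxD ID (SICE or SIWVID)",
     re.compile(rb"\xbb(?:\x02\x02|\x5f\x7a).{0,8}\xcd\x2f", re.DOTALL)),
    # Method 05: mov ax,4Fh ... int 41h ... cmp ax,0F386h
    ("05 int 41h/4Fh magic 0F386h",
     re.compile(rb"\xb8\x4f\x00.{0,8}\xcd\x41.{0,8}\x3d\x86\xf3", re.DOTALL)),
    # Method 07: mov ah,43h ... int 68h
    ("07 int 68h/43h (V86 WinICE handler)",
     re.compile(rb"\xb4\x43.{0,4}\xcd\x68", re.DOTALL)),
    # Method 11: "\\.\SICE", "\\.\SIWVID" or "\\.\NTICE" device name
    ("11 MeltICE driver device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah before VxDCall
    ("12 VxDCall VWIN32_Int41Dispatch (002A002Ah)",
     re.compile(rb"(?:\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00")),
    # Method 13: Software\NuMega\SoftICE registry key
    ("13 registry key Software\\NuMega\\SoftICE",
     re.compile(rb"NuMega\\SoftICE")),
]


def scan(blob: bytes) -> list[str]:
    """Return the label of every anti-SoftICE signature found in blob."""
    return [label for label, pat in SIGNATURES if pat.search(blob)]


# Constructed sample (not from a real binary): the Haspinst-style int 3
# back door sequence of Method 02, then a MeltICE device name (Method 11).
SAMPLE = (
    b"\xb8\x11\x09"        # mov ax,0911h   (execute SIce command)
    b"\x8b\x17"            # mov dx,[bx]    (ds:dx -> command string)
    b"\xbe\x47\x46"        # mov si,4647h   (1st magic value)
    b"\xbf\x4d\x4a"        # mov di,4A4Dh   (2nd magic value)
    b"\xcc"                # int 3
    + b"\x90" * 16         # padding
    + b"\\\\.\\SICE\x00"   # "\\.\SICE" as passed to CreateFileA
)

if __name__ == "__main__":
    for label in scan(SAMPLE):
        print("found:", label)
```

Run as-is it reports Methods 02 and 11 for the constructed sample; point scan() at the bytes of any DOS or Win9x-era executable to triage it for the other methods.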