About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown Interrupt list" chapter int 03h.

Here is one example from the file "Haspinst.exe" which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls the int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

Next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in the int68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with softice but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68

   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________
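As an added example (not part of the original post), here is a small byte-pattern scan that flags the int-based checks of Methods 01 to 05 and 07 in a raw code buffer, the way an analyst might triage a sample before loading it in a debugger. The opcode encodings are standard x86 (16-bit code unless noted) and the sample buffer is constructed for this example; Stone's second int 41h variant (Method 06) is included to show that it carries no constant to match on.

```python
import re

# Each pattern is anchored on a constant the post calls out: 'BCHK', the
# 4647h/4A4Dh magic values, the 0202h/7A5Fh VxD IDs, int 41h/4Fh, int 68h/43h.
SIGNATURES = {
    # mov ebp,4243484Bh ('BCHK') ... int 3         (32-bit code, Method 01)
    "Method 01 BoundsChecker 'BCHK' int 3":
        re.compile(rb"\xBD\x4B\x48\x43\x42.{0,16}?\xCC", re.S),
    # mov si,4647h ; mov di,4A4Dh                  (back-door magic, Method 02)
    "Method 02 back-door magic SI/DI":
        re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A", re.S),
    # mov ax,1684h ; mov bx,0202h|7A5Fh ; int 2Fh  (Methods 03/04)
    "Method 03/04 int 2Fh/1684h VxD ID":
        re.compile(rb"\xB8\x84\x16\xBB(?:\x02\x02|\x5F\x7A)\xCD\x2F", re.S),
    # mov ax,4Fh ; int 41h                         (Method 05, simple and Stone #1)
    "Method 05 int 41h/4Fh":
        re.compile(rb"\xB8\x4F\x00\xCD\x41", re.S),
    # mov ah,43h ; int 68h                         (Method 07)
    "Method 07 int 68h/43h":
        re.compile(rb"\xB4\x43\xCD\x68", re.S),
}

def scan(code: bytes) -> list[tuple[int, str]]:
    """Return (offset, method) for every signature hit, sorted by offset."""
    hits = [(m.start(), name) for name, pat in SIGNATURES.items()
            for m in pat.finditer(code)]
    return sorted(hits)

def methods_found(code: bytes) -> list[str]:
    """Just the method names, in the order they occur in the buffer."""
    return [name for _, name in scan(code)]

# Constructed sample: the Method 01 check, the simple Method 05 check and
# Stone's second variant (Method 06), separated by nop padding.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp,4243484Bh
    + b"\x66\xB8\x04\x00"          # mov ax,4 (operand-size prefix in 32-bit code)
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al,4
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"      # mov ax,4Fh ; int 41h
    + b"\x3D\x86\xF3"              # cmp ax,0F386h
    + b"\x90" * 4
    + b"\xE4\x40\x31\xC9\xCD\x41"  # in al,40h ; xor cx,cx ; int 41h (Method 06:
)                                  # no fixed AX value, so nothing here to match)

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

The Method 06 bytes at the end of the sample produce no hit, which is exactly why the post calls that variant harder to detect.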

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance)

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                             (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
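The breakpoint conditions quoted for Methods 11 and 13 hinge on pointer arithmetic into the strings the checked program passes to CreateFileA and RegOpenKey. The following is an added example (not from the original post) that works that arithmetic out for the device names and registry keys listed above; esp->4 and esp->8 are taken to be the lpFileName and lpSubKey arguments respectively, and the post's own offsets 4, 0x13 and 0x37 are the values being verified.

```python
import struct

# Device paths and registry subkeys as listed in Methods 11 and 13.
DEVICE_PATHS = [r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE"]
REGISTRY_KEYS = {
    1: r"Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE",
    2: r"Software\NuMega\SoftICE",
    3: r"Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe",
}

def dword_at(s: str, offset: int) -> bytes:
    """The 4 bytes a '*(ptr+offset)' dereference reads from the C string s."""
    data = s.encode("ascii") + b"\0"          # NUL terminator, as in memory
    if offset < 0 or offset + 4 > len(data):
        raise ValueError("dereference past the end of the string")
    return data[offset:offset + 4]

def char_const(tag: str) -> int:
    """A 4-char constant such as 'SICE' as the little-endian dword a debugger
    displays for memory holding those bytes (0x45434953 for 'SICE')."""
    return struct.unpack("<I", tag.encode("ascii"))[0]

def matches(s: str, offset: int, tag: str) -> bool:
    """Evaluate *(s+offset)==tag as a dword compare of the bytes in memory."""
    return struct.unpack("<I", dword_at(s, offset))[0] == char_const(tag)

def tag_offsets(s: str, tag: str) -> list[int]:
    """Every offset at which the 4-char tag occurs in s."""
    return [i for i in range(len(s) - 3) if s[i:i + 4] == tag]

def device_tags() -> dict[str, str]:
    """Why the CreateFileA condition skips 4 bytes: offset 0 holds '\\.\' for
    every device, so only the dword at offset 4 tells the drivers apart."""
    return {p: dword_at(p, 4).decode() for p in DEVICE_PATHS}

def regopenkey_condition(tag: str = "tICE") -> str:
    """Rebuild the BPX _regopenkey condition from the key names: the offsets
    are simply where the tag sits inside subkeys #2 and #1 (#3 has none)."""
    terms = [f"*(esp->8+{off:#x})=='{tag}'"
             for k in (2, 1) for off in tag_offsets(REGISTRY_KEYS[k], tag)]
    return " || ".join(terms)

if __name__ == "__main__":
    print(device_tags())
    print("BPX _regopenkey if", regopenkey_condition())
```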
Method 14
=========

A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.