About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

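To make the Method 10 check concrete, here is an added Python example (not part of the original text) that decodes a DR7 value into the hardware breakpoints it enables and the LE/GE/GD flags, using the bit layout from the Intel SDM. The function names are my own, and the only sample values taken from the text are 0x700 and 0x400; the others are constructed. Reading DR7 itself needs ring 0, so this only interprets a value an analyst has already captured.

```python
"""Decode an x86 DR7 value the way a ring-0 anti-debug check would read it.

Added example for this page, not part of the original text. Bit positions
follow the Intel SDM (vol. 3, "Debug Registers"); the function names and the
sample values other than 0x700 / 0x400 (quoted in the text) are my own.
Reading DR7 needs ring 0, so this only interprets a value already captured.
"""
from dataclasses import dataclass

# R/W field encoding (bits 16-17, 20-21, 24-25, 28-29 for DR0..DR3).
_RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
# LEN field encoding (bits 18-19, 22-23, 26-27, 30-31 for DR0..DR3).
_LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}
_SCOPE = {(1, 0): "local", (0, 1): "global", (1, 1): "local+global"}


@dataclass(frozen=True)
class HwBreakpoint:
    index: int     # 0..3, pairs with DR0..DR3
    scope: str     # local (Ln), global (Gn) or both
    kind: str      # execute / write / read/write / io
    length: int    # bytes covered by the breakpoint
    address: int   # linear address from DRn, 0 when not supplied


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Return the breakpoints DR7 enables plus the LE, GE and GD flags."""
    bps = []
    for i in range(4):
        local = (dr7 >> (2 * i)) & 1        # Ln enable bit
        glob = (dr7 >> (2 * i + 1)) & 1     # Gn enable bit
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * i)) & 0b11
        ln = (dr7 >> (18 + 4 * i)) & 0b11
        bps.append(HwBreakpoint(i, _SCOPE[(local, glob)], _RW_KIND[rw],
                                _LEN_BYTES[ln], dr0_3[i]))
    return {
        "breakpoints": bps,
        "local_exact": bool(dr7 & (1 << 8)),      # LE, bit 8
        "global_exact": bool(dr7 & (1 << 9)),     # GE, bit 9
        "general_detect": bool(dr7 & (1 << 13)),  # GD, bit 13
    }


def loaded_via_softice_loader(dr7: int) -> bool:
    """The text's heuristic: DR7 == 0x700 (LE and GE set) after the SoftICE
    loader started the program, 0x400 (only the always-set bit 10) otherwise."""
    return (dr7 & 0x300) == 0x300


def has_memory_breakpoints(dr7: int) -> bool:
    """True when any of DR0..DR3 is enabled, i.e. a BPM-style breakpoint is set."""
    return bool(decode_dr7(dr7)["breakpoints"])


if __name__ == "__main__":
    # 0x400 and 0x700 are the two values the text quotes; the third is constructed:
    # L0 enabled, R/W0 = write, LEN0 = 4 bytes.
    for v in (0x400, 0x700, 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)):
        print(hex(v), loaded_via_softice_loader(v), decode_dr7(v)["breakpoints"])
```

The two questions the text raises map onto the two helpers: loaded_via_softice_loader answers "was this started under the SoftICE loader" from the LE/GE bits, and has_memory_breakpoints answers "is a BPM set" from the L0..L3/G0..G3 enable bits, which is also exactly what a protection would clear to remove them.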
Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE when the SoftICE Win9x driver (SICE) answers an open request. */
BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the VxD device name only succeeds if the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
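The breakpoints listed above catch these tricks at run time; an analyst triaging a packed file usually wants to know in advance which of them it carries. Here is an added Python example (my own code, not part of the original text) that turns the instruction sequences and strings quoted in Methods 01 to 05, 07, 11, 12 and 13 into byte patterns and reports where they occur in a raw file image. The opcode encodings assumed are standard 16/32-bit x86 (mov ebp,imm32 = BD, mov si/di,imm16 = BE/BF, mov bx,imm16 = BB, int n = CD n, cmp ax,imm16 = 3D, push imm8/imm32 = 6A/68); the SAMPLE buffer is constructed for the demonstration and is not taken from any real program, and the short wildcard gaps between instructions are a heuristic, so treat hits as triage leads rather than proof.

```python
"""Static triage scanner for the anti-SoftICE tricks described on this page.

Added example, not part of the original text: the patterns are derived from
the instruction sequences and strings quoted in Methods 01-05, 07, 11, 12
and 13, using standard 16/32-bit x86 encodings. SAMPLE is a constructed
buffer for demonstration only.
"""
import re
from dataclasses import dataclass

# The literal characters \\.\ as they appear inside a binary (device prefix).
_DEVICE = re.escape(b"\\\\.\\")

# method number from the text -> (description, bytes regex).
# .{0,n} gaps allow for register set-up between the key instructions.
SIGNATURES = {
    "01": ("BoundsChecker 'BCHK' signature followed by int 3",
           rb"\xBD\x4B\x48\x43\x42.{0,8}\xCC"),                  # mov ebp,4243484Bh ... int 3
    "02": ("SoftICE back door int 3 with SI=4647h / DI=4A4Dh",
           rb"(?:\xBE\x47\x46.{0,8}\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}\xBE\x47\x46).{0,8}\xCC"),
    "03/04": ("int 2Fh/1684h with the SICE (0202h) or SIWVID (7A5Fh) VxD id",
              rb"\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F"),      # mov bx,id ... int 2Fh
    "05": ("int 41h followed by a compare with the 0F386h magic number",
           rb"\xCD\x41.{0,16}\x3D\x86\xF3"),                      # int 41h ... cmp ax,0F386h
    "07": ("int 68h with ah=43h",
           rb"\xB4\x43\xCD\x68"),                                 # mov ah,43h ; int 68h
    "11": ("MeltICE device name (CreateFile / _lopen on the driver)",
           _DEVICE + rb"(?:SICE|SIWVID|NTICE)"),
    "12": ("VxDCall VWIN32_Int41Dispatch with function 4Fh",
           rb"\x6A\x4F\x68\x2A\x00\x2A\x00"),                     # push 4Fh ; push 002A002Ah
    "13": ("SoftICE registry key name",
           re.escape(b"Software\\NuMega\\SoftICE")),
}
_COMPILED = {k: (d, re.compile(p, re.DOTALL)) for k, (d, p) in SIGNATURES.items()}


@dataclass(frozen=True)
class Hit:
    method: str       # method number as used on this page
    offset: int       # file offset of the first byte of the match
    description: str


def scan_anti_softice(data: bytes) -> list:
    """Return every signature occurrence in data, ordered by file offset."""
    hits = []
    for method, (desc, rx) in _COMPILED.items():
        for m in rx.finditer(data):
            hits.append(Hit(method, m.start(), desc))
    hits.sort(key=lambda h: (h.offset, h.method))
    return hits


# Constructed sample image: NOP padding around sequences quoted on this page.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"            # mov ebp, 04243484Bh ('BCHK')   Method 01
    + b"\x66\xB8\x04\x00"                # mov ax, 4
    + b"\xCC"                            # int 3
    + b"\x3C\x04\x75\x10"                # cmp al,4 ; jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"                 # "\\.\SICE" device name          Method 11
    + b"\x90" * 4
    + b"\xB8\x4F\x00\xCD\x41"            # mov ax,4Fh ; int 41h            Method 05
    + b"\x3D\x86\xF3\x74\x05"            # cmp ax,0F386h ; jz
    + b"\x90" * 4
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"    # push 4Fh ; push 002A002Ah       Method 12
    + b"\x90" * 4
    + b"Software\\NuMega\\SoftICE\x00"   # registry key                    Method 13
)

if __name__ == "__main__":
    for h in scan_anti_softice(SAMPLE):
        print(f"{h.offset:#08x}  method {h.method:<5} {h.description}")
```

Run it against a real dumped or unpacked image with `scan_anti_softice(open(path, "rb").read())`; on a packed file the Method 11 and 13 strings will usually only appear after the unpacking stub has run, which is itself a useful hint about where the checks live.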
</PRE></TD></TR></TBODY></TABLE>