About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface implemented by SoftICE: with the
'BCHK' signature in EBP and AX=4, SoftICE answers the INT 3 by changing AL,
so if AL is still 4 afterwards no SoftICE is loaded.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point): if the VxD is loaded, ES:DI comes back
non-zero.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is first replaced by
a handler that does nothing, so if AX still comes back as 0F386h the call
was answered before it ever reached the vector table (SoftICE intercepts
int 41h in ring0):

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install int41handler2, save old vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:
the value read from the timer port (in al,40h) is unpredictable, and the
installed handler copies it into cl. If int 41h really reaches the handler,
cl equals al afterwards; if a debugger swallowed the call, cx is still 0.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install int41handler, save old vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; unpredictable value from the PIT
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________
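Added example, not part of the original text and not code from the author: a small Python scanner that looks for the instruction sequences of Methods 01 to 05 in a raw code blob, the way a packer-analysis or malware triage script would when deciding whether a sample is debugger-aware. The rule names, the Rule layout and the sample blob are this example's own constructions; the byte values are the standard x86 encodings of the instructions listed above (16-bit immediates also match when a 66h prefix precedes them in 32-bit code).

```python
# Added example, not from the original text: a static scanner for the
# instruction sequences of Methods 01 to 05. Rule names, the Rule layout and
# the sample blob below are this example's own constructions.
from dataclasses import dataclass

INT3 = (b"\xCC", b"\xCD\x03")          # short and long encodings of INT 3


@dataclass(frozen=True)
class Rule:
    name: str
    triggers: tuple                    # encodings of the interrupt to anchor on
    before: tuple = ()                 # fragments that must precede the trigger
    after: tuple = ()                  # fragments that must follow it
    window: int = 16                   # bytes to look back / ahead


RULES = (
    # Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42, then int 3
    Rule("M01 BoundsChecker BCHK via INT 3", INT3,
         before=(b"\xBD\x4B\x48\x43\x42",)),
    # Method 02: mov si,4647h = BE 47 46 and mov di,4A4Dh = BF 4D 4A, then int 3
    Rule("M02 back-door magic SI/DI via INT 3", INT3,
         before=(b"\xBE\x47\x46", b"\xBF\x4D\x4A"), window=24),
    # Method 03: mov ax,1684h = B8 84 16, mov bx,0202h = BB 02 02, int 2Fh = CD 2F
    Rule("M03 INT 2Fh/1684h VxD ID 0202h", (b"\xCD\x2F",),
         before=(b"\xB8\x84\x16", b"\xBB\x02\x02")),
    # Method 04: same call with mov bx,7A5Fh = BB 5F 7A
    Rule("M04 INT 2Fh/1684h VxD ID 7A5Fh", (b"\xCD\x2F",),
         before=(b"\xB8\x84\x16", b"\xBB\x5F\x7A")),
    # Method 05: mov ax,4Fh = B8 4F 00, int 41h = CD 41, cmp ax,0F386h = 3D 86 F3
    Rule("M05 INT 41h/4Fh magic 0F386h", (b"\xCD\x41",),
         before=(b"\xB8\x4F\x00",), after=(b"\x3D\x86\xF3",)),
)


def scan(data: bytes):
    """Return sorted (rule name, signature start offset) pairs, one per signature.

    Anchoring on the interrupt and then checking the immediates in a small
    window around it keeps lone CCh padding bytes from being reported.
    """
    hits = set()
    for rule in RULES:
        for trig in rule.triggers:
            pos = data.find(trig)
            while pos != -1:
                lo = max(0, pos - rule.window)
                pre = data[lo:pos]
                post = data[pos + len(trig):pos + len(trig) + rule.window]
                if all(f in pre for f in rule.before) and all(f in post for f in rule.after):
                    start = min((lo + pre.find(f) for f in rule.before), default=pos)
                    hits.add((rule.name, start))
                pos = data.find(trig, pos + 1)
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample: NOP filler, harmless INT 3 padding, then the Method 01
# sequence (32-bit encoding), a Method 03 check and a Method 05 check.
SAMPLE = (
    b"\x90" * 4
    + b"\xCC" * 8                      # padding: no signature in front of it
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp,4243484Bh  ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax,4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al,4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x33\xFF"                      # xor di,di
    + b"\x8E\xC7"                      # mov es,di
    + b"\xB8\x84\x16"                  # mov ax,1684h
    + b"\xBB\x02\x02"                  # mov bx,0202h
    + b"\xCD\x2F"                      # int 2Fh
    + b"\xB8\x4F\x00"                  # mov ax,4Fh
    + b"\xCD\x41"                      # int 41h
    + b"\x3D\x86\xF3"                  # cmp ax,0F386h
    + b"\x74\x05"                      # jz SoftICE_detected
)

if __name__ == "__main__":
    for name, off in scan(SAMPLE):
        print(f"{off:#06x}  {name}")
```

On the constructed sample the scanner reports the 'BCHK' sequence, the int 2Fh/1684h check and the int 41h/4Fh check, and nothing for the CCh padding. On a real file you would feed it the bytes of the code section; a signature split by junk instructions wider than the window is missed, which is the usual trade-off of this kind of byte matching.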

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector); ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________
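Added example, not from the original text: a Python decoder of DR7 values, to make the 0x700 and 0x400 figures quoted above concrete and to show what a set BPM looks like in the same register. It only interprets a value that has already been read out; reading the debug registers themselves requires ring0, as the text says. The sample BPM value is constructed.

```python
# Added example, not from the original text: decodes a DR7 value into the
# fields that matter for breakpoint detection. The 0x700 / 0x400 figures are
# the ones quoted in Method 10; SAMPLE_BPM_DR7 is a constructed value.
RW_KIND = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int) -> dict:
    """Split DR7 into its enable flags and the per-register breakpoint fields."""
    bps = []
    for n in range(4):                         # one entry per DR0..DR3
        local = bool(dr7 >> (2 * n) & 1)       # Ln bit
        glob = bool(dr7 >> (2 * n + 1) & 1)    # Gn bit
        rw = dr7 >> (16 + 4 * n) & 3           # R/Wn field
        length = dr7 >> (18 + 4 * n) & 3       # LENn field
        if local or glob:
            bps.append({"index": n, "local": local, "global": glob,
                        "kind": RW_KIND[rw], "length": LEN_BYTES[length]})
    return {
        "LE": bool(dr7 >> 8 & 1),      # local exact breakpoint enable
        "GE": bool(dr7 >> 9 & 1),      # global exact breakpoint enable
        "GD": bool(dr7 >> 13 & 1),     # general detect: traps on any DRx access
        "breakpoints": bps,
    }


def breakpoints_armed(dr7: int) -> bool:
    """True if any of DR0..DR3 is enabled, i.e. a hardware breakpoint (BPM) is set."""
    return (dr7 & 0xFF) != 0


# Constructed DR7: bit 10 (always 1) plus G0 with R/W0=11b (read/write)
# and LEN0=11b (4 bytes), i.e. a 4-byte global read/write breakpoint in DR0.
SAMPLE_BPM_DR7 = 0x400 | (1 << 1) | (3 << 16) | (3 << 18)

if __name__ == "__main__":
    for value in (0x700, 0x400, SAMPLE_BPM_DR7):
        print(f"{value:#x}: {decode_dr7(value)}")
```

Decoded this way, 0x700 is bit 10 (reserved, always set) plus LE and GE, the "exact" breakpoint enables, while 0x400 is bit 10 alone; neither value has any of DR0 to DR3 armed, which is why the text separates "SoftICE loaded" from "memory breakpoints set".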

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the C spelling of the device path \\.\SICE */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and so it will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
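Added example, not from the original text, serving Methods 11 and 13 together: a Python classifier for lines of an API call trace, as a sandbox or API monitor would record them, that flags the driver-handle probes (\\.\SICE, \\.\SIWVID, \\.\NTICE via CreateFile or _lopen) and lookups of the three registry keys listed above. The line format, the sample lines and the process id are constructed for this example and are not the output of any particular tool.

```python
# Added example, not from the original text: classifies lines of an API call
# trace to flag the driver-handle probe of Method 11 and the registry lookups
# of Method 13. Line format, sample lines and pid are constructed.
import re

SOFTICE_DEVICES = {"SICE", "SIWVID", "NTICE"}              # \\.\SICE etc.
SOFTICE_KEYS = {                                           # the three keys above
    r"software\numega\softice",
    r"software\microsoft\windows\currentversion\uninstall\softice",
    r"software\microsoft\windows\currentversion\app paths\loader32.exe",
}
# constructed trace line shape: "<pid> <api>(<args>) = <ret>"
CALL_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)(?:\s*=\s*(?P<ret>\S+))?$")
QUOTED_RE = re.compile(r'"([^"]*)"')
DEVICE_RE = re.compile(r"^\\\\\.\\([A-Za-z0-9]+)$")         # \\.\NAME


def classify_call(line: str):
    """Return (pid, api, object, reason) for a SoftICE probe, else None."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    api, strings = m["api"], QUOTED_RE.findall(m["args"])
    if not strings:
        return None
    if api in ("CreateFileA", "CreateFileW", "_lopen"):
        dev = DEVICE_RE.match(strings[0])              # first string arg is the path
        if dev and dev.group(1).upper() in SOFTICE_DEVICES:
            return (int(m["pid"]), api, dev.group(1).upper(),
                    "method 11: SoftICE driver handle probe")
    if api.startswith("RegOpenKey"):
        key = strings[0].lower().strip("\\")           # hKey is not quoted, subkey is
        if key in SOFTICE_KEYS:
            return (int(m["pid"]), api, key, "method 13: SoftICE registry lookup")
    return None


def scan_trace(text: str):
    """Classify every line; keep only the ones that are SoftICE probes."""
    return [hit for hit in map(classify_call, text.splitlines()) if hit]


# Constructed trace: two probes for SoftICE drivers, one registry lookup,
# and two ordinary calls that must not be flagged.
SAMPLE_TRACE = r"""
1234 CreateFileA("\\.\SICE", 0xC0000000, 3, 0, 3, 0x80, 0) = 0xFFFFFFFF
1234 CreateFileA("C:\app\config.ini", 0x80000000, 1, 0, 3, 0x80, 0) = 0x5C
1234 _lopen("\\.\SIWVID", 0) = -1
1234 RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\NuMega\SoftICE", 0, 0x20019, 0x12F000) = 2
1234 RegOpenKeyExA(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Run", 0, 0x20019, 0x12F000) = 0
"""

if __name__ == "__main__":
    for hit in scan_trace(SAMPLE_TRACE):
        print(hit)
```

Matching on the device name rather than on the whole string catches the _lopen variant and either CreateFile spelling with the same rule; the registry check compares the full subkey so that unrelated keys under CurrentVersion are left alone.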

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>