About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands' which give infos on Breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call. (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point)

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86)

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h
    mov     al, Int_Number            ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
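To make the dr7 values quoted above concrete, here is an added Python example (not part of the original text) that decodes a DR7 snapshot into its LE/GE flags and the armed breakpoint slots dr0-dr3, following the bit layout documented in the Intel manuals: bits 0-7 are the L/G enable pairs, bit 8 LE, bit 9 GE, bit 10 is reserved and always reads as 1, bit 13 GD, and bits 16-31 hold the R/W and LEN fields for the four slots. `softice_loader_signature` just encodes the page's own observation (0x700 versus 0x400) and is an assumption about what such a check compares; the register values in the demo are constructed, and reading the real registers needs ring0 as the text says.

```python
"""Decode an x86 DR7 snapshot (added example for Method 10).

0x400 is the always-set reserved bit alone; 0x700 adds LE and GE on top
of it, which is what the page reports under the SoftICE loader."""

DR7_LE = 1 << 8          # local exact breakpoint enable (legacy)
DR7_GE = 1 << 9          # global exact breakpoint enable (legacy)
DR7_RESERVED1 = 1 << 10  # reserved bit that always reads as 1
DR7_GD = 1 << 13         # general detect: trap on any MOV to/from DR0-DR7

RW_NAMES = {0: "exec", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN encoding -> bytes (8 is 64-bit only)


def decode_dr7(dr7, dr_addrs=(0, 0, 0, 0)):
    """Return the control flags and every armed hardware breakpoint.

    dr_addrs are the dr0..dr3 linear addresses read together with dr7
    (constructed values in the demo below)."""
    slots = []
    for i in range(4):
        local = bool(dr7 & (1 << (2 * i)))       # Li bit
        glob = bool(dr7 & (1 << (2 * i + 1)))    # Gi bit
        if not (local or glob):
            continue                             # slot i is not armed
        rw = (dr7 >> (16 + 4 * i)) & 0b11        # R/Wi field
        ln = (dr7 >> (18 + 4 * i)) & 0b11        # LENi field
        slots.append({
            "slot": i,
            "addr": dr_addrs[i],
            "kind": RW_NAMES[rw],
            "len": LEN_BYTES[ln],
            "global": glob,
        })
    return {
        "le": bool(dr7 & DR7_LE),
        "ge": bool(dr7 & DR7_GE),
        "general_detect": bool(dr7 & DR7_GD),
        "breakpoints": slots,
    }


def softice_loader_signature(dr7):
    """Assumption drawn from the page's numbers: 0x700 means LE|GE are set
    on top of the reserved bit, 0x400 means only the reserved bit is set."""
    return (dr7 & 0x700) == 0x700


def armed_addresses(dr7, dr_addrs):
    """Addresses of every armed slot: what the page calls 'memory
    breakpoints' (BPM) living in dr0..dr3."""
    return [bp["addr"] for bp in decode_dr7(dr7, dr_addrs)["breakpoints"]]


if __name__ == "__main__":
    # Constructed snapshot: loader-style dr7 plus one 4-byte write
    # breakpoint in slot 0 on a made-up address.
    demo_dr7 = 0x700 | 0x1 | (0b01 << 16) | (0b11 << 18)
    print(hex(demo_dr7), decode_dr7(demo_dr7, (0x00401000, 0, 0, 0)))
```

The decoder is deliberately independent of how the registers were obtained: feed it values captured from a ring0 component or from a debugger's own register view and it tells you whether any BPM is armed and what kind, which is the information a protection of this type acts on.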

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
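The breakpoints listed under each method catch a trick at run time with SoftICE attached. As an added static counterpart that is not part of the original text, the Python script below scans a raw binary image for the byte patterns and strings quoted in Methods 01, 02, 03/04, 05, 07, 11, 12 and 13 and reports which families are present and where. The instruction encodings are the standard x86 ones for the mnemonics quoted above (16-bit operand forms for the DOS methods, which also appear unchanged behind a 66h prefix in 32-bit code); the `.{0,N}` windows between instructions are a heuristic chosen here, and `SAMPLE` is a constructed blob, not bytes from any of the programs the text names.

```python
"""Static triage for the anti-SoftICE tricks quoted on this page (added
example). Needs neither SoftICE nor Windows: it searches a raw image for
the instruction bytes and strings each method relies on."""
import re
import sys


def _pats(*patterns):
    return [re.compile(p, re.DOTALL) for p in patterns]


# (method id, description, patterns that must ALL match somewhere).
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     _pats(rb"\xBD\x4B\x48\x43\x42.{0,16}(?:\xCC|\xCD\x03)")),   # mov ebp,4243484Bh .. int 3
    ("02", "int 3 back door with SI=4647h / DI=4A4Dh",
     _pats(rb"\xBE\x47\x46", rb"\xBF\x4D\x4A")),                 # mov si,4647h ; mov di,4A4Dh
    ("03/04", "int 2Fh/1684h entry point of SICE (0202h) or SIWVID (7A5Fh)",
     _pats(rb"\xB8\x84\x16.{0,8}\xBB(?:\x02\x02|\x5F\x7A).{0,8}\xCD\x2F")),
    ("05", "int 41h function 4Fh compared with 0F386h",
     _pats(rb"\xB8\x4F\x00.{0,16}\xCD\x41", rb"\x3D\x86\xF3")),  # mov ax,4Fh ; int 41h ; cmp ax,0F386h
    ("07", "int 68h function 43h",
     _pats(rb"\xB4\x43.{0,8}\xCD\x68")),                         # mov ah,43h ; int 68h
    ("11", "MeltICE device names \\\\.\\SICE, SIWVID or NTICE",
     _pats(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    ("12", "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
     _pats(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),  # push 4Fh ; push 2A002Ah
    ("13", "SoftICE registry key names",
     _pats(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]


def scan(blob):
    """Return (method id, lowest match offset) for every family whose
    patterns all occur in blob, in the order of SIGNATURES."""
    hits = []
    for method, _desc, patterns in SIGNATURES:
        matches = [p.search(blob) for p in patterns]
        if all(matches):
            hits.append((method, min(m.start() for m in matches)))
    return hits


def report(blob):
    """Human-readable lines, one per detected family."""
    desc = {m: d for m, d, _ in SIGNATURES}
    return ["%06X  Method %s: %s" % (off, m, desc[m]) for m, off in scan(blob)]


# Constructed sample: a Method 01 prologue, a MeltICE device name and a
# Method 12 VxDCall setup, padded with NOPs and zeros.
SAMPLE = (
    b"\x90" * 8
    + b"\xBD\x4B\x48\x43\x42"          # mov ebp, 4243484Bh ('BCHK')
    + b"\x66\xB8\x04\x00"              # mov ax, 4
    + b"\xCC"                          # int 3
    + b"\x3C\x04"                      # cmp al, 4
    + b"\x75\x10"                      # jnz SoftICE_Detected
    + b"\x00" * 16
    + b"\\\\.\\SICE\x00"               # "\\.\SICE", NUL-terminated
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00"  # push 4Fh ; push 2A002Ah
    + b"\xFF\x15\x00\x00\x00\x00"      # call [VxDCall] (placeholder import slot)
    + b"\x00" * 8
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(data) or ["no anti-SoftICE signature found"]:
        print(line)
```

Run it as `python scan.py file.exe` to triage a real image, or with no argument to see the constructed sample flagged as Methods 01, 11 and 12. A hit only says the bytes are present; confirming that they are reached, and in which order, is what the run-time breakpoints above are for.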
</PRE></TD></TR></TBODY></TABLE>