About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is used by
the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker 'BCHK' signature that SoftICE recognises on
int 3: with SoftICE loaded, AL no longer holds 4 when the int 3 returns.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL unchanged => no SoftICE
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It calls
the SoftICE 'back door' commands, which return information on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display a string in the SIce window)
-AX = 0911h   (Execute a SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle Envelope
utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.

__________________________________________________________________________

Method 03
=========

A less-used method.  It looks up the SoftICE VxD by its ID via int 2Fh,
function 1684h (Get VxD API Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 04
=========

Identical to the preceding method, except that it looks up the ID of the
SoftICE GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

A method looking for the 'magic number' 0F386h returned (in AX) by all
system debuggers. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next one, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table), as in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]      ; install own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h                 ; ...so without a debugger AX comes back unchanged
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

__________________________________________________________________________

Method 06
=========

A second method similar to the preceding one but harder to detect:

int41handler PROC
    mov     cl,al               ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax               ; ES = 0 (interrupt vector table)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install own int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; unpredictable value from the timer port
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; CL == AL only if our handler was reached
    jnz     SoftICE_detected

__________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> It is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client EIP
   is located at [ebp+48h] for 32-bit apps)

__________________________________________________________________________

Method 08
=========

Not a SoftICE detection method, but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to Methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring 0 (from a VxD, or from a ring-3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device; it returns the Device Description Block (in ECX)
for that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx = DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers you can detect whether SoftICE is loaded
(DR7=0x700 if you loaded the program with SoftICE's loader, 0x400 otherwise)
or whether memory breakpoints are set (DR0 to DR3), simply by reading their
value (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely
distributed via www.winfiles.com. However, it was first used by NuMega to
let Symbol Loader check whether SoftICE was active or not (the code is
located inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE and SIWVID for Win9x,
NTICE for WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )   /* the driver answered: SoftICE is loaded */
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
After the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function), and
then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD's Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically-loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear EAX and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking Winice.exe's control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check
(Methods 05 & 06) but very limited, because it is only available on
Win95/98 (not NT) as it uses the VxDCall back door. This detection was
found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs, which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
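Most of the tricks above boil down to a handful of fixed instruction sequences and device-name strings, which makes them easy to spot statically before tracing into a protected program. The scanner below is an added example for this page, not part of the original post or of any of the tools it names: it runs byte regular expressions over the standard x86 encodings of the sequences quoted in Methods 01, 02, 03/04, 05/06, 07, 08, 11 and 12 (the ring-0 methods 09, 10 and 14 leave no stable ring-3 byte pattern and are left out) and reports which method each hit corresponds to. The buffer SAMPLE at the end is constructed here for demonstration; on a real file you would pass the bytes of its code section.

```python
"""
Static triage scanner for the anti-SoftICE patterns listed in the text.
Added example, not code from the original post.  The opcode bytes are the
standard x86 encodings of the quoted instruction sequences; SAMPLE is a
constructed buffer used only to demonstrate the scanner.
"""
import re
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Hit:
    method: str   # label of the method in the list above
    offset: int   # byte offset of the match inside the scanned buffer
    what: str     # short description of the matched pattern


# (method label, description, byte regex).  Lazy wildcards ".{0,n}?" allow a
# few unrelated bytes between the instructions, because packers reorder or
# interleave them; re.DOTALL makes "." match newline bytes as well.
SIGNATURES = [
    ("01", "BoundsChecker handshake: mov ebp,4243484Bh ('BCHK') ... int 3",
     re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    ("02", "SoftICE back door: mov si,4647h / mov di,4A4Dh before int 3",
     re.compile(rb"(?:\xBE\x47\x46.{0,6}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,6}?\xBE\x47\x46)"
                rb".{0,6}?(?:\xCC|\xCD\x03)", re.DOTALL)),
    ("03/04", "int 2Fh/1684h entry-point lookup of VxD 0202h (SICE) or 7A5Fh (SIWVID)",
     re.compile(rb"\xB8\x84\x16.{0,4}?\xBB(?:\x02\x02|\x5F\x7A).{0,4}?\xCD\x2F", re.DOTALL)),
    ("05/06", "int 41h function 4Fh debugger-installation check",
     re.compile(rb"\xB8\x4F\x00.{0,16}?\xCD\x41", re.DOTALL)),
    ("07", "int 68h function 43h (V86 WinICE handler check)",
     re.compile(rb"\xB4\x43.{0,4}?\xCD\x68", re.DOTALL)),
    ("05/07/12", "cmp ax,0F386h (system-debugger magic number)",
     re.compile(rb"\x3D\x86\xF3")),
    ("08", "int 21h/25h: set interrupt vector for int 01h or int 03h",
     re.compile(rb"(?:\xB4\x25.{0,4}?\xB0[\x01\x03]|\xB8[\x01\x03]\x25).{0,8}?\xCD\x21",
                re.DOTALL)),
    ("11", "MeltICE device name \\\\.\\SICE, \\\\.\\SIWVID or \\\\.\\NTICE",
     re.compile(re.escape(b"\\\\.\\") + rb"(?:SICE|SIWVID|NTICE)\x00", re.IGNORECASE)),
    ("12", "VxDCall VWIN32_Int41Dispatch: push 4Fh / push 002A002Ah",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(buf: bytes) -> List[Hit]:
    """Return every signature hit in buf, ordered by offset."""
    hits = []
    for method, what, pattern in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append(Hit(method, m.start(), what))
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(buf: bytes) -> Set[str]:
    """The set of method labels whose signature occurs in buf."""
    return {h.method for h in scan(buf)}


# Constructed sample: NOP filler with four of the quoted sequences embedded.
SAMPLE = (
    b"\x90" * 16
    + b"\xBD\x4B\x48\x43\x42\xB8\x04\x00\xCC\x3C\x04\x75\x10"   # Method 01
    + b"\x90" * 8
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3\x74\x02"               # Method 05 + magic compare
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00"                                          # Method 11 device name
    + b"\x90" * 8
    + b"\x6A\x4F\x68\x2A\x00\x2A\x00\xE8\x00\x00\x00\x00"       # Method 12 VxDCall
    + b"\x3D\x86\xF3\x74\x10"                                    # ... and its magic compare
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"0x{hit.offset:04X}  method {hit.method:<8}  {hit.what}")
```

The wildcards are deliberately loose, so treat a hit as a place to look in the disassembler rather than as proof: the same bytes can occur in data, and a packer that rebuilds the magic values arithmetically or uses a different register will not match. The device-name pattern is matched case-insensitively because the Win32 object namespace is.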