找回密码
 注册

QQ登录

只需一步,快速开始

About anti-SoftICE tricks

[复制链接]
发表于 2008-9-28 16:34:50 | 显示全部楼层 |阅读模式
<TABLE width=500>- t. m3 v; W+ N& W) l+ J& T$ ]
<TBODY>
& a4 z' M7 D8 [7 ~- T" B<TR>
' e: \) s& i- [" w* e<TD><PRE>Method 01 % B! C$ B1 S% O$ I' ~6 D( b
=========- I+ y5 h9 r- ?/ [& k) I

- p7 Q4 y+ O/ Z$ U; b- s* p9 oThis method of detection of SoftICE (as well as the following one) is
( A) g5 Y: H! o9 j* Y% H" k6 }1 Eused by the majority of packers/encryptors found on Internet.% {% o: s9 b2 v
It seeks the signature of BoundsChecker in SoftICE
# X; W0 D, U/ k1 _: G" j  ~  X3 {; m8 u$ ]( R/ a1 Z
    mov     ebp, 04243484Bh        ; 'BCHK'5 Y, \; C1 m  a
    mov     ax, 04h
* F9 t( s. e6 @* s' i+ q, |    int     3      
) k: S8 K1 I1 v0 P    cmp     al,48 z9 k8 U' H+ `
    jnz     SoftICE_Detected4 f  J+ z; A5 A, @2 Y

! J. t) M& Q9 C  a" [; V5 E4 W___________________________________________________________________________8 Z2 N# Y9 o# l: {0 v. G

! e' {+ h/ g9 v/ z- S$ aMethod 02: u/ D6 x, m/ l( @# H) Y2 B
=========
3 X$ Q% T: `7 _5 U; H
" t- i6 N: O& f1 x8 ?8 uStill a method very much used (perhaps the most frequent one).  It is used0 D; U' k$ S  G4 q
to get SoftICE 'Back Door commands' which gives infos on Breakpoints,+ B! o: h8 n$ `& {
or execute SoftICE commands...
0 V! R6 T" p4 m& }1 y0 hIt is also used to crash SoftICE and to force it to execute any commands, y9 U% M5 f% e! Q
(HBOOT...) :-((  ; L4 M2 `2 k' G# k, b! Y9 z

& Y/ f- w& _! E  XHere is a quick description:  q, r7 l) ^& e4 {0 ^  j9 M7 [4 k
-AX = 0910h   (Display string in SIce windows)
, \0 M3 c' s: A' a: G0 V# U-AX = 0911h   (Execute SIce commands -command is displayed is ds:dx)4 b/ ]+ C$ S+ |( s
-AX = 0912h   (Get breakpoint infos)
& i8 u# v2 R/ B: d" Y. A-AX = 0913h   (Set Sice breakpoints)
5 E$ H, `  _! i2 M1 K# U-AX = 0914h   (Remove SIce breakoints)9 f( a& L  \+ k

' G# K. V7 U2 a- J$ _$ TEach time you'll meet this trick, you'll see:( h. X) r4 ~; M3 I. r* n
-SI = 4647h1 ^. [& Z/ y- `% ]
-DI = 4A4Dh5 |  R$ \( `3 ~9 X- o
Which are the 'magic values' used by SoftIce.
& L3 w* `4 T  S. YFor more informations, see "Ralf Brown Interrupt list" chapter int 03h.
( r- a8 w2 R4 C  q7 ^: u8 O) J
+ E& I, \9 E" V  x& X: HHere is one example from the file "Haspinst.exe" which is the dongle HASP  Z. c" B( e& v7 \! ?( S& U+ ~% \
Envelope utility use to protect DOS applications:
3 E8 R% e9 [" m" ~" L  @% y& I) {+ m$ `3 Y+ `! e: T8 x

9 F' [  L7 f1 k. ?& J; C. n4C19:0095   MOV    AX,0911  ; execute command.
' ]. }2 d3 S8 ^4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).% g3 ?! T  T4 z" a
4C19:009A   MOV    SI,4647  ; 1st magic value.. T+ d. p+ I/ e  \$ \* _; `/ Y; y
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.  l. I6 k# \/ `- k+ a% i8 t
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
( N6 @7 {2 U3 t4 F' P4 o4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute( E. [! U/ W& f' T
4C19:00A4   INC    CX5 D0 F  ?# ~6 L3 b$ `) U4 }4 {$ A
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute  M5 B/ I: K( d4 _
4C19:00A8   JB     0095     ; 6 different commands.
; H; D0 }, @& s- ~6 Q+ l7 ?4C19:00AA   JMP    0002     ; Bad_Guy jmp back.4 l1 F7 X/ t2 U
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)" m5 g& x) L5 f& }0 Q, H! ^

8 |! r. ?) j: H& v8 z. ^The program will execute 6 different SIce commands located at ds:dx, which
( L9 x# ^1 k8 `$ a/ j  ?% R# Yare: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
# R! Z' |+ \1 Y( Q" L( Q8 q: V8 v  S% t" H+ `. M  @/ W+ q
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
$ Q! x7 h" k- {, R( j9 Y4 @' F___________________________________________________________________________
) Q6 b- b' t" e  q7 ^% {+ Y! u
6 r& d* R0 N, U9 N( E( Z) n
6 s8 r* z5 q) I/ C  Q; p  N. ~Method 03
# r. O3 m: x4 a: E2 Q, q9 p% n=========3 ~+ P5 I. X$ O) O1 n# q

* j+ t# ^, x+ I. h# k0 r. D0 |Less used method.  It seeks the ID of SoftICE VxD via the int 2Fh/1684h9 G0 m$ _6 }8 K, l8 ]1 h
(API Get entry point)
9 B8 t( V% w+ _/ v        & u, Z2 E; f. J, I1 ]
, p/ ~& i) F# E3 A1 ]) A
    xor     di,di) G" T. b2 [% M
    mov     es,di! J' x/ X- }/ g! o$ m4 h
    mov     ax, 1684h       0 k" W- `' n+ o9 F" V1 F5 O, t+ f
    mov     bx, 0202h       ; VxD ID of winice
8 m% V/ W( C% y. ?) z$ ^8 D    int     2Fh
; |0 Z) {7 x# m! S    mov     ax, es          ; ES:DI -&gt; VxD API entry point9 _* V# }# ~, C7 X
    add     ax, di* b% d, m3 D& D! O
    test    ax,ax
+ Q$ t# }" N8 G7 \/ \6 R    jnz     SoftICE_Detected
6 E; r  X/ p( j* C. q
/ c( ^5 F7 a; d___________________________________________________________________________/ E4 s. c6 b; ^; Y

, W2 o3 d8 W  D5 B9 C  P' Z! SMethod 041 F0 D6 k) x8 E1 ~/ F! c, n
=========# V* i6 R: V5 f4 O. f. p

( U/ ~: f" d# r, [Method identical to the preceding one except that it seeks the ID of SoftICE
) J. V! E% ~9 J! SGFX VxD." W" Q2 |- N" l+ W' ~
, _# J; D8 [" M5 l' u
    xor     di,di! h( t9 G6 p. v1 J. ^
    mov     es,di/ m/ c7 P  S% K, _! `
    mov     ax, 1684h      
, ]) I- T# D( \8 l; E3 z    mov     bx, 7a5Fh       ; VxD ID of SIWVID) q% i3 Y# M) A$ N( n
    int     2fh
/ _& B& e" F& j3 z1 _) i9 _    mov     ax, es          ; ES:DI -&gt; VxD API entry point9 T( N0 f& ^+ x. D. r
    add     ax, di1 e8 v2 W. ]/ R
    test    ax,ax
9 I# v- o, N% {0 \! {+ z* K    jnz     SoftICE_Detected) D- H# r7 {" l/ I
9 j+ D+ d3 ~  {! C
__________________________________________________________________________) j/ s; V  o) q. I! i8 I
/ p. `  l0 l% {3 R/ T$ T, q
+ H% M" ]# b) G: b
Method 05' A* g: E7 d( ]5 t$ l7 R# _
=========
; U" ^9 f  w3 R- X  X! X
1 H# X8 W2 M9 V1 S* R% ]7 M4 S5 \* zMethod seeking the 'magic number' 0F386h returned (in ax) by all system" X- j1 M6 b0 O& `
debugger. It calls the int 41h, function 4Fh.
5 X4 p6 r9 d. |- Z- i. {; _* h& jThere are several alternatives.  
( E5 T9 U  X4 O: ]: `! K: c* |
, T# X, D2 v. ]The following one is the simplest:/ J# R0 i8 q3 [1 u9 Y; D

5 }$ D) R; T& u1 g0 [; j  d    mov     ax,4fh2 m- Q0 l8 [  ?5 `7 @. |* r
    int     41h
! @, j* C% i% {; r2 J    cmp     ax, 0F386" i2 T  t8 y' ?2 k% x: V& G) }0 w, z
    jz      SoftICE_detected. z  r& n5 _" [2 z) A1 E

  k6 |5 u+ m& n2 j6 s- b
8 q* s( p' u  W+ ~. H) INext method as well as the following one are 2 examples from Stone's . j3 W" s+ d2 y* a
"stn-wid.zip" (www.cracking.net):
% c( L  {/ E6 t" e9 U4 ^1 @+ X2 ?- \+ x; H2 j% ]; L  m
    mov     bx, cs# F7 I7 g% @  R9 F
    lea     dx, int41handler25 ]' q' d; }/ I# v6 S
    xchg    dx, es:[41h*4]8 S6 z$ t% C  Z% ?5 s: n( B8 n$ X
    xchg    bx, es:[41h*4+2]0 l8 }9 [/ m! s8 e4 u
    mov     ax,4fh
; y5 S# p( [/ M. e; s4 c& |    int     41h
6 R. e% Q1 x2 e: ]; p2 j    xchg    dx, es:[41h*4]- j. b( q* G: l% ^0 g
    xchg    bx, es:[41h*4+2]
( c: x' {$ C8 ?& O# J/ F5 T) M    cmp     ax, 0f386h' U% \% t0 j6 R4 i
    jz      SoftICE_detected
# \  k+ e4 f$ k- C/ ^- K3 `* [% e& v4 n' x& [/ g1 r
int41handler2 PROC1 F% j4 I8 A* O# q: F: @
    iret
6 E1 ]' E4 U: o7 j7 E' lint41handler2 ENDP$ P6 Y0 \  ?& o

9 [, m( V% S# f' @2 u0 Q3 k: Q- ~) o2 Y9 S2 L6 d
_________________________________________________________________________
3 a& v  Q" v% a8 S  P" i) D! p: L4 x& f

+ }+ ^* ~; h7 E  y" DMethod 06
+ @: A. L& H: g+ b5 k1 i=========
4 s! M9 j; h0 F7 v, J+ f$ L, S$ K- H3 Z) b- |
  R$ [* s9 J* ]$ |& o
2nd method similar to the preceding one but more difficult to detect:+ k$ W; y+ j; C: ]

, @- X2 t, `6 ^3 e6 d4 w
) R5 n( |/ T7 |4 [/ H" Qint41handler PROC
3 Q3 G3 d1 s0 Z# h1 g1 t    mov     cl,al0 q0 L1 R9 w2 A+ `' Y1 V
    iret
- x6 V% F3 z$ z- J( Eint41handler ENDP
! J  c+ S! b' K! T$ @# V, i; [5 P9 ?  Q3 |/ e1 @# G
' p* g; ?" d# J2 Y! |$ T* i
    xor     ax,ax1 G' o3 K( ~5 Q2 f0 B3 Z
    mov     es,ax* x9 E( |% n. r6 d" Y/ J: Q
    mov     bx, cs- ~9 t) h2 P; e' e( C
    lea     dx, int41handler& p" ^1 ^4 Q1 q
    xchg    dx, es:[41h*4]: J3 s2 P* X4 i6 G
    xchg    bx, es:[41h*4+2]
3 t: S; S/ V# f7 G7 m0 Y3 I* g    in      al, 40h0 t0 H; ~5 B. ?% i+ k. ~
    xor     cx,cx
7 p  p3 |; R# R$ {3 o* F8 c    int     41h
5 u9 V7 i+ l5 ]$ e* A2 C  R    xchg    dx, es:[41h*4]: a- U' Q2 T) b/ `0 V2 G
    xchg    bx, es:[41h*4+2]& H2 W$ @) x$ @9 k% Y: Z
    cmp     cl,al: x1 d6 Y8 V. H! w' R0 R7 D( r* I
    jnz     SoftICE_detected1 k4 s+ L6 z# x9 _! v
+ K# i1 a" Y& C! I* E
_________________________________________________________________________( b6 ?: z, E! i, D. z0 t
# K9 k# r6 B* o) k2 B8 d% q/ j
Method 072 C2 }* y& \; O- S6 K1 R0 k' @
=========
1 k  T- \! {- h' m5 I
0 Z, _) P6 Y% Q0 C4 lMethod of detection of the WinICE handler in the int68h (V86)  `5 Z7 d6 @8 S8 C% R( x# Z0 B4 N
) ?$ {5 H$ Y- u0 N. O) |
    mov     ah,43h7 _9 |- f" ~( o4 @  [3 b0 b
    int     68h
( A& T% {2 o3 ]: B1 q- `    cmp     ax,0F386h
* P) B, T, r4 t* m  u* ^    jz      SoftICE_Detected
! D  L# l8 t5 w. ^. N: m3 S) I/ `: q) B' |9 n0 W

- W9 c* a% Q$ d/ f* m5 Z  F=&gt; it is not possible to set a BPINT 68 with softice but you can hook a 32Bit$ |- w+ Q/ l, k9 C- f1 k" e. U
   app like this:+ _$ _* P! y$ i6 h2 \' J: m% E

: V) P' q# `" A% x9 o9 i   BPX exec_int if ax==68/ m' I8 v6 Y( [7 f% _
   (function called is located at byte ptr [ebp+1Dh] and client eip is  ~+ ^: H( ^3 Y. G& n- d0 N4 S7 h7 Y
   located at [ebp+48h] for 32Bit apps)
# _4 Z4 d; D) s__________________________________________________________________________
3 B8 G/ V2 p( S! u/ H1 ~0 U
% b7 H* u) ?1 I: F
' ~' O5 k1 r- U: p" Z) L- s% JMethod 08
' p7 J8 S8 D+ o$ D2 |=========
* f6 C3 _: u- E" J! g
+ H" {0 y& Q7 f0 P6 O' uIt is not a method of detection of SoftICE but a possibility to crash the
) d9 I" t4 s  z) Q  L+ Dsystem by intercepting int 01h and int 03h and redirecting them to another" A4 ^" ~) ^) Y5 m( h" a
routine.
) U" w! d% {6 x+ v$ wIt calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points) u- Q  {* Z3 ^0 Y. B
to the new routine to execute (hangs computer...)0 v: \8 j8 Q# B( n4 ^. }" b/ z; z

: C1 ]; S* ]" @! e8 |* p    mov     ah, 25h
% X" B9 z% }$ r" G8 O: i2 O6 t    mov     al, Int_Number (01h or 03h)7 Z; w; t4 Z1 u, E7 R9 s/ h
    mov     dx, offset New_Int_Routine
$ r& o7 p% P! t. h    int     21h+ o2 I( d$ ~$ N

; k$ Z. {& z; B. {2 i__________________________________________________________________________* o9 f5 ?9 H) q1 `" K( g

/ k* p+ J; f" n& s1 NMethod 09* u) _: D7 T8 L  G/ \
=========' U& L4 k8 @; ~/ L* Q0 D

3 T! Z. k) h/ A3 N, iThis method is closed to methods 03 and 04 (int 2Fh/1684h) but it is only& g8 A3 C% x# v) M! H
performed in ring0 (VxD or a ring3 app using the VxdCall).
0 t  p; `7 L  w0 W, O" D9 n- Q! wThe Get_DDB service is used to determine whether or not a VxD is installed5 I# s) j8 U  X- v* I
for the specified device and returns a Device Description Block (in ecx) for+ @' ]6 K- m' m' X( f( T2 U
that device if it is installed.' V' V, R, k( p/ K0 o! g6 b

/ h& B) a( w7 `% [& _   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID5 ~. C0 U5 ]4 l1 V4 d- k8 S4 i
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
+ L' G+ s( E* m' ?# D( X   VMMCall Get_DDB
" ~" y: v, M) T0 u& B; g& J2 |5 D   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed' G: C. s1 v! z& l0 y
0 g- _# D6 f2 B' \; ~6 Q. Q. [0 B
Note as well that you can easily detect this method with SoftICE:
1 q/ s' ~0 C9 H9 u2 e4 m* B0 }   bpx Get_DDB if ax==0202 || ax==7a5fh
8 m9 r8 _! G5 l. V( `+ z! k) g9 s& p1 d
__________________________________________________________________________1 X6 L6 C5 O& p4 u2 S+ Z: a
# S) I4 H" E! M% a2 n( D
Method 10
( d; g4 S* j2 {5 Z=========) y, v2 x$ ]7 {/ Y3 _# d
# v* `, r: [4 e. R7 O
=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with1 h: L. h) S' O, U0 B! b$ T
  SoftICE while the option is enable!!
: G* W( k( b" Z2 b
% h4 t* D# m/ J8 i9 i" B% g0 z4 ZThis trick is very efficient:
, S* I) [% T. ]+ S+ o' o! e1 U8 x9 U! A2 Bby checking the Debug Registers, you can detect if SoftICE is loaded5 k( x! z, [) u9 W& ~- v3 H
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if3 ^2 p0 k7 O3 w$ a
there are some memory breakpoints set (dr0 to dr3) simply by reading their# y2 v/ Z  j) x6 E2 O, w+ }
value (in ring0 only). Values can be manipulated and or changed as well
$ `% {3 b6 @- B' ^- i(clearing BPMs for instance)
* ]- s  A" x9 D
* S0 u+ p7 E; m- _7 T4 W__________________________________________________________________________
0 S+ A* i- k1 t7 p) ~
! u- E, G! A- F$ V7 ~: I  t$ wMethod 11" K, o! S/ Q2 z$ m) j
=========1 }8 e' x/ F; @6 G
0 [1 D: ^9 }1 {( s$ f$ F0 g/ R
This method is most known as 'MeltICE' because it has been freely distributed4 o" Q( C, U- d5 R( A5 R
via www.winfiles.com. However it was first used by NuMega people to allow
5 c; S# [9 }  `* c! g" S7 P6 ^2 lSymbol Loader to check if SoftICE was active or not (the code is located
1 w+ _) G, o, X% ]7 f  linside nmtrans.dll).* |# b6 D, d& y7 R5 N9 K

; [4 K' }, i# @9 j5 [9 S; t3 CThe way it works is very simple:
/ z- C+ l+ q3 Z/ F# o- KIt tries to open SoftICE drivers handles (SICE, SIWVID for Win9x, NTICE for
7 J' Z) Z; @6 Y0 x) QWinNT) with the CreateFileA API.
& X/ V! e4 S6 u+ w2 U+ C
1 }) G- {3 U+ r, m& jHere is a sample (checking for 'SICE'):
+ j( s5 P4 ~4 Y# C* q, z9 `# n1 _! X- V0 m7 n" C" I. X
BOOL IsSoftIce95Loaded()0 x& m, ?* r* n* U
{
. y( f+ Q, A( b0 K, N( i   HANDLE hFile;  ' q. U* W/ U9 D' W1 V  n8 \
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,7 X. u! ], G% R% k
                      FILE_SHARE_READ | FILE_SHARE_WRITE,# r2 N) s, g6 ]8 q; F; w+ B* c
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
2 m5 q* H+ i% |   if( hFile != INVALID_HANDLE_VALUE )
- ]1 o3 Q) N8 n3 Q( f+ H! M9 N0 a% H# B   {
" O* D, C' L7 t      CloseHandle(hFile);
& A; K# G" \8 Q* B# r+ [      return TRUE;
( H) V, H. Y8 k   }
( A% L; @0 B* n( F3 @* U% \9 r) i' M   return FALSE;
) Y( h& @+ `! |0 i" d}" R" p0 F% p5 \+ k, J( M, S& d

! ~% t7 L; r* \Although this trick calls the CreateFileA function, don't even expect to be
& l. B, g- w& h8 w( z) {0 Kable to intercept it by installing a IFS hook: it will not work, no way!. ]! m4 J2 d" z. G9 S1 M
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
) t& u& E- U  M$ V0 B, F! mservice _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)2 k6 h! A  }: o/ N. w1 \3 E
and then browse the DDB list until it find the VxD and its DDB_Control_Proc
, c) b$ @& j# H, B7 V6 z$ B) vfield.: i/ H5 P, @/ b/ C
In fact, its purpose is not to load/unload VxDs but only to send a
& q* |1 T6 `, Q# f! a. PW32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
. Q" O" Z1 }3 n) ?to the VxD Control_Dispatch proc (how the hell a shareware soft could try
. A2 W) U7 ~3 |$ {# e, kto load/unload a non-dynamically loadable driver such as SoftICE ;-).
9 N- b9 j! I2 y% o; h' B; UIf the VxD is loaded, it will always clear eax and the Carry flag to allow0 E! D: Y9 w) K1 f5 |6 u  E
its handle to be opened and then, will be detected.
: r% Y0 z3 o4 IYou can check that simply by hooking Winice.exe control proc entry point6 `- H$ ]+ }, B" f# [! V
while running MeltICE.. u% Q" V( M8 V! t2 j" D7 S7 h

9 c5 o2 E3 @- x, i" w2 n# [0 {
  {9 @$ u0 f5 V& d5 d; X# o5 L  00401067:  push      00402025    ; \\.\SICE/ W- d5 H9 Q/ _# |. ^% h3 [% K
  0040106C:  call      CreateFileA
. M' F1 [) {  R' R+ F+ r+ E  00401071:  cmp       eax,-001
" N1 s+ n0 _! A8 v  00401074:  je        00401091
' _7 V3 r3 k; T! ~* e5 p
$ N7 ]- t; |% {9 X. c
3 X* v  K8 {) WThere could be hundreds of BPX you could use to detect this trick.
( C; P3 H8 o! ^" u4 b4 O; T-The most classical one is:  I* E0 q6 Z: O+ P/ H
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
; j6 a: C1 i* c8 t8 d    *(esp-&gt;4+4)=='NTIC'
% x3 V6 r0 s" E% O4 C5 }: M
* q" V/ ?' ?6 i-The most exotic ones (could be very slooooow :-(/ R* b' I2 t8 H. J6 I  r  r: i- B
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')  ( t3 \$ o$ ^$ ~9 Z& {  k- r3 `
     ;will break 3 times :-(
! h' M* v5 y8 g1 [2 _* _$ L" d6 H% w0 F1 m# r* W" ?
-or (a bit) faster: ) H7 W9 n- P7 A) Q4 w, C  |
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')4 e& g) a& V; |' x% J5 z5 u
% ~% c% _% W* A/ V; C
   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'  
9 d- _3 Y# i/ r" `8 X7 U' m     ;will break 3 times :-(
( z8 W* l/ Z- S( W$ [7 g5 x4 J9 w4 o% l' B! R
-Much faster:
4 k0 G, N: p; z: Z" S. {   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'
) K3 p, ~3 m4 w: s  ^
% G7 j; Z% Z  g- j6 h, TNote also that some programs (like AZPR3.00) use de old 16-bit _lopen# B$ @& s' Y6 v
function to do the same job:$ S4 \& |9 C; b- y* `0 O
9 ]) S  p" V( Y8 G1 y5 E
   push    00                        ; OF_READ+ \4 Z+ h9 ~* [) l5 n
   mov     eax,[00656634]            ; '\\.\SICE',0
$ c* F  Z) j6 L! [   push    eax
- {- ^% q( M4 n2 `7 f3 A   call    KERNEL32!_lopen
0 \7 h( v, a' O' o   inc     eax/ I- g7 S6 Q$ ^$ k, n* T+ A8 |- ?/ G9 m2 y
   jnz     00650589                  ; detected
1 I4 G, z/ [, ~: ^" |. q/ r- Y   push    00                        ; OF_READ: N, |& T+ k1 m$ x7 p6 r+ ?/ x
   mov     eax,[00656638]            ; '\\.\SICE'
5 G" L3 P/ n% X& \" B0 @   push    eax. |5 b& K5 H, w
   call    KERNEL32!_lopen
' L8 L* O' C" u6 f   inc     eax" Y; Z9 J1 }$ [4 |' i" l: a( V0 W
   jz      006505ae                  ; not detected+ H2 w2 s* Z1 Y

+ a( t! x/ T& r/ t( A
: O* F* H. g  D0 o__________________________________________________________________________$ z1 n+ T  U; f3 z- {( I

2 d; b9 M. M3 s, ^: @+ V8 t# GMethod 12
6 g: @& g' I% Q* h+ s( j, [=========
# j! l& b4 C) Q' t6 Y$ ?2 ?' A- D- c& f
This trick is similar to int41h/4fh Debugger installation check (code 05/ P. K" q9 ^* l8 h3 b2 q4 m
&amp; 06) but very limited because it's only available for Win95/98 (not NT)9 W3 ^8 M* N9 z2 y4 f
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.
& A3 }* B$ Q3 F* h, o* D! o
2 C! R1 h$ V! O/ z7 r   push  0000004fh         ; function 4fh- h6 G$ _* |" e' j/ C8 a1 E! V
   push  002a002ah         ; high word specifies which VxD (VWIN32)
, f. g4 h' [: u- d                           ; low word specifies which service9 q% l+ u% x7 k% c# p
                             (VWIN32_Int41Dispatch), y. U4 Z0 o# o
   call  Kernel32!ORD_001  ; VxdCall
0 Z3 `; l5 `5 i  |& f! B: ?   cmp   ax, 0f386h        ; magic number returned by system debuggers
# x: f9 [0 c/ V" k: ?: N' [* b) P8 P, |   jz    SoftICE_detected! l, ^  U8 A2 n" u
3 b0 P0 g# ^0 {' }# ]! W6 P- i
Here again, several ways to detect it:0 w! v0 {; _! j5 g
+ e4 ~3 A, r: n; X, g% Q
    BPINT 41 if ax==4f
8 R8 W2 u8 `: s+ j, }" ?5 c8 a  P5 i, S! x) O
    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one4 z% {* N* T4 z, ]4 F0 ]
" s* t$ e$ T. ~$ P5 z9 [9 r3 v
    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A' H; @" _0 }# ]% |2 ]- A

! C3 C$ K. G3 }    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!
4 a; i. @! z, F' M( ?8 n% w2 W- r
- L# }1 O/ E+ q2 g__________________________________________________________________________
1 j0 y7 E0 r' V, q- M: z  ~' F
. s0 }7 x$ W. P' E2 D% KMethod 13
. {- |0 [* c) D; F& ?# a2 t=========4 S2 Z. B8 @0 H* D- n: p4 K
& S6 ~) k; \1 u, s- s9 {- h
Not a real method of detection, but a good way to know if SoftICE is! @. [& e8 P, _4 `" `+ {6 Y
installed on a computer and to locate its installation directory.6 a1 w7 L& \; t9 R9 `
It is used by few softs which access the following registry keys (usually #2) :
2 T, O3 m3 L1 U' D9 G; _
# q! d$ d9 ?4 m2 B" A9 }- k( i4 T-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
3 B, p8 f" T0 u\Uninstall\SoftICE8 u! @) k( Z2 N7 C5 ^6 R; e% [( i. I
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
) D6 N2 ~5 z! h  e$ }-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
& O; v: B' h) R8 E\App Paths\Loader32.Exe
1 U7 \" ~( I5 V5 `2 N# o/ s
! \; i) b/ ~. Q. _$ G9 a( S2 G5 Z5 C
Note that some nasty apps could then erase all files from SoftICE directory3 a& h- U7 D1 T! S
(I faced that once :-(: d2 ~! L% w5 S9 v
& _, K% |0 A; j7 ^  R! c8 ]
Useful breakpoint to detect it:) S& t, }' m$ {
3 F' o4 G  y9 m
     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'
* l) v3 U& u1 e& Y
' `0 j  l8 m* a+ L8 ]5 o$ `__________________________________________________________________________$ B& e+ j+ {* Y' Q1 U. P8 w
4 T- U# B( S4 @. E8 c

# @- Q$ M2 v; t  O, gMethod 14 7 E1 h) d  H1 Q( Z5 |' w' U4 D
=========# F; a: [8 B6 r  [: Q
9 C2 j- s/ s7 m( q& l% h" ]6 K
A call to VMM 'Test_Debug_Installed' service. As the name says, its purpose* m! @8 Y1 F; R" |4 V& b
is to determines whether a debugger is running on your system (ring0 only).
! m+ E( N  {# Y
2 }6 I. O  d4 f" H* i& y   VMMCall Test_Debug_Installed
! r7 Z5 u/ e/ \/ ]$ K3 b5 R   je      not_installed
3 u/ H/ W1 |3 p$ _0 E: @# F
' o4 E" u7 L; P8 |. P& \, ZThis service just checks a flag.
% _5 G2 ?  T( B* k' E</PRE></TD></TR></TBODY></TABLE>
您需要登录后才可以回帖 登录 | 注册

本版积分规则

QQ|本地广告联系: QQ:905790666 TEL:13176190456|Archiver|手机版|小黑屋|汶上信息港 ( 鲁ICP备19052200号-1 )

GMT+8, 2026-7-15 15:33

Powered by Discuz! X5.0

© 2001-2026 Discuz! Team.

快速回复 返回顶部 返回列表