About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give infos on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]         ; swap our own handler into the int 41h
    xchg    bx, es:[41h*4+2]       ; vector (es = 0), keeping the old one in bx:dx
    mov     ax,4fh
    int     41h                    ; a real-mode hook would now just IRET...
    xchg    dx, es:[41h*4]         ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h             ; ...but SoftICE still answers with the magic
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========


2nd method similar to the preceding one but more difficult to detect:


int41handler PROC
    mov     cl,al                  ; our handler copies al into cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                ; read the timer so al is unpredictable
    xor     cx,cx
    int     41h                    ; if SoftICE swallows the int, our handler never runs
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                  ; cl == al only if our handler was called
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32Bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32Bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.


   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!


This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).
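As an added example (not from the original post), the following Python decodes a DR7 value into its enable bits and per-slot type/length fields, so the two values quoted above (0x700 with the SoftICE loader, 0x400 otherwise) can be compared field by field instead of as opaque numbers. The field layout is the standard x86 DR7 layout; the helper names and the extra sample value 0xD0401 used in the comments are constructed for this illustration.

```python
# Added example: decode an x86 DR7 value. Layout (standard x86, not from the post):
#   bits 0-7    L0/G0 .. L3/G3  local/global enable for DR0..DR3 (2 bits per slot)
#   bit 8       LE  local exact breakpoint enable
#   bit 9       GE  global exact breakpoint enable
#   bit 10      reserved, always reads as 1 (hence the 0x400 floor the text mentions)
#   bit 13      GD  general detect (fault on any access to a debug register)
#   bits 16-31  R/W0,LEN0 .. R/W3,LEN3 (2 bits each) describing what each slot traps

RW_KIND = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LEN_BYTES = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}


def decode_dr7(dr7: int) -> dict:
    """Return the enabled slots plus the LE/GE/GD flags of a DR7 value."""
    slots = []
    for n in range(4):
        local = bool((dr7 >> (2 * n)) & 1)
        glob = bool((dr7 >> (2 * n + 1)) & 1)
        rw = (dr7 >> (16 + 4 * n)) & 0b11
        ln = (dr7 >> (18 + 4 * n)) & 0b11
        if local or glob:
            slots.append({"slot": n, "local": local, "global": glob,
                          "kind": RW_KIND[rw], "length": LEN_BYTES[ln]})
    return {
        "enabled": slots,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
        "reserved_bit10": bool((dr7 >> 10) & 1),
    }


def looks_like_softice_loader(dr7: int) -> bool:
    """Heuristic taken from the text: 0x700 means LE and GE are set while no
    hardware breakpoint slot is armed; 0x400 is the bare reserved bit."""
    d = decode_dr7(dr7)
    return d["le"] and d["ge"] and not d["enabled"]


if __name__ == "__main__":
    for v in (0x400, 0x700, 0xD0401):   # 0xD0401: constructed, DR0 write/4 bytes
        print(hex(v), decode_dr7(v), looks_like_softice_loader(v))
```

The reserved bit 10 explains why a "clean" DR7 is 0x400 rather than 0: any reader that compares DR7 against 0 would misclassify every machine, so compare the individual fields instead.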

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Open the SoftICE VxD by its device name; only succeeds if the driver is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
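As an added example (not part of the original post), here is a Python static scanner that searches a binary for the constants this text ties to methods 01, 02, 05/12, 11 and 13: the 'BCHK' immediate, the 4647h/4A4Dh magic pair, the 0F386h compare, the \\.\SICE / \\.\SIWVID / \\.\NTICE device names and the three registry paths. An analyst can run it over a sample to see which of the tricks above to expect before tracing it. The byte patterns are the standard x86 encodings of the instructions quoted in the text (mov r16,imm16 = B8+reg, so BE/BF for si/di; mov ebp,imm32 = BD; cmp ax,imm16 = 3D, with a 66h prefix in 32-bit code); the SAMPLE buffer and the finding labels are constructed for the example.

```python
import re

# Added example: static triage for the anti-SoftICE constants listed in the text.
# Each entry: (method number from the text, label, regex over raw bytes).
SIGNATURES = [
    # Method 01: mov ebp, 04243484Bh ('BCHK')  ->  BD 4B 48 43 42
    (1, "BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"\xBD\x4B\x48\x43\x42")),
    # Method 02: mov si,4647h ; mov di,4A4Dh  ->  BE 47 46 ... BF 4D 4A
    # (optional 66h operand-size prefix covers the same code in 32-bit segments)
    (2, "SoftICE back door magic SI=4647h DI=4A4Dh",
     re.compile(rb"(?:\x66)?\xBE\x47\x46.{0,8}?(?:\x66)?\xBF\x4D\x4A", re.DOTALL)),
    # Methods 05/12: cmp ax, 0F386h  ->  3D 86 F3  (66 3D 86 F3 in 32-bit code)
    (5, "int 41h/4Fh magic 0F386h compare",
     re.compile(rb"(?:\x66)?\x3D\x86\xF3")),
    # Method 11: MeltICE device names handed to CreateFileA / _lopen
    (11, "MeltICE device name",
     re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 13: registry paths that reveal a SoftICE installation
    (13, "SoftICE registry key",
     re.compile(rb"Software\\NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe",
                re.IGNORECASE)),
]


def scan(blob: bytes) -> list:
    """Return every signature hit as {'method', 'offset', 'what'}, ordered by offset."""
    findings = []
    for method, label, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            findings.append({"method": method, "offset": m.start(), "what": label})
    return sorted(findings, key=lambda f: f["offset"])


def methods_found(blob: bytes) -> list:
    """Distinct method numbers (as used in the text) whose constants appear in blob."""
    return sorted({f["method"] for f in scan(blob)})


# Constructed sample: a fake 16-byte header followed by the code and data
# fragments the text describes, one after another.
SAMPLE = (
    b"MZ" + b"\x00" * 14                             # fake header padding (16 bytes)
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC"    # mov ebp,'BCHK'; mov ax,4; int 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"    # mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"            # mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"              # MeltICE device names
    + b"Software\\NuMega\\SoftICE\x00"                # registry key string (#2)
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset 0x{hit['offset']:04x}  method {hit['method']:02d}  {hit['what']}")
```

Treat the two- and three-byte instruction patterns as triage hints, not proof: a sequence like 3D 86 F3 can occur by chance in data, so confirm each hit in a disassembler. The string signatures (device names, registry paths) are far more specific and are the ones worth alerting on first.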

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>