About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________


Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; es is assumed to be 0 (the IVT), as set up in Method 06
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________


Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________


Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

/* Returns TRUE if the SICE driver accepts an open request, i.e. SoftICE is loaded. */
BOOL IsSoftIce95Loaded(void)
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and it will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (code 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected


Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!
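
The breakpoints above find these tricks at run time, once the debugger is already in the
line of fire. As an added example (not part of the original post), the Python scanner
below finds the same checks statically, by looking for their byte-level fingerprints in a
raw code dump: it covers Methods 01, 02, 03/04, 05, 07, 11 and 12, and for Method 02 it
also decodes which back-door function (AX) is being called. The opcode encodings are
hand-assembled assumptions for 16-bit code (32-bit for the Method 12 snippet), since the
post gives mnemonics only, and the sample buffer is constructed from the listings above.

```python
import re

# Byte-pattern signatures for the SoftICE checks described in this post.
# Encodings are hand-assembled for 16-bit code (Method 12: 32-bit code) and are
# this example's own assumption; the post lists only the mnemonics.
SIGNATURES = [
    ("01", "BoundsChecker 'BCHK' int 3 check",
     re.compile(rb"(?:\x66)?\xBD\x4B\x48\x43\x42"   # mov ebp, 4243484Bh ('BCHK')
                rb"\xB8\x04\x00"                     # mov ax, 4
                rb"\xCC", re.DOTALL)),               # int 3
    ("02", "SoftICE back door (int 3, SI=4647h, DI=4A4Dh)",
     re.compile(rb"\xB8(..)"                         # mov ax, function number
                rb".{0,16}?\xBE\x47\x46"             # mov si, 4647h
                rb".{0,16}?\xBF\x4D\x4A"             # mov di, 4A4Dh
                rb".{0,16}?\xCC", re.DOTALL)),       # int 3
    ("03/04", "int 2Fh/1684h VxD entry point lookup",
     re.compile(rb"\xB8\x84\x16"                     # mov ax, 1684h
                rb".{0,8}?\xBB(..)"                  # mov bx, VxD ID
                rb".{0,8}?\xCD\x2F", re.DOTALL)),    # int 2Fh
    ("05", "int 41h/4Fh debugger installation check",
     re.compile(rb"\xB8\x4F\x00.{0,32}?\xCD\x41", re.DOTALL)),  # mov ax,4Fh ... int 41h
    ("07", "int 68h/43h WinICE handler check",
     re.compile(rb"\xB4\x43.{0,8}?\xCD\x68", re.DOTALL)),       # mov ah,43h ... int 68h
    ("11", "MeltICE driver name",
     re.compile(re.escape(b"\\\\.\\") + rb"(SICE|SIWVID|NTICE)")),  # "\\.\SICE" etc.
    ("12", "VxDCall VWIN32_Int41Dispatch(4Fh)",
     re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),             # push 4Fh ; push 2A002Ah
]

# Back-door function numbers and VxD IDs as listed in Methods 02 and 03/04.
BACKDOOR_FUNCS = {0x0910: "display string", 0x0911: "execute command",
                  0x0912: "get breakpoint info", 0x0913: "set breakpoint",
                  0x0914: "remove breakpoint"}
VXD_IDS = {0x0202: "SICE", 0x7A5F: "SIWVID"}


def scan(blob):
    """Return [(offset, method, detail)] for every signature hit, ordered by offset."""
    hits = []
    for method, desc, rx in SIGNATURES:
        for m in rx.finditer(blob):
            detail = desc
            if method == "02":
                fn = int.from_bytes(m.group(1), "little")
                detail += " -> AX=%04Xh (%s)" % (fn, BACKDOOR_FUNCS.get(fn, "unknown"))
            elif method == "03/04":
                vid = int.from_bytes(m.group(1), "little")
                detail += " -> VxD ID %04Xh (%s)" % (vid, VXD_IDS.get(vid, "unknown"))
            elif method == "11":
                detail += " -> " + m.group(1).decode("ascii")
            hits.append((m.start(), method, detail))
    return sorted(hits)


# Constructed sample: each snippet hand-assembled from the listings in this post,
# separated by NOP padding so one signature's wildcard gap cannot reach the next snippet.
PAD = b"\x90" * 32
SAMPLE = PAD.join([
    bytes.fromhex("66BD4B484342 B80400 CC 3C04 7505"),                    # Method 01
    bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB"),  # Method 02 (Haspinst loop)
    bytes.fromhex("31FF 8EC7 B88416 BB0202 CD2F"),                        # Method 03
    bytes.fromhex("B84F00 CD41 3D86F3 7405"),                             # Method 05
    bytes.fromhex("B443 CD68 3D86F3 7405"),                               # Method 07
    bytes.fromhex("6A4F 682A002A00 E800000000 663D86F3 7405"),            # Method 12
    b"\\\\.\\SICE\x00",                                                   # Method 11 string
])

if __name__ == "__main__":
    for off, method, detail in scan(SAMPLE):
        print("%06X  Method %-5s %s" % (off, method, detail))
```

Run it over the code section of a DOS or Win9x executable (read the file as bytes and pass
it to scan) to get the offsets worth a BPX before single-stepping. The wildcard gaps are
kept short on purpose: they tolerate a few interleaved instructions, as in the Haspinst
loop, but a variant that builds the magic values at run time or splits them across
registers will not match, so a miss is not proof that a sample is clean.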

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>