About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get VxD API entry point):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is absent
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD (SIWVID):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    xor     ax,ax
    mov     es,ax           ; ES=0 so es:[41h*4] addresses the IVT entry
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; ...and restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h      ; only a system debugger answers with the magic
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al           ; echo AL back in CL if our handler really ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; timer port: an unpredictable value in AL
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al           ; CL != AL means int 41h never reached our handler
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (a VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open handles to the SoftICE drivers (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will go through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell a shareware soft could try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR 3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',00
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxDCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed          ; ZF set when no debugger is installed

This service just checks a flag.
1 K# `* Y( r# B% L+ D( O5 @/ b</PRE></TD></TR></TBODY></TABLE>