About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50

Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker signature that SoftICE recognises on
int 3 (EBP = 'BCHK', AX = 4): if AL no longer equals 4 on return,
SoftICE answered the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one).  It is used
to reach the SoftICE 'back door' commands, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks for the SoftICE VxD ID via int 2Fh/1684h
(Get Device API Entry Point).

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of
the SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h that all system debuggers
return (in AX). It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; assumes ES = 0 (IVT segment), as set explicitly in Method 06
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; install our own int 41h handler...
    xchg    bx, es:[41h*4+2]        ; ...keeping the old vector in BX:DX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; our handler copies AL into CL
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our int 41h handler
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; AL = timer byte (varies from run to run)
    xor     cx,cx                   ; CL = 0 before the call
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; CL == AL only if our handler really ran
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, 01h                 ; interrupt number (01h or 03h)
    mov     dx, offset New_Int_Routine  ; DS:DX -> new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (from a VxD, or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise) or
whether there are memory breakpoints set (dr0 to dr3), simply by reading their
values (ring0 only). The values can be manipulated or changed as well
(clearing BPMs for instance).
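The two DR7 values quoted above (0x700 and 0x400) only make sense once the register's bit layout is in front of you. The following decoder is an added example, not code from the original post: it splits a DR7 value into the per-breakpoint enable, type and length fields and the LE/GE flags, so an analyst looking at a ring-0 dump of the debug registers can tell a real hardware breakpoint (a BPM) from the LE/GE pattern the post attributes to the SoftICE loader. The field layout is the documented Intel one; the sample values are constructed from the post, and the 0xF0701 value is my own illustration of DR0 armed as a 4-byte read/write breakpoint.

```python
"""Decode an x86 DR7 value into its breakpoint and control fields.

Added example (not from the original post). Field layout per the Intel
SDM, vol. 3, "Debug Registers"; sample values constructed from the post.
"""

# Control bits in DR7
LE_BIT = 8            # local exact breakpoint enable
GE_BIT = 9            # global exact breakpoint enable
RESERVED1_BIT = 10    # always reads as 1 (hence the 0x400 baseline)
GD_BIT = 13           # general detect: trap on any MOV to/from DRn

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # encoding 0b10 = 8 bytes (64-bit mode only)


def decode_dr7(dr7: int) -> dict:
    """Return which breakpoints DR7 enables, their type/length, and the control flags."""
    info = {
        "local_exact": bool(dr7 >> LE_BIT & 1),
        "global_exact": bool(dr7 >> GE_BIT & 1),
        "general_detect": bool(dr7 >> GD_BIT & 1),
        "breakpoints": [],
    }
    for n in range(4):
        local_en = dr7 >> (2 * n) & 1          # L0..L3
        global_en = dr7 >> (2 * n + 1) & 1     # G0..G3
        if not (local_en or global_en):
            continue
        rw = dr7 >> (16 + 4 * n) & 0b11        # R/W0..R/W3
        ln = dr7 >> (18 + 4 * n) & 0b11        # LEN0..LEN3
        info["breakpoints"].append({
            "index": n,
            "local": bool(local_en),
            "global": bool(global_en),
            "type": RW_NAMES[rw],
            "length": LEN_NAMES[ln],
        })
    return info


def softice_loader_signature(dr7: int) -> bool:
    """True when DR7 carries the LE|GE pattern the post attributes to the
    SoftICE loader (0x700 = LE | GE | reserved bit 10)."""
    return (dr7 & 0x700) == 0x700


def armed_breakpoints(dr7: int, dr0_3) -> list:
    """(index, address) for every enabled breakpoint: the BPMs a ring-0
    check can read out of DR0..DR3, as described in Method 10."""
    return [(bp["index"], dr0_3[bp["index"]])
            for bp in decode_dr7(dr7)["breakpoints"]]


if __name__ == "__main__":
    # 0x400: plain run; 0x700: started via the SoftICE loader (per the post);
    # 0xF0701: constructed value with DR0 armed as a 4-byte read/write BPM.
    for value in (0x400, 0x700, 0xF0701):
        print(hex(value), decode_dr7(value))
    print(armed_breakpoints(0xF0701, [0x401000, 0, 0, 0]))
```

Reading the output side by side shows why the post's 0x400 baseline is "no debugger": it is nothing but the always-set reserved bit, while 0x700 adds the exact-breakpoint enables, and only a value like 0xF0701 actually arms a DR0..DR3 address.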

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real detection method, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs, which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'
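The breakpoints listed for Methods 11, 12 and 13 (and the BPX/BPINT lines under Methods 07 and 09) catch these tricks live, one at a time. When a sample is in hand, an analyst usually wants the opposite view first: which of the constants from Methods 01-07, 11, 12 and 13 does the unpacked code carry, so that an exit or crash under a debugger can be explained before tracing. The scanner below is an added example, not code from the original post; the byte patterns are my own encodings of the instructions shown in those methods (16-bit real-mode encodings for the DOS-style ones, 32-bit for Methods 01 and 12, the `mov ebp`/`push imm32` forms), and the sample blob is constructed here rather than taken from any real file. It only recognises the literal encodings the post shows; a packer that builds the same constants arithmetically or runs the code from a decrypted buffer is the usual reason a static pass misses and a breakpoint is still needed.

```python
"""Static scan for the anti-SoftICE constants listed in Methods 01-07, 11-13.

Added example (not from the original post). Patterns are the author's own
encodings of the instructions the post shows; SAMPLE is constructed data.
"""
import re

# (method number, description, regex over raw bytes)
SIGNATURES = [
    (1,  "int 3 with EBP='BCHK' (BoundsChecker interface)",
         re.compile(rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC", re.DOTALL)),
    (2,  "int 3 back door, SI=4647h DI=4A4Dh",
         re.compile(rb"\xBE\x47\x46\xBF\x4D\x4A.{0,8}?\xCC", re.DOTALL)),
    (3,  "int 2Fh/1684h for VxD ID 0202h (SICE)",
         re.compile(rb"\xB8\x84\x16\xBB\x02\x02\xCD\x2F")),
    (4,  "int 2Fh/1684h for VxD ID 7A5Fh (SIWVID)",
         re.compile(rb"\xB8\x84\x16\xBB\x5F\x7A\xCD\x2F")),
    (5,  "int 41h/4Fh debugger check",
         re.compile(rb"\xB8\x4F\x00\xCD\x41")),
    (7,  "int 68h/43h WinICE handler check",
         re.compile(rb"\xB4\x43\xCD\x68")),
    (12, "VxDCall VWIN32_Int41Dispatch (002A002Ah) with function 4Fh",
         re.compile(rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00")),
    (11, "SoftICE device name (MeltICE / _lopen variant)",
         re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    (13, "SoftICE registry key",
         re.compile(rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe")),
]

# Methods 05, 06, 07 and 12 all compare AX against 0F386h afterwards;
# 3D iw is the 16-bit form, 66 3D iw the same instruction in 32-bit code.
MAGIC_F386 = re.compile(rb"\x3D\x86\xF3|\x66\x3D\x86\xF3")


def scan(blob: bytes) -> list:
    """Return (offset, method, description) for every hit, sorted by offset."""
    hits = []
    for method, desc, pattern in SIGNATURES:
        for m in pattern.finditer(blob):
            hits.append((m.start(), method, desc))
    return sorted(hits)


def has_magic_compare(blob: bytes) -> bool:
    """True if the blob compares AX with the system-debugger magic 0F386h."""
    return MAGIC_F386.search(blob) is not None


# Constructed sample: the HASP-style int 3 call from Method 02, the VxD ID
# probe from Method 03, the int 41h check from Method 05 with its compare,
# a MeltICE-style device name and a Method 13 registry path, with padding.
SAMPLE = (
    b"\xB8\x11\x09"                          # mov ax,0911h
    b"\x8B\x17"                              # mov dx,[bx]
    b"\xBE\x47\x46"                          # mov si,4647h
    b"\xBF\x4D\x4A"                          # mov di,4A4Dh
    b"\xCC"                                  # int 3
    b"\x90\x90\x90\x90"                      # padding
    b"\xB8\x84\x16\xBB\x02\x02\xCD\x2F"      # mov ax,1684h / mov bx,0202h / int 2Fh
    b"\x90\x90\x90\x90"                      # padding
    b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"      # mov ax,4Fh / int 41h / cmp ax,0F386h
    b"\x00\x00\x00\x00"                      # padding
    b"\\\\.\\SICE\x00"                       # "\\.\SICE"
    b"Software\\NuMega\\SoftICE\x00"         # registry path #2
)

if __name__ == "__main__":
    for off, method, desc in scan(SAMPLE):
        print(f"offset {off:#06x}: method {method:02d}: {desc}")
    print("compares against 0F386h:", has_magic_compare(SAMPLE))
```

On the constructed sample this reports Methods 02, 03, 05, 11 and 13 at their offsets plus the 0F386h compare; on a real unpacked image the hit list is the shortlist of breakpoints to set from the BPX/BPINT lines above, and an empty list with a program that still misbehaves under the debugger points at Methods 06, 08, 09, 10 or 14, whose code carries no distinctive constant.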

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.