About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE: ebp holds 'BCHK'
and int 3 is raised with ax=4; if SoftICE answers, al is no longer 4
on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give info on breakpoints
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; int call (if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy: jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It looks up the SoftICE VxD by its VxD ID via
int 2Fh/1684h (Get VxD API entry point); a non-zero ES:DI on return means
the VxD is loaded.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are two examples from Stone's
"stn-wid.zip" (www.cracking.net):

    ; es is assumed to be 0 (the IVT segment) here; Method 06 below sets it
    ; explicitly.  A dummy int 41h handler is installed so that, without a
    ; system debugger, ax comes back unchanged from the int 41h call.
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy the timer value read below
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; read the timer counter into al
    xor     cx,cx
    int     41h                     ; if our handler runs, cl == al afterwards
    xchg    dx, es:[41h*4]
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip
   is located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get int vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5f

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise)
or if there are some memory breakpoints set (dr0 to dr3) simply by reading
their value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* opening the driver's device name only succeeds if the VxD is loaded */
   hFile = CreateFileA( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (methods
05 & 06) but very limited because it's only available for Win95/98 (not NT),
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE
directory (I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its
purpose is to determine whether a debugger is running on your system
(ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
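For Method 10, here is a decoder for the debug-register values an analyst would inspect in ring0; it is an added example, not code from the write-up, and uses the DR7 bit layout documented in the Intel manuals (the classification strings are my own, and dr0-dr3 are passed in as plain integers).

```python
# DR7 layout (Intel SDM vol. 3, "Debug Registers"): bits 0-7 are the L0/G0 ..
# L3/G3 enable bits, bit 8 LE, bit 9 GE, bit 10 reserved (reads as 1),
# bit 13 GD, and bits 16-31 hold R/Wn (bits 16+4n) and LENn (bits 18+4n).
RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}


def decode_dr7(dr7: int, dr0_3=(0, 0, 0, 0)) -> dict:
    """Split dr7 into its global flags and the list of enabled breakpoints."""
    bps = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if local or glob:
            bps.append({
                "index": n,
                "addr": dr0_3[n],          # linear address from dr0..dr3
                "scope": "global" if glob else "local",
                "type": RW_NAMES[(dr7 >> (16 + 4 * n)) & 3],
                "len": LEN_BYTES[(dr7 >> (18 + 4 * n)) & 3],
            })
    return {
        "breakpoints": bps,
        "le": bool((dr7 >> 8) & 1),
        "ge": bool((dr7 >> 9) & 1),
        "gd": bool((dr7 >> 13) & 1),
    }


def classify(dr7: int, dr0_3=(0, 0, 0, 0)) -> str:
    """Mirror the Method 10 heuristic: 0x400 is the idle value (reserved bit
    only), 0x700 adds LE/GE (SoftICE loader), any enable bit means a BPM."""
    d = decode_dr7(dr7, dr0_3)
    if d["breakpoints"]:
        return "hardware breakpoints armed (BPM)"
    if d["le"] and d["ge"]:
        return "LE/GE set: loaded via SoftICE loader (dr7=0x700)"
    return "clean: no breakpoints enabled, LE/GE clear"


if __name__ == "__main__":
    # constructed values: idle, SoftICE-loader, and one 4-byte R/W BPM on dr0
    for dr7, regs in ((0x400, (0, 0, 0, 0)), (0x700, (0, 0, 0, 0)),
                      (0xF0401, (0x401000, 0, 0, 0))):
        print(f"dr7={dr7:#07x}: {classify(dr7, regs)}")
        for bp in decode_dr7(dr7, regs)["breakpoints"]:
            print("   ", bp)
```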
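Since methods 01 to 07, 11 and 13 above all leave fixed instruction bytes or strings in the file, an analyst can triage a sample for them before loading it under a debugger. The following Python scanner is an added example, not code from the write-up; it uses the standard x86 encodings of the instructions in the listings above (an assumption where a packer reorders or pads them) and runs over a constructed sample blob.

```python
import re

# Each entry: (method label, regex over raw bytes).  The byte sequences are
# the standard x86 encodings of the instructions quoted in the write-up;
# `.{0,n}?` tolerates a few unrelated bytes between them (re.DOTALL below).
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK') = BD 4B 48 43 42 ... int 3 = CC
    ("01 BoundsChecker 'BCHK' int 3", rb"\xBD\x4B\x48\x43\x42.{0,8}?\xCC"),
    # Method 02: mov si,4647h = BE 47 46 and mov di,4A4Dh = BF 4D 4A (either
    # order) followed by int 3; the ax=091xh function number is not required
    ("02 back door magic SI=4647h/DI=4A4Dh int 3",
     rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
     rb".{0,8}?\xCC"),
    # Methods 03/04: mov ax,1684h = B8 84 16 and mov bx,0202h = BB 02 02 or
    # mov bx,7A5Fh = BB 5F 7A (either order), then int 2Fh = CD 2F
    ("03/04 int 2Fh/1684h VxD ID SICE/SIWVID",
     rb"(?:\xB8\x84\x16.{0,6}?\xBB(?:\x02\x02|\x5F\x7A)"
     rb"|\xBB(?:\x02\x02|\x5F\x7A).{0,6}?\xB8\x84\x16).{0,6}?\xCD\x2F"),
    # Methods 05/06: mov ax,4Fh = B8 4F 00 ... int 41h = CD 41
    ("05/06 int 41h/4Fh", rb"\xB8\x4F\x00.{0,8}?\xCD\x41"),
    # Method 07: mov ah,43h = B4 43 ... int 68h = CD 68
    ("07 int 68h/43h", rb"\xB4\x43.{0,4}?\xCD\x68"),
    # Methods 05/06/07/12: cmp ax,0F386h = 3D 86 F3 (debugger magic number)
    ("cmp ax,0F386h magic", rb"\x3D\x86\xF3"),
    # Method 11 (MeltICE) and the _lopen variant: driver device names
    ("11 MeltICE device name", rb"\\\\\.\\(?:SICE|SIWVID|NTICE)"),
    # Method 13: registry key paths
    ("13 SoftICE registry key",
     rb"(?:NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe)"),
]
COMPILED = [(label, re.compile(pat, re.DOTALL)) for label, pat in SIGNATURES]


def scan(data: bytes):
    """Return a list of (offset, label) hits, sorted by offset."""
    hits = []
    for label, rx in COMPILED:
        for m in rx.finditer(data):
            hits.append((m.start(), label))
    return sorted(hits)


# Constructed sample (not a real binary): the idioms from the write-up glued
# together with NOP padding, assembled by hand from the listings above.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"     # mov ebp,4243484Bh ('BCHK')       offset 4
    + b"\x66\xB8\x04\x00"         # mov ax,4
    + b"\xCC"                     # int 3
    + b"\x3C\x04\x75\x10"         # cmp al,4 / jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"             # mov ax,0911h (execute SIce command)
    + b"\x8B\x17"                 # mov dx,[bx]
    + b"\xBE\x47\x46"             # mov si,4647h                      offset 27
    + b"\xBF\x4D\x4A"             # mov di,4A4Dh
    + b"\xCC"                     # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"          # '\\.\SICE',0 as opened by MeltICE offset 38
)

if __name__ == "__main__":
    for offset, label in scan(SAMPLE):
        print(f"{offset:08x}  {label}")
```

Run over a real DOS .EXE or unpacked Win9x PE the hits tell you which conditional breakpoints from the write-up to set first.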