About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4                   ; AL is no longer 4 if SoftICE answered the call
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give info on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce windows)
-AX = 0911h   (Execute SIce commands - the command is pointed to by ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute.
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API "Get Entry Point"):

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax           ; ES:DI stays 0:0 if the VxD is not loaded
    jnz     SoftICE_Detected

___________________________________________________________________________
Method 04
=========

Method identical to the preceding one except that it seeks the ID of the SoftICE
GFX VxD:

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; assumes ES=0 (the IVT), as set up in method 06
    xchg    bx, es:[41h*4+2]        ; install our own handler, old vector kept in DX:BX
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________

Method 06
=========

2nd method similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; ES = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; install our own int 41h handler
    xchg    bx, es:[41h*4+2]        ; (old vector kept in DX:BX)
    in      al, 40h                 ; timer channel 0: an unpredictable value
    xor     cx,cx
    int     41h                     ; our handler copies AL into CL...
    xchg    dx, es:[41h*4]          ; restore the old vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; ...unless SoftICE took the interrupt itself
    jnz     SoftICE_detected

_________________________________________________________________________
Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), and ds:dx points
to the new routine to execute (hangs the computer...)

    mov     ah, 25h
    mov     al, Int_Number (01h or 03h)
    mov     dx, offset New_Int_Routine
    int     21h

__________________________________________________________________________
Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is most known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int 41h/4Fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________
Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
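As an added example that is not part of the original post, the Python scanner below flags the byte encodings and strings that methods 01, 02, 03/04, 05, 07, 11, 12 and 13 above rely on, so an analyst can see which anti-SoftICE tricks a sample carries without tracing it. The signature names, the regexes and the sample bytes are constructed for this page; the instruction encodings are the standard 16-bit/32-bit x86 forms of the listings above.

```python
import re

# Byte-level signatures for the tricks above: the x86 encodings of the key
# instructions (16-bit for the DOS methods, 32-bit for the Win32 ones) and
# the strings the Win32 methods pass to CreateFileA/_lopen/RegOpenKey.
SIGNATURES = {
    # Method 01: mov ebp, 4243484Bh ('BCHK') -> BD 4B 48 43 42
    "01_bchk_int3": rb"\xbd\x4b\x48\x43\x42",
    # Method 02: mov si,4647h / mov di,4A4Dh (either order) -> BE 47 46 / BF 4D 4A
    "02_int3_backdoor": rb"(\xbe\x47\x46\xbf\x4d\x4a|\xbf\x4d\x4a\xbe\x47\x46)",
    # Methods 03/04: mov ax,1684h / mov bx,0202h|7A5Fh / int 2Fh
    "03_04_int2f_1684": rb"\xb8\x84\x16\xbb(\x02\x02|\x5f\x7a)\xcd\x2f",
    # Method 05: mov ax,4Fh / int 41h
    "05_int41_4f": rb"\xb8\x4f\x00\xcd\x41",
    # Method 07: mov ah,43h / int 68h
    "07_int68_43": rb"\xb4\x43\xcd\x68",
    # Method 11 (MeltICE): NUL-terminated \\.\SICE, \\.\SIWVID or \\.\NTICE
    "11_meltice_devname": rb"\\\\\.\\(SICE|SIWVID|NTICE)\x00",
    # Method 12: push 4Fh (imm8 or imm32 form) / push 002A002Ah
    "12_vxdcall_int41": rb"(\x6a\x4f|\x68\x4f\x00\x00\x00)\x68\x2a\x00\x2a\x00",
    # Method 13: registry key #2
    "13_registry_key": rb"Software\\NuMega\\SoftICE",
}
COMPILED = {name: re.compile(pat) for name, pat in SIGNATURES.items()}


def scan(data: bytes) -> dict:
    """Return {signature name: [file offsets]} for every signature present."""
    hits = {}
    for name, rx in COMPILED.items():
        offsets = [m.start() for m in rx.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


# Constructed sample (not a real binary): NOP padding around hand-assembled
# fragments of methods 01, 02, 11 and 12 as they appear in the listings above.
SAMPLE = (
    b"\x90" * 16
    + b"\xbd\x4b\x48\x43\x42\x66\xb8\x04\x00\xcc\x3c\x04"  # mov ebp,'BCHK' ... cmp al,4
    + b"\x90" * 8
    + b"\xb8\x11\x09\x8b\x17\xbe\x47\x46\xbf\x4d\x4a\xcc"  # Haspinst-style int 3 call
    + b"\x90" * 8
    + b"\\\\.\\SICE\x00\\\\.\\NTICE\x00"                   # MeltICE device names
    + b"\x6a\x4f\x68\x2a\x00\x2a\x00"                     # push 4Fh / push 2A002Ah
)

if __name__ == "__main__":
    for name, offs in scan(SAMPLE).items():
        print(name, [hex(o) for o in offs])
```

Run it against a real file by replacing SAMPLE with `open(path, "rb").read()`; a hit only says the pattern is present, so confirm it at the reported offset before treating it as an anti-debug check.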