About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (like the following one) is used by the
majority of packers/encryptors found on the Internet.
It looks for the BoundsChecker signature in SoftICE:

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3                      ; SoftICE answers the BoundsChecker handshake
    cmp     al,4                   ; al untouched -> no SoftICE
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one). It is used
to reach the SoftICE 'back door commands', which give information on
breakpoints, or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in the SoftICE window)
-AX = 0911h   (Execute SoftICE command - the command string is at ds:dx)
-AX = 0912h   (Get breakpoint info)
-AX = 0913h   (Set SoftICE breakpoints)
-AX = 0914h   (Remove SoftICE breakpoints)

Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP4 dongle
Envelope utility used to protect DOS applications:

4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SoftICE is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to the next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program executes 6 different SoftICE commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It looks for the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point):

    xor     di,di
    mov     es,di                   ; es:di = 0 before the call
    mov     ax, 1684h
    mov     bx, 0202h               ; VxD ID of winice
    int     2Fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di                  ; still 0 if no such VxD answered
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it looks for the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh               ; VxD ID of SIWVID
    int     2fh
    mov     ax, es                  ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method looking for the 'magic number' 0F386h returned (in ax) by every system
debugger. It calls int 41h, function 4Fh.
There are several variants.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected

The next method, as well as the following one, are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). Here the int 41h vector is temporarily pointed
at a dummy handler (a bare iret), so a 0F386h answer can only come from a
debugger that intercepts the interrupt before the vector table is consulted:

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]          ; swap our handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect:

int41handler PROC
    mov     cl,al                   ; copy al into cl to prove the handler ran
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax                   ; es = 0 -> interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]          ; swap our handler into the int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h                 ; al = PIT counter byte, an unpredictable value
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]          ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al                   ; handler ran -> cl == al
    jnz     SoftICE_detected        ; cl still 0 -> something else took int 41h

No magic function number is used here: if int 41h comes back with cl unchanged,
the dummy handler never ran, so a debugger handled the interrupt instead.

_________________________________________________________________________

Method 07
=========

Method of detecting the WinICE handler on int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detecting SoftICE but a way to crash the system by
intercepting int 01h and int 03h and redirecting them to another routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with ds:dx
pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                 ; DOS: set interrupt vector
    mov     al, Int_Number          ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx -> the replacement routine
    int     21h

___________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring 0 (a VxD, or a ring 3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns the Device Description Block (in ecx) of
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for the SIWVID VxD ID
   mov     edi, Device_Name ; only used if there is no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect whether SoftICE is loaded
(dr7=0x700 if you loaded the program with the SoftICE loader, 0x400 otherwise)
or whether memory breakpoints are set (dr0 to dr3), simply by reading their
value (ring 0 only). The values can be manipulated or changed as well
(clearing BPMs, for instance).

__________________________________________________________________________
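As an added example (not part of the original text), here is the DR7 bit layout that the 0x700 and 0x400 values quoted above come from, decoded in Python. Reading the register itself needs ring 0, as the text says; this decoder takes a value already captured (from a debugger's register window or a crash dump) and reports what it encodes. Bit positions follow the Intel SDM description of DR7; the function names and the constructed sample values are my own.

```python
"""Decode the x86 DR7 debug-control register (Method 10 above).

DR7 layout (Intel SDM, vol. 3, "Debug Registers"):
  bits 0-7   : L0,G0 .. L3,G3  local/global enable for breakpoints 0-3
  bits 8, 9  : LE, GE          local/global "exact" breakpoint enable
  bit 10     : reserved, reads as 1 (this is why an idle DR7 is 0x400)
  bit 13     : GD              general detect (trap on any debug-register access)
  bits 16-31 : R/W0,LEN0 .. R/W3,LEN3  condition and length of each breakpoint
"""
from typing import Dict, List

RW_NAMES = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_NAMES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 means 8 bytes only in 64-bit mode


def decode_dr7(dr7: int) -> Dict:
    """Return the flags and the armed hardware breakpoints encoded in a DR7 value."""
    bps: List[Dict] = []
    for n in range(4):
        local = bool(dr7 & (1 << (2 * n)))
        glob = bool(dr7 & (1 << (2 * n + 1)))
        if not (local or glob):
            continue                       # slot n is not armed
        rw = (dr7 >> (16 + 4 * n)) & 3     # R/Wn: what kind of access traps
        ln = (dr7 >> (18 + 4 * n)) & 3     # LENn: size of the watched range
        bps.append({"slot": n, "local": local, "global": glob,
                    "cond": RW_NAMES[rw], "len": LEN_NAMES[ln]})
    return {
        "LE": bool(dr7 & (1 << 8)),
        "GE": bool(dr7 & (1 << 9)),
        "GD": bool(dr7 & (1 << 13)),
        "breakpoints": bps,
    }


def describe_dr7(dr7: int) -> str:
    """One-line human-readable summary, e.g. for a triage note."""
    d = decode_dr7(dr7)
    parts = [f"DR7=0x{dr7:X}"]
    if d["LE"] or d["GE"]:
        parts.append("exact-breakpoint enables set (LE/GE)")
    if d["GD"]:
        parts.append("general detect on")
    if not d["breakpoints"]:
        parts.append("no hardware breakpoints armed")
    for bp in d["breakpoints"]:
        scope = "global" if bp["global"] else "local"
        parts.append(f"DR{bp['slot']}: {scope} {bp['cond']} {bp['len']}-byte")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed values: the two the text quotes, plus one with a BPM-style
    # 4-byte write breakpoint armed in slot 0 (DR0 holds the address).
    for value in (0x400, 0x700, 0x000D0001):
        print(describe_dr7(value))
```

The decoder makes the text's numbers concrete: 0x400 is a DR7 with only the always-set reserved bit, while 0x700 additionally has LE and GE set, which is what the SoftICE loader leaves behind; neither value by itself arms a breakpoint, so a check that only compares DR7 against 0x400 is looking for the loader, not for BPMs.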

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
it tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include <windows.h>

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* Opening the driver's device name only succeeds if the VxD is loaded. */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware program
load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001    ; INVALID_HANDLE_VALUE
  00401074:  je        00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) + 1 == 0
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected

__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods 05
& 06) but very limited because it is only available for Win95/98 (not NT),
as it uses the VxDCall back door. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32),
                           ; low word specifies which service (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_0001 ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know whether SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________

Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring 0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
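From the analyst's side, most of the tricks above leave recognizable byte sequences in a binary that is not encrypted. The following Python scanner is an added example, not part of the original text or of any tool it mentions: it searches a blob for the 'BCHK' immediate of method 01, the 4647h/4A4Dh magic values of method 02, the int 2Fh/1684h call with the SICE or SIWVID VxD ID of methods 03/04, the int 41h/4Fh call of method 05, the int 68h/43h call of method 07, the \\.\SICE-style device names of method 11, the VxDCall arguments of method 12 and the registry key names of method 13. Instruction encodings are standard x86 with the operand size the text's listings use (16-bit for the DOS examples, 32-bit for the BCHK and VxDCall ones); the sample buffer is constructed for the demonstration and the signature names are mine.

```python
"""Signature scan for the anti-SoftICE tricks listed above (analyst-side triage)."""
import re
import sys
from typing import List, Tuple

# (method tag from the text, description, regex over raw bytes)
SIGNATURES: List[Tuple[str, str, bytes]] = [
    ("M01", "mov ebp,'BCHK' (BoundsChecker int 3 handshake)",
     re.escape(b"\xBD\x4B\x48\x43\x42")),
    ("M02", "mov si,4647h .. mov di,4A4Dh (SoftICE int 3 back door magic values)",
     re.escape(b"\xBE\x47\x46") + b".{0,8}?" + re.escape(b"\xBF\x4D\x4A")),
    ("M03/M04", "int 2Fh/1684h with VxD ID 0202h (SICE) or 7A5Fh (SIWVID)",
     re.escape(b"\xB8\x84\x16\xBB") + b"(?:" + re.escape(b"\x02\x02") + b"|"
     + re.escape(b"\x5F\x7A") + b")" + re.escape(b"\xCD\x2F")),
    ("M05", "mov ax,4Fh / int 41h (system debugger magic 0F386h check)",
     re.escape(b"\xB8\x4F\x00\xCD\x41")),
    ("M07", "mov ah,43h / int 68h (WinICE V86 handler check)",
     re.escape(b"\xB4\x43\xCD\x68")),
    ("M11", "SoftICE driver device name (MeltICE / CreateFileA / _lopen check)",
     re.escape(b"\\\\.\\") + b"(?:SICE|SIWVID|NTICE)"),
    ("M12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     b"(?:" + re.escape(b"\x6A\x4F") + b"|" + re.escape(b"\x68\x4F\x00\x00\x00")
     + b")" + re.escape(b"\x68\x2A\x00\x2A\x00")),
    ("M13", "SoftICE registry key name",
     rb"NuMega\\SoftICE|Uninstall\\SoftICE|App Paths\\Loader32\.Exe"),
]
COMPILED = [(tag, desc, re.compile(pat, re.DOTALL)) for tag, desc, pat in SIGNATURES]


def scan(blob: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, method tag, description) for every hit, sorted by offset."""
    hits = []
    for tag, desc, rx in COMPILED:
        for m in rx.finditer(blob):
            hits.append((m.start(), tag, desc))
    return sorted(hits)


# Constructed sample: fragments of the listings above, back to back, plus the
# strings a MeltICE-style check and a registry probe would carry.
SAMPLE = (
    b"\x90" * 4                                                    # padding
    + b"\xBD\x4B\x48\x43\x42\x66\xB8\x04\x00\xCC\x3C\x04"           # M01: mov ebp,'BCHK'; mov ax,4; int 3; cmp al,4
    + b"\x90" * 3
    + b"\xB8\x11\x09\xBE\x47\x46\xBF\x4D\x4A\xCC"                   # M02: mov ax,0911h; mov si,4647h; mov di,4A4Dh; int 3
    + b"\x33\xFF\x8E\xC7\xB8\x84\x16\xBB\x02\x02\xCD\x2F"           # M03: xor di,di; mov es,di; mov ax,1684h; mov bx,0202h; int 2Fh
    + b"\xB8\x4F\x00\xCD\x41\x3D\x86\xF3"                           # M05: mov ax,4Fh; int 41h; cmp ax,0F386h
    + b"\\\\.\\SICE\x00"                                           # M11: "\\.\SICE"
    + b"Software\\NuMega\\SoftICE\x00"                             # M13: registry key
)


def main(argv: List[str]) -> int:
    blob = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for offset, tag, desc in scan(blob):
        print(f"{offset:08x}  {tag:8}  {desc}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on a file to list hits by offset, or without arguments to see the constructed sample produce one hit per embedded trick. The obvious limits apply: a packer that decrypts its stub at run time hides the immediates until it runs, and a variant that loads the magic values through registers or arithmetic rather than immediates will not match, so this is a first-pass triage aid, not proof of absence.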