About anti-SoftICE tricks

Posted on 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: with EBP='BCHK' and
AX=4, a loaded SoftICE handles the INT 3 and changes AL, so AL is still 4
only when nothing answered the call.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to reach the SoftICE 'Back Door commands', which give information on
breakpoints, execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
Which are the 'magic values' used by SoftICE.
For more information, see Ralf Brown's Interrupt List, chapter int 03h.

Here is one example from the file "Haspinst.exe", the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx points to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call (if SIce is not loaded, jmp to 00AD*).
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(Get Device API Entry Point). ES:DI is zeroed first and is left at 0 when
no VxD with that ID is installed.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -> VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in AX) by all system
debuggers. It calls int 41h, function 4Fh (debugger installation check).
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector in the IVT is swapped
for a dummy IRET handler around the call, so AX can only come back as 0F386h
if something other than the program's own handler answered the interrupt:

    xor     ax,ax
    mov     es,ax           ; ES = 0: the interrupt vector table (as in Method 06)
    mov     bx, cs
    lea     dx, int41handler2
    xchg    dx, es:[41h*4]  ; install the dummy int 41h vector
    xchg    bx, es:[41h*4+2]
    mov     ax,4fh
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect: no
function number is passed (AL holds a byte read from timer port 40h), so a
"BPINT 41 if ax==4f" never fires. The temporary handler copies AL into CL;
CL != AL afterwards means the program's own handler was never reached, i.e.
something else answered the int 41h.

int41handler PROC
    mov     cl,al
    iret
int41handler ENDP

    xor     ax,ax
    mov     es,ax           ; ES = 0: the interrupt vector table
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]  ; install the temporary int 41h vector
    xchg    bx, es:[41h*4+2]
    in      al, 40h         ; unpredictable AL instead of a function number
    xor     cx,cx
    int     41h
    xchg    dx, es:[41h*4]  ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=> it is not possible to set a BPINT 68 with SoftICE but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (function called is located at byte ptr [ebp+1Dh] and client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________


Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector) with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov     ah, 25h                     ; set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; DS:DX = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using VxDCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the debug registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with the SoftICE loader, 0x400 otherwise:
bit 10 of DR7 is reserved and always reads as 1, and the loader additionally
sets the LE and GE bits 8 and 9) or if there are some memory breakpoints set
(dr0 to dr3) simply by reading their value (in ring0 only). Values can be
manipulated and/or changed as well (clearing BPMs for instance).

__________________________________________________________________________
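The 0x400/0x700 values above are plain DR7 bit patterns, and BPMs live in the same four hardware breakpoint slots. The decoder below is an added example (Python; not from the original text and not a NuMega tool): it takes a DR7 value as an integer, since reading the register itself needs ring 0, and reports the LE/GE bits the SoftICE loader sets, the enabled BPM slots with their R/W and LEN fields, and what clearing the BPMs leaves behind. The bit layout is the documented x86 one; the sample value is constructed.

```python
"""Decoder for the DR7 values Method 10 relies on.

Added example, not code from the original text.  It uses the documented x86
DR7 layout: L0..L3 and G0..G3 enable bits in bits 0-7, LE/GE in bits 8-9,
bit 10 reserved (always reads as 1), R/Wn in bits 16+4n..17+4n and LENn in
bits 18+4n..19+4n.  Reading DR7 itself needs ring 0 (mov eax, dr7), so the
values below are constructed inputs, not registers read from a CPU.
"""
from typing import Dict, List

RW_KINDS = {0: "execute", 1: "write", 2: "io", 3: "read/write"}
LEN_BYTES = {0: 1, 1: 2, 2: 8, 3: 4}   # LEN=2 is 8 bytes on x86-64, undefined on 386/486


def decode_dr7(dr7: int) -> Dict:
    """Return the enabled hardware breakpoint slots (SoftICE's BPMs) together
    with the LE/GE flags and the reserved bit 10."""
    slots: List[Dict] = []
    for n in range(4):
        local = (dr7 >> (2 * n)) & 1
        glob = (dr7 >> (2 * n + 1)) & 1
        if not (local or glob):
            continue
        rw = (dr7 >> (16 + 4 * n)) & 3
        ln = (dr7 >> (18 + 4 * n)) & 3
        slots.append({"slot": n, "local": bool(local), "global": bool(glob),
                      "kind": RW_KINDS[rw], "length": LEN_BYTES[ln]})
    return {"slots": slots,
            "le": bool(dr7 & 0x100), "ge": bool(dr7 & 0x200),
            "reserved_bit10": bool(dr7 & 0x400)}


def loaded_with_softice_loader(dr7: int) -> bool:
    """Method 10's first test: 0x700 (LE and GE set by the loader) vs 0x400."""
    return (dr7 & 0x300) == 0x300


def has_bpm(dr7: int) -> bool:
    """Method 10's second test: any L/G enable bit means a BPM is armed."""
    return (dr7 & 0xFF) != 0


def clear_bpm(dr7: int) -> int:
    """What 'values can be manipulated' amounts to: drop the enable bits and
    the R/W-LEN fields, keep bits 8-15 (LE, GE, reserved bit 10, GD)."""
    return dr7 & 0xFF00


if __name__ == "__main__":
    # constructed: loader-set LE/GE plus a 4-byte global read/write BPM in slot 1
    sample = 0x700 | (1 << 3) | (3 << 20) | (3 << 22)
    print(hex(sample), decode_dr7(sample))
    print("loader:", loaded_with_softice_loader(sample), "bpm:", has_bpm(sample))
    print("after clear:", hex(clear_bpm(sample)))
```

A program running this check in ring 0 would only ever see the 0x400 baseline on a machine with no hardware breakpoints armed; anything in the low byte is a BPM or another debugger's watchpoint, and the LE/GE pair is what the loader-specific 0x700 adds on top.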

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* "\\\\.\\SICE" is the device name \\.\SICE; \\.\SIWVID and
      \\.\NTICE (WinNT) are checked the same way */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);      /* the driver answered: SoftICE is loaded */
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
In fact, its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F && (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (codes 05
& 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in the Bleem demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 && edx->1c==4f && edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A && esp->8==4f   ; slooooow!!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
\App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it (0x13 and 0x37 are the offsets of "tICE" in
the #2 and #1 subkey strings):

     BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed        ; ZF set when no debugger is installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>
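Most of the tricks above (Methods 01 to 07, 11, 12 and 13) leave fixed immediates, interrupt opcodes or strings in the executable, so they can be located statically before the program is traced under SoftICE. The scanner below is an added example (Python; not part of the original text and not a NuMega tool). The x86 encodings are the standard ones (mov si,imm16 = BE iw, mov ax,imm16 = B8 iw, int 3 = CC or CD 03, int imm8 = CD ib, push imm8 = 6A ib); the maximum gap of 16 bytes between related immediates, the UTF-16 variants of the strings (for the W versions of the APIs) and the sample bytes (the Haspinst.exe sequence of Method 02 assembled by hand, plus a Method 05 check, a MeltICE device name and a Method 13 registry key) are this example's own assumptions.

```python
"""Static scanner for the anti-SoftICE patterns of Methods 01-07, 11, 12 and 13.

Added example (not from the original text).  It searches raw x86 code for the
immediates and interrupt opcodes those tricks have to contain, e.g.
mov si,4647h = BE 47 46, int 3 = CC or CD 03, and for the driver/registry
strings used by the MeltICE and registry checks, both as ASCII and UTF-16LE.
".{0,16}?" between the immediates is an assumed maximum gap.
"""
import re
from typing import List, NamedTuple


class Hit(NamedTuple):
    method: str
    offset: int
    what: str


_CODE_SIGS = [
    ("01", "mov ebp,'BCHK' ... int 3 (BoundsChecker interface)",
     rb"\xBD\x4B\x48\x43\x42.{0,16}?(?:\xCC|\xCD\x03)"),
    ("02", "mov si,4647h / mov di,4A4Dh ... int 3 (back door magic)",
     rb"\xBE\x47\x46.{0,16}?\xBF\x4D\x4A.{0,16}?(?:\xCC|\xCD\x03)"),
    ("03", "mov ax,1684h / mov bx,0202h / int 2Fh (SICE VxD id)",
     rb"\xB8\x84\x16.{0,16}?\xBB\x02\x02.{0,16}?\xCD\x2F"),
    ("04", "mov ax,1684h / mov bx,7A5Fh / int 2Fh (SIWVID VxD id)",
     rb"\xB8\x84\x16.{0,16}?\xBB\x5F\x7A.{0,16}?\xCD\x2F"),
    ("05", "mov ax,4Fh / int 41h (debugger installation check)",
     rb"\xB8\x4F\x00.{0,16}?\xCD\x41"),
    ("07", "mov ah,43h / int 68h (WinICE V86 handler)",
     rb"\xB4\x43.{0,16}?\xCD\x68"),
    ("12", "push 4Fh / push 002A002Ah (VWIN32_Int41Dispatch via VxDCall)",
     rb"(?:\x6A\x4F|\x68\x4F\x00\x00\x00)\x68\x2A\x00\x2A\x00"),
]

_STRING_SIGS = [
    ("11", r"\\.\SICE"), ("11", r"\\.\SIWVID"), ("11", r"\\.\NTICE"),
    ("13", r"Software\NuMega\SoftICE"),
    ("13", r"Uninstall\SoftICE"),
    ("13", r"App Paths\Loader32.Exe"),
]


def _compile():
    sigs = [(m, w, re.compile(p, re.DOTALL)) for m, w, p in _CODE_SIGS]
    for m, s in _STRING_SIGS:
        for enc in ("ascii", "utf-16-le"):      # CreateFileA/W, RegOpenKeyA/W
            sigs.append((m, f"string {s} ({enc})",
                         re.compile(re.escape(s.encode(enc)))))
    return sigs


_SIGS = _compile()


def scan(code: bytes) -> List[Hit]:
    """Every signature hit in `code`, ordered by file offset."""
    hits = [Hit(m, mo.start(), w) for m, w, rx in _SIGS for mo in rx.finditer(code)]
    return sorted(hits, key=lambda h: (h.offset, h.method))


def methods_found(code: bytes) -> List[str]:
    """Sorted, de-duplicated method numbers present in `code`."""
    return sorted({h.method for h in scan(code)})


# Constructed sample with offsets known in advance: the Haspinst.exe sequence
# of Method 02 assembled to bytes, a Method 05 check, a MeltICE device name and
# a Method 13 registry key, separated by 8-byte NOP runs.
_NOPS = b"\x90" * 8
SAMPLE = (
    _NOPS
    # mov ax,0911h / mov dx,[bx] / mov si,4647h / mov di,4A4Dh / int 3 /
    # add bx,2 / inc cx / cmp cx,6 / jb / jmp / mov bx,sp
    + bytes.fromhex("B81109 8B17 BE4746 BF4D4A CC 83C302 41 83F906 72EB E955FF 8BDC")
    + _NOPS
    + bytes.fromhex("B84F00 CD41 3D86F3 7410")   # mov ax,4Fh / int 41h / cmp ax,0F386h / jz
    + _NOPS
    + b"\\\\.\\SICE\x00"
    + _NOPS
    + b"Software\\NuMega\\SoftICE\x00"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:#06x}  method {h.method}: {h.what}")
```

Running the block prints each hit with its offset; for a real target read the file with open(path, "rb").read() and pass the bytes to scan(). The short signatures (Method 07 is only four bytes) can also match inside data, so treat hits as places to set a BPX, not as proof on their own.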
汶上信息港 | Powered by Discuz! X5.0