<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detecting SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It relies on the BoundsChecker interface built into SoftICE: with
EBP = 'BCHK' and AX = 4, SoftICE's INT 3 handler modifies AL, so AL
still being 4 afterwards means no SoftICE.

    mov ebp, 04243484Bh ; 'BCHK'
    mov ax, 04h
    int 3
    cmp al,4
    jnz SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a very widely used method (perhaps the most frequent one). It uses
the SoftICE 'back door commands' on INT 3, which give information on
breakpoints or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any command
(HBOOT...) :-((
Here is a quick description:
-AX = 0910h (Display string in SIce window)
-AX = 0911h (Execute SIce command; the command string is at ds:dx)
-AX = 0912h (Get breakpoint info)
-AX = 0913h (Set SIce breakpoints)
-AX = 0914h (Remove SIce breakpoints)
Each time you meet this trick, you will see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the dongle HASP
Envelope utility used to protect DOS applications:

    4C19:0095 MOV AX,0911   ; execute command.
    4C19:0098 MOV DX,[BX]   ; ds:dx points to the command (see below).
    4C19:009A MOV SI,4647   ; 1st magic value.
    4C19:009D MOV DI,4A4D   ; 2nd magic value.
    4C19:00A0 INT 3         ; Int call (if SIce is not loaded, jmp to 00AD*).
    4C19:00A1 ADD BX,02     ; BX+2 to point to the next command to execute.
    4C19:00A4 INC CX
    4C19:00A5 CMP CX,06     ; Repeat 6 times to execute
    4C19:00A8 JB 0095       ; 6 different commands.
    4C19:00AA JMP 0002      ; Bad_Guy: jmp back.
    4C19:00AD MOV BX,SP     ; Good_Guy: go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.
* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________


Method 03
=========

Less used method. It asks for the API entry point of the SoftICE VxD via
int 2Fh, function 1684h (Get Device API Entry Point): if the VxD is loaded,
ES:DI comes back non-zero.

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 0202h       ; VxD ID of winice
    int 2Fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one, except that it seeks the ID of the
SoftICE GFX VxD (SIWVID).

    xor di,di
    mov es,di
    mov ax, 1684h
    mov bx, 7a5Fh       ; VxD ID of SIWVID
    int 2fh
    mov ax, es          ; ES:DI -> VxD API entry point
    add ax, di
    test ax,ax
    jnz SoftICE_Detected
__________________________________________________________________________


Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.
The following one is the simplest:

    mov ax,4fh
    int 41h
    cmp ax, 0F386h
    jz SoftICE_detected

The next snippet, as well as Method 06, are two examples from Stone's
"stn-wid.zip" (www.cracking.net). The int 41h vector is temporarily
replaced by a dummy handler so that a plain DOS debugger's own handler
does not answer; ES must already point to the interrupt vector table
(segment 0), as in Method 06:

    mov bx, cs
    lea dx, int41handler2
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector
    xchg bx, es:[41h*4+2]
    mov ax,4fh
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp ax, 0f386h
    jz SoftICE_detected

int41handler2 PROC
    iret
int41handler2 ENDP

_________________________________________________________________________


Method 06
=========

2nd method, similar to the preceding one but more difficult to detect.
Reading the code: the program installs its own int 41h handler, which only
copies AL into CL, loads AL with a byte read from the timer port 40h and
calls int 41h. If SoftICE's handler takes the call instead, CL keeps the
value 0 from "xor cx,cx" and no longer matches AL.

int41handler PROC
    mov cl,al
    iret
int41handler ENDP

    xor ax,ax
    mov es,ax               ; ES = 0 -> interrupt vector table
    mov bx, cs
    lea dx, int41handler
    xchg dx, es:[41h*4]     ; swap in our own int 41h vector
    xchg bx, es:[41h*4+2]
    in al, 40h              ; pseudo-random byte from the PIT
    xor cx,cx
    int 41h
    xchg dx, es:[41h*4]     ; restore the original vector
    xchg bx, es:[41h*4+2]
    cmp cl,al
    jnz SoftICE_detected
_________________________________________________________________________

Method 07
=========

Detection of the WinICE handler on int 68h (V86 mode):

    mov ah,43h
    int 68h
    cmp ax,0F386h
    jz SoftICE_Detected

=> it is not possible to set a BPINT 68 with SoftICE, but you can hook a
   32-bit app like this:

    BPX exec_int if ax==68
(the function called is located at byte ptr [ebp+1Dh] and the client eip is
 located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

Method 08
=========

It is not a method of detecting SoftICE but a way to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get interrupt vector), with
ds:dx pointing to the new routine to execute (hangs the computer...)

    mov ah, 25h                     ; DOS: set interrupt vector
    mov al, Int_Number              ; 01h or 03h
    mov dx, offset New_Int_Routine  ; DS:DX -> new handler
    int 21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h), but it is only
performed in ring0 (a VxD, or a ring3 app using VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device, and returns a Device Description Block (in ecx) for
that device if it is installed.

    mov eax, Device_ID      ; 202h for SICE or 7a5Fh for SIWVID VxD ID
    mov edi, Device_Name    ; only used if no VxD ID (useless in our case ;-)
    VMMCall Get_DDB
    mov [DDB], ecx          ; ecx=DDB, or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:

    bpx Get_DDB if ax==0202 || ax==7a5fh

__________________________________________________________________________

Method 10
=========

=> Disable or clear breakpoints before using this feature. DO NOT trace with
   SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers (ring0 only), you can detect if SoftICE is
loaded (dr7=0x700 if the program was loaded with the SoftICE loader, 0x400
otherwise) or if some memory breakpoints are set (dr0 to dr3), simply by
reading their values. The values can also be manipulated or changed
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========
This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However, it was first used by NuMega people to allow
Symbol Loader to check whether SoftICE was active or not (the code is located
inside nmtrans.dll).
The way it works is very simple:
it tries to open the SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;   /* CreateFile, CloseHandle, HANDLE, BOOL */

BOOL IsSoftIce95Loaded()
{
    HANDLE hFile;
    /* opening the device name succeeds only if the SICE VxD is loaded */
    hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if( hFile != INVALID_HANDLE_VALUE )
    {
        CloseHandle(hFile);
        return TRUE;
    }
    return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it goes through VWIN32 service 0x001F,
_VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function),
and then browses the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened, and will then be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.

    00401067: push 00402025     ; \\.\SICE
    0040106C: call CreateFileA
    00401071: cmp eax,-001
    00401074: je 00401091

There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
    BPX CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' ||
    *(esp->4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
    BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
    ;will break 3 times :-(

-or (a bit) faster:
    BPINT 30 if (*edi=='SICE' || *edi=='SIWV')
    BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
    ;will break 3 times :-(

-Much faster:
    BPX VMM_GetDDBList if eax->3=='SICE' || eax->3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

    push 00                 ; OF_READ
    mov eax,[00656634]      ; '\\.\SICE',0
    push eax
    call KERNEL32!_lopen
    inc eax
    jnz 00650589            ; detected
    push 00                 ; OF_READ
    mov eax,[00656638]      ; '\\.\SICE'
    push eax
    call KERNEL32!_lopen
    inc eax
    jz 006505ae             ; not detected


__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh debugger installation check (methods
05 and 06) but very limited, because it is only available on Win95/98 (not
NT) as it uses the VxDCall backdoor. This detection was found in the Bleem
demo.

    push 0000004fh          ; function 4fh
    push 002a002ah          ; high word specifies which VxD (VWIN32),
                            ; low word specifies which service
                            ; (VWIN32_Int41Dispatch)
    call Kernel32!ORD_001   ; VxdCall
    cmp ax, 0f386h          ; magic number returned by system debuggers
    jz SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386 ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx->1c==4f &amp;&amp; edx->10==002A002A

    BPX Kernel32!ord_0001 if esp->4==002A002A &amp;&amp; esp->8==4f ; slooooow!
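The SoftICE breakpoints above only fire while the trick is running. As an added example that is not part of the original text, here is a static scanner that looks for the byte patterns of Methods 01, 02, 05, 11 and 12 in a binary blob; the opcode encodings are assumed from the listings (16-bit code for Methods 02 and 05, 32-bit code for 01 and 12) and the sample bytes are constructed, not taken from any real program.

```python
import re

# Each entry: (tag, regex over raw bytes). Encodings assumed from the
# listings in this text; short gaps (.{0,8}?) allow a few filler opcodes.
SIGNATURES = [
    # Method 01: mov ebp,4243484Bh ('BCHK'); mov ax,4; int 3; cmp al,4
    ("BCHK-int3", re.compile(
        rb"\xBD\x4B\x48\x43\x42.{0,8}?\x66\xB8\x04\x00\xCC\x3C\x04", re.S)),
    # Method 02: mov si,4647h and mov di,4A4Dh (either order) before int 3
    ("backdoor-int3", re.compile(
        rb"(?:\xBE\x47\x46.{0,8}?\xBF\x4D\x4A|\xBF\x4D\x4A.{0,8}?\xBE\x47\x46)"
        rb".{0,8}?\xCC", re.S)),
    # Method 05: mov ax,4Fh; int 41h; cmp ax,0F386h
    ("int41-4F", re.compile(rb"\xB8\x4F\x00\xCD\x41.{0,8}?\x3D\x86\xF3", re.S)),
    # Method 11: driver device names handed to CreateFileA / _lopen
    ("meltice-device", re.compile(rb"\\\\\.\\(?:SICE|SIWVID|NTICE)")),
    # Method 12: push 4Fh; push 002A002Ah (VWIN32_Int41Dispatch) before VxDCall
    ("vxdcall-int41", re.compile(rb"\x6A\x4F\x68\x2A\x00\x2A\x00")),
]


def scan(blob: bytes):
    """Return a sorted list of (offset, tag) for every signature hit in blob."""
    hits = []
    for tag, pattern in SIGNATURES:
        for match in pattern.finditer(blob):
            hits.append((match.start(), tag))
    return sorted(hits)


# Constructed sample: Method 01, a Haspinst-style Method 02 sequence, the
# MeltICE device name and the Method 12 VxDCall prologue, separated by NOPs.
SAMPLE = (
    b"\x90" * 4
    + b"\xBD\x4B\x48\x43\x42"      # mov ebp, 4243484Bh
    + b"\x66\xB8\x04\x00"          # mov ax, 4
    + b"\xCC"                      # int 3
    + b"\x3C\x04"                  # cmp al, 4
    + b"\x75\x10"                  # jnz SoftICE_Detected
    + b"\x90" * 4
    + b"\xB8\x11\x09"              # mov ax, 0911h
    + b"\x8B\x17"                  # mov dx, [bx]
    + b"\xBE\x47\x46"              # mov si, 4647h
    + b"\xBF\x4D\x4A"              # mov di, 4A4Dh
    + b"\xCC"                      # int 3
    + b"\x90" * 4
    + b"\\\\.\\SICE\x00"           # "\\.\SICE",0
    + b"\x90" * 4
    + b"\x6A\x4F"                  # push 4Fh
    + b"\x68\x2A\x00\x2A\x00"      # push 002A002Ah
)

if __name__ == "__main__":
    for offset, tag in scan(SAMPLE):
        print(f"{offset:08x}  {tag}")
```

Run it over a file's bytes (`scan(open(path, "rb").read())`) to triage a sample before single-stepping it; a hit marks a place to set one of the breakpoints listed above.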

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few programs which access the following registry keys
(usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe

Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(
Useful breakpoint to detect it:

    BPX _regopenkey if *(esp->8+0x13)=='tICE' || *(esp->8+0x37)=='tICE'

__________________________________________________________________________


Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

    VMMCall Test_Debug_Installed
    je not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>