About anti-SoftICE tricks

Posted 2008-9-28 16:34:50
<TABLE width=500>
<TBODY>
<TR>
<TD><PRE>Method 01
=========

This method of detection of SoftICE (as well as the following one) is
used by the majority of packers/encryptors found on the Internet.
It seeks the signature of BoundsChecker in SoftICE: when SoftICE is loaded,
its int 3 handler recognises the 'BCHK' magic in ebp and al no longer
holds 4 on return.

    mov     ebp, 04243484Bh        ; 'BCHK'
    mov     ax, 04h
    int     3
    cmp     al,4
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 02
=========

Still a method very much used (perhaps the most frequent one).  It is used
to get SoftICE 'Back Door commands', which give information on breakpoints,
or execute SoftICE commands...
It is also used to crash SoftICE and to force it to execute any commands
(HBOOT...) :-((

Here is a quick description:
-AX = 0910h   (Display string in SIce window)
-AX = 0911h   (Execute SIce command; the command string is at ds:dx)
-AX = 0912h   (Get breakpoint infos)
-AX = 0913h   (Set SIce breakpoints)
-AX = 0914h   (Remove SIce breakpoints)

Each time you'll meet this trick, you'll see:
-SI = 4647h
-DI = 4A4Dh
which are the 'magic values' used by SoftICE.
For more information, see "Ralf Brown's Interrupt List", chapter int 03h.

Here is one example from the file "Haspinst.exe", which is the HASP dongle
Envelope utility used to protect DOS applications:


4C19:0095   MOV    AX,0911  ; execute command.
4C19:0098   MOV    DX,[BX]  ; ds:dx point to the command (see below).
4C19:009A   MOV    SI,4647  ; 1st magic value.
4C19:009D   MOV    DI,4A4D  ; 2nd magic value.
4C19:00A0   INT    3        ; Int call.(if SIce is not loaded, jmp to 00AD*)
4C19:00A1   ADD    BX,02    ; BX+2 to point to next command to execute
4C19:00A4   INC    CX
4C19:00A5   CMP    CX,06    ; Repeat 6 times  to execute
4C19:00A8   JB     0095     ; 6 different commands.
4C19:00AA   JMP    0002     ; Bad_Guy jmp back.
4C19:00AD   MOV    BX,SP    ; Good_Guy go ahead :)

The program will execute 6 different SIce commands located at ds:dx, which
are: LDT, IDT, GDT, TSS, RS, and ...HBOOT.

* the "jmp to 00ADh" is performed via an SEH if the debugger is not loaded.
___________________________________________________________________________

Method 03
=========

Less used method.  It seeks the ID of the SoftICE VxD via int 2Fh/1684h
(API Get Entry Point). ES:DI is zero on return when no VxD answers to that ID.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 0202h       ; VxD ID of winice
    int     2Fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

___________________________________________________________________________

Method 04
=========

Method identical to the preceding one except that it seeks the ID of the
SoftICE GFX VxD.

    xor     di,di
    mov     es,di
    mov     ax, 1684h
    mov     bx, 7a5Fh       ; VxD ID of SIWVID
    int     2fh
    mov     ax, es          ; ES:DI -&gt; VxD API entry point
    add     ax, di
    test    ax,ax
    jnz     SoftICE_Detected

__________________________________________________________________________

Method 05
=========

Method seeking the 'magic number' 0F386h returned (in ax) by all system
debuggers. It calls int 41h, function 4Fh.
There are several alternatives.

The following one is the simplest:

    mov     ax,4fh
    int     41h
    cmp     ax, 0F386h
    jz      SoftICE_detected


The next method as well as the following one are 2 examples from Stone's
"stn-wid.zip" (www.cracking.net):

    mov     bx, cs
    lea     dx, int41handler2   ; bx:dx = our stub (ES must be 0 here, as set in Method 06)
    xchg    dx, es:[41h*4]      ; swap the stub into the int 41h IVT entry,
    xchg    bx, es:[41h*4+2]    ; keeping the original vector in bx:dx
    mov     ax,4fh
    int     41h                 ; a system debugger answers with ax=0F386h; the stub leaves ax untouched
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     ax, 0f386h
    jz      SoftICE_detected

int41handler2 PROC
    iret                        ; does nothing: without a debugger, ax comes back unchanged
int41handler2 ENDP


_________________________________________________________________________

Method 06
=========

2nd method, similar to the preceding one but more difficult to detect
(it does not use function 4Fh, so a BPINT 41 if ax==4f will not catch it):

int41handler PROC
    mov     cl,al               ; the stub only records al in cl
    iret
int41handler ENDP


    xor     ax,ax
    mov     es,ax               ; es = 0 (IVT segment)
    mov     bx, cs
    lea     dx, int41handler
    xchg    dx, es:[41h*4]      ; install the stub as int 41h handler, keep the old vector in bx:dx
    xchg    bx, es:[41h*4+2]
    in      al, 40h             ; al = timer counter byte, an unpredictable value
    xor     cx,cx
    int     41h                 ; if our stub runs, cl becomes equal to al
    xchg    dx, es:[41h*4]      ; restore the original vector
    xchg    bx, es:[41h*4+2]
    cmp     cl,al               ; cl != al: something else handled int 41h
    jnz     SoftICE_detected

_________________________________________________________________________

Method 07
=========

Method of detection of the WinICE handler in int 68h (V86):

    mov     ah,43h
    int     68h
    cmp     ax,0F386h
    jz      SoftICE_Detected


=&gt; it is not possible to set a BPINT 68 with SoftICE, but you can hook a 32-bit
   app like this:

   BPX exec_int if ax==68
   (the function called is located at byte ptr [ebp+1Dh] and the client eip is
   located at [ebp+48h] for 32-bit apps)
__________________________________________________________________________

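Methods 01 to 07 all compile to short, fixed opcode sequences, so an analyst
triaging a sample can flag them statically before single-stepping into them.
The following Python scanner is an added example for this page, not code from
the original article: the signature names, the gap windows between the moving
of the magic values and the int instruction, and the SAMPLE buffer are my own
constructions (SAMPLE is hand-assembled from the instruction encodings, not
taken from any real binary). The optional 66h prefix covers the same 16-bit
register moves when they are compiled inside a 32-bit code segment.

```python
"""Static scanner for the interrupt-based SoftICE checks (Methods 01 to 07).

Added example for this page, not code from the original article.  Signature
names, gap windows and the hand-assembled SAMPLE buffer are constructed here.
"""
import re

# Each signature is a bytes regex over raw code.  The optional \x66 prefix
# covers the same 16-bit register moves compiled in a 32-bit code segment.
SIGNATURES = {
    # Method 01: mov ebp,4243484Bh ('BCHK') ... int 3
    "bchk_int3": re.compile(rb"\xBD\x4B\x48\x43\x42.{0,12}?\xCC", re.DOTALL),
    # Method 02: mov si,4647h / mov di,4A4Dh back-door magic values
    "int3_backdoor_magic": re.compile(
        rb"\x66?\xBE\x47\x46.{0,16}?\x66?\xBF\x4D\x4A", re.DOTALL),
    # Methods 03/04: mov bx,0202h (SICE) or mov bx,7A5Fh (SIWVID) ... int 2Fh
    "int2f_vxd_probe": re.compile(
        rb"\x66?\xBB(?:\x02\x02|\x5F\x7A).{0,12}?\xCD\x2F", re.DOTALL),
    # Method 05: mov ax,4Fh ... int 41h (Method 06 avoids 4Fh on purpose)
    "int41_4f": re.compile(rb"\x66?\xB8\x4F\x00.{0,12}?\xCD\x41", re.DOTALL),
    # Method 07: mov ah,43h ... int 68h
    "int68_43": re.compile(rb"\xB4\x43.{0,12}?\xCD\x68", re.DOTALL),
    # Methods 05 and 07 end with cmp ax,0F386h (the system-debugger magic)
    "cmp_ax_f386": re.compile(rb"\x66?\x3D\x86\xF3"),
}


def scan(data):
    """Return sorted (offset, signature_name) pairs for every hit in data."""
    hits = []
    for name, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)


def methods_found(data):
    """Sorted list of distinct signature names present, for a quick verdict."""
    return sorted({name for _, name in scan(data)})


# Hand-assembled (constructed) buffer: Method 01 in a 32-bit segment, then
# Method 03 and Method 05 as 16-bit code, separated by NOP padding.
SAMPLE = (
    b"\x90" * 4
    # 0x04: mov ebp,4243484Bh ; mov ax,4 (66 prefix) ; int 3 ; cmp al,4 ; jnz
    + b"\xBD\x4B\x48\x43\x42" + b"\x66\xB8\x04\x00" + b"\xCC" + b"\x3C\x04" + b"\x75\x10"
    + b"\x90" * 4
    # 0x16: xor di,di ; mov es,di ; mov ax,1684h ; mov bx,0202h ; int 2Fh
    + b"\x33\xFF" + b"\x8E\xC7" + b"\xB8\x84\x16" + b"\xBB\x02\x02" + b"\xCD\x2F"
    + b"\x90" * 4
    # 0x26: mov ax,4Fh ; int 41h ; cmp ax,0F386h ; jz
    + b"\xB8\x4F\x00" + b"\xCD\x41" + b"\x3D\x86\xF3" + b"\x74\x05"
)

if __name__ == "__main__":
    for offset, name in scan(SAMPLE):
        print("0x%04x  %s" % (offset, name))
```

The gap windows keep the signatures tolerant of a few interleaved
instructions, at the price of occasional false positives on data; a packer
that computes the magic immediates at run time instead of encoding them
directly will not be caught this way, so treat a hit as a triage lead and an
empty result as no evidence rather than as proof of absence.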
Method 08
=========

It is not a method of detection of SoftICE but a possibility to crash the
system by intercepting int 01h and int 03h and redirecting them to another
routine.
It calls int 21h functions 25h and 35h (set/get int vector) and ds:dx points
to the new routine to execute (hangs computer...)

    mov     ah, 25h                     ; DOS set interrupt vector
    mov     al, Int_Number              ; 01h or 03h
    mov     dx, offset New_Int_Routine  ; ds:dx = new handler
    int     21h

__________________________________________________________________________

Method 09
=========

This method is close to methods 03 and 04 (int 2Fh/1684h) but it is only
performed in ring0 (VxD or a ring3 app using the VxdCall).
The Get_DDB service is used to determine whether or not a VxD is installed
for the specified device and returns a Device Description Block (in ecx) for
that device if it is installed.

   mov     eax, Device_ID   ; 202h for SICE or 7a5Fh for SIWVID VxD ID
   mov     edi, Device_Name ; only used if no VxD ID (useless in our case ;-)
   VMMCall Get_DDB
   mov     [DDB], ecx       ; ecx=DDB or 0 if the VxD is not installed

Note as well that you can easily detect this method with SoftICE:
   bpx Get_DDB if ax==0202 || ax==7a5fh


__________________________________________________________________________

Method 10
=========

=&gt;Disable or clear breakpoints before using this feature. DO NOT trace with
  SoftICE while the option is enabled!!

This trick is very efficient:
by checking the Debug Registers, you can detect if SoftICE is loaded
(dr7=0x700 if you loaded the soft with SoftICE loader, 0x400 otherwise) or if
there are some memory breakpoints set (dr0 to dr3) simply by reading their
value (in ring0 only). Values can be manipulated and/or changed as well
(clearing BPMs for instance).

__________________________________________________________________________

Method 11
=========

This method is best known as 'MeltICE' because it has been freely distributed
via www.winfiles.com. However it was first used by NuMega people to allow
Symbol Loader to check if SoftICE was active or not (the code is located
inside nmtrans.dll).

The way it works is very simple:
It tries to open SoftICE driver handles (SICE, SIWVID for Win9x, NTICE for
WinNT) with the CreateFileA API.

Here is a sample (checking for 'SICE'):

#include &lt;windows.h&gt;

BOOL IsSoftIce95Loaded()
{
   HANDLE hFile;
   /* open the SICE VxD by its device name; this only succeeds if it is loaded */
   hFile = CreateFile( "\\\\.\\SICE", GENERIC_READ | GENERIC_WRITE,
                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                      NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
   if( hFile != INVALID_HANDLE_VALUE )
   {
      CloseHandle(hFile);
      return TRUE;
   }
   return FALSE;
}

Although this trick calls the CreateFileA function, don't even expect to be
able to intercept it by installing an IFS hook: it will not work, no way!
In fact, after the call to CreateFileA it will get through the VWIN32 0x001F
service _VWIN32_ReleaseWin32Mutex (via the Kernel32!ORD_0001/VxDCall function)
and then browse the DDB list until it finds the VxD and its DDB_Control_Proc
field.
Its purpose is not to load/unload VxDs but only to send a
W32_DEVICEIOCONTROL (0x23) control message (DIOC_OPEN and DIOC_CLOSEHANDLE)
to the VxD Control_Dispatch proc (how the hell could a shareware soft try
to load/unload a non-dynamically loadable driver such as SoftICE ;-).
If the VxD is loaded, it will always clear eax and the Carry flag to allow
its handle to be opened and then, will be detected.
You can check that simply by hooking the Winice.exe control proc entry point
while running MeltICE.


  00401067:  push      00402025    ; \\.\SICE
  0040106C:  call      CreateFileA
  00401071:  cmp       eax,-001
  00401074:  je        00401091


There could be hundreds of BPX you could use to detect this trick.
-The most classical one is:
  BPX CreateFileA if *(esp-&gt;4+4)=='SICE' || *(esp-&gt;4+4)=='SIWV' ||
    *(esp-&gt;4+4)=='NTIC'

-The most exotic ones (could be very slooooow :-(
   BPINT 30 if eax==002A001F &amp;&amp; (*edi=='SICE' || *edi=='SIWV')
     ;will break 3 times :-(

-or (a bit) faster:
   BPINT 30 if (*edi=='SICE' || *edi=='SIWV')

   BPX KERNEL32!ORD_0001 if *edi=='SICE' || *edi=='SIWV'
     ;will break 3 times :-(

-Much faster:
   BPX VMM_GetDDBList if eax-&gt;3=='SICE' || eax-&gt;3=='SIWV'

Note also that some programs (like AZPR3.00) use the old 16-bit _lopen
function to do the same job:

   push    00                        ; OF_READ
   mov     eax,[00656634]            ; '\\.\SICE',0
   push    eax
   call    KERNEL32!_lopen
   inc     eax                       ; HFILE_ERROR (-1) becomes 0 when the open failed
   jnz     00650589                  ; detected
   push    00                        ; OF_READ
   mov     eax,[00656638]            ; '\\.\SICE'
   push    eax
   call    KERNEL32!_lopen
   inc     eax
   jz      006505ae                  ; not detected



__________________________________________________________________________

Method 12
=========

This trick is similar to the int41h/4fh Debugger installation check (methods 05
&amp; 06) but very limited because it's only available for Win95/98 (not NT)
as it uses the VxDCall backdoor. This detection was found in Bleem Demo.

   push  0000004fh         ; function 4fh
   push  002a002ah         ; high word specifies which VxD (VWIN32)
                           ; low word specifies which service
                           ; (VWIN32_Int41Dispatch)
   call  Kernel32!ORD_001  ; VxdCall
   cmp   ax, 0f386h        ; magic number returned by system debuggers
   jz    SoftICE_detected

Here again, several ways to detect it:

    BPINT 41 if ax==4f

    BPINT 30 if ax==0xF386   ; SoftICE must be loaded for this one

    BPX Exec_PM_Int if eax==41 &amp;&amp; edx-&gt;1c==4f &amp;&amp; edx-&gt;10==002A002A

    BPX Kernel32!ord_0001 if esp-&gt;4==002A002A &amp;&amp; esp-&gt;8==4f   ; slooooow!

__________________________________________________________________________

Method 13
=========

Not a real method of detection, but a good way to know if SoftICE is
installed on a computer and to locate its installation directory.
It is used by a few softs which access the following registry keys (usually #2):

-#1: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \Uninstall\SoftICE
-#2: HKEY_LOCAL_MACHINE\Software\NuMega\SoftICE
-#3: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
     \App Paths\Loader32.Exe


Note that some nasty apps could then erase all files from the SoftICE directory
(I faced that once :-(

Useful breakpoint to detect it:

     BPX _regopenkey if *(esp-&gt;8+0x13)=='tICE' || *(esp-&gt;8+0x37)=='tICE'


__________________________________________________________________________

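Methods 11 and 13 both leave string evidence in the binary: the device names
handed to CreateFileA/_lopen and the registry paths under which SoftICE is
registered. The extractor below is an added example for this page, not code
from the original article or from MeltICE: it pulls ASCII and UTF-16LE strings
out of a buffer and reports where the known SoftICE device names and registry
paths occur, so the same indicators can be flagged when the strings are stored
wide (for CreateFileW) as well as narrow. The indicator list and the SAMPLE
buffer are my own constructions; SAMPLE is not taken from any real program.

```python
"""Indicator extractor for the MeltICE (Method 11) and registry (Method 13)
checks.  Added example for this page, not code from the original article.
The indicator lists and the SAMPLE buffer are constructed here.
"""
import re

# Device names opened by MeltICE-style checks (Method 11) and the registry
# paths from Method 13.  Matching is case-insensitive.
DEVICE_NAMES = (r"\\.\SICE", r"\\.\SIWVID", r"\\.\NTICE")
REGISTRY_PATHS = (
    r"Software\NuMega\SoftICE",
    r"CurrentVersion\Uninstall\SoftICE",
    r"App Paths\Loader32.Exe",
)

# Runs of 4 or more printable characters, narrow and UTF-16LE wide.
_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data):
    """Return sorted (offset, encoding, text) for printable runs in data."""
    out = []
    for m in _ASCII.finditer(data):
        out.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _WIDE.finditer(data):
        out.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(out)


def find_indicators(data):
    """Map each known indicator to the (offset, encoding) pairs where it occurs."""
    found = {}
    for offset, encoding, text in extract_strings(data):
        low = text.lower()
        for needle in DEVICE_NAMES + REGISTRY_PATHS:
            if needle.lower() in low:
                found.setdefault(needle, []).append((offset, encoding))
    return found


# Constructed buffer: a narrow SICE device name (as in the MeltICE sample),
# a wide NTICE device name, the registry key #2 from Method 13 and one
# harmless string, separated by bytes that are not printable.
SAMPLE = (
    b"\x00" * 8
    + b"\\\\.\\SICE\x00"                               # offset 8, ascii
    + b"\x90" * 5
    + "\\\\.\\NTICE".encode("utf-16le") + b"\x00\x00"   # offset 22, utf-16le
    + b"\x90" * 3
    + b"Software\\NuMega\\SoftICE\x00"                  # offset 45, ascii
    + b"plain text that is not an indicator\x00"
)

if __name__ == "__main__":
    for needle, places in sorted(find_indicators(SAMPLE).items()):
        print("%-36s %s" % (needle, places))
```

Substring matching on the lowercased text is deliberate: a program may
embed the device name inside a longer format string or store the registry
path with a different root, and both still contain the part that matters.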
Method 14
=========

A call to the VMM 'Test_Debug_Installed' service. As the name says, its purpose
is to determine whether a debugger is running on your system (ring0 only).

   VMMCall Test_Debug_Installed
   je      not_installed

This service just checks a flag.
</PRE></TD></TR></TBODY></TABLE>